Junos Service Interface Configuration Guide

Junos® OS Services Interfaces Configuration Guide release Juniper Networks, Inc. All other trademarks, service marks, or registered service marks are the property of their respective owners. This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company.
Junos OS

Services Interfaces Configuration Guide

Release 11.4

Published: 2011-11-14

Copyright 2011, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Services Interfaces Configuration Guide
Release 11.4
Copyright 2011, Juniper Networks, Inc. All rights reserved.

Revision History
November 2011, R1, Junos OS 11.4

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT


The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Abbreviated Table of Contents

About This Guide . . . . xlvii

Part 1  Overview
Chapter 1  Services Interfaces Overview . . . . 3
Chapter 2  Services Interfaces Configuration Statements . . . . 5

Part 2  Adaptive Services
Chapter 3  Adaptive Services Overview . . . . 37
Chapter 4  Applications Configuration Guidelines . . . . 71
Chapter 5  Summary of Applications Configuration Statements . . . . 103
Chapter 6  Stateful Firewall Services Configuration Guidelines . . . . 113
Chapter 7  Summary of Stateful Firewall Configuration Statements . . . . 123
Chapter 8  Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines . . . . 135
Chapter 9  Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements . . . . 139
Chapter 10  Carrier-Grade NAT Configuration Guidelines . . . . 149
Chapter 11  Summary of Carrier-Grade NAT Configuration Statements . . . . 239
Chapter 12  Load Balancing Configuration Guidelines . . . . 271
Chapter 13  Summary of Load Balancing Configuration Statements . . . . 277
Chapter 14  Intrusion Detection Service Configuration Guidelines . . . . 289
Chapter 15  Summary of Intrusion Detection Service Configuration Statements . . . . 301
Chapter 16  IPsec Services Configuration Guidelines . . . . 323
Chapter 17  Summary of IPsec Services Configuration Statements . . . . 377
Chapter 18  Layer 2 Tunneling Protocol Services Configuration Guidelines . . . . 413
Chapter 19  Summary of Layer 2 Tunneling Protocol Configuration Statements . . . . 431
Chapter 20  Link Services IQ Interfaces Configuration Guidelines . . . . 447
Chapter 21  Summary of Link Services IQ Configuration Statements . . . . 509
Chapter 22  Voice Services Configuration Guidelines . . . . 521
Chapter 23  Summary of Voice Services Configuration Statements . . . . 531
Chapter 24  Class-of-Service Configuration Guidelines . . . . 541
Chapter 25  Summary of Class-of-Service Configuration Statements . . . . 551
Chapter 26  Service Set Configuration Guidelines . . . . 567


Junos 11.4 Services Interfaces Configuration Guide

Chapter 27  Summary of Service Set Configuration Statements . . . . 585
Chapter 28  Service Interface Configuration Guidelines . . . . 611
Chapter 29  Summary of Service Interface Configuration Statements . . . . 625
Chapter 30  PGCP Configuration Guidelines for the BGF Feature . . . . 643
Chapter 31  Summary of PGCP Configuration Statements . . . . 649
Chapter 32  Service Interface Pools Configuration Guidelines . . . . 751
Chapter 33  Summary of Service Interface Pools Statements . . . . 753
Chapter 34  Border Signaling Gateway Configuration Guidelines . . . . 755
Chapter 35  Summary of Border Signaling Gateway Configuration Statements . . . . 761
Chapter 36  PTSP Configuration Guidelines . . . . 841
Chapter 37  Summary of PTSP Configuration Statements . . . . 843
Chapter 38  Softwire Configuration Guidelines . . . . 865
Chapter 39  Summary of Softwire Configuration Statements . . . . 883

Part 3  Dynamic Application Awareness for Junos OS
Chapter 40  Dynamic Application Awareness for Junos OS Overview . . . . 893
Chapter 41  Application Identification Configuration Guidelines . . . . 901
Chapter 42  Summary of Application Identification Configuration Statements . . . . 919
Chapter 43  Application-Aware Access List Configuration Guidelines . . . . 955
Chapter 44  Summary of AACL Configuration Statements . . . . 963
Chapter 45  Local Policy Decision Function Configuration Guidelines . . . . 975
Chapter 46  Summary of L-PDF Configuration Statements . . . . 981

Part 4  Encryption Services
Chapter 47  Encryption Overview . . . . 993
Chapter 48  Encryption Interfaces Configuration Guidelines . . . . 995
Chapter 49  Summary of Encryption Configuration Statements . . . . 1005

Part 5  Flow Monitoring and Discard Accounting Services
Chapter 50  Flow Monitoring and Discard Accounting Overview . . . . 1015
Chapter 51  Flow Monitoring and Discard Accounting Configuration Guidelines . . . . 1019
Chapter 52  Summary of Flow-Monitoring Configuration Statements . . . . 1087
Chapter 53  Flow Collection Configuration Guidelines . . . . 1159
Chapter 54  Summary of Flow Collection Configuration Statements . . . . 1171
Chapter 55  Dynamic Flow Capture Configuration Guidelines . . . . 1189
Chapter 56  Flow-Tap Configuration Guidelines . . . . 1201
Chapter 57  Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements . . . . 1209


Part 6  Link and Multilink Services
Chapter 58  Link and Multilink Services Overview . . . . 1229
Chapter 59  Link and Multilink Services Configuration Guidelines . . . . 1233
Chapter 60  Summary of Multilink and Link Services Configuration Statements . . . . 1271

Part 7  Real-Time Performance Monitoring Services
Chapter 61  Real-Time Performance Monitoring Services Overview . . . . 1297
Chapter 62  Real-Time Performance Monitoring Configuration Guidelines . . . . 1299
Chapter 63  Summary of Real-Time Performance Monitoring Configuration Statements . . . . 1319

Part 8  Tunnel Services
Chapter 64  Tunnel Services Overview . . . . 1351
Chapter 65  Tunnel Interfaces Configuration Guidelines . . . . 1355
Chapter 66  Summary of Tunnel Services Configuration Statements . . . . 1375

Part 9  Index
Index . . . . 1393
Index of Statements and Commands . . . . 1419


Table of Contents
About This Guide . . . . xlvii
  Junos Documentation and Release Notes . . . . xlvii
  Objectives . . . . xlviii
  Audience . . . . xlviii
  Supported Platforms . . . . xlviii
  Using the Indexes . . . . xlix
  Using the Examples in This Manual . . . . xlix
    Merging a Full Example . . . . xlix
    Merging a Snippet . . . . l
  Documentation Conventions . . . . l
  Documentation Feedback . . . . lii
  Requesting Technical Support . . . . lii
    Self-Help Online Tools and Resources . . . . liii
    Opening a Case with JTAC . . . . liii

Part 1  Overview

Chapter 1  Services Interfaces Overview . . . . 3
  Services PIC Types . . . . 3
  Supported Platforms . . . . 4

Chapter 2  Services Interfaces Configuration Statements . . . . 5
  [edit applications] Hierarchy Level . . . . 5
  [edit forwarding-options] Hierarchy Level . . . . 6
  [edit interfaces] Hierarchy Level . . . . 8
  [edit logical-systems] Hierarchy Level . . . . 12
  [edit services] Hierarchy Level . . . . 12

Part 2  Adaptive Services

Chapter 3  Adaptive Services Overview . . . . 37
  Adaptive Services Overview . . . . 37
  Enabling Service Packages . . . . 39
    Layer 2 Service Package Capabilities and Interfaces . . . . 43
  Services Configuration Procedure . . . . 44
  Packet Flow Through the Adaptive Services or Multiservices PIC . . . . 44
  Stateful Firewall Overview . . . . 45
    Stateful Firewall Support for Application Protocols . . . . 46
    Stateful Firewall Anomaly Checking . . . . 46


  Network Address Translation Overview . . . . 48
    Types of NAT . . . . 48
      NAT Concept and Facilities Overview . . . . 48
      IPv4-to-IPv4 Basic NAT . . . . 49
      NAT-PT . . . . 50
      Static Destination NAT . . . . 50
      Twice NAT . . . . 50
      IPv6 NAT . . . . 51
      NAT-PT with DNS ALG . . . . 51
      Dynamic NAT . . . . 52
      Stateful NAT64 . . . . 52
      Dual-Stack Lite . . . . 52
  Tunneling Services for IPv4-to-IPv6 Transition Overview . . . . 53
    6to4 Overview . . . . 54
      Basic 6to4 . . . . 54
      6to4 Anycast . . . . 54
      6to4 Provider-Managed Tunnels . . . . 55
    DS-Lite Softwires: IPv4 over IPv6 . . . . 55
    6rd Softwires: IPv6 over IPv4 . . . . 56
  IPsec Overview . . . . 57
    IPsec . . . . 57
    Security Associations . . . . 57
    IKE . . . . 58
    Comparison of IPsec Services and ES Interface Configuration . . . . 58
  Layer 2 Tunneling Protocol Overview . . . . 59
  Voice Services Overview . . . . 60
  Class of Service Overview . . . . 60
  Examples: Services Interfaces Configuration . . . . 61
    Example: Service Interfaces Configuration . . . . 61
    Example: VPN Routing and Forwarding (VRF) and Service Configuration . . . . 64
    Example: Dynamic Source NAT as a Next-Hop Service . . . . 65
    Example: NAT Between VRFs Configuration . . . . 67
    Example: BOOTP and Broadcast Addresses . . . . 70

Chapter 4  Applications Configuration Guidelines . . . . 71
  Configuring Application Protocol Properties . . . . 72
    Configuring an Application Protocol . . . . 72
    Configuring the Network Protocol . . . . 74
    Configuring the ICMP Code and Type . . . . 75
    Configuring Source and Destination Ports . . . . 77
    Configuring the Inactivity Timeout Period . . . . 80
    Configuring an SNMP Command for Packet Matching . . . . 80
    Configuring an RPC Program Number . . . . 80
    Configuring the TTL Threshold . . . . 80
    Configuring a Universal Unique Identifier . . . . 81
  Configuring Application Sets . . . . 81
  ALG Descriptions . . . . 81
    Basic TCP ALG . . . . 82
    Basic UDP ALG . . . . 82


    BOOTP . . . . 83
    DCE RPC Services . . . . 83
    ONC RPC Services . . . . 83
    FTP . . . . 83
    ICMP . . . . 84
    NetShow . . . . 84
    RPC and RPC Portmap Services . . . . 84
    RTSP . . . . 86
    SMB . . . . 86
    SNMP . . . . 86
    SQLNet . . . . 87
    TFTP . . . . 87
    Traceroute . . . . 87
    UNIX Remote-Shell Services . . . . 87
  Verifying the Output of ALG Sessions . . . . 88
    FTP Example . . . . 88
      Sample Output . . . . 88
      FTP System Log Messages . . . . 89
      Analysis . . . . 90
      Troubleshooting Questions . . . . 90
    RTSP ALG Example . . . . 91
      Sample Output . . . . 91
      Analysis . . . . 91
      Troubleshooting Questions . . . . 91
    System Log Messages . . . . 93
      System Log Configuration . . . . 93
      System Log Output . . . . 94
  Junos Default Groups . . . . 94
    Examples: Referencing the Preset Statement from the Junos Default Group . . . . 99
  Examples: Configuring Application Protocols . . . . 101

Chapter 5  Summary of Applications Configuration Statements . . . . 103
  application . . . . 103
  application-protocol . . . . 104
  application-set . . . . 105
  applications . . . . 105
  destination-port . . . . 106
  icmp-code . . . . 106
  icmp-type . . . . 107
  inactivity-timeout . . . . 107
  learn-sip-register . . . . 108
  protocol . . . . 109
  rpc-program-number . . . . 110
  sip-call-hold-timeout . . . . 110
  snmp-command . . . . 111
  source-port . . . . 111
  ttl-threshold . . . . 112
  uuid . . . . 112


Chapter 6  Stateful Firewall Services Configuration Guidelines . . . . 113
  Configuring Stateful Firewall Rules . . . . 114
    Configuring Match Direction for Stateful Firewall Rules . . . . 114
    Configuring Match Conditions in Stateful Firewall Rules . . . . 115
    Configuring Actions in Stateful Firewall Rules . . . . 116
      Configuring IP Option Handling . . . . 117
  Configuring Stateful Firewall Rule Sets . . . . 118
  Examples: Configuring Stateful Firewall Rules . . . . 118

Chapter 7  Summary of Stateful Firewall Configuration Statements . . . . 123
  allow-ip-options . . . . 124
  application-sets . . . . 125
  applications . . . . 125
  destination-address . . . . 126
  destination-address-range . . . . 126
  destination-prefix-list . . . . 127
  from . . . . 128
  match-direction . . . . 128
  rule . . . . 129
  rule-set . . . . 130
  services . . . . 130
  source-address . . . . 131
  source-address-range . . . . 131
  source-prefix-list . . . . 132
  syslog . . . . 132
  term . . . . 133
  then . . . . 134

Chapter 8  Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines . . . . 135
  Loading the Stateful Firewall Plug-In . . . . 135
  Configuring Memory for the Stateful Firewall Plug-In . . . . 137
  Configuring rsh, rlogin, rexec for Stateful Firewall . . . . 137

Chapter 9  Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements . . . . 139
  control-cores . . . . 139
  data-cores . . . . 140
  data-flow-affinity . . . . 140
  destination . . . . 141
  extension-provider . . . . 142
  forwarding-db-size . . . . 143
  hash-key . . . . 144
  object-cache-size . . . . 145
  package (Loading on PIC) . . . . 145
  policy-db-size . . . . 146
  syslog . . . . 147
  wired-process-mem-size . . . . 148


Chapter 10
Carrier-Grade NAT Configuration Guidelines ... 149
  Configuring Addresses and Ports for Use in NAT Rules ... 151
    Configuring Pools of Addresses and Ports ... 151
      Preserve Range and Preserve Parity ... 152
    Configuring Address Pools for Network Address Port Translation ... 152
      Round-Robin Allocation ... 153
      Port Block Allocation ... 153
      Sequential ... 154
      Additional Options for NAPT ... 154
    Specifying Destination and Source Prefixes ... 155
    Requirements for NAT Addresses ... 155
  Configuring NAT Rules ... 156
    Configuring Match Direction for NAT Rules ... 157
    Configuring Match Conditions in NAT Rules ... 158
    Configuring Actions in NAT Rules ... 159
  Configuring NAT Rule Sets ... 161
  Configuring Static Source Translation in IPv4 Networks ... 162
    Configuring the NAT Pool and Rule ... 162
    Configuring the Service Set for NAT ... 163
    Configuring Trace Options ... 164
  Configuring Static Source Translation in IPv6 Networks ... 165
    Configuring the NAT Pool and Rule ... 165
    Configuring the Service Set for NAT ... 167
    Configuring Trace Options ... 167
  Configuring Dynamic Source Address and Port Translation in IPv4 Networks ... 168
  Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks ... 170
  Configuring Dynamic Source Address and Port Translation for IPv6 Networks ... 173
  Configuring Dynamic Address-Only Source Translation in IPv4 Networks ... 174
  Configuring Static Destination Address Translation in IPv4 Networks ... 177
  Configuring Port Forwarding for Static Destination Address Translation ... 179
  Configuring Translation Type for Translation Between IPv6 and IPv4 Networks ... 182
    Configuring the DNS ALG Application ... 182
    Configuring the NAT Pool and NAT Rule ... 183
    Configuring the Service Set for NAT ... 186
    Configuring Trace Options ... 187
  Configuring NAT-PT ... 187
    Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) ... 189
    Configuring Port Forwarding for Static Destination Address Translation ... 190
  Examples: Configuring NAT Rules ... 193
    Example: Configuring Static Source Translation ... 193
      Example: Configuring Static Source Translation in an IPv4 Network ... 193
      Example: Configuring Static Source Translation in an IPv6 Network ... 194
      Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges ... 195
    Example: Configuring Dynamic Source Address and Port Translation ... 195
      Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network ... 196
      Example: Configuring Dynamic Source Translation for an IPv4 Network ... 196
      Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network ... 197
    Example: Configuring Dynamic Address-Only Source Translation ... 197
      Example: Configuring Dynamic Address-Only Source Translation ... 198
      Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network ... 198
    Example: Configuring Static Destination Address Translation ... 199
    Example: Configuring NAT in Mixed IPv4 and IPv6 Networks ... 199
      Example: Configuring the Translation Type Between IPv6 and IPv4 Networks ... 199
      Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) ... 201
        Example: Configuring Source Dynamic and Destination Static Translation ... 201
      Example: Configuring NAT-PT ... 202
    Example: Configuring Port Forwarding with Twice NAT ... 215
    Example: Configuring an Oversubscribed Pool with Fallback to NAPT ... 216
    Example: Configuring an Oversubscribed Pool with No Fallback ... 217
    Example: Assigning Addresses from a Dynamic Pool for Static Use ... 217
    Example: Configuring NAT Rules Without Defining a Pool ... 218
    Example: Preventing Translation of Specific Addresses ... 219
    Example: Configuring NAT for Multicast Traffic ... 219
      Rendezvous Point Configuration ... 219
      Router 1 Configuration ... 222
  Example: NAT 44 CGN Configurations ... 223
  Example: NAT Between VRFs Configuration ... 226
  Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion ... 229

Chapter 11
Summary of Carrier-Grade NAT Configuration Statements ... 239
  address ... 239
  address-allocation ... 240
  address-pooling ... 240
  address-range ... 241
  application-sets ... 241
  applications ... 242
  destination-address ... 242
  destination-address-range ... 243
  destination-pool ... 243
  destination-port range ... 244
  destination-prefix ... 244
  destination-prefix-list ... 245
  destined-port ... 245
  dns-alg-pool ... 246
  dns-alg-prefix ... 246
  filtering-type ... 246
  from ... 247
  hint ... 248
  ipv6-multicast-interfaces ... 249
  mapping-type ... 249
  match-direction ... 250
  no-translation ... 250
  overload-pool ... 251
  overload-prefix ... 251
  pgcp ... 252
  pool ... 253
  port ... 254
  port-forwarding ... 255
  port-forwarding-mappings ... 255
  ports-per-session ... 256
  remotely-controlled ... 256
  rule ... 257
  rule-set ... 258
  secured-port-block-allocation ... 259
  services ... 260
  source-address ... 260
  source-address-range ... 261
  source-pool ... 261
  source-prefix ... 262
  source-prefix-list ... 262
  syslog ... 263
  term ... 264
  then ... 265
  translated-port ... 266
  translated ... 266
  translation-type ... 267
  transport ... 268
  use-dns-map-for-destination-translation ... 269

Chapter 12
Load Balancing Configuration Guidelines ... 271
  Configuring Load Balancing on AMS Infrastructure ... 271
    Configuring AMS Infrastructure ... 271
    Configuring High Availability ... 272
    Load Balancing Network Address Translation Flows ... 273
  Example: Configuring Static Source Translation on AMS Infrastructure ... 273

Chapter 13
Summary of Load Balancing Configuration Statements ... 277
  drop-member-traffic (Aggregated Multiservices) ... 277
  enable-rejoin (Aggregated Multiservices) ... 278
  family (Aggregated Multiservices) ... 278
  high-availability-options (Aggregated Multiservices) ... 279
  interfaces (Aggregated Multiservices) ... 280
  load-balancing-options (Aggregated Multiservices) ... 281
  many-to-one (Aggregated Multiservices) ... 282
  member-failure-options (Aggregated Multiservices) ... 283
  member-interface (Aggregated Multiservices) ... 285
  redistribute-all-traffic (Aggregated Multiservices) ... 286
  rejoin-timeout (Aggregated Multiservices) ... 286
  unit (Aggregated Multiservices) ... 287

Chapter 14
Intrusion Detection Service Configuration Guidelines ... 289
  Configuring IDS Rules ... 291
    Configuring Match Direction for IDS Rules ... 292
    Configuring Match Conditions in IDS Rules ... 293
    Configuring Actions in IDS Rules ... 294
  Configuring IDS Rule Sets ... 297
  Examples: Configuring IDS Rules ... 297

Chapter 15
Summary of Intrusion Detection Service Configuration Statements ... 301
  aggregation ... 301
  application-sets ... 302
  applications ... 302
  by-destination ... 303
  by-pair ... 304
  by-source ... 305
  destination-address ... 306
  destination-address-range ... 306
  destination-prefix ... 307
  destination-prefix-ipv6 ... 307
  destination-prefix-list ... 308
  force-entry ... 308
  from ... 309
  ignore-entry ... 309
  logging ... 309
  match-direction ... 310
  mss ... 310
  rule ... 311
  rule-set ... 312
  services ... 312
  session-limit ... 313
  source-address ... 314
  source-address-range ... 314
  source-prefix ... 315
  source-prefix-ipv6 ... 315
  source-prefix-list ... 316
  syn-cookie ... 316
  syslog ... 317
  term ... 318
  then ... 320
  threshold ... 321

Chapter 16
IPsec Services Configuration Guidelines ... 323
  Minimum Security Association Configurations ... 325
    Minimum Manual SA Configuration ... 325
    Minimum Dynamic SA Configuration ... 325
  Configuring Security Associations ... 326
    Configuring Manual Security Associations ... 327
      Configuring the Direction for IPsec Processing ... 328
      Configuring the Protocol for a Manual IPsec SA ... 329
      Configuring the Security Parameter Index ... 329
      Configuring the Auxiliary Security Parameter Index ... 329
      Configuring Authentication for a Manual IPsec SA ... 329
      Configuring Encryption for a Manual IPsec SA ... 330
    Configuring Dynamic Security Associations ... 331
    Clearing Security Associations ... 332
  Configuring IKE Proposals ... 332
    Configuring the Authentication Algorithm for an IKE Proposal ... 333
    Configuring the Authentication Method for an IKE Proposal ... 333
    Configuring the Diffie-Hellman Group for an IKE Proposal ... 334
    Configuring the Encryption Algorithm for an IKE Proposal ... 334
    Configuring the Lifetime for an IKE SA ... 335
    Example: Configuring an IKE Proposal ... 335
  Configuring IKE Policies ... 335
    Configuring the IKE Phase ... 337
    Configuring the Mode for an IKE Policy ... 337
    Configuring the Proposals in an IKE Policy ... 337
    Configuring the Preshared Key for an IKE Policy ... 338
    Configuring the Local Certificate for an IKE Policy ... 338
      Configuring a Certificate Revocation List ... 339
    Configuring the Description for an IKE Policy ... 339
    Configuring Local and Remote IDs for IKE Phase 1 Negotiation ... 339
    Example: Configuring an IKE Policy ... 340
  Configuring IPsec Proposals ... 341
    Configuring the Authentication Algorithm for an IPsec Proposal ... 341
    Configuring the Description for an IPsec Proposal ... 342
    Configuring the Encryption Algorithm for an IPsec Proposal ... 342
    Configuring the Lifetime for an IPsec SA ... 342
    Configuring the Protocol for a Dynamic SA ... 343
  Configuring IPsec Policies ... 343
    Configuring the Description for an IPsec Policy ... 344
    Configuring Perfect Forward Secrecy ... 344
    Configuring the Proposals in an IPsec Policy ... 345
    Example: Configuring an IPsec Policy ... 345
  IPsec Policy for Dynamic Endpoints ... 346
  Configuring IPsec Rules ... 346
    Configuring Match Direction for IPsec Rules ... 347
    Configuring Match Conditions in IPsec Rules ... 348
    Configuring Actions in IPsec Rules ... 349
      Enabling IPsec Packet Fragmentation ... 350
      Configuring Destination Addresses for Dead Peer Detection ... 350
      Configuring or Disabling IPsec Anti-Replay ... 352
      Enabling System Log Messages ... 352
      Specifying the MTU for IPsec Tunnels ... 352
  Configuring IPsec Rule Sets ... 353
  Configuring Dynamic Endpoints for IPsec Tunnels ... 353
    Authentication Process ... 354
    Implicit Dynamic Rules ... 354
    Reverse Route Insertion ... 355
    Configuring an IKE Access Profile ... 355
    Referencing the IKE Access Profile in a Service Set ... 357
    Configuring the Interface Identifier ... 357
    Default IKE and IPsec Proposals ... 358
  Tracing IPsec Operations ... 358
    Disabling IPsec Tunnel Endpoint in Traceroute ... 359
    Tracing IPsec PKI Operations ... 360
  Configuring IPsec on the Services SDK ... 360
  Examples: Configuring IPsec Services ... 361
    Example: Configuring Statically Assigned Tunnels ... 362
    Example: Configuring Dynamically Assigned Tunnels ... 364
    Multitask Example: Configuring IPsec Services ... 369
      Configuring the IKE Proposal ... 369
      Configuring the IKE Policy (and Referencing the IKE Proposal) ... 370
      Configuring the IPsec Proposal ... 370
      Configuring the IPsec Policy (and Referencing the IPsec Proposal) ... 371
      Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies) ... 372
      Configuring IPsec Trace Options ... 373
      Configuring the Access Profile (and Referencing the IKE and IPsec Policies) ... 373
      Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule) ... 374

Chapter 17
Summary of IPsec Services Configuration Statements ... 377
  anti-replay-window-size ... 377
  authentication ... 378
  authentication-algorithm ... 379
    authentication-algorithm (IKE) ... 379
    authentication-algorithm (IPsec) ... 379
  authentication-method ... 380
  auxiliary-spi ... 380
  backup-remote-gateway ... 381
  clear-dont-fragment-bit ... 381
  clear-ike-sas-on-pic-restart ... 382
  clear-ipsec-sas-on-pic-restart ... 382
  description ... 383
  destination-address ... 383
  dh-group ... 384
  direction ... 385
  dynamic ... 386
  encryption ... 387
  encryption-algorithm ... 388
  from ... 389
  ike ... 390
  initiate-dead-peer-detection ... 391
  ipsec ... 391
  ipsec-inside-interface ... 392
  lifetime-seconds ... 392
  local-certificate ... 393
  local-id ... 393
  manual ... 394
  match-direction ... 394
  mode ... 395
  no-anti-replay ... 395
  no-ipsec-tunnel-in-traceroute ... 396
  perfect-forward-secrecy ... 396
  policy ... 397
    policy (IKE) ... 397
    policy (IPsec) ... 398
  pre-shared-key ... 398
  proposal ... 399
    proposal (IKE) ... 399
    proposal (IPsec) ... 400
  proposals ... 400
  protocol ... 401
  remote-gateway ... 401
  remote-id ... 402
  rule ... 403
  rule-set ... 404
  services ... 404
  source-address ... 405
  spi ... 405
  syslog ...
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 then . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 traceoptions (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 tunnel-mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 version (IKE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Chapter 18

Layer 2 Tunneling Protocol Services Configuration Guidelines . . . . . . . . . . 413


L2TP Services Configuration Overview . . . . 415
L2TP Minimum Configuration . . . . 416
Configuring L2TP Tunnel Groups . . . . 418
Configuring Access Profiles for L2TP Tunnel Groups . . . . 419
Configuring the Local Gateway Address and PIC . . . . 419
Configuring Window Size for L2TP Tunnels . . . . 420
Configuring Timers for L2TP Tunnels . . . . 420
Hiding Attribute-Value Pairs for L2TP Tunnels . . . . 420


Configuring System Logging of L2TP Tunnel Activity . . . . 421
Configuring the Identifier for Logical Interfaces that Provide L2TP Services . . . . 422
Example: Configuring Multilink PPP on a Shared Logical Interface . . . . 423
AS PIC Redundancy for L2TP Services . . . . 424
Tracing L2TP Operations . . . . 424
Examples: Configuring L2TP Services . . . . 426

Chapter 19

Summary of Layer 2 Tunneling Protocol Configuration Statements . . . . . 431


facility-override . . . . 431
hello-interval . . . . 432
hide-avps . . . . 432
host . . . . 433
l2tp-access-profile . . . . 433
local-gateway address . . . . 434
log-prefix . . . . 434
maximum-send-window . . . . 435
ppp-access-profile . . . . 435
receive-window . . . . 436
retransmit-interval . . . . 436
service-interface . . . . 437
services . . . . 438
    services (Hierarchy) . . . . 438
    services (L2TP System Logging) . . . . 439
syslog . . . . 440
traceoptions (L2TP) . . . . 441
tunnel-group . . . . 445
tunnel-timeout . . . . 446

Chapter 20

Link Services IQ Interfaces Configuration Guidelines . . . . . . . . . . . . . . . . . 447


Layer 2 Service Package Capabilities and Interfaces . . . . 448
Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS . . . . 450
Configuring the Association between LSQ and SONET Interfaces . . . . 450
Configuring SONET APS Interoperability with Cisco Systems FRF.16 . . . . 451
Restrictions on APS Redundancy for LSQ Interfaces . . . . 452
Configuring LSQ Interface Redundancy in a Single Router Using SONET APS . . . . 452
Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces . . . . 453
Configuring Redundant Paired LSQ Interfaces . . . . 453
Restrictions on Redundant LSQ Interfaces . . . . 454
Configuring Link State Replication for Redundant Link PICs . . . . 455
Examples: Configuring Redundant LSQ Interfaces for Failure Recovery . . . . 457
Configuring CoS Scheduling Queues on Logical LSQ Interfaces . . . . 461
Configuring Scheduler Buffer Size . . . . 462
Configuring Scheduler Priority . . . . 463
Configuring Scheduler Shaping Rate . . . . 463
Configuring Drop Profiles . . . . 463
Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces . . . . 465
Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces . . . . 466
Configuring Multiclass MLPPP on LSQ Interfaces . . . . 467


Oversubscribing Interface Bandwidth on LSQ Interfaces . . . . 468
Examples: Oversubscribing an LSQ Interface . . . . 472
Configuring Guaranteed Minimum Rate on LSQ Interfaces . . . . 473
Example: Configuring Guaranteed Minimum Rate . . . . 476
Configuring Link Services and CoS on Services PICs . . . . 477
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP . . . . 480
Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP . . . . 483
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 . . . . 485
Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16 . . . . 488
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI . . . . 490
Example: Configuring an LSQ Interface for a Fractional T1 Interface Using MLPPP and LFI . . . . 493
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 . . . . 495
Examples: Configuring an LSQ Interface for a Fractional T1 Interface Using FRF.12 . . . . 498
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 . . . . 502
Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP . . . . 503
Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 . . . . 504
Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP . . . . 506

Chapter 21

Summary of Link Services IQ Configuration Statements . . . . . . . . . . . . . . 509


cisco-interoperability . . . . 509
forwarding-class . . . . 510
fragment-threshold . . . . 511
fragmentation-map . . . . 511
fragmentation-maps . . . . 512
hot-standby . . . . 512
link-layer-overhead . . . . 513
lsq-failure-options . . . . 513
multilink-class . . . . 514
multilink-max-classes . . . . 514
no-fragmentation . . . . 515
no-per-unit-scheduler . . . . 515
no-termination-request . . . . 516
per-unit-scheduler . . . . 516
preserve-interface . . . . 517
primary . . . . 517
redundancy-options . . . . 518
secondary . . . . 518
trigger-link-failure . . . . 519
warm-standby . . . . 519

Chapter 22

Voice Services Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521


Configuring Services Interfaces for Voice Services . . . . 522
Configuring the Logical Interface Address for the MLPPP Bundle . . . . 522
Configuring Compression of Voice Traffic . . . . 523
Configuring Delay-Sensitive Packet Interleaving . . . . 524


Example: Configuring Compression of Voice Traffic . . . . 524
Configuring Encapsulation for Voice Services . . . . 525
Configuring Network Interfaces for Voice Services . . . . 525
Configuring Voice Services Bundles with MLPPP Encapsulation . . . . 526
Configuring the Compression Interface with PPP Encapsulation . . . . 526
Examples: Configuring Voice Services . . . . 526

Chapter 23

Summary of Voice Services Configuration Statements . . . . . . . . . . . . . . . . 531


address . . . . 531
bundle . . . . 532
compression . . . . 532
compression-device . . . . 533
encapsulation . . . . 533
f-max-period . . . . 534
family . . . . 535
fragment-threshold . . . . 536
interfaces . . . . 536
maximum-contexts . . . . 537
port . . . . 537
queues . . . . 538
rtp . . . . 538
unit . . . . 539

Chapter 24

Class-of-Service Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . 541


Restrictions and Cautions for CoS Configuration on Services Interfaces . . . . 542
Configuring CoS Rules . . . . 543
Configuring Match Direction for CoS Rules . . . . 543
Configuring Match Conditions in CoS Rules . . . . 544
Configuring Actions in CoS Rules . . . . 545
Configuring Application Profiles for Use as CoS Rule Actions . . . . 546
Configuring Reflexive and Reverse CoS Rule Actions . . . . 546
Example: Configuring CoS Rules . . . . 547
Configuring CoS Rule Sets . . . . 548
Examples: Configuring CoS on Services Interfaces . . . . 548

Chapter 25

Summary of Class-of-Service Configuration Statements . . . . . . . . . . . . . . 551


application-profile . . . . 552
application-sets . . . . 553
applications . . . . 553
data . . . . 554
destination-address . . . . 554
destination-prefix-list . . . . 555
dscp . . . . 555
forwarding-class . . . . 556
from . . . . 556
ftp . . . . 557
match-direction . . . . 557
(reflexive | reverse) . . . . 558
rule . . . . 559
rule-set . . . . 560


services . . . . 560
sip . . . . 561
source-address . . . . 561
source-prefix-list . . . . 562
syslog . . . . 562
term . . . . 563
then . . . . 564
video . . . . 564
voice . . . . 565

Chapter 26

Service Set Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567


Configuring Service Sets to be Applied to Services Interfaces . . . . 568
Configuring Interface Service Sets . . . . 568
Configuring Next-Hop Service Sets . . . . 570
Determining Traffic Direction . . . . 571
Interface Style Service Sets . . . . 571
Next-Hop Style Service Sets . . . . 571
Configuring Service Rules . . . . 572
Configuring IPsec Service Sets . . . . 573
Configuring the Local Gateway Address for IPsec Service Sets . . . . 574
IKE Addresses in VRF Instances . . . . 574
Configuring IKE Access Profiles for IPsec Service Sets . . . . 575
Configuring Certification Authorities for IPsec Service Sets . . . . 575
Configuring or Disabling Antireplay Service . . . . 575
Clearing the Don't-Fragment Bit . . . . 576
Configuring Passive-Mode Tunneling . . . . 577
Configuring the Tunnel MTU Value . . . . 577
Configuring Service Set Limitations . . . . 578
Configuring System Logging for Service Sets . . . . 578
Enabling Services PICs to Accept Multicast Traffic . . . . 580
Tracing Services PIC Operations . . . . 580
Configuring the Adaptive Services Log Filename . . . . 581
Configuring the Number and Size of Adaptive Services Log Files . . . . 581
Configuring Access to the Log File . . . . 582
Configuring a Regular Expression for Lines to Be Logged . . . . 582
Configuring the Trace Operations . . . . 582
Example: Configuring Service Sets . . . . 583

Chapter 27

Summary of Service Set Configuration Statements . . . . . . . . . . . . . . . . . . 585


adaptive-services-pics . . . . 585
allow-multicast . . . . 586
anti-replay-window-size . . . . 587
bypass-traffic-on-exceeding-flow-limits . . . . 588
bypass-traffic-on-pic-failure . . . . 588
clear-dont-fragment-bit . . . . 589
facility-override . . . . 590
host . . . . 590
ids-rules . . . . 591
ike-access-profile . . . . 591
interface-service . . . . 592


ipsec-vpn-options . . . . 592
ipsec-vpn-rules . . . . 593
local-gateway . . . . 593
log-prefix . . . . 594
logging . . . . 594
max-flows . . . . 595
message-rate-limit . . . . 596
nat-rules . . . . 597
next-hop-service . . . . 598
no-anti-replay . . . . 599
passive-mode-tunneling . . . . 599
pgcp-rules . . . . 600
port (syslog) . . . . 600
ptsp-rules . . . . 601
service-interface . . . . 601
service-set . . . . 602
services . . . . 604
    services (Hierarchy) . . . . 604
    services (System Logging) . . . . 605
stateful-firewall-rules . . . . 606
syslog . . . . 606
tcp-mss . . . . 607
traceoptions . . . . 608
trusted-ca . . . . 609
tunnel-mtu . . . . 610

Chapter 28

Service Interface Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . 611


Services Interface Naming Overview . . . . 613
Configuring the Address and Domain for Services Interfaces . . . . 614
Configuring Default Timeout Settings for Services Interfaces . . . . 614
Configuring System Logging for Services Interfaces . . . . 616
Enabling Fragmentation on GRE Tunnels . . . . 617
Applying Filters and Services to Interfaces . . . . 618
Configuring Service Filters . . . . 619
Configuring AS or Multiservices PIC Redundancy . . . . 620
Examples: Configuring Services Interfaces . . . . 623

Chapter 29

Summary of Service Interface Configuration Statements . . . . . . . . . . . . . 625


address . . . . 625
cgn-pic . . . . 626
clear-dont-fragment-bit . . . . 626
dial-options . . . . 627
facility-override . . . . 628
family . . . . 629
host . . . . 630
inactivity-timeout . . . . 630
input . . . . 631
interfaces . . . . 631
log-prefix . . . . 632
maximum . . . . 632


open-timeout . . . . 632
output . . . . 633
post-service-filter . . . . 633
primary . . . . 634
rate . . . . 634
redundancy-options . . . . 635
secondary . . . . 635
service . . . . 636
service-domain . . . . 636
service-filter . . . . 637
service-set . . . . 637
services . . . . 638
services-options . . . . 639
session-limit . . . . 640
syslog . . . . 640
tcp-tickles . . . . 641
unit . . . . 642

Chapter 30 PGCP Configuration Guidelines for the BGF Feature . . . 643

Chapter 31 Summary of PGCP Configuration Statements . . . 649

administrative . . . 650
  administrative (Control Association) . . . 650
  administrative (Virtual Interface) . . . 651
algorithm . . . 652
application-data-inactivity-detection . . . 652
audit-observed-events-returns . . . 653
base-root . . . 654
bgf-core . . . 655
cancel-graceful . . . 657
  cancel-graceful (Control Association) . . . 657
  cancel-graceful (Virtual Interface) . . . 658
cleanup-timeout . . . 658
context-indications . . . 659
control-association-indications . . . 660
controller-address . . . 661
controller-failure . . . 661
controller-port . . . 662
data-inactivity-detection . . . 662
default . . . 663
delivery-function . . . 664
destination-address . . . 664
destination-port . . . 665
detect . . . 665
diffserv . . . 666
disable-session-mirroring . . . 666
disconnect . . . 667
down . . . 668
dscp . . . 669
encoding . . . 669


event-timestamp-notification . . . 670
failover-cold . . . 670
failover-warm . . . 671
failure . . . 672
fast-update-filters . . . 673
file . . . 674
flag . . . 675
gateway . . . 676
gateway-address . . . 680
gateway-controller . . . 681
gateway-port . . . 682
graceful . . . 683
  graceful (Control Association) . . . 683
  graceful (Virtual Interface) . . . 684
graceful-restart . . . 684
h248-options . . . 685
h248-profile . . . 687
h248-properties . . . 688
h248-stack . . . 691
h248-timers . . . 692
hanging-termination-detection . . . 692
inactivity-delay . . . 693
inactivity-duration . . . 693
inactivity-timeout . . . 694
inactivity-timer . . . 695
initial-average-ack-delay . . . 695
interim-ah-scheme . . . 696
ip-flow-stop-detection . . . 696
ipsec-transport-security-association . . . 697
latch-deadlock-delay . . . 697
max-burst-size . . . 698
  max-burst-size (All Streams) . . . 698
  max-burst-size (RTCP Streams) . . . 699
max-concurrent-calls . . . 700
maximum-fuf-percentage . . . 701
maximum-inactivity-time . . . 702
maximum-net-propagation-delay . . . 703
maximum-synchronization-mismatches . . . 703
maximum-terms . . . 704
maximum-waiting-delay . . . 704
media . . . 705
mg-maximum-pdu-size . . . 706
mg-originated-pending-limit . . . 707
mg-provisional-response-timer-value . . . 708
mg-segmentation-timer . . . 709
mgc-maximum-pdu-size . . . 710
mgc-originated-pending-limit . . . 711
mgc-provisional-response-timer-value . . . 712
mgc-segmentation-timer . . . 713


monitor . . . 714
network-operator-id . . . 714
no-dscp-bit-mirroring . . . 715
no-rtcp-check . . . 715
normal-mg-execution-time . . . 716
normal-mgc-execution-time . . . 717
notification-behavior . . . 718
notification-rate-limit . . . 718
notification-regulation . . . 719
overload-control . . . 719
peak-data-rate . . . 720
  peak-data-rate (All Streams) . . . 720
  peak-data-rate (RTCP) . . . 721
platform . . . 722
profile-name . . . 723
profile-version . . . 723
queue-limit-percentage . . . 724
reconnect . . . 725
reject-all-commands-threshold . . . 725
reject-new-calls-threshold . . . 726
report-service-change . . . 726
request-timestamp . . . 727
routing-instance . . . 727
rtcp . . . 728
rtp . . . 728
rule . . . 729
rule-set . . . 729
sbc-utils . . . 730
segmentation . . . 731
send-notification-on-delay . . . 732
service-change . . . 733
service-change-type . . . 734
service-interface . . . 734
service-state . . . 735
  service-state (Virtual BGF) . . . 735
  service-state (Virtual Interface) . . . 736
services . . . 736
session-mirroring . . . 737
source-address . . . 737
source-port . . . 738
state-loss . . . 739
stop-detection-on-drop . . . 739
sustained-data-rate . . . 740
  sustained-data-rate (All Streams) . . . 740
  sustained-data-rate (RTCP Streams) . . . 741
timerx . . . 742
tmax-retransmission-delay . . . 742
traceoptions . . . 743
traffic-management . . . 744


up . . . 745
use-lower-case . . . 745
use-wildcard-response . . . 746
virtual-interface . . . 747
virtual-interface-down . . . 748
virtual-interface-indications . . . 749
virtual-interface-up . . . 749
warm . . . 750

Chapter 32 Service Interface Pools Configuration Guidelines . . . 751

Configuring Service Interface Pools . . . 751

Chapter 33 Summary of Service Interface Pools Statements . . . 753

interface . . . 753
pool . . . 754
service-interface-pools . . . 754

Chapter 34 Border Signaling Gateway Configuration Guidelines . . . 755

Chapter 35 Summary of Border Signaling Gateway Configuration Statements . . . 761

actions . . . 762
accelerations . . . 763
admission-control . . . 764
  admission-control (Border Signaling Gateway) . . . 764
  admission-control (New Transaction Policy) . . . 765
availability-check-profiles . . . 766
blacklist-period . . . 767
clusters . . . 768
committed-burst-size . . . 769
committed-information-rate . . . 770
data-inactivity-detection . . . 770
datastore . . . 771
default-media-realm . . . 772
dialogs . . . 773
dscp . . . 774
egress-service-point . . . 775
embedded-spdf . . . 776
file . . . 777
flag . . . 778
forward-manipulation . . . 779
framework . . . 780
from . . . 782
  from (New Call Usage Policy) . . . 783
  from (New Transaction Policy) . . . 784
  from (Service Class) . . . 786
gateway . . . 787
inactivity-duration . . . 792
manipulation-rule . . . 793
media-policy . . . 794
media-type . . . 795
message-manipulation . . . 796


maximum-records-in-cache . . . 797
maximum-time-in-cache . . . 797
message-manipulation-rules . . . 798
minimum . . . 799
name-resolution-cache . . . 800
new-call-usage-input-policies . . . 800
new-call-usage-output-policies . . . 801
new-call-usage-policy . . . 802
new-call-usage-policy-set . . . 803
new-transaction-input-policies . . . 803
new-transaction-output-policies . . . 804
new-transaction-policy . . . 805
new-transaction-policy-set . . . 807
next-hop . . . 808
on-3xx-response . . . 809
request-uri . . . 810
reverse-manipulation . . . 811
route . . . 812
routing-destinations . . . 813
sbc-utils . . . 814
servers . . . 815
service-class . . . 816
service-interface . . . 817
  service-interface (Gateway) . . . 817
  service-interface (Service Point) . . . 817
service-point . . . 818
service-point-type . . . 819
service-policies . . . 819
services . . . 820
session-trace . . . 821
signaling . . . 822
signaling-realms . . . 823
sip . . . 824
sip-header . . . 827
sip-stack . . . 829
term . . . 831
  term (New Call Usage Policy) . . . 831
  term (New Transaction Policy) . . . 832
  term (Service Class) . . . 833
then . . . 834
  then (New Call Usage Policy) . . . 834
  then (New Transaction Policy) . . . 835
  then (Service Class) . . . 836
timer-c . . . 837
timers . . . 837
traceoptions . . . 838
transactions . . . 839
transport-details . . . 840


Chapter 36 PTSP Configuration Guidelines . . . 841

Chapter 37 Summary of PTSP Configuration Statements . . . 843

application-group-any . . . 843
application-groups . . . 843
applications . . . 844
count-type . . . 844
demux . . . 845
forward-rule (Configuring) . . . 846
forward-rule (Including in Rule) . . . 847
from (Forward Rule) . . . 847
from (Rule) . . . 848
local-address . . . 849
local-address-range . . . 850
local-port-range . . . 850
local-ports . . . 851
local-prefix-list . . . 851
match-direction . . . 852
protocol . . . 852
remote-address . . . 853
remote-address-range . . . 854
remote-port-range . . . 854
remote-ports . . . 855
remote-prefix-list . . . 855
rule (Configuring) . . . 856
rule (Including in Rule Set) . . . 857
rule-set . . . 857
services . . . 858
term (Forward Rule) . . . 859
term (Rule) . . . 860
then (Forward Rule) . . . 861
then (Rule) . . . 862

Chapter 38 Softwire Configuration Guidelines . . . 865

Configuring a DS-Lite Softwire Concentrator . . . 866
Configuring a 6rd Softwire Concentrator . . . 866
Configuring Softwire Rules . . . 867
Configuring Stateful Firewall Rules for 6rd Softwire . . . 867
Configuring IPv6 Multicast Interfaces . . . 868
Configuring Service Sets for Softwire . . . 868
Examples: Softwire Configuration . . . 869
  Example: Basic DS-Lite Configuration . . . 869
  Example: Basic 6rd Configuration . . . 874
  Example: Configuring DS-Lite and 6rd in the Same Service Set . . . 877

Chapter 39

Summary of Softwire Configuration Statements . . . . . . . . . . . . . . . . . . . . 883


ds-lite . . . 884
rule (Softwire) . . . 885
rule-set (Softwire) . . . 885
softwire-concentrator . . . 886

xxviii

Copyright 2011, Juniper Networks, Inc.

Table of Contents

softwire-rules . . . 886
term (Softwire Rule) . . . 887
v6rd . . . 888
ipv6-multicast-interfaces (Softwire) . . . 889

Part 3 Dynamic Application Awareness for Junos OS

Chapter 40

Dynamic Application Awareness for Junos OS Overview . . . 893
IDP Overview . . . 894
APPID Overview . . . 895
AACL Overview . . . 896
L-PDF Overview . . . 896
Configuring Multiple IDP Detectors . . . 897
Best-Effort Application Identification of DPI-Serviced Flows . . . 897
Features that Support Application-Level Filtering . . . 897
Best-Effort Application Determination . . . 898
APPID, AACL, and L-PDF Processing in Preconvergence Scenarios . . . 898
Prior to a Final or Best-Effort Application Identification . . . 898
Upon Best-Effort Application Identification . . . 899
While Application Identification Is on a Best-Effort Basis . . . 899
If a Flow Ends Before an Application Identification Is Made . . . 899
If a Flow Ends While Application Identification on a Best-Effort Basis . . . 899

Chapter 41

Application Identification Configuration Guidelines . . . . . . . . . . . . . . . . . . 901


Defining an Application Identification . . . 903
Configuring APPID Rules . . . 904
Using Stateful Firewall Rules to Identify Data Sessions . . . 906
Configuring Application Profiles . . . 908
Configuring Application Groups . . . 908
Application Identification for Nested Applications . . . 909
Disabling Application Identification for Nested Applications . . . 910
Configuring Global APPID Properties . . . 911
Configuring Automatic Download of Application Package Updates . . . 912
Configuring APPID Support for Heuristics . . . 912
Configuring APPID Support for Unidirectional Traffic . . . 913
Tracing APPID Operations . . . 913
Configuring the APPID Log Filename . . . 914
Configuring the Number and Size of APPID Log Files . . . 914
Configuring Access to the Log File . . . 915
Configuring a Regular Expression for Lines to Be Logged . . . 915
Configuring the Tracing Flags . . . 915
Examples: Configuring Application Identification Properties . . . 915

Chapter 42

Summary of Application Identification Configuration Statements . . . . . . 919


address . . . 920
application . . . 921
application (Defining) . . . 921
application (Including in Rule) . . . 922
application-group . . . 922


Junos 11.4 Services Interfaces Configuration Guide

application-groups . . . 923
application-system-cache-timeout . . . 923
applications . . . 924
automatic . . . 924
chain-order . . . 925
context . . . 925
destination . . . 926
direction . . . 926
disable . . . 927
disable (APPID Application) . . . 927
disable (APPID Application Group) . . . 927
disable (APPID Port Mapping) . . . 928
disable-global-timeout-override . . . 928
download . . . 929
enable-heuristics . . . 929
enable-asymmetic-traffic-processing . . . 930
enable-heuristics . . . 930
idle-timeout . . . 931
ignore-errors . . . 931
inactivity-non-tcp-timeout . . . 932
inactivity-tcp-timeout . . . 932
index (Nested Applications) . . . 933
index . . . 933
ip . . . 934
max-checked-bytes . . . 934
maximum-transactions . . . 935
member . . . 935
min-checked-bytes . . . 936
nested-application . . . 937
nested-application-settings . . . 938
no-application-identification . . . 938
no-application-system-cache . . . 939
no-clear-application-system-cache . . . 939
no-nested-application . . . 940
no-protocol-method . . . 940
no-signature-based . . . 941
order . . . 941
pattern . . . 942
port-mapping . . . 942
port-range . . . 943
profile . . . 943
protocol . . . 944
rule . . . 945
rule (Configuring) . . . 945
rule (Including in Rule Set) . . . 946
rule-set . . . 946
services . . . 947


session-timeout . . . 948
session-timeout (Interfaces) . . . 948
session-timeout (Application Identification) . . . 948
signature . . . 949
source . . . 950
support-uni-directional-traffic . . . 950
traceoptions . . . 951
type . . . 952
type-of-service . . . 952
url . . . 953

Chapter 43

Application-Aware Access List Configuration Guidelines . . . . . . . . . . . . . 955


Configuring AACL Rules . . . 956
Configuring Match Direction for AACL Rules . . . 956
Configuring Match Conditions in AACL Rules . . . 957
Configuring Actions in AACL Rules . . . 958
Configuring AACL Rule Sets . . . 959
Configuring Logging of AACL Flows . . . 960
Example: Configuring AACL Rules . . . 960

Chapter 44

Summary of AACL Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . 963


applications . . . 963
application-groups . . . 964
application-group-any . . . 964
destination-address . . . 965
destination-address-range . . . 965
destination-prefix-list . . . 966
from . . . 966
match-direction . . . 967
rule . . . 968
rule-set . . . 969
services . . . 969
source-address . . . 970
source-address-range . . . 970
source-prefix-list . . . 971
term . . . 972
then . . . 973

Chapter 45

Local Policy Decision Function Configuration Guidelines . . . . . . . . . . . . . . 975


Configuring Statistics Profiles . . . 975
Configuring an L-PDF Statistics Profile . . . 976
Configuring an AACL Statistics Profile . . . 977
Applying L-PDF Profiles to Service Sets . . . 978
Tracing L-PDF Operations . . . 979

Chapter 46

Summary of L-PDF Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . 981


aacl-fields . . . 982
aacl-statistics-profile . . . 983
application-aware-access-list-fields . . . 984
file . . . 985


local-policy-decision-function . . . 986
policy-decision-statistics-profile . . . 987
statistics . . . 988
traceoptions . . . 989

Part 4 Encryption Services

Chapter 47

Encryption Overview . . . 993

Encryption Overview . . . 993

Chapter 48

Encryption Interfaces Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . 995


Configuring Encryption Interfaces . . . 995
Specifying the Security Association Name for Encryption Interfaces . . . 996
Configuring the MTU for Encryption Interfaces . . . 996
Example: Configuring an Encryption Interface . . . 996
Configuring Filters for Traffic Transiting the ES PIC . . . 997
Traffic Overview . . . 997
Configuring the Security Association . . . 998
Configuring an Outbound Traffic Filter . . . 999
Example: Configuring an Outbound Traffic Filter . . . 999
Applying the Outbound Traffic Filter . . . 1000
Example: Applying the Outbound Traffic Filter . . . 1000
Configuring an Inbound Traffic Filter . . . 1000
Example: Configuring an Inbound Traffic Filter . . . 1001
Applying the Inbound Traffic Filter to the Encryption Interface . . . 1001
Example: Applying the Inbound Traffic Filter to the Encryption Interface . . . 1001
Configuring an ES Tunnel Interface for a Layer 3 VPN . . . 1002
Configuring ES PIC Redundancy . . . 1002
Example: Configuring ES PIC Redundancy . . . 1003
Configuring IPsec Tunnel Redundancy . . . 1003

Chapter 49

Summary of Encryption Configuration Statements . . . . . . . . . . . . . . . . . 1005


address . . . 1005
backup-destination . . . 1005
backup-interface . . . 1006
destination . . . 1006
es-options . . . 1007
family . . . 1008
filter . . . 1009
interfaces . . . 1009
ipsec-sa . . . 1010
source . . . 1010
tunnel . . . 1011
unit . . . 1012


Part 5 Flow Monitoring and Discard Accounting Services

Chapter 50

Flow Monitoring and Discard Accounting Overview . . . 1015
Passive Flow Monitoring Overview . . . 1015
Active Flow Monitoring Overview . . . 1016

Chapter 51

Flow Monitoring and Discard Accounting Configuration Guidelines . . . . 1019


Configuring Traffic Sampling . . . 1024
Minimum Configuration for Traffic Sampling . . . 1024
Configuring Traffic Sampling . . . 1025
Disabling Traffic Sampling . . . 1026
Sampling Once . . . 1027
Configuring Traffic Sampling Output . . . 1027
Traffic Sampling Output Format . . . 1028
Tracing Traffic Sampling Operations . . . 1029
Traffic Sampling Examples . . . 1029
Example: Sampling a Single SONET/SDH Interface . . . 1029
Example: Sampling All Traffic from a Single IP Address . . . 1030
Example: Sampling All FTP Traffic . . . 1031
Configuring Flow Monitoring . . . 1032
Configuring Flow-Monitoring Interfaces . . . 1032
Configuring Flow-Monitoring Properties . . . 1034
Directing Traffic to Flow-Monitoring Interfaces . . . 1034
Exporting Flows . . . 1035
Configuring Time Periods when Flow Monitoring is Active and Inactive . . . 1035
Example: Configuring Flow Monitoring . . . 1036
Example: Configuring Active Monitoring on Logical Systems . . . 1037
Enabling Flow Aggregation . . . 1039
Configuring Flow Aggregation to Use Version 5 or Version 8 cflowd . . . 1040
Configuring Flow Aggregation to Use Version 9 Flow Templates . . . 1043
Configuring the Traffic to Be Sampled . . . 1044
Configuring the Version 9 Template Properties . . . 1044
Restrictions . . . 1045
Fields Included in Each Template Type . . . 1046
MPLS Sampling Behavior . . . 1047
Verification . . . 1048
Examples: Configuring Version 9 Flow Templates . . . 1048
Configuring Sampling Instances . . . 1051
Configuring Inline Flow Monitoring . . . 1053
Configuring Inline Flow Monitoring on MX80 Routers . . . 1055
Directing Replicated Flows to Multiple Flow Servers . . . 1056
Directing Replicated Routing Engine-Based Sampling Flows to Multiple Servers . . . 1057
Directing Replicated Version 9 Flow Aggregates to Multiple Servers . . . 1058
Logging cflowd Flows Before Export . . . 1059
Configuring Port Mirroring . . . 1059
Configuring Tunnels . . . 1061
Port Mirroring with Next-Hop Groups . . . 1062
Configuring Inline Port Mirroring . . . 1063


Filter-Based Forwarding with Multiple Monitoring Interfaces . . . 1064
Restrictions . . . 1064
Configuring Port Mirroring on Services Interfaces . . . 1065
Examples: Configuring Port Mirroring . . . 1066
Load Balancing Among Multiple Monitoring Interfaces . . . 1073
Configuring Discard Accounting . . . 1076
Enabling Passive Flow Monitoring . . . 1077
Passive Flow Monitoring for MPLS Encapsulated Packets . . . 1079
Removing MPLS Labels from Incoming Packets . . . 1079
Example: Enabling IPv4 Passive Flow Monitoring . . . 1081
Example: Enabling IPv6 Passive Flow Monitoring . . . 1083
Configuring Services Interface Redundancy with Flow Monitoring . . . 1084

Chapter 52

Summary of Flow-Monitoring Configuration Statements . . . . . . . . . . . . . 1087


accounting . . . 1088
address . . . 1089
aggregate-export-interval . . . 1089
aggregation . . . 1090
autonomous-system-type . . . 1091
cflowd . . . 1092
cflowd (Discard Accounting) . . . 1092
cflowd (Flow Monitoring) . . . 1093
core-dump . . . 1093
destination . . . 1094
disable . . . 1094
disable-all-instances . . . 1095
engine-id . . . 1095
engine-type . . . 1096
extension-service . . . 1097
export-format . . . 1098
family . . . 1099
family (Interfaces) . . . 1099
family (Monitoring) . . . 1100
family (Port Mirroring) . . . 1101
family (Sampling) . . . 1102
file . . . 1104
file (Sampling) . . . 1104
file (Trace Options) . . . 1104
filename . . . 1105
files . . . 1105
filter . . . 1106
flow-active-timeout . . . 1107
flow-export-rate . . . 1108
flow-control-options . . . 1108
flow-export-destination . . . 1109
flow-inactive-timeout . . . 1110
flow-monitoring . . . 1111
flow-server . . . 1112
forwarding-options . . . 1113


inline-jflow . . . 1113
input . . . 1114
input (Port Mirroring) . . . 1114
input (Sampling) . . . 1114
input-interface-index . . . 1115
instance . . . 1116
instance (Port Mirroring) . . . 1116
instance (Sampling) . . . 1117
interface . . . 1119
interface (Accounting or Sampling) . . . 1119
interface (Monitoring) . . . 1120
interface (Port Mirroring) . . . 1120
interfaces . . . 1121
ipv4-template . . . 1121
ipv6-template . . . 1121
label-position . . . 1122
local-dump . . . 1122
match . . . 1123
maximum-packet-length . . . 1123
max-packets-per-second . . . 1124
monitoring . . . 1125
mpls-ipv4-template . . . 1126
mpls-template . . . 1126
multiservice-options . . . 1127
next-hop . . . 1127
next-hop-group . . . 1128
next-hop-group (Forwarding Options) . . . 1128
next-hop-group (Port Mirroring) . . . 1129
no-core-dump . . . 1129
no-filter-check . . . 1129
no-local-dump . . . 1129
no-remote-trace (Trace Options) . . . 1130
no-stamp . . . 1130
no-syslog . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130 no-world-readable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130 option-refresh-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131 output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132 output (Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132 output (Monitoring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133 output (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133 output (Sampling) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134 output-interface-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135 passive-monitor-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136 pop-all-labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1137 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1138 port-mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139 rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1140 receive-options-packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1140 receive-ttl-exceeded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141

Copyright 2011, Juniper Networks, Inc.

xxxv

Junos 11.4 Services Interfaces Configuration Guide

required-depth . . . 1141
run-length . . . 1142
sample-once . . . 1142
sampling . . . 1143
    sampling (Forwarding Options) . . . 1144
    sampling (Interfaces) . . . 1146
services . . . 1146
size . . . 1147
source-address . . . 1148
stamp . . . 1148
syslog . . . 1149
template . . . 1150
    template (Forwarding Options) . . . 1150
    template (Services) . . . 1151
template-refresh-rate . . . 1152
traceoptions . . . 1152
unit . . . 1153
version . . . 1154
version9 . . . 1155
    version9 (Forwarding Options) . . . 1155
    version9 (Services) . . . 1156
version-ipfix . . . 1157
    version-ipfix (Forwarding Options) . . . 1157
    version-ipfix (Services) . . . 1158
world-readable . . . 1158

Chapter 53  Flow Collection Configuration Guidelines . . . 1159


Configuring Flow Collection . . . 1161
    Configuring Destination FTP Servers for Flow Records . . . 1161
    Configuring a Packet Analyzer . . . 1161
    Configuring File Formats . . . 1162
    Configuring Interface Mappings . . . 1162
    Configuring Transfer Logs . . . 1163
    Configuring Retry Attempts . . . 1163
Sending cflowd Records to Flow Collector Interfaces . . . 1164
Configuring Flow Collection Mode and Interfaces on Services PICs . . . 1164
Example: Configuring Flow Collection . . . 1164

Chapter 54  Summary of Flow Collection Configuration Statements . . . 1171


analyzer-address . . . 1171
analyzer-id . . . 1172
archive-sites . . . 1172
collector . . . 1173
data-format . . . 1173
destinations . . . 1174
filename-prefix . . . 1174
file-specification . . . 1175
    file-specification (File Format) . . . 1175
    file-specification (Interface Mapping) . . . 1175


flow-collector . . . 1176
ftp . . . 1178
    ftp (Flow Collector Files) . . . 1179
    ftp (Transfer Log Files) . . . 1180
interface-map . . . 1180
maximum-age . . . 1181
name-format . . . 1182
password . . . 1184
    password (Flow Collector File Servers) . . . 1184
    password (Transfer Log File Servers) . . . 1184
retry . . . 1185
retry-delay . . . 1185
transfer . . . 1186
transfer-log-archive . . . 1186
username . . . 1187
variant . . . 1187

Chapter 55  Dynamic Flow Capture Configuration Guidelines . . . 1189


Dynamic Flow Capture Architecture . . . 1189
    Liberal Sequence Windowing . . . 1190
    Intercepting IPv6 Flows . . . 1190
Configuring Dynamic Flow Capture . . . 1191
    Configuring the Capture Group . . . 1192
    Configuring the Content Destination . . . 1192
    Configuring the Control Source . . . 1193
    Configuring the DFC PIC Interface . . . 1194
    Configuring System Logging . . . 1195
    Configuring Thresholds . . . 1196
    Limiting the Number of Duplicates of a Packet . . . 1196
Example: Configuring Dynamic Flow Capture . . . 1197

Chapter 56  Flow-Tap Configuration Guidelines . . . 1201


Flow-Tap Architecture . . . 1202
Configuring the Flow-Tap Service . . . 1203
    Configuring the Flow-Tap Interface . . . 1203
    Strengthening Flow-Tap Security . . . 1204
    Restrictions on Flow-Tap Services . . . 1205
Configuring FlowTapLite . . . 1205
Examples: Configuring Flow-Tap Services . . . 1207

Chapter 57  Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements . . . 1209


address . . . 1209
allowed-destinations . . . 1210
capture-group . . . 1211
content-destination . . . 1212
control-source . . . 1213
duplicates-dropped-periodicity . . . 1213
dynamic-flow-capture . . . 1214
flow-tap . . . 1215


g-duplicates-dropped-periodicity . . . 1216
g-max-duplicates . . . 1217
hard-limit . . . 1217
hard-limit-target . . . 1218
input-packet-rate-threshold . . . 1218
interface . . . 1219
interfaces . . . 1219
max-duplicates . . . 1220
minimum-priority . . . 1220
no-syslog . . . 1221
notification-targets . . . 1221
pic-memory-threshold . . . 1222
service-port . . . 1222
services . . . 1223
shared-key . . . 1223
soft-limit . . . 1224
soft-limit-clear . . . 1224
source-addresses . . . 1225
ttl . . . 1225

Part 6  Link and Multilink Services

Chapter 58  Link and Multilink Services Overview . . . 1229

Link and Multilink Services Overview . . . 1229

Chapter 59  Link and Multilink Services Configuration Guidelines . . . 1233


Multilink and Link Services PICs Overview . . . 1234
Configuring the Number of Bundles on Link Services PICs . . . 1235
Configuring the Links in a Multilink or Link Services Bundle . . . 1236
Multilink and Link Services Logical Interface Configuration Overview . . . 1237
    Default Settings for Multilink and Link Services Logical Interfaces . . . 1238
Configuring Encapsulation for Multilink and Link Services Logical Interfaces . . . 1239
Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces . . . 1240
Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces . . . 1241
Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces . . . 1242
Configuring MRRU on Multilink and Link Services Logical Interfaces . . . 1242
Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces . . . 1243
Configuring DLCIs on Link Services Logical Interfaces . . . 1244
    Configuring Point-to-Point DLCIs for MLFR FRF.16 and MLPPP Bundles . . . 1244
    Configuring Multicast-Capable DLCIs for MLFR FRF.16 Bundles . . . 1244
Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces . . . 1245
    Configuring LFI with DLCI Scheduling . . . 1246
        Example: Configuring LFI with DLCI Scheduling . . . 1246


Configuring Link Services Physical Interfaces . . . 1248
    Default Settings for Link Services Interfaces . . . 1248
    Configuring Encapsulation for Link Services Physical Interfaces . . . 1249
    Configuring Acknowledgment Timers on Link Services Physical Interfaces . . . 1249
    Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 . . . 1250
    Configuring Keepalives on Link Services Physical Interfaces . . . 1251
Configuring CoS on Link Services Interfaces . . . 1252
    CoS for Link Services Interfaces on M Series and T Series Routers . . . 1252
    Example: Configuring CoS on Link Services Interfaces . . . 1253
Examples: Configuring Multilink Interfaces . . . 1257
    Example: Configuring a Multilink Interface with MLPPP . . . 1257
    Example: Configuring a Multilink Interface with MLPPP over ATM 2 Interfaces . . . 1258
    Example: Configuring a Multilink Interface with MLFR FRF.15 . . . 1259
Examples: Configuring Link Interfaces . . . 1260
    Example: Configuring a Link Services Interface with Two Links . . . 1261
    Example: Configuring a Link Services Interface with MLPPP . . . 1262
    Example: Configuring a Link Services Interface with MLFR FRF.15 . . . 1263
    Example: Configuring a Link Services PIC with MLFR FRF.16 . . . 1263
    Example: Configuring Link and Voice Services Interfaces with a Combination of Bundle Types . . . 1264

Chapter 60  Summary of Multilink and Link Services Configuration Statements . . . 1271


acknowledge-retries . . . 1271
acknowledge-timer . . . 1272
action-red-differential-delay . . . 1273
address . . . 1274
bundle . . . 1274
destination . . . 1275
disable-mlppp-inner-ppp-pfc . . . 1275
dlci . . . 1276
drop-timeout . . . 1277
encapsulation . . . 1278
    encapsulation (Logical Interface) . . . 1278
    encapsulation (Physical Interface) . . . 1279
family . . . 1280
fragment-threshold . . . 1281
hello-timer . . . 1282
interfaces . . . 1282
interleave-fragments . . . 1283
lmi-type . . . 1283
minimum-links . . . 1284
mlfr-uni-nni-bundle-options . . . 1285
mrru . . . 1286
mtu . . . 1287
multicast-dlci . . . 1287
n391 . . . 1288


n392 . . . 1288
n393 . . . 1289
red-differential-delay . . . 1289
short-sequence . . . 1290
t391 . . . 1290
t392 . . . 1291
unit . . . 1292
yellow-differential-delay . . . 1293

Part 7  Real-Time Performance Monitoring Services

Chapter 61  Real-Time Performance Monitoring Services Overview . . . 1297

Real-Time Performance Monitoring Services Overview . . . 1297

Chapter 62  Real-Time Performance Monitoring Configuration Guidelines . . . 1299


Configuring BGP Neighbor Discovery Through RPM . . . 1300
Configuring Real-Time Performance Monitoring . . . 1302
    Configuring RPM Probes . . . 1303
    Configuring RPM Receiver Servers . . . 1307
    Limiting the Number of Concurrent RPM Probes . . . 1307
    Configuring RPM Timestamping . . . 1307
    Configuring TWAMP . . . 1310
        Configuring TWAMP Interfaces . . . 1311
        Configuring TWAMP Servers . . . 1311
Enabling RPM for the Services SDK . . . 1312
Examples: Configuring BGP Neighbor Discovery Through RPM . . . 1313
Examples: Configuring Real-Time Performance Monitoring . . . 1314

Chapter 63  Summary of Real-Time Performance Monitoring Configuration Statements . . . 1319


authentication-mode . . . 1319
bgp . . . 1320
client-list . . . 1321
data-fill . . . 1321
data-size . . . 1322
destination-interface . . . 1323
destination-port . . . 1324
dscp-code-point . . . 1325
hardware-timestamp . . . 1326
history-size . . . 1326
inactivity-timeout . . . 1327
logical-system . . . 1327
max-connection-duration . . . 1328
maximum-connections . . . 1328
maximum-connections-per-client . . . 1329
maximum-sessions . . . 1329
maximum-sessions-per-connection . . . 1330
moving-average-size . . . 1330


one-way-hardware-timestamp . . . 1331
port . . . 1332
    port (RPM) . . . 1332
    port (TWAMP) . . . 1332
probe . . . 1333
probe-count . . . 1334
probe-interval . . . 1334
probe-limit . . . 1335
probe-server . . . 1335
probe-type . . . 1336
routing-instance . . . 1337
routing-instances . . . 1337
rpm . . . 1338
server . . . 1339
server-inactivity-timeout . . . 1339
services . . . 1340
source-address . . . 1340
target . . . 1341
tcp . . . 1341
test . . . 1342
test-interval . . . 1343
thresholds . . . 1344
traps . . . 1345
twamp . . . 1346
twamp-server . . . 1346
udp . . . 1347

Part 8 Tunnel Services

Chapter 64 Tunnel Services Overview . . . 1351
Tunnel Services Overview . . . 1351
GRE Keepalive Time Overview . . . 1353

Chapter 65 Tunnel Interfaces Configuration Guidelines . . . 1355
Configuring Unicast Tunnels . . . 1355
Configuring a Key Number on GRE Tunnels . . . 1357
Enabling Fragmentation on GRE Tunnels . . . 1358
Specifying an MTU Setting for the Tunnel . . . 1359
Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header . . . 1359
Configuring Packet Reassembly . . . 1359
Configuring GRE Keepalive Time . . . 1360
Restricting Tunnels to Multicast Traffic . . . 1362
Configuring Logical Tunnel Interfaces . . . 1362
Connecting Logical Systems . . . 1363
Configuring Tunnel Interfaces for Routing Table Lookup . . . 1364
Configuring Virtual Loopback Tunnels for VRF Table Lookup . . . 1364
Configuring PIM Tunnels . . . 1366
Configuring IPv6-over-IPv4 Tunnels . . . 1366
Configuring IPv4-over-IPv6 Tunnels . . . 1367
Configuring Dynamic Tunnels . . . 1367

Copyright 2011, Juniper Networks, Inc.

xli

Junos 11.4 Services Interfaces Configuration Guide

Configuring Tunnel Interfaces on MX Series Routers . . . 1368
Examples: Configuring Unicast Tunnels . . . 1369
Example: Configuring a Virtual Loopback Tunnel for VRF Table Lookup . . . 1370
Example: Configuring an IPv6-over-IPv4 Tunnel . . . 1370
Example: Configuring an IPv4-over-IPv6 Tunnel . . . 1371
Example: Configuring Logical Tunnels . . . 1373
Example: Configuring Keepalive for a GRE Interface . . . 1374

Chapter 66 Summary of Tunnel Services Configuration Statements . . . 1375
allow-fragmentation . . . 1375
backup-destination . . . 1376
copy-tos-to-outer-ip-header . . . 1376
destination . . . 1377
destination (Tunnel Remote End) . . . 1377
destination (Routing Instance) . . . 1377
destination-networks . . . 1378
do-not-fragment . . . 1378
dynamic-tunnels . . . 1379
hold-time . . . 1380
interfaces . . . 1380
keepalive-time . . . 1381
key . . . 1381
multicast-only . . . 1382
peer-unit . . . 1382
reassemble-packets . . . 1383
routing-instance . . . 1383
routing-instances . . . 1384
routing-options . . . 1384
source . . . 1385
source-address . . . 1385
ttl . . . 1386
tunnel . . . 1387
tunnel-type . . . 1388
unit . . . 1389

Part 9 Index
Index . . . 1393
Index of Statements and Commands . . . 1419


List of Figures

Part 2 Adaptive Services
Chapter 3 Adaptive Services Overview . . . 37
Figure 1: Packet Flow Through the Adaptive Services or MultiServices PIC . . . 45
Figure 2: Dynamic NAT Flow . . . 52
Figure 3: Stateful NAT64 Flow . . . 52
Figure 4: DS-Lite Flow . . . 53
Figure 5: 6rd Softwire Flow . . . 56

Chapter 10 Carrier-Grade NAT Configuration Guidelines . . . 149
Figure 6: Configuring DNS ALGs with NAT-PT Network Topology . . . 203
Figure 7: Configuring NAT for Multicast Traffic . . . 219
Figure 8: NAT64 Topology . . . 230

Chapter 16 IPsec Services Configuration Guidelines . . . 323
Figure 9: IPsec Dynamic Endpoint Tunneling Topology . . . 365

Chapter 38 Softwire Configuration Guidelines . . . 865
Figure 10: DS-Lite Topology . . . 870

Part 4 Encryption Services
Chapter 48 Encryption Interfaces Configuration Guidelines . . . 995
Figure 11: Example: IPsec Tunnel Connecting Security Gateways . . . 997
Figure 12: IPsec Tunnel Redundancy . . . 1003

Part 5 Flow Monitoring and Discard Accounting Services
Chapter 50 Flow Monitoring and Discard Accounting Overview . . . 1015
Figure 13: Passive Monitoring Application Topology . . . 1016
Figure 14: Active Monitoring Configuration Topology . . . 1018

Chapter 51 Flow Monitoring and Discard Accounting Configuration Guidelines . . . 1019
Figure 15: Configure Sampling Rate . . . 1026

Chapter 53 Flow Collection Configuration Guidelines . . . 1159
Figure 16: Flow Collector Interface Topology Diagram . . . 1165

Chapter 55 Dynamic Flow Capture Configuration Guidelines . . . 1189
Figure 17: Dynamic Flow Capture Topology . . . 1190

Chapter 56 Flow-Tap Configuration Guidelines . . . 1201
Figure 18: Flow-Tap Topology . . . 1203


Part 6 Link and Multilink Services
Chapter 59 Link and Multilink Services Configuration Guidelines . . . 1233
Figure 19: Multilink Interface Configuration . . . 1236

Part 8 Tunnel Services
Chapter 65 Tunnel Interfaces Configuration Guidelines . . . 1355
Figure 20: IPv6 Tunnel Connecting Two IPv4 Networks Across an IPv6 Network . . . 1371


List of Tables

About This Guide . . . xlvii
Table 1: Notice Icons . . . li
Table 2: Text and Syntax Conventions . . . li

Part 2 Adaptive Services
Chapter 3 Adaptive Services Overview . . . 37
Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform . . . 41
Table 4: Statement Equivalents for ES and AS Interfaces . . . 58

Chapter 4 Applications Configuration Guidelines . . . 71
Table 5: Application Protocols Supported by Services Interfaces . . . 73
Table 6: Network Protocols Supported by Services Interfaces . . . 74
Table 7: ICMP Codes and Types Supported by Services Interfaces . . . 76
Table 8: Port Names Supported by Services Interfaces . . . 77
Table 9: Supported RPC Services . . . 85

Chapter 6 Stateful Firewall Services Configuration Guidelines . . . 113
Table 10: IP Option Values . . . 117

Chapter 13 Summary of Load Balancing Configuration Statements . . . 277
Table 11: Behavior of Member Interface After One Multiservices PIC Fails . . . 283
Table 12: Behavior of Member Interface After Two Multiservices PICs Fail . . . 284

Chapter 16 IPsec Services Configuration Guidelines . . . 323
Table 13: Default IKE and IPsec Proposals for Dynamic Negotiations . . . 358

Chapter 18 Layer 2 Tunneling Protocol Services Configuration Guidelines . . . 413
Table 14: System Log Message Severity Levels . . . 421

Chapter 26 Service Set Configuration Guidelines . . . 567
Table 15: System Log Message Severity Levels . . . 579
Table 16: Adaptive Services Tracing Flags . . . 582

Chapter 28 Service Interface Configuration Guidelines . . . 611
Table 17: System Log Message Severity Levels . . . 616

Part 6 Link and Multilink Services
Chapter 59 Link and Multilink Services Configuration Guidelines . . . 1233
Table 18: Multilink and Link Services PIC Capacities . . . 1235
Table 19: Multilink and Link Services Logical Interface Statements . . . 1238
Table 20: Link Services Physical Interface Statements for MLFR FRF.16 . . . 1248


Table 21: Link Services CoS Queues . . . 1252
Table 22: Link Services Bundle . . . 1261

Part 8 Tunnel Services
Chapter 64 Tunnel Services Overview . . . 1351
Table 23: Tunnel Interface Types . . . 1351

Chapter 65 Tunnel Interfaces Configuration Guidelines . . . 1355
Table 24: Methods for Configuring Egress Filtering . . . 1364


About This Guide

This preface provides the following guidelines for using the Junos OS Services Interfaces Configuration Guide:

Junos Documentation and Release Notes on page xlvii
Objectives on page xlviii
Audience on page xlviii
Supported Platforms on page xlviii
Using the Indexes on page xlix
Using the Examples in This Manual on page xlix
Documentation Conventions on page l
Documentation Feedback on page lii
Requesting Technical Support on page lii

Junos Documentation and Release Notes

For a list of related Junos documentation, see http://www.juniper.net/techpubs/software/junos/.

If the information in the latest release notes differs from the information in the documentation, follow the Junos Release Notes. To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.


Objectives

This guide provides an overview of the services interfaces provided by Junos OS and describes how to configure these properties on the router.

NOTE: For additional information about the Junos OS (either corrections to or information that might have been omitted from this guide), see the software release notes at http://www.juniper.net/.

Audience

This guide is designed for network administrators who are configuring and monitoring a Juniper Networks M Series, MX Series, T Series, EX Series, or J Series router or switch. To use this guide, you need a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration. You must also be familiar with one or more of the following Internet routing protocols:

Border Gateway Protocol (BGP)
Distance Vector Multicast Routing Protocol (DVMRP)
Intermediate System-to-Intermediate System (IS-IS)
Internet Control Message Protocol (ICMP) router discovery
Internet Group Management Protocol (IGMP)
Multiprotocol Label Switching (MPLS)
Open Shortest Path First (OSPF)
Protocol-Independent Multicast (PIM)
Resource Reservation Protocol (RSVP)
Routing Information Protocol (RIP)
Simple Network Management Protocol (SNMP)

Personnel operating the equipment must be trained and competent; must not conduct themselves in a careless, willfully negligent, or hostile manner; and must abide by the instructions provided by the documentation.

Supported Platforms

For the features described in this manual, the Junos OS currently supports the following platforms:

J Series
M Series
MX Series
T Series
EX Series

Using the Indexes

This reference contains two indexes: a complete index that includes topic entries, and an index of statements and commands only. In the index of statements and commands, an entry refers to a statement summary section only. In the complete index, the entry for a configuration statement or command contains at least two parts:

The primary entry refers to the statement summary section.
The secondary entry, usage guidelines, refers to the section in a configuration guidelines chapter that describes how to use the statement or command.

Using the Examples in This Manual


If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration. If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command. If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform. For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform. For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

commit {
    file ex-script-snippet.xsl;
}

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

[edit]
user@host# edit system scripts
[edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete

For more information about the load command, see the Junos OS CLI User Guide.

Documentation Conventions
Table 1 on page li defines notice icons used in this guide.


Table 1: Notice Icons

Icon / Meaning            Description
Informational note        Indicates important features or instructions.
Caution                   Indicates a situation that might result in loss of data or hardware damage.
Warning                   Alerts you to the risk of personal injury or death.
Laser warning             Alerts you to the risk of personal injury from a laser.

Table 2 on page li defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
Examples: A policy term is a named structure that defines match conditions and actions.
    Junos OS System Basics Configuration Guide
    RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples: broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indentation and braces ( { } )
Description: Identify a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (indentation, braces, and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

J-Web GUI Conventions

Convention: Bold text like this
Description: Represents J-Web graphical user interface (GUI) items you click or select.
Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of J-Web selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

Document or topic name
URL or page number
Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

Find CSC offerings: http://www.juniper.net/customers/support/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html


PART 1

Overview

Services Interfaces Overview on page 3
Services Interfaces Configuration Statements on page 5


CHAPTER 1

Services Interfaces Overview


Interfaces used in router networks fall into two categories:

Networking interfaces, such as Ethernet and SONET interfaces, that primarily provide traffic connectivity. For more information on these interfaces, see the Junos OS Network Interfaces Configuration Guide.
Services interfaces that provide specific capabilities for manipulating traffic before it is delivered to its destination.

This chapter includes the following sections:

Services PIC Types on page 3
Supported Platforms on page 4

Services PIC Types


Services interfaces enable you to add services to your network incrementally. The Juniper Networks Junos OS supports the following services PICs:

Adaptive services interfaces (Adaptive Services [AS] PICs and Multiservices PICs): Enable you to perform multiple services on the same PIC by configuring a set of services and applications. The AS and Multiservices PICs offer a special range of services you configure in one or more service sets: stateful firewalls, Network Address Translation (NAT), intrusion detection service (IDS), class-of-service functionality, and IP Security (IPsec). You can also configure voice services and Layer 2 Tunneling Protocol (L2TP) services. For more information about these services, see Adaptive Services Overview on page 37.

NOTE: On Juniper Networks MX Series 3D Universal Edge Routers, the Multiservices DPC provides essentially the same capabilities as the Multiservices PIC. The interfaces on both platforms are configured in the same way.

ES PIC: Provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides functionality such as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. It also defines mechanisms for key generation and exchange, management of security associations, and support for digital certificates. For more information about encryption interfaces, see Configuring Encryption Interfaces on page 995.

Monitoring Services PICs: Enable you to monitor traffic flow and export the monitored traffic. Monitoring traffic allows you to perform the following tasks:

Gather and export detailed information about IPv4 traffic flows between source and destination nodes in your network.
Sample all incoming IPv4 traffic on the monitoring interface and present the data in cflowd record format.
Perform discard accounting on an incoming traffic flow.
Encrypt or tunnel outgoing cflowd records, intercepted IPv4 traffic, or both.
Direct filtered traffic to different packet analyzers and present the data in its original format.

For more information about flow monitoring interfaces, see Flow Monitoring.

Multilink Services and Link Services PICs: Enable you to split, recombine, and sequence datagrams across multiple logical data links. The goal of multilink operation is to coordinate multiple independent links between a fixed pair of systems, providing a virtual link with greater bandwidth than any of the members. The Junos OS supports two services PICs based on the Multilink Protocol: the Multilink Services PIC and the Link Services PIC. For more information about multilink and link services interfaces, see Link and Multilink Properties.

Tunnel Services PIC: By encapsulating arbitrary packets inside a transport protocol, provides a private path through an otherwise public network. Encapsulation alone provides no confidentiality or integrity for the inner packets; where the transport network is untrusted, pair the tunnel with IPsec on an encryption interface. Tunnels connect discontinuous subnetworks and enable encryption interfaces, virtual private networks (VPNs), and MPLS. For more information about tunnel interfaces, see Tunnel Properties.

Supported Platforms
For information about which platforms support Adaptive Services and MultiServices PICs and their features, see Enabling Service Packages on page 39. For information about PIC support on a specific Juniper Networks M Series Multiservice Edge Router or T Series Core Router, see the appropriate PIC Guide for the platform. For information about MS-DPC support on a specific MX Series router, see the appropriate DPC Guide for the platform. For information about services supported on Juniper Networks SRX Series Services Gateways and J Series Services Routers, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.


CHAPTER 2

Services Interfaces Configuration Statements


This chapter shows the complete configuration statement hierarchies for configuring services interfaces. It lists all the statements that pertain to configuring services and shows their level in the configuration hierarchy. When you are configuring the Junos OS, your current hierarchy level is shown in the banner on the line preceding the user@host# prompt. For a complete list of the Junos configuration statements, see the Junos OS Hierarchy and RFC Reference. This chapter is organized as follows:

[edit applications] Hierarchy Level on page 5
[edit forwarding-options] Hierarchy Level on page 6
[edit interfaces] Hierarchy Level on page 8
[edit logical-systems] Hierarchy Level on page 12
[edit services] Hierarchy Level on page 12

[edit applications] Hierarchy Level


To configure application protocols, include the following statements at the [edit applications] hierarchy level of the configuration:
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    learn-sip-register;
    protocol type;
    rpc-program-number number;
    sip-call-hold-timeout seconds;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}
application-set application-set-name {
    application application-name;
}

[edit forwarding-options] Hierarchy Level


To configure flow monitoring and accounting properties, include the following statements at the [edit forwarding-options] hierarchy level:

NOTE: For the complete [edit forwarding-options] hierarchy, see the Junos OS Routing Policy Configuration Guide. This listing includes only the statements used in flow monitoring and accounting services.

accounting name {
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            port port-number;
            version format;
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
}
monitoring name {
    family inet {
        output {
            cflowd hostname port port-number;
            export-format format;
            flow-active-timeout seconds;
            flow-export-destination {
                collector-pic;
            }
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;
                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
}
next-hop-group group-name {
    interface interface-name {
        next-hop address;
    }
}
port-mirroring {
    input {
        rate rate;
        run-length number;
    }
    family (inet | inet6) {
        input {
            rate rate;
            run-length number;
        }
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}
sampling {
    disable;
    family (inet | inet6 | mpls) {
        max-packets-per-second number;
        rate number;
        run-length number;
    }
    input {
        rate number;
        run-length number;
    }
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            version9 {
                template template-name;
            }
            (local-dump | no-local-dump);
            port port-number;
            source-address address;
            version format;
        }
        file {
            disable;
            filename filename;
            files number;
            size bytes;
            (stamp | no-stamp);
            (world-readable | no-world-readable);
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}

[edit interfaces] Hierarchy Level


To configure services interfaces, include the following statements at the [edit interfaces] hierarchy level of the configuration. The statements can also be configured at the [edit logical-systems logical-system-name interfaces] hierarchy level.

NOTE: For the complete [edit interfaces] hierarchy, see the Junos OS Network Interfaces Configuration Guide. This listing includes only the statements used in configuring services.

[edit interfaces]
interface-name {
    (atm-options | fastether-options | gigether-options | sonet-options) {
        mpls {
            pop-all-labels {
                required-depth number;
            }
        }
    }
    encapsulation type;
    lsq-failure-options {
        no-termination-request;
        trigger-link-failure interface-name;
    }
    mlfr-uni-nni-bundle-options {
        acknowledge-retries number;
        acknowledge-timer milliseconds;
        action-red-differential-delay (disable-tx | remove-link);
        drop-timeout milliseconds;
        fragment-threshold bytes;
        cisco-interoperability send-lip-remove-link-for-link-reject;
        hello-timer milliseconds;
        lmi-type (ansi | itu);
        minimum-links number;
        mrru bytes;
        n391 number;
        n392 number;
        n393 number;
        red-differential-delay milliseconds;
        t391 number;
        t392 number;
        yellow-differential-delay milliseconds;
        encapsulation type;
    }
    passive-monitor-mode;
    unit logical-unit-number {
        clear-dont-fragment-bit;
        compression {
            rtp {
                f-max-period number;
                maximum-contexts number <force>;
                port {
                    minimum port-number;
                    maximum port-number;
                }
                queues [ queue-numbers ];
            }
        }
        compression-device interface-name;
        copy-tos-to-outer-ip-header;
        disable-mlppp-inner-ppp-pfc;
        dlci dlci-identifier;
        drop-timeout milliseconds;
        dial-options {
            ipsec-interface-id name;
            l2tp-interface-id name;
            (dedicated | shared);
        }
        encapsulation type;
        family family {
            accounting {
                destination-class-usage;
                source-class-usage direction;
            }
            address address {
                destination address;
            }
            bundle (ml-fpc/pic/port | ls-fpc/pic/port);
            ipsec-sa ipsec-sa;
            multicast-only;
            receive-options-packets;
            receive-ttl-exceeded;
            sampling direction;
            service {
                input {
                    service-set service-set-name <service-filter filter-name>;
                    post-service-filter filter-name;
                }
                output {
                    service-set service-set-names <service-filter filter-name>;
                }
            }
        }
        fragment-threshold bytes;
        interleave-fragments;
        minimum-links number;
        mrru bytes;
        multicast-dlci dlci-identifier;
        peer-unit unit-number;
        reassemble-packets;
        rpm;
        service-domain (inside | outside);
        short-sequence;
        tunnel {
            allow-fragmentation;
            backup-destination address;
            destination destination-address;
            do-not-fragment;
            key number;
            routing-instance {
                destination routing-instance-name;
            }
            source-address address;
            ttl number;
        }
        twamp-server;
    }
    multiservice-options {
        (core-dump | no-core-dump);
        (syslog | no-syslog);
        flow-control-options {
            down-on-flow-control;
            dump-on-flow-control;
            reset-on-flow-control;
        }
    }
    services-options {
        cgn-pic;
        disable-global-timeout-override;
        ignore-errors <alg> <tcp>;
        inactivity-non-tcp-timeout seconds;
        inactivity-tcp-timeout seconds;
        inactivity-timeout seconds;
        open-timeout seconds;
        session-limit {
            maximum number;
            rate new-sessions-per-second;
        }
        session-timeout seconds;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                port port-number;
                services severity-level;
            }
            message-rate-limit messages-per-second;
        }
        tcp-tickles tcp-tickles;
    }
}
rlsqnumber {
    redundancy-options {
        hot-standby | warm-standby;
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
}
rlsqnumber:number {
    redundancy-options {
        hot-standby | warm-standby;
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
    encapsulation multilink-frame-relay-uni-nni;
    unit logical-unit-number {
        encapsulation multilink-frame-relay-end-to-end;
    }
}
rspnumber {
    redundancy-options {
        primary sp-fpc/pic/port;
        secondary sp-fpc/pic/port;
    }
}
so-fpc/pic/port {
    unit logical-unit-number {
        passive-monitor-mode;
    }
}
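The following is an added example, not configuration from this guide, showing how the family inet service input and output statements listed above hand traffic to a service set defined under [edit services] (whose nat and service-set statements are listed later in this chapter). The interface names (sp-1/0/0, ge-0/0/1), the addresses, and the pool, rule and service-set names are assumed values.

```junos
/* Added example: interface-style source NAT service set.
   Interface names, addresses and object names are assumed, not from the guide. */
interfaces {
    sp-1/0/0 {                      /* services PIC; slot assumed */
        unit 0 {
            family inet;            /* unit 0 must exist for an interface-style service set */
        }
    }
    ge-0/0/1 {                      /* inside-facing interface; name assumed */
        unit 0 {
            family inet {
                service {
                    input {
                        service-set nat-out;    /* traffic entering from the inside */
                    }
                    output {
                        service-set nat-out;    /* return traffic leaving to the inside */
                    }
                }
                address 10.0.0.1/24;            /* RFC 1918 address, assumed */
            }
        }
    }
}
services {
    nat {
        pool public-pool {
            address 203.0.113.100/32;           /* RFC 5737 documentation address */
            port automatic;                     /* NAPT: many inside hosts, one public address */
        }
        rule inside-to-internet {
            match-direction input;              /* matches packets arriving on ge-0/0/1.0 */
            term private-hosts {
                from {
                    source-address 10.0.0.0/24;
                }
                then {
                    translated {
                        source-pool public-pool;
                        translation-type {
                            napt-44;
                        }
                    }
                    syslog;                     /* record each translation for attribution */
                }
            }
        }
    }
    service-set nat-out {
        nat-rules inside-to-internet;
        syslog {
            host 192.0.2.10 {                   /* log collector address, assumed */
                services info;
                facility-override local3;
            }
        }
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
```

The syslog action in the rule plus the syslog host under the service set is what makes the translation auditable: without it, a public address and port seen in an abuse report cannot be mapped back to the inside host that used it. Traffic that does not match the rule is passed through untranslated, so a second rule or a stateful-firewall rule set should be attached to the same service set if the intent is to block rather than forward non-matching flows.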


[edit logical-systems] Hierarchy Level


The following lists the statements that can be configured at the [edit logical-systems] hierarchy level that are documented in this manual. For more information about logical systems, see the Junos OS Routing Protocols Configuration Guide.
logical-system-name {
    interfaces interface-name {
        interface-configuration;
    }
}
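The ipsec-vpn, service-set, and service-domain statements listed in this chapter fit together as in the following added example (not configuration from this guide) of a next-hop-style IPsec tunnel. Interface names, addresses, object names and the key are assumed. A legacy IKE proposal is kept beside the one the policy actually selects so that the two can be compared line by line; only the hardened proposal is referenced.

```junos
/* Added example: next-hop-style IPsec VPN. All names, addresses and the
   pre-shared key are assumed placeholders, not values from the guide. */
interfaces {
    sp-1/0/0 {
        unit 1 {
            family inet;
            service-domain inside;      /* cleartext side; route the remote subnet here */
        }
        unit 2 {
            family inet;
            service-domain outside;     /* encrypted side */
        }
    }
}
services {
    ipsec-vpn {
        ike {
            proposal ike-legacy {       /* comparison only: weak choices, not referenced */
                authentication-method pre-shared-keys;
                authentication-algorithm md5;
                dh-group group1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            proposal ike-strong {       /* the proposal the policy uses */
                authentication-method pre-shared-keys;
                authentication-algorithm sha-256;
                dh-group group14;       /* largest group listed for this release */
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 28800;
            }
            policy to-branch {
                mode main;              /* main mode protects peer identities; aggressive does not */
                proposals [ ike-strong ];
                pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET";   /* placeholder */
            }
        }
        ipsec {
            proposal esp-aes256 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy to-branch {
                perfect-forward-secrecy {
                    keys group2;        /* strongest PFS group listed for this release */
                }
                proposals [ esp-aes256 ];
            }
        }
        rule branch-tunnel {
            match-direction input;      /* traffic entering sp-1/0/0.1 from the inside */
            term all {
                from {
                    source-address 10.0.0.0/24;
                    destination-address 10.1.0.0/24;
                }
                then {
                    remote-gateway 198.51.100.2;    /* peer public address, assumed */
                    dynamic {
                        ike-policy to-branch;
                        ipsec-policy to-branch;
                    }
                    anti-replay-window-size 64;
                    initiate-dead-peer-detection;   /* tear down SAs to an unresponsive peer */
                    syslog;
                }
            }
        }
    }
    service-set branch-vpn {
        ipsec-vpn-rules branch-tunnel;
        next-hop-service {
            inside-service-interface sp-1/0/0.1;
            outside-service-interface sp-1/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 203.0.113.1;  /* this router's public address, assumed */
        }
    }
}
```

The example is a service-set fragment only: a static route for 10.1.0.0/24 with next hop sp-1/0/0.1 is still required so that cleartext traffic reaches the inside unit, and the IKE identity of the peer is checked by the pre-shared key, so the placeholder must be replaced by a secret that is long, random and unique to this peer. Leaving the md5 and group1 proposal in a configuration is only useful as a reminder of what not to negotiate; a policy that lists it would let the peer pick it.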

[edit services] Hierarchy Level


To configure services, include the following statements at the [edit services] hierarchy level of the configuration:

NOTE: For the complete [edit services] hierarchy, see the Junos OS Hierarchy and RFC Reference. This listing includes only the statements documented in this manual; additional statements are documented in the Junos OS Subscriber Access Configuration Guide.

aacl {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-group-any;
                application-groups [ application-group-names ];
                applications [ application-names ];
                destination-address address <any-unicast>;
                destination-address-range low minimum-value high maximum-value;
                destination-prefix-list list-name;
                source-address address <any-unicast>;
                source-address-range low minimum-value high maximum-value;
                source-prefix-list list-name;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | none);
                forwarding-class class-name;
                policer policer-name;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
adaptive-services-pics {
    traceoptions {

        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
        no-remote-trace;
    }
}
application-identification {
    application application-name {
        disable;
        enable-heuristics;
        idle-timeout seconds;
        index number;
        session-timeout seconds;
        type type;
        type-of-service service-type;
        port-mapping {
            port-range {
                tcp (port | range);
                udp (port | range);
            }
            disable;
        }
    }
    application-group group-name {
        disable;
        application-groups {
            name [application-group-name];
        }
        applications {
            name [application-name];
        }
        index number;
    }
    application-system-cache-timeout seconds;
    max-checked-bytes bytes;
    min-checked-bytes bytes;
    nested-application nested-application-settings;
    no-application-identification;
    no-application-system-cache;
    no-clear-application-system-cache;
    no-signature-based;
    profile profile-name {
        [ rule-set rule-set-name ];
    }
    rule rule-name {
        disable;
        address address-name {
            destination {
                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            source {

                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            order number;
        }
        application application-name;
    }
    rule-set rule-set-name {
        rule application-rule-name;
    }
    traceoptions {
        file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }
}
border-signaling-gateway {
    gateway gateway-name {
        admission-control admission-control-profile {
            dialogs {
                maximum-concurrent number;
                committed-attempts-rate dialogs-per-second;
                committed-burst-size number-of-dialogs;
            }
            transactions {
                maximum-concurrent number;
                committed-attempts-rate transactions-per-second;
                committed-burst-size number-of-transactions;
            }
        }
        embedded-spdf {
            service-class service-class-name {
                term term-name {
                    from {
                        media-type (any-media | audio | video);
                    }
                    then {
                        committed-burst-size bytes;
                        committed-information-rate bytes-per-second;
                        dscp (alias | do-not-change | dscp-value);
                        reject;
                    }
                }
            }
        }
        service-point service-point-name {
            default-media-realm service-interface interface-name.unit-number;
            service-point-type service-point-type;
            service-policies {
                new-call-usage-input-policies [policy-and-policy-set-names];
                new-call-usage-output-policies [policy-and-policy-set-names];

                new-transaction-input-policies [policy-and-policy-set-names];
                new-transaction-output-policies [policy-and-policy-set-names];
            }
            transport-details <port port-number> <ip-address ip-address> <tcp> <udp>;
        }
        sip {
            message-manipulation-rules {
                manipulation-rule rule-name {
                    actions {
                        sip-header header-field-name {
                            field-value {
                                modify-regular-expression regular-expression with field-value;
                                add field-value;
                                add-missing field-value;
                                add-overwrite field-value;
                                remove-regular-expression regular-expression;
                                remove-all;
                                reject-regular-expression regular-expression;
                            }
                        }
                        request-uri request-uri {
                            field-value {
                                modify-regular-expression regular-expression with field-value;
                            }
                        }
                    }
                }
            }
            new-call-usage-policy policy-name {
                term term-name {
                    from {
                        contact [ contact-fields ];
                        method {
                            method-invite;
                        }
                        request-uri [ uri-fields ];
                        source-address [ ip-addresses ];
                    }
                    then {
                        media-policy {
                            data-inactivity-detection {
                                inactivity-duration seconds;
                            }
                            no-anchoring;
                            service-class service-class-name;
                        }
                        trace;
                    }
                }
            }
            new-call-usage-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            new-transaction-policy policy-name {
                term term-name {
                    from {
                        contact {

                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        method {
                            method-invite;
                            method-message;
                            method-options;
                            method-publish;
                            method-refer;
                            method-register;
                            method-subscribe;
                        }
                        request-uri {
                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        source-address [ ip-addresses ];
                    }
                    then {
                        (accept | reject);
                        admission-control admission-control-profile;
                        message-manipulation {
                            forward-manipulation {
                                manipulation-rule-name;
                            }
                            reverse-manipulation {
                                manipulation-rule-name;
                            }
                        }
                        on-3xx-response {
                            recursion-limit number;
                        }
                        route {
                            egress-service-point service-point-name;
                            next-hop (request-uri | address ipv4-address | <port port-number> <transport-protocol (udp | tcp)>);
                            server-cluster cluster-name;
                        }
                        signaling-realm signaling-realm;
                        trace;
                    }
                }
            }
            new-transaction-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            routing-destinations {
                availability-check-profiles {
                    profile-name;
                    keepalive-interval {
                        available-server seconds;
                        unavailable-server seconds;
                    }

                    keepalive-method sip-options;
                    keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
                    transaction-timeout seconds;
                }
                clusters cluster-name {
                    server server-name {
                        priority priority-level;
                        weight weight-level;
                    }
                }
                default-availability-check-profile profile-name;
            }
            servers {
                server-name {
                    address ip4-address <port port-number> <transport (udp | tcp)>;
                    admission-control profile-name;
                    availability-check-profile profile-name;
                    service-point service-point-name;
                }
            }
            timers {
                inactive-call seconds;
                timer-c seconds;
            }
        }
        traceoptions {
            file {
                filename filename;
                files number;
                match regex;
                size size;
            }
            flag {
                datastore {
                    data trace-level;
                    db trace-level;
                    handle trace-level;
                    minimum trace-level;
                }
                framework {
                    action trace-level;
                    event trace-level;
                    executor trace-level;
                    freezer trace-level;
                    minimum trace-level;
                    memory-pool trace-level;
                }
                minimum trace-level;
                sbc-utils {
                    common trace-level;
                    configuration trace-level;
                    device-monitor trace-level;
                    ipc trace-level;
                    memory-management trace-level;

                    message trace-level;
                    minimum trace-level;
                    user-interface trace-level;
                }
                session-trace trace-level;
                signaling {
                    b2b trace-level;
                    b2b-wrapper trace-level;
                    minimum trace-level;
                    policy trace-level;
                    sip-stack-wrapper trace-level;
                    topology-hiding trace-level;
                    ua trace-level;
                }
                sip-stack {
                    dev-logging;
                    event-tracing;
                    ips-tracing;
                    pd-log-detail (full | summary);
                    pd-log-level (audit | exception | problem);
                    per-tracing;
                    verbose-logging;
                }
            }
        }
    }
}
cos {
    application-profile profile-name {
        ftp {
            data {
                dscp (alias | bits);
                forwarding-class class-name;
            }
        }
        sip {
            video {
                dscp (alias | bits);
                forwarding-class class-name;
            }
            voice {
                dscp (alias | bits);
                forwarding-class class-name;
            }
        }
    }
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address address;
                destination-prefix-list list-name <except>;
                source-address address;
                source-prefix-list list-name <except>;

            }
            then {
                application-profile profile-name;
                dscp (alias | bits);
                forwarding-class class-name;
                (reflexive | reverse) {
                    application-profile profile-name;
                    dscp (alias | bits);
                    forwarding-class class-name;
                    syslog;
                }
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
dynamic-flow-capture {
    capture-group client-name {
        content-destination identifier {
            address address;
            hard-limit bandwidth;
            hard-limit-target bandwidth;
            soft-limit bandwidth;
            soft-limit-clear bandwidth;
            ttl hops;
        }
        control-source identifier {
            allowed-destinations [ destination ];
            minimum-priority value;
            no-syslog;
            notification-targets address port port-number;
            service-port port-number;
            shared-key value;
            source-addresses [ address ];
        }
        duplicates-dropped-periodicity seconds;
        input-packet-rate-threshold rate;
        interfaces interface-name;
        max-duplicates number;
        pic-memory-threshold percentage percentage;
    }
    g-max-duplicates number;
    g-duplicates-dropped-periodicity seconds;
}
flow-collector {
    analyzer-address address;
    analyzer-id name;
    destinations {
        ftp:url {
            password "password";
        }
    }
    file-specification {
        variant variant-number {

            data-format format;
            name-format format;
            transfer {
                record-level number;
                timeout seconds;
            }
        }
    }
    interface-map {
        collector interface-name;
        file-specification variant-number;
        interface-name {
            collector interface-name;
            file-specification variant-number;
        }
    }
    retry number;
    retry-delay seconds;
    transfer-log-archive {
        archive-sites {
            ftp:url {
                password "password";
                username username;
            }
        }
        filename-prefix prefix;
        maximum-age minutes;
    }
}
flow-monitoring {
    version9 {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            ipv6-template;
            mpls-template {
                label-position [ positions ];
            }
            mpls-ipv4-template {
                label-position [ positions ];
            }
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }
}
flow-tap {
    (interface interface-name | tunnel-interface interface-name);
}
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;

                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-number | destination-prefix-ipv6 prefix-number;
                    source-prefix prefix-number | source-prefix-ipv6 prefix-number;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
ipsec-vpn {
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            description description;

            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            version (1 | 2);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposals [ proposal-names ];
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);

                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    no-ipsec-tunnel-in-traceroute;
    traceoptions {
        file {
            files number;
            size bytes;
        }
        flag flag;
        level level;
    }
}
l2tp {
    tunnel-group name {
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name;
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                log-prefix prefix-value;
            }
        }
        tunnel-timeout seconds;
    }
    traceoptions {
        debug-level level;
        filter {
            protocol name;
        }

        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
    }
}
logging {
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
nat {
    ipv6-multicast-interfaces (all | interface-name) {
        disable;
    }
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-range low minimum-value high maximum-value;
        pgcp {
            hint [ hint-strings ];
            ports-per-session ports;
            remotely-controlled;
            transport;
        }
        port (automatic | range low minimum-value high maximum-value) {
            random-allocation;
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                syslog;
                translated {
                    destination-pool nat-pool-name;
                    destination-prefix destination-prefix;
                    dns-alg-pool dns-alg-pool;
                    dns-alg-prefix dns-alg-prefix;
                    overload-pool overload-pool-name;
                    overload-prefix overload-prefix;
                    source-pool nat-pool-name;
                    source-prefix source-prefix;
                    translation-type {

                        (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                    }
                    use-dns-map-for-destination-translation;
                }
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
pgcp {
    gateway gateway-name {
        cleanup-timeout seconds;
        gateway-address gateway-address;
        fast-update-filters {
            maximum-terms number-of-terms;
            maximum-fuf-percentage percentage;
        }
        gateway-controller gateway-controller-name {
            controller-address ip-address;
            controller-port port-number;
            interim-ah-scheme {
                algorithm algorithm;
            }
        }
        gateway-port gateway-port;
        graceful-restart {
            maximum-synchronization-mismatches number-of-mismatches;
            seconds;
        }
        data-inactivity-detection {
            inactivity-delay seconds;
            latch-deadlock-delay seconds;
            send-notification-on-delay;
            inactivity-duration seconds;
            no-rtcp-check stop-detection-on-drop;
            report-service-change {
                service-change-type (forced-906 | forced-910);
            }
        }
        h248-properties {
            application-data-inactivity-detection {
                ip-flow-stop-detection (regulated-notify | immediate-notify);
            }
            base-root {
                mg-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-originated-pending-limit {
                    default number-of-messages;

                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                normal-mg-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                normal-mgc-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
            }
            diffserv {
                dscp {
                    default (dscp-value | alias | do-not-change);
                }
            }
            event-timestamp-notification {
                request-timestamp (requested | suppressed | autonomous);
            }
            hanging-termination-detection {
                timerx seconds;
            }
            notification-behavior {
                notification-regulation default (once | 0 - 100);
            }
            segmentation {
                mg-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mg-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
                mgc-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
            }
            traffic-management {
                max-burst-size {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {

                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                peak-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                sustained-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                    rtcp-include;
                }
            }
            inactivity-timer {
                inactivity-timeout {
                    detect;
                    maximum-inactivity-time {
                        default 10-millisecond-units;
                        maximum 10-millisecond-units;
                        minimum 10-millisecond-units;
                    }
                }
            }
        }
        h248-options {
            audit-observed-events-returns;
            encoding {
                no-dscp-bit-mirroring;
                use-lower-case;
            }
            service-change {
                context-indications {
                    state-loss (forced-910 | forced-915 | none);
                }
                control-association-indications {
                    disconnect {
                        controller-failure (failover-909 | restart-902);
                        reconnect (disconnected-900 | restart-902);
                    }
                    down {
                        administrative (forced-905 | forced-908 | none);
                        failure (forced-904 | forced-908 | none);
                        graceful (graceful-905 | none);
                    }
                    up {
                        cancel-graceful (none | restart-918);
                        failover-cold (failover-920 | restart-901);
                        failover-warm (failover-919 | restart-902);

                    }
                }
                virtual-interface-indications {
                    virtual-interface-down {
                        administrative (forced-905 | forced-906 | none);
                        failure (forced-904 | forced-906 | none);
                        graceful (graceful-905 | none);
                    }
                    use-wildcard-response;
                    virtual-interface-up {
                        cancel-graceful (none | restart-918);
                        warm (none | restart-900);
                    }
                }
            }
        }
        h248-timers {
            initial-average-ack-delay milliseconds;
            maximum-net-propagation-delay milliseconds;
            maximum-waiting-delay milliseconds;
            tmax-retransmission-delay milliseconds;
        }
        max-concurrent-calls number-of-calls;
        monitor {
            media {
                rtcp;
                rtp;
            }
        }
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
        session-mirroring {
            delivery-function delivery-function-name {
                destination-address destination-address;
                destination-port destination-port;
                network-operator-id network-operator-id;
                source-address source-address;
                source-port source-port;
            }
            disable-session-mirroring;
        }
    }
    nat-pool nat-pool-name;
    rule rule-name {
        gateway gateway-name;
        nat-pool nat-pool-name;
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    traceoptions {
        file <filename filename> <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag {
            bgf-core {
                common trace-level;
                default trace-level;

                firewall trace-level;
                gate-logic trace-level;
                pic-broker trace-level;
                policy trace-level;
                statistics trace-level;
            }
            default trace-level;
            h248-stack {
                control-association trace-level;
                default trace-level;
                messages;
                media-gateway trace-level;
            }
            sbc-utils {
                common trace-level;
                configuration trace-level;
                default trace-level;
                device-monitor trace-level;
                ipc trace-level;
                memory-management trace-level;
                messaging trace-level;
                user-interface trace-level;
            }
        }
    }
    virtual-interface interface-number {
        nat-pool nat-pool-name;
        service-interface interface-identifier;
        routing-instance instance-name {
            service-interface interface-name.unit-number;
        }
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
    }
    session-mirroring {
        delivery-function delivery-function-name {
            destination-address destination-address;
            destination-port destination-port;
            network-operator-id network-operator-id;
            source-address source-address;
            source-port source-port;
        }
        disable-session-mirroring;
    }
}
ptsp {
    forward-rule rule-name {
        term precedence {
            from {
                application-groups [ application-group-name ];
                applications [ application-name ];
                local-address address <except>;
                local-address-range low low-value high high-value <except>;
                local-prefix-list prefix-list-name <except>;
            }
            then {
                forwarding-instance forwarding-instance unit-number unit-number;

} } } rule rule-name { count-type (application | rule); demux (destination-address | source-address); forward-rule forward-rule-name; match-direction (input | input-output | output); term precedence { from { application-group-any; application-groups [ application-group-name ]; applications [ application-name ]; local-port-range low low-value high high-value; local-ports [ value-list ]; protocol protocol-number; remote-address address <except>; remote-address-range low low-value high high-value <except>; remote-port-range low low-value high high-value; remote-ports [ value-list ]; remote-prefix-list prefix-list-name <except>; } then { (accept | discard); count (application | application-group | application-group-any | rule | none); forwarding-class forwarding-class; police policer-name; } } } rule-set rule-set-name { rule rule-name; } } rpm { bgp { data-fill data; data-size size; destination-port port; history-size size; logical-system logical-system-name <routing-instances routing-instance-name>; moving-average-size number; probe-count count; probe-interval seconds; probe-type type; routing-instances instance-name; test-interval interval; } probe owner { test test-name { data-fill data; data-size size; destination-interface interface-name; destination-port port; dscp-code-point dscp-bits; hardware-timestamp;



Chapter 2: Services Interfaces Configuration Statements

                history-size size;
                moving-average-size number;
                one-way-hardware-timestamp;
                probe-count count;
                probe-interval seconds;
                probe-type type;
                routing-instance instance-name;
                source-address address;
                target (url | address);
                test-interval interval;
                thresholds thresholds;
                traps traps;
            }
        }
        probe-limit limit;
        probe-server {
            tcp {
                destination-interface interface-name;
                port number;
            }
            udp {
                destination-interface interface-name;
                port number;
            }
        }
        twamp {
            server {
                authentication-mode (authenticated | encrypted | none);
                client-list list-name {
                    address address;
                }
                inactivity-timeout seconds;
                maximum-connections count;
                maximum-connections-per-client count;
                maximum-sessions count;
                maximum-sessions-per-connection count;
                port number;
            }
        }
    }
    service-set service-set-name {
        aacl-rules rule-name;
        policy-decision-statistics-profile profile-name;
        (ids-rules rule-names | ids-rule-sets rule-set-name);
        (ipsec-vpn-rules rule-names | ipsec-vpn-rule-sets rule-set-name);
        (nat-rules rule-names | nat-rule-sets rule-set-name);
        (pgcp-rules rule-names | pgcp-rule-sets rule-set-name);
        (ptsp-rules rule-names | ptsp-rule-sets rule-set-name);
        (stateful-firewall-rules rule-names | stateful-firewall-rule-sets rule-set-name);
        allow-multicast;
        extension-service service-name {
            provider-specific rules;
        }
        interface-service {
            service-interface interface-name;
        }


        ipsec-vpn-options {
            anti-replay-window-size bits;
            clear-dont-fragment-bit;
            ike-access-profile profile-name;
            local-gateway address;
            no-anti-replay;
            passive-mode-tunneling;
            trusted-ca [ ca-profile-names ];
            tunnel-mtu bytes;
        }
        max-flows number;
        next-hop-service {
            inside-service-interface interface-name.unit-number;
            outside-service-interface interface-name.unit-number;
            service-interface-pool name;
        }
        service-order {
            forward-flow [ service-name1 service-name2 ];
            reverse-flow [ service-name1 service-name2 ];
        }
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                port port-number;
            }
        }
    }
    softwire {
        softwire-concentrator {
            ds-lite ds-lite-softwire-concentrator {
                auto-update-mtu;
                copy-dscp;
                flow-limit flow-limit;
                mtu-v6 mtu-v6;
                softwire-address address;
            }
            v6rd v6rd-softwire-concentrator {
                ipv4-prefix ipv4-prefix;
                v6rd-prefix ipv6-prefix;
                mtu-v4 mtu-v4;
            }
        }
        rule rule-name {
            match-direction (input | output);
            term term-name {
                then {
                    ds-lite name;
                }
            }
        }
        ipv6-multicast-filters;
    }
    stateful-firewall {
        rule rule-name {
            match-direction (input | output | input-output);


            term term-name {
                from {
                    application-sets set-name;
                    applications [ application-names ];
                    destination-address (address | any-unicast) <except>;
                    destination-address-range low minimum-value high maximum-value <except>;
                    destination-prefix-list list-name <except>;
                    source-address (address | any-unicast) <except>;
                    source-address-range low minimum-value high maximum-value <except>;
                    source-prefix-list list-name <except>;
                }
                then {
                    (accept | discard | reject);
                    allow-ip-options [ values ];
                    syslog;
                }
            }
        }
        rule-set rule-set-name {
            rule rule-name;
        }
    }
}


PART 2

Adaptive Services

Adaptive Services Overview on page 37
Applications Configuration Guidelines on page 71
Summary of Applications Configuration Statements on page 103
Stateful Firewall Services Configuration Guidelines on page 113
Summary of Stateful Firewall Configuration Statements on page 123
Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines on page 135
Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements on page 139
Carrier-Grade NAT Configuration Guidelines on page 149
Summary of Carrier-Grade NAT Configuration Statements on page 239
Load Balancing Configuration Guidelines on page 271
Summary of Load Balancing Configuration Statements on page 277
Intrusion Detection Service Configuration Guidelines on page 289
Summary of Intrusion Detection Service Configuration Statements on page 301
IPsec Services Configuration Guidelines on page 323
Summary of IPsec Services Configuration Statements on page 377
Layer 2 Tunneling Protocol Services Configuration Guidelines on page 413
Summary of Layer 2 Tunneling Protocol Configuration Statements on page 431
Link Services IQ Interfaces Configuration Guidelines on page 447
Summary of Link Services IQ Configuration Statements on page 509
Voice Services Configuration Guidelines on page 521
Summary of Voice Services Configuration Statements on page 531
Class-of-Service Configuration Guidelines on page 541
Summary of Class-of-Service Configuration Statements on page 551
Service Set Configuration Guidelines on page 567
Summary of Service Set Configuration Statements on page 585
Service Interface Configuration Guidelines on page 611
Summary of Service Interface Configuration Statements on page 625
PGCP Configuration Guidelines for the BGF Feature on page 643
Summary of PGCP Configuration Statements on page 649
Service Interface Pools Configuration Guidelines on page 751
Summary of Service Interface Pools Statements on page 753
Border Signaling Gateway Configuration Guidelines on page 755
Summary of Border Signaling Gateway Configuration Statements on page 761
PTSP Configuration Guidelines on page 841
Summary of PTSP Configuration Statements on page 843
Softwire Configuration Guidelines on page 865
Summary of Softwire Configuration Statements on page 883


CHAPTER 3

Adaptive Services Overview


This chapter discusses the following topics:

Adaptive Services Overview on page 37
Enabling Service Packages on page 39
Services Configuration Procedure on page 44
Packet Flow Through the Adaptive Services or Multiservices PIC on page 44
Stateful Firewall Overview on page 45
Network Address Translation Overview on page 48
Tunneling Services for IPv4-to-IPv6 Transition Overview on page 53
IPsec Overview on page 57
Layer 2 Tunneling Protocol Overview on page 59
Voice Services Overview on page 60
Class of Service Overview on page 60
Examples: Services Interfaces Configuration on page 61

Adaptive Services Overview


The Adaptive Services (AS) and MultiServices PICs provide adaptive services interfaces, which allow you to coordinate multiple services on a single PIC by configuring a set of services and applications. The AS and MultiServices PICs offer a special range of services that you configure in one or more service sets. The AS PIC is available in two versions that differ in memory size:

- The Adaptive Services II PIC with 512 MB of memory is supported on all Juniper Networks M Series and T Series routers, including the M320 router.
- The Adaptive Services PIC with 256 megabytes (MB) of memory is supported on all M Series routers except the M320 router.

The M7i router includes the Adaptive Services Module (ASM), an integrated version of the AS PIC as an optional component, which offers all the features of the standalone version at a reduced bandwidth.


NOTE: To take advantage of the features available on the AS PIC, you must install it in an Enhanced Flexible PIC Concentrator (FPC) in an M Series router equipped with an Internet Processor II application-specific integrated circuit (ASIC), or a similarly equipped T Series router. To find out whether your router hardware is suitably equipped, use the show chassis hardware command. For more information, see the Junos OS System Basics and Services Command Reference.

The MultiServices PIC is available in three versions, the MultiServices 100, the MultiServices 400, and the MultiServices 500, which differ in memory size and performance. All versions offer enhanced performance in comparison with AS PICs. MultiServices PICs are supported on M Series and T Series routers except M20 routers. The MultiServices DPC is available for MX Series routers; it includes a subset of the functionality supported on the MultiServices PIC. Currently the MultiServices DPC supports the following Layer 3 services: stateful firewall, NAT, IDS, IPsec, active flow monitoring, RPM, and generic routing encapsulation (GRE) tunnels (including GRE key and fragmentation); it also supports graceful Routing Engine switchover (GRES) and Dynamic Application Awareness for Junos OS. For more information about supported packages, see Enabling Service Packages on page 39. It is also possible to group several Multiservices PICs into an aggregated Multiservices (AMS) system. An AMS configuration eliminates the need for separate routers within a system. The primary benefit of having an AMS configuration is the ability to support load balancing of traffic across multiple services PICs. Starting with Junos OS 11.4, all MX Series routers support high availability (HA) and Network Address Translation (NAT) on AMS infrastructure. See Configuring Load Balancing on AMS Infrastructure on page 271 for more information.

NOTE: The Adaptive Services and MultiServices PICs are polling based and not interrupt based; as a result, a high value in the show chassis pic Interrupt load average field may not mean that the PIC has reached its maximum limit of processing.

The following services are configured within a service set and are available only on adaptive services interfaces:

- Stateful firewall: A type of firewall filter that considers state information derived from previous communications and other applications when evaluating traffic.
- Network Address Translation (NAT): A security procedure for concealing host addresses on a private network behind a pool of public addresses.
- Intrusion detection service (IDS): A set of tools for detecting, redirecting, and preventing certain kinds of network attack and intrusion.
- IP Security (IPsec): A set of tools for configuring manual or dynamic security associations (SAs) for encryption of data traffic.
- Class of service (CoS): A subset of CoS functionality for services interfaces, limited to DiffServ code point (DSCP) marking and forwarding-class assignment. CoS BA classification is not supported on services interfaces.

The configuration for these services comprises a series of rules that you can arrange in order of precedence as a rule set. Each rule follows the structure of a firewall filter, with a from statement containing input or match conditions and a then statement containing actions to be taken if the match conditions are met. The following services are also configured on the AS and MultiServices PICs, but do not use the rule set definition:

- Layer 2 Tunneling Protocol (L2TP): A tool for setting up secure tunnels using Point-to-Point Protocol (PPP) encapsulation across Layer 2 networks.
- Link Services Intelligent Queuing (LSQ): Interfaces that support Junos OS class-of-service (CoS) components, link fragmentation and interleaving (LFI) (FRF.12), Multilink Frame Relay (MLFR) user-to-network interface (UNI) network-to-network interface (NNI) (FRF.16), and Multilink PPP (MLPPP).
- Voice services: A feature that uses the Compressed Real-Time Transport Protocol (CRTP) to enable voice over IP traffic to use low-speed links more effectively.

In addition, Junos OS includes the following tools for configuring services:

- Application protocols definition: Allows you to configure properties of application protocols that are subject to processing by router services, and group the application definitions into application sets.
- Service-set definition: Allows you to configure combinations of directional rules and default settings that control the behavior of each service in the service set.

NOTE: Logging of adaptive services interfaces messages to an external server by means of the fxp0 port is not supported on M Series routers. The architecture does not support system logging traffic out of a management interface. Instead, access to an external server is supported on a Packet Forwarding Engine interface.

Enabling Service Packages


For AS PICs, Multiservices PICs, Multiservices DPCs, and the internal Adaptive Services Module (ASM) in the M7i router, there are two service packages: Layer 2 and Layer 3. Both service packages are supported on all adaptive services interfaces, but you can enable only one service package per PIC, with the exception of a combined package supported on the ASM. On a single router, you can enable both service packages by installing two or more PICs on the platform.


NOTE: Graceful Routing Engine switchover (GRES) is automatically enabled on all services PICs and DPCs except the ES PIC. It is supported on all M Series, MX Series, and T Series routers except for TX Matrix routers. Layer 3 services should retain state after switchover, but Layer 2 services will restart. For IPsec services, Internet Key Exchange (IKE) negotiations are not stored and must be restarted after switchover. For more information about GRES, see the Junos OS High Availability Configuration Guide.

You enable service packages per PIC, not per port. For example, if you configure the Layer 2 service package, the entire PIC uses the configured package. To enable a service package, include the service-package statement at the [edit chassis fpc slot-number pic pic-number adaptive-services] hierarchy level, and specify layer-2 or layer-3:
[edit chassis fpc slot-number pic pic-number adaptive-services]
service-package (layer-2 | layer-3);

To determine which package an AS PIC supports, issue the show chassis hardware command: if the PIC supports the Layer 2 package, it is listed as Link Services II, and if it supports the Layer 3 package, it is listed as Adaptive Services II. To determine which package a Multiservices PIC supports, issue the show chassis pic fpc-slot slot-number pic-slot slot-number command. The Package field displays the value Layer-2 or Layer-3.

NOTE: The ASM has a default option (layer-2-3) that combines the features available in the Layer 2 and Layer 3 service packages.

After you commit a change in the service package, the PIC is taken offline and then brought back online immediately. You do not need to manually take the PIC offline and online.

NOTE: Changing the service package causes all state information associated with the previous service package to be lost. You should change the service package only when there is no active traffic going to the PIC.

The services supported in each package differ by PIC and platform type. Table 3 on page 41 lists the services supported within each service package for each PIC and platform. For information about services supported on SRX Series Services Gateways and J Series Services Routers, see the Junos OS Feature Support Reference for SRX Series and J Series Devices. On the AS and Multiservices PICs, link services support includes Junos OS CoS components, LFI (FRF.12), MLFR end-to-end (FRF.15), MLFR UNI NNI (FRF.16), MLPPP (RFC 1990), and multiclass MLPPP. For more information, see Layer 2 Service Package Capabilities and Interfaces on page 43 and Layer 2 Service Package Capabilities and Interfaces on page 448.


NOTE: The AS PIC II for Layer 2 Service is dedicated to supporting the Layer 2 service package only.

For additional information about Layer 3 services, see the Junos OS Feature Guides.

Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform

Column key:
  A  ASM (M7i)
  B  AS/AS2 PICs and Multiservices PICs (M7i, M10i, and M20)
  C  AS/AS2 and Multiservices PICs (M40e and M120)
  D  AS2 and Multiservices PICs (M320, T320, and T640)
  E  AS2 and Multiservices PICs (TX Matrix)

Services                                              A       B       C       D       E
Layer 2 Service Package (Only)
  Link Services:
    Link services                                     Yes     Yes     Yes     Yes     No
    Multiclass MLPPP                                  Yes     Yes     Yes     Yes     No
  Voice Services:
    CRTP and LFI                                      Yes     Yes     Yes     Yes     No
    CRTP and MLPPP                                    Yes     Yes     Yes     Yes     No
    CRTP over PPP (without MLPPP)                     Yes     Yes     Yes     Yes     No
Layer 3 Service Package (Only)
  Security Services:
    CoS                                               Yes     Yes     Yes     Yes     No
    Intrusion detection system (IDS)                  Yes     Yes     Yes     Yes     No
    IPsec                                             Yes     Yes     Yes     Yes     No
    NAT                                               Yes     Yes     Yes     Yes     No
    Stateful firewall                                 Yes     Yes     Yes     Yes     No
  Accounting Services:
    Active monitoring                                 Yes     Yes     Yes     Yes     Yes
    Dynamic flow capture (Multiservices 400 PIC only) No      No      No      Yes     No
    Flow-tap                                          Yes     Yes     Yes (1) Yes     No
    Passive monitoring (Multiservices 400 PIC only)   No      Yes     Yes (1) Yes     No
    Port mirroring                                    Yes     Yes     Yes     Yes     Yes
  LNS Services:
    L2TP LNS                                          Yes     Yes (2) Yes (3) No      No
  Voice Services:
    BGF                                               Yes     Yes     Yes     Yes     No
Layer 2 and Layer 3 Service Package (Common Features)
  RPM Services:
    RPM probe timestamping                            Yes     Yes     Yes     Yes     No
  Tunnel Services:
    GRE (gr-fpc/pic/port)                             Yes     Yes     Yes     Yes     Yes
    GRE fragmentation (clear-dont-fragment-bit)       Yes     Yes     Yes     No      No
    GRE key                                           Yes     Yes     Yes     Yes     No
    IP-IP tunnels (ip-fpc/pic/port)                   Yes     Yes     Yes     Yes     Yes
    Logical tunnels (lt-fpc/pic/port)                 No      No      No      No      No
    Multicast tunnels (mt-fpc/pic/port)               Yes     Yes     Yes     Yes     Yes
    PIM de-encapsulation (pd-fpc/pic/port)            Yes     Yes     Yes     Yes     Yes
    PIM encapsulation (pe-fpc/pic/port)               Yes     Yes     Yes     Yes     Yes
    Virtual tunnels (vt-fpc/pic/port)                 Yes     Yes     Yes     Yes     Yes

  (1) M40e only.
  (2) M7i and M10i only.
  (3) M120 only.


Layer 2 Service Package Capabilities and Interfaces


When you enable the Layer 2 service package, you can configure link services. On the AS and Multiservices PICs and the ASM, link services include support for the following:

- Junos CoS components: Layer 2 Service Package Capabilities and Interfaces on page 448 describes how the Junos CoS components work on link services IQ (lsq) interfaces. For detailed information about Junos CoS components, see the Junos OS Class of Service Configuration Guide.
- LFI on Frame Relay links using FRF.12 end-to-end fragmentation: The standard for FRF.12 is defined in the specification FRF.12, Frame Relay Fragmentation Implementation Agreement.
- LFI on MLPPP links.
- MLFR UNI NNI (FRF.16): The standard for FRF.16 is defined in the specification FRF.16.1, Multilink Frame Relay UNI/NNI Implementation Agreement.
- MLPPP (RFC 1990)
- MLFR end-to-end (FRF.15)

For the LSQ interface on the AS and Multiservices PICs, the configuration syntax is almost the same as for Multilink and Link Services PICs. The primary difference is the use of the interface-type descriptor lsq instead of ml or ls. When you enable the Layer 2 service package, the following interfaces are automatically created:
gr-fpc/pic/port
ip-fpc/pic/port
lsq-fpc/pic/port
lsq-fpc/pic/port:0 ... lsq-fpc/pic/port:N
mt-fpc/pic/port
pd-fpc/pic/port
pe-fpc/pic/port
sp-fpc/pic/port
vt-fpc/pic/port

Interface types gr, ip, mt, pd, pe, and vt are standard tunnel interfaces that are available on the AS and Multiservices PICs whether you enable the Layer 2 or the Layer 3 service package. These tunnel interfaces function the same way for both service packages, except that the Layer 2 service package does not support some tunnel functions, as shown in Table 3 on page 41. Interface type lsq-fpc/pic/port is the physical link services IQ (lsq) interface. Interface types lsq-fpc/pic/port:0 through lsq-fpc/pic/port:N represent FRF.16 bundles. These interface types are created when you include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level. For more information, see Layer 2 Service Package Capabilities and Interfaces on page 448 and Link and Multilink Properties.


NOTE: Interface type sp is created because it is needed by the Junos OS. For the Layer 2 service package, the sp interface is not configurable, but you should not disable it.

Services Configuration Procedure


You follow these general steps to configure services:

1. Define application objects by configuring statements at the [edit applications] hierarchy level.

2. Define service rules by configuring statements at the [edit services (ids | ipsec-vpn | nat | stateful-firewall) rule] hierarchy level.

3. Group the service rules by configuring the rule-set statement at the [edit services (ids | ipsec-vpn | nat | stateful-firewall)] hierarchy level.

4. Group service rule sets under a service-set definition by configuring the service-set statement at the [edit services] hierarchy level.

5. Apply the service set on an interface by including the service-set statement at the [edit interfaces interface-name unit logical-unit-number family inet service (input | output)] hierarchy level. Alternatively, you can configure logical interfaces as a next-hop destination by including the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level.

NOTE: You can configure IDS, NAT, and stateful firewall service rules within the same service set. You must configure IPsec services in a separate service set, although you can apply both service sets to the same PIC.
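The five steps above, carried through as one complete configuration for a stateful firewall. This is an added example and not a configuration taken from the Juniper guide: the slot numbers (FPC 1, PIC 2), the interface names sp-1/2/0 and ge-0/0/0, the inside prefix 10.1.0.0/16 and the upstream address 192.0.2.1/30 are assumptions, and the three applications are defined explicitly instead of relying on any predefined ones. The service set is applied in both directions on the untrusted upstream interface, so match-direction output covers conversations that inside hosts open toward the Internet and match-direction input covers unsolicited conversations arriving from it:

```junos
/* Added example, not from the Juniper guide. Slot numbers, interface
   names, prefixes and addresses are assumptions. */
chassis {
    fpc 1 {
        pic 2 {
            adaptive-services {
                service-package layer-3;    /* per-PIC, not per-port */
            }
        }
    }
}
applications {
    application corp-http {
        protocol tcp;
        destination-port 80;
    }
    application corp-ftp {
        application-protocol ftp;   /* ALG admits the data flows of the conversation */
        protocol tcp;
        destination-port 21;
    }
    application corp-dns {
        protocol udp;
        destination-port 53;
    }
    application-set corp-outbound {
        application corp-http;
        application corp-ftp;
        application corp-dns;
    }
}
services {
    stateful-firewall {
        rule corp-egress {
            match-direction output;     /* conversations leaving through ge-0/0/0 */
            term permit-known {
                from {
                    source-address 10.1.0.0/16;
                    application-sets corp-outbound;
                }
                then {
                    accept;
                    syslog;
                }
            }
            term deny-rest {
                then {
                    discard;            /* first match wins; nothing else leaves */
                }
            }
        }
        rule corp-ingress {
            match-direction input;      /* new conversations arriving from outside */
            term deny-all {
                then {
                    discard;            /* reject would also send an ICMP error/RST */
                }
            }
        }
        rule-set corp-edge {
            rule corp-egress;
            rule corp-ingress;
        }
    }
    service-set corp-edge {
        stateful-firewall-rule-sets corp-edge;
        syslog {
            host local {                /* log on the Routing Engine, not via fxp0 */
                services any;
            }
        }
        interface-service {
            service-interface sp-1/2/0;
        }
    }
}
interfaces {
    sp-1/2/0 {
        unit 0 {
            family inet;                /* unit 0 is required for an interface service set */
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set corp-edge;
                    }
                    output {
                        service-set corp-edge;
                    }
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

Return packets of an accepted conversation are matched against the conversation, not against the rules, so the input rule only ever sees conversations initiated from outside; that is the statefulness the overview describes. After the commit, show chassis pic fpc-slot 1 pic-slot 2 reports the Layer-3 package, show services service-sets summary confirms the set is installed on the PIC, and show services stateful-firewall conversations lists what is being tracked.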

Packet Flow Through the Adaptive Services or Multiservices PIC


You can optionally configure service sets to be applied at one of three points while the packets transit the router:

- An interface service set applied at the inbound interface.
- A next-hop service set applied at the forwarding table.
- An interface service set applied at the outbound interface.

The packet flow is as follows, graphically displayed in Figure 1 on page 45. (You can configure a service set as either an interface service set or a next-hop service set.)
1. Packets enter the router on the inbound interface.

2. A policer, filter, service filter, service set, postservice filter, and input forwarding-table filter are applied sequentially to the traffic; these are all optional items in the configuration. If an interface service set is applied, the packets are forwarded to the AS or MultiServices PIC for services processing and then sent back to the Packet Forwarding Engine; if a service filter is also applied, only packets matching the service filter are sent to the PIC. The optional postservice filter is applied and postprocessing takes place.

3. A next-hop service set can be applied to the VPN routing and forwarding (VRF) table or to inet.0. If it is applied, packets are sent to the PIC for services processing and sent back to the Packet Forwarding Engine.

NOTE: For NAT, the next-hop service set can only be applied to the VRF table. For all other services, the next-hop service set can be applied to either the VRF table or to inet.0.

4. On the output interface, an output filter, output policer, and interface service set can be applied sequentially to the traffic if you have configured any of these items. If an interface service set is applied, the traffic is forwarded to the PIC for processing and sent back to the Packet Forwarding Engine, which then forwards the traffic.

5. Packets exit the router.

Figure 1: Packet Flow Through the Adaptive Services or MultiServices PIC

NOTE: When an AS PIC experiences persistent back pressure as a result of high traffic volume for 3 seconds, the condition triggers an automatic core dump and reboot of the PIC to help clear the blockage. A system log message at level LOG_ERR is generated. This mechanism applies to both Layer 2 and Layer 3 service packages.
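The next-hop variant of step 3 steers traffic to the PIC through a route rather than through an interface. This is an added example, not a configuration from the guide: the sp-1/2/0 unit numbers, the 10.2.0.0/16 prefix and the rule set corp-edge (assumed to be defined under [edit services stateful-firewall]) are assumptions:

```junos
/* Added example, not from the Juniper guide. Unit numbers, the prefix
   and the rule-set name are assumptions. */
interfaces {
    sp-1/2/0 {
        unit 0 {
            family inet;                /* still required for the PIC itself */
        }
        unit 10 {
            family inet;
            service-domain inside;      /* packets routed here are the rules' input direction */
        }
        unit 11 {
            family inet;
            service-domain outside;     /* packets routed here are the rules' output direction */
        }
    }
}
services {
    service-set branch-vrf {
        stateful-firewall-rule-sets corp-edge;
        next-hop-service {
            inside-service-interface sp-1/2/0.10;
            outside-service-interface sp-1/2/0.11;
        }
    }
}
routing-options {
    static {
        /* traffic for 10.2.0.0/16 enters the PIC via the inside unit; after
           processing it leaves via the outside unit and is looked up again */
        route 10.2.0.0/16 next-hop sp-1/2/0.10;
    }
}
```

Nothing is attached to a customer-facing interface here; whatever the routing table sends to sp-1/2/0.10 is serviced. The reverse direction is symmetric: replies must be routed to the outside unit sp-1/2/0.11, typically from a routing instance, which this fragment does not show. Because a NAT next-hop service set can only be applied to a VRF table, adding nat-rule-sets to branch-vrf would require that routing-instance side to exist.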

Stateful Firewall Overview


Routers use firewalls to track and control the flow of traffic. Adaptive Services and MultiServices PICs employ a type of firewall called a stateful firewall. Contrasted with a stateless firewall that inspects packets in isolation, a stateful firewall provides an extra layer of security by using state information derived from past communications and other applications to make dynamic control decisions for new communication attempts. Stateful firewalls group relevant flows into conversations. A flow is identified by the following five properties:

- Source address
- Source port
- Destination address
- Destination port
- Protocol

A typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) conversation consists of two flows: the initiation flow and the responder flow. However, some conversations, such as an FTP conversation, might consist of two control flows and many data flows. Firewall rules govern whether the conversation is allowed to be established. If a conversation is allowed, all flows within the conversation are permitted, including flows that are created during the life cycle of the conversation.

You configure stateful firewalls using a powerful rule-driven conversation handling path. A rule consists of direction, source address, source port, destination address, destination port, IP protocol value, and application protocol or service. In addition to the specific values you configure, you can assign the value any to rule objects, addresses, or ports, which allows them to match any input value. Finally, you can optionally negate the rule objects, which negates the result of the type-specific match.

Firewall rules are directional. For each new conversation, the router software checks the initiation flow matching the direction specified by the rule.

Firewall rules are ordered. The software checks the rules in the order in which you include them in the configuration. The first time the firewall discovers a match, the router implements the action specified by that rule. Rules still unchecked are ignored. For more information, see Configuring Stateful Firewall Rules on page 114.

Stateful Firewall Support for Application Protocols


By inspecting the application protocol data, the AS or MultiServices PIC firewall can intelligently enforce security policies and allow only the minimal required packet traffic to flow through the firewall. The firewall rules are configured in relation to an interface. By default, the stateful firewall allows all sessions initiated from the hosts behind the interface to pass through the router.

Stateful Firewall Anomaly Checking


The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:

IP anomalies:
- IP version is not correct.
- IP header length field is too small.
- IP header length is set larger than the entire packet.
- Bad header checksum.
- IP total length field is shorter than header length.
- Packet has incorrect IP options.
- Internet Control Message Protocol (ICMP) packet length error.
- Time-to-live (TTL) equals 0.

IP address anomalies:
- IP packet source is a broadcast or multicast.
- Land attack (source IP equals destination IP).

IP fragmentation anomalies:
- IP fragment overlap.
- IP fragment missed.
- IP fragment length error.
- IP packet length is more than 64 kilobytes (KB).
- Tiny fragment attack.

TCP anomalies:
- TCP port 0.
- TCP sequence number 0 and flags 0.
- TCP sequence number 0 and FIN/PSH/RST flags set.
- TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST)).
- Bad TCP checksum.

UDP anomalies:
- UDP source or destination port 0.
- UDP header length check failed.
- Bad UDP checksum.

Anomalies found through stateful TCP or UDP checks:
- SYN followed by SYN-ACK packets without ACK from initiator.
- SYN followed by RST packets.
- SYN without SYN-ACK.
- Non-SYN first flow packet.
- ICMP unreachable errors for SYN packets.
- ICMP unreachable errors for UDP packets.

Packets dropped according to stateful firewall rules are also reported.

If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:

- TCP or UDP network probes and port scanning
- SYN flood attacks
- IP fragmentation-based attacks such as teardrop, bonk, and boink

Network Address Translation Overview

Types of NAT on page 48

Types of NAT
The types of NAT supported by the Junos OS are described in the following sections:

NAT Concept and Facilities Overview on page 48
IPv4-to-IPv4 Basic NAT on page 49
NAT-PT on page 50
Static Destination NAT on page 50
Twice NAT on page 50
IPv6 NAT on page 51
NAT-PT with DNS ALG on page 51
Dynamic NAT on page 52
Stateful NAT64 on page 52
Dual-Stack Lite on page 52

NAT Concept and Facilities Overview


Network Address Translation (NAT) is a mechanism for translating IP addresses. NAT provides the technology used to support a wide range of networking goals, including:

- Concealing a set of host addresses on a private network behind a pool of public addresses.
- Providing a security measure to protect the host addresses from direct targeting in network attacks.
- Providing a tool set for coping with IPv4 address depletion and IPv6 transition issues.

The Junos OS provides carrier-grade NAT (CGN) for IPv4 and IPv6 networks, and facilitates the transit of traffic between different types of networks. The multiservices Dense Port Concentrator (DPC) and multiservices PIC interfaces support the following types of traditional CGN:

- Static-source translation: Allows you to hide a private network. It features a one-to-one mapping between the original address and the translated address; the mapping is configured statically. For more information, see Basic NAT on page 50.
- Dynamic-source translation: Includes two options, dynamic address-only source translation and network address and port translation (NAPT):
  - Dynamic address-only source translation: A NAT address is picked up dynamically from a source NAT pool and the mapping from the original source address to the translated address is maintained as long as there is at least one active flow that uses this mapping. For more information, see Dynamic NAT on page 52.
  - NAPT: Both the original source address and the source port are translated. The translated address and port are picked up from the corresponding NAT pool. For more information, see NAPT on page 50.
- Static destination translation: Allows you to make selected private servers accessible. It features a one-to-one mapping between the translated address and the destination address; the mapping is configured statically. For more information, see Static Destination NAT on page 50.
- Protocol translation: Allows you to assign addresses from a pool on a static or dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. For more information, see NAT-PT on page 50, NAT-PT with DNS ALG on page 51, and Stateful NAT64 on page 52.
- Encapsulation of IPv4 packets into IPv6 packets using softwires: Enables packets to travel over softwires to a carrier-grade NAT endpoint where they undergo source-NAT processing to hide the original source address. For more information, see Tunneling Services for IPv4-to-IPv6 Transition Overview on page 53.

The Junos OS supports NAT functionality described in IETF RFCs and Internet drafts, as shown in Supported NAT and SIP Standards in Standards Supported in Junos OS 11.4.

IPv4-to-IPv4 Basic NAT


Basic Network Address Translation or Basic NAT is a method by which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation or NAPT is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses.

Copyright 2011, Juniper Networks, Inc.

49

Junos 11.4 Services Interfaces Configuration Guide

Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by the Junos OS. In addition, NAPT is supported for source addresses.

Basic NAT

With Basic NAT, a block of external addresses is set aside for translating the addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, Basic NAT translates source IP addresses and related fields such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, Basic NAT translates the destination IP address and the checksums listed above.

NAPT

Use NAPT to enable the components of the private network to share a single external address. NAPT translates the transport identifier (for example, TCP port number, UDP port number, or ICMP query ID) of the private network into a single external address. NAPT can be combined with Basic NAT to use a pool of external addresses in conjunction with port translation. For packets outbound from the private network, NAPT translates the source IP address, source transport identifier (TCP/UDP port or ICMP query ID), and related fields, such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, NAPT translates the destination IP address, the destination transport identifier, and the IP and transport header checksums.
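The following Python model illustrates the two source-translation behaviours described above (address-only dynamic NAT, whose binding lives as long as at least one flow uses it, and NAPT, where address and transport identifier are both rewritten) and why the IPv4 header checksum must be recomputed when the source field changes. It is an added example, not Junos code: the addresses, ports and pool sizes are constructed sample values, the flow bookkeeping is a simplification of what a services PIC does, and only the IP header checksum is shown (transport checksums need the same recomputation because they cover the pseudo-header).

```python
"""Toy model of traditional NAT (added example, not Junos code).

DynamicAddressNAT binds one pool address per private host and releases it
when the host's last flow closes; NAPT rewrites (address, port) so many
hosts share a single public address.  All values are constructed samples.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class DynamicAddressNAT:
    """Address-only dynamic source NAT drawing from a pool of public addresses."""

    def __init__(self, pool):
        self.free = list(pool)   # unused pool addresses
        self.binding = {}        # private address -> public address
        self.active = {}         # private address -> set of live flows

    def outbound(self, flow):
        pub = self.binding.get(flow.src)
        if pub is None:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            pub = self.free.pop(0)
            self.binding[flow.src] = pub
            self.active[flow.src] = set()
        self.active[flow.src].add(flow)
        return Flow(flow.proto, pub, flow.sport, flow.dst, flow.dport)

    def close(self, flow):
        """Release the address binding once no flow uses it any more."""
        self.active[flow.src].discard(flow)
        if not self.active[flow.src]:
            del self.active[flow.src]
            self.free.append(self.binding.pop(flow.src))


class NAPT:
    """Network address and port translation onto a single public address."""

    def __init__(self, public, first_port=1024, last_port=65535):
        self.public = public
        self._ports = iter(range(first_port, last_port + 1))
        self.out = {}    # (proto, private src, private port) -> public port
        self.back = {}   # (proto, public port) -> (private src, private port)

    def outbound(self, flow):
        key = (flow.proto, flow.src, flow.sport)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[(flow.proto, port)] = (flow.src, flow.sport)
        return Flow(flow.proto, self.public, self.out[key], flow.dst, flow.dport)

    def inbound(self, flow):
        """Map a reply for the public address back to the private host;
        None means no translation state exists and the packet is dropped."""
        state = self.back.get((flow.proto, flow.dport))
        if state is None or flow.dst != self.public:
            return None
        src, sport = state
        return Flow(flow.proto, flow.src, flow.sport, src, sport)


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto=6, total_length=40):
    """Build a 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_source(header, new_src):
    """Outbound Basic NAT on the IP header: replace the source address
    (bytes 12-15) and recompute the checksum (bytes 10-11)."""
    body = header[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + header[16:]
    return body[:10] + struct.pack("!H", ipv4_checksum(body)) + body[12:]
```

A header whose checksum field is valid sums to zero under `ipv4_checksum`, which is a convenient self-check after `rewrite_source`; a translator that forgot the recomputation would emit packets every downstream router discards.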

NAT-PT
NAT-Protocol Translation (NAT-PT) is an obsolete IPv4-to-IPv6 transition mechanism and is no longer recommended. NAT64 is the newer, recommended solution. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions. RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes. NAT-PT, specified in RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), and moved to historic status by RFC 4966, Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status, is still supported by the Junos OS.

Static Destination NAT


Use static destination NAT to translate the destination address for external traffic to an address specified in a destination pool. The destination pool contains one address and no port configuration. For more information about static destination NAT, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Twice NAT
In Twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. The source information to be translated can be either address only or address and port. For example, you would use Twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public). In traditional NAT, only one of the addresses is translated. To configure Twice NAT, you must specify both a destination address and a source address for the match direction, pool or prefix, and translation type. You can configure application-level gateways (ALGs) for ICMP and traceroute under stateful firewall, NAT, or class-of-service (CoS) rules when Twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Control Protocol (PGCP). Twice NAT does not support other ALGs. By default, the Twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. Twice NAT, specified in RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, is fully supported by the Junos OS.

IPv6 NAT
IPv6-to-IPv6 NAT (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, IPv6-to-IPv6 Network Address Translation (NAT66) is fully supported by the Junos OS.

NAT-PT with DNS ALG


NAT-PT and Domain Name System (DNS) ALG are used to facilitate communication between IPv6 hosts and IPv4 hosts. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions. RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes. DNS is a distributed hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. The DNS ALG is an application-specific agent that allows an IPv6 node to communicate with an IPv4 node and vice versa. When DNS ALG is employed with NAT-PT, the DNS ALG translates IPv6 addresses in DNS queries and responses to the corresponding IPv4 addresses and vice versa. IPv4 name-to-address mappings are held in the DNS with "A" queries. IPv6 name-to-address mappings are held in the DNS with "AAAA" queries. The Junos OS provides the following for controlling the translation of IPv4 and IPv6 DNS queries:

NOTE: For IPv6 DNS queries, use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.

Related Documentation

Configuring NAT Rules on page 156
Configuring NAT-PT on page 187
Example: Configuring NAT-PT on page 202

Dynamic NAT

Dynamic NAT flow is shown in Figure 2 on page 52.

Figure 2: Dynamic NAT Flow (IPv4 local host and CPE, IPv4 end-user NAT, CGN performing dynamic NAT, public IPv4 aggregation, IPv4 destination host)

With dynamic NAT, you can map a private IP address (source) to a public IP address drawing from a pool of registered (public) IP addresses. NAT addresses from the pool are assigned dynamically. Assigning addresses dynamically also allows a few public IP addresses to be used by several private hosts, in contrast with the equal-sized pool required by source static NAT. For more information about dynamic address translation, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Stateful NAT64

Stateful NAT64 flow is shown in Figure 3 on page 52.

Figure 3: Stateful NAT64 Flow (IPv6 local host and CPE, IPv6 access, CGN performing NAT64, public IPv4 aggregation, IPv4 destination host)

Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, several IPv6-only clients can share the same public IPv4 server address. To allow sharing of the IPv4 server address, NAT64 translates incoming IPv6 packets into IPv4 (and vice versa). When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server. DNS64 is out of scope of this document because it is normally implemented as an enhancement to currently deployed DNS servers. Stateful NAT64, specified in RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, is fully supported by the Junos OS.

Dual-Stack Lite

Dual-stack lite (DS-Lite) flow is shown in Figure 4 on page 53.

Figure 4: DS-Lite Flow (IPv4 end-user local host behind an IPv6 AFTR/CGN; DS-Lite IPv4-in-IPv6 tunnel; NAT44 toward an IPv4 destination host; IPv6 end-user traffic to an IPv6 destination host)

DS-Lite employs IPv4-over-IPv6 tunnels to cross an IPv6 access network to reach a carrier-grade IPv4-IPv4 NAT. This facilitates the phased introduction of IPv6 on the Internet by providing backward compatibility with IPv4.

Related Documentation

DS-Lite Softwires: IPv4 over IPv6
Configuring a DS-Lite Softwire Concentrator on page 866

Tunneling Services for IPv4-to-IPv6 Transition Overview


The Junos OS enables service providers to transition to IPv6 by using softwire encapsulation and decapsulation techniques. A softwire is a tunnel that is created between softwire CPE. A softwire CPE can share a unique common internal state for multiple softwires, making it a very light and scalable solution. When you use softwires, you need not maintain an interface infrastructure for each softwire, unlike a typical mesh of generic routing encapsulation (GRE) tunnels that would require you to do so. A softwire initiator at the customer end encapsulates native packets and tunnels them to a softwire concentrator at the service provider. The softwire concentrator decapsulates the packets and sends them to their destination. A softwire is created when a softwire concentrator receives the first tunneled packet of a flow and prepares for flow processing. The softwire exists as long as the softwire concentrator is providing flows for routing. A flow counter is maintained; when the number of active flows is 0, the softwire is deleted. Statistics are kept for both flows and softwires. Softwire addresses are not specifically configured under any physical or virtual interface. Therefore, the number of established softwires does not affect throughput, and scalability is independent of the number of interfaces. The scalability is only limited to the number of flows that the platform (services DPC or PIC) can support. This topic contains the following sections:

6to4 Overview on page 54
DS-Lite Softwires: IPv4 over IPv6 on page 55
6rd Softwires: IPv6 over IPv4 on page 56


6to4 Overview

Basic 6to4 on page 54
6to4 Anycast on page 54
6to4 Provider-Managed Tunnels on page 55

Basic 6to4
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. 6to4 is described in RFC 3056, Connection of IPv6 Domains via IPv4 Clouds. 6to4 is especially relevant during the initial phases of deployment to full, native IPv6 connectivity, since IPv6 is not required on nodes between the host and the destination. However, it is intended only as a transition mechanism and is not meant to be used permanently.

6to4 can be used by an individual host, or by a local IPv6 network. When used by a host, the host must have a global IPv4 address connected, and it is responsible for the encapsulation of outgoing IPv6 packets and the decapsulation of incoming 6to4 packets. If the host is configured to forward packets for other clients, often a local network, it is then a router.

There are two kinds of 6to4 virtual routers: border routers and relay routers. A 6to4 border router is an IPv6 router supporting a 6to4 pseudointerface, and it is normally the border router between an IPv6 site and a wide-area IPv4 network. A relay router is a 6to4 router configured to support transit routing between 6to4 addresses and pure native IPv6 addresses.

In order for a 6to4 host to communicate with the native IPv6 Internet, its IPv6 default gateway must be set to a 6to4 address which contains the IPv4 address of a 6to4 relay router. To avoid the need for users to set this up manually, the Anycast address 192.88.99.1 has been allocated to send packets to a 6to4 relay router. Note that when wrapped in 6to4 with the subnet and host fields set to zero, this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::. To ensure BGP routing propagation, a short prefix of 192.88.99.0/24 has been allocated for routes pointed at 6to4 relay routers that use this Anycast IP address. Providers willing to provide 6to4 service to their clients or peers should advertise the Anycast prefix like any other IP prefix, and route the prefix to their 6to4 relay.

Packets from the IPv6 Internet to 6to4 systems must be sent to a 6to4 relay router by normal IPv6 routing methods. The specification states that such relay routers must only advertise 2002::/16 and not subdivisions of it, to prevent IPv4 routes from polluting the routing tables of IPv6 routers. From there they can then be sent over the IPv4 Internet to the destination.

6to4 Anycast
6to4 assumes that 6to4 routers and relays are managed and configured cooperatively. In particular, 6to4 sites must configure a relay router to carry the outbound traffic, which becomes the default IPv6 router (except for 2002::/16). The objective of the Anycast variant, defined in RFC 3068, An Anycast Prefix for 6to4 Relay Routers, is to avoid the need for such configuration. This makes the solution available for small or domestic users, even those with a single host or simple home gateway instead of a border router. This is achieved by defining 192.88.99.1 as the default IPv4 address for a 6to4 relay, and 2002:c058:6301:: as the default IPv6 router prefix (well-known prefix) for a 6to4 site. RFC 6343, Advisory Guidelines for 6to4 Deployment, published in August 2011, identifies a wide range of problems associated with the use of unmanaged 6to4 Anycast relay routers.

6to4 Provider-Managed Tunnels


A solution to many problems associated with unmanaged Anycast 6to4 is presented in IETF informational draft draft-kuarsingh-v6ops-6to4-provider-managed-tunnel-02, 6to4 Provider-Managed Tunnels (PMT). That document, a work in progress, proposes a solution that allows providers to exercise greater control over the routing of 6to4 traffic. Anycast 6to4 implies a default configuration for the user site; it does not require any particular user action. It does require an IPv4 Anycast route to be in place to a relay at 192.88.99.1. Traffic does not necessarily return to the same 6to4 gateway because of the well-known 6to4 prefix used and advertised by all 6to4 traffic. 6to4 provider-managed tunnels (PMTs) facilitate the management of 6to4 tunnels using an Anycast configuration. 6to4 PMT enables service providers to improve 6to4 operation when network conditions provide suboptimal performance or break normal 6to4 operation. 6to4 PMT provides a stable provider prefix and forwarding environment by utilizing existing 6to4 relays with an added function of IPv6 prefix translation that controls the flow of return traffic. The 6to4 managed tunnel model behaves like a standard 6to4 service between the customer IPv6 host or gateway and the 6to4-PMT relay (within the provider domain). The 6to4-PMT relay shares properties with 6rd [RFC 5969] by decapsulating and forwarding embedded IPv6 flows, within an IPv4 packet, to the IPv6 Internet. The model provides an additional function which translates the source 6to4 prefix to a provider-assigned prefix, which is not found in 6rd [RFC 5969] or traditional 6to4 operation. The 6to4-PMT relay provides a stateless (or stateful) mapping of the 6to4 prefix to a provider-supplied prefix by mapping the embedded IPv4 address in the 6to4 prefix to the provider prefix.
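The address arithmetic behind the three 6to4 sections above (the 2002::/16 prefix that embeds an IPv4 address, the well-known Anycast relay address 192.88.99.1 becoming 2002:c058:6301::, and the stateless 6to4-to-provider prefix mapping a 6to4-PMT relay performs) is shown in the following Python, an added example that is not part of the guide or of the draft. The provider prefix 2001:db8::/32 is a constructed documentation value, and carrying only the 64-bit interface identifier across the PMT mapping (dropping the 16-bit 6to4 subnet field) is this example's simplification, assumed rather than taken from the draft.

```python
"""6to4 address derivation and 6to4-PMT prefix mapping (added example)."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
ANYCAST_RELAY_V4 = "192.88.99.1"          # RFC 3068 anycast relay address


def sixto4_prefix(ipv4):
    """/48 6to4 prefix for a global IPv4 address: 2002:VVVV:VVVV::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network("2002:%04x:%04x::/48" % (v4 >> 16, v4 & 0xFFFF))


def embedded_ipv4(ipv6):
    """IPv4 address embedded in bits 16-47 of a 6to4 address, i.e. where the
    encapsulated IPv4 packet for this destination is sent."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTO4:
        raise ValueError("%s is not a 6to4 address" % a)
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def default_relay_prefix():
    """Well-known default router prefix of an Anycast 6to4 site."""
    return sixto4_prefix(ANYCAST_RELAY_V4)


def pmt_to_provider(ipv6, provider_prefix):
    """6to4-PMT relay, outbound: map a 2002:V4::/48 source to the
    provider /64 formed by appending the embedded IPv4 address to a /32.
    Simplification: only the 64-bit interface identifier is carried."""
    a = ipaddress.IPv6Address(ipv6)
    net = ipaddress.IPv6Network(provider_prefix)
    if a not in SIXTO4 or net.prefixlen != 32:
        raise ValueError("need a 6to4 address and a /32 provider prefix")
    v4 = (int(a) >> 80) & 0xFFFFFFFF
    iid = int(a) & ((1 << 64) - 1)
    return str(ipaddress.IPv6Address(int(net.network_address) | (v4 << 64) | iid))


def pmt_to_6to4(ipv6, provider_prefix):
    """6to4-PMT relay, return path: provider /64 host back to the 6to4 host,
    so the relay knows which IPv4 address to encapsulate toward."""
    a = ipaddress.IPv6Address(ipv6)
    net = ipaddress.IPv6Network(provider_prefix)
    if a not in net or net.prefixlen != 32:
        raise ValueError("%s is not inside the provider prefix" % a)
    v4 = (int(a) >> 64) & 0xFFFFFFFF
    iid = int(a) & ((1 << 64) - 1)
    return str(ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | iid))
```

Because the mapping is a pure function of the embedded IPv4 address, the relay needs no per-flow state in either direction, which is the property the draft relies on to make return traffic arrive at the provider's own relay rather than at an arbitrary Anycast relay.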

DS-Lite Softwires: IPv4 over IPv6


When an Internet service provider (ISP) begins to allocate new subscriber homes IPv6 addresses and IPv6-capable equipment, dual-stack lite (DS-Lite) provides a method for the private IPv4 addresses behind the IPv6 customer edge (CE) WAN equipment to reach the IPv4 network. DS-Lite enables IPv4 customers to continue to access the Internet using their current hardware by using a softwire initiator, referred to as a Basic Bridging Broadband (B4), at the customer edge to encapsulate IPv4 packets into IPv6 packets and tunnel them over an IPv6 network to a softwire concentrator, referred to as an Address Family Transition Router (AFTR), for decapsulation. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them. DS-Lite is supported on Multiservices 100, 400, and 500 PICs on M Series routers and on MX Series routers equipped with Multiservices Dense Port Concentrators (DPCs).

NOTE: IPv6 Provider Edge (6PE), or MPLS-enabled IPv6, is available for ISPs with MPLS-enabled networks. These networks can now use multiprotocol Border Gateway Protocol (MP-BGP) to provide connectivity between the DS-Lite B4 and AFTR (or any two IPv6 nodes). DS-Lite properly handles encapsulation and decapsulation despite the presence of additional MPLS header information.

For more information on DS-Lite softwires, see the IETF draft Dual Stack Lite Broadband Deployments Following IPv4 Exhaustion.

NOTE: The most recent IETF draft documentation for DS-Lite uses new terminology:

The term softwire initiator has been replaced by B4.
The term softwire concentrator has been replaced by AFTR.

The Junos OS documentation generally uses the original terms when discussing configuration in order to be consistent with the command-line interface (CLI) statements used to configure DS-Lite.

6rd Softwires: IPv6 over IPv4

6rd softwire flow is shown in Figure 5 on page 56.

Figure 5: 6rd Softwire Flow (IPv6 end-user local host, 6rd IPv4 access, IPv6-in-IPv4 tunnel to the 6rd concentrator, IPv6 destination host)

The Junos OS supports a 6rd softwire concentrator on a service DPC or PIC to facilitate rapid deployment of IPv6 service to subscribers on native IPv4 CE WANs. IPv6 packets are encapsulated in IPv4 packets by a softwire initiator at the CE WAN. These packets are tunneled to a softwire concentrator residing on a multiservices DPC (branch relay). A softwire is created when IPv4 packets containing IPv6 destination information are received at the softwire concentrator, which decapsulates IPv6 packets and forwards them for IPv6 routing. All of these functions are performed in a single pass of the Services PIC.

In the reverse path, IPv6 packets are sent to the Services DPC where they are encapsulated in IPv4 packets corresponding to the proper softwire and sent to the CE WAN. The softwire concentrator creates softwires as the IPv4 packets are received from the CE WAN side or IPv6 packets are received from the Internet. A 6rd softwire on the Services DPC is identified by the 3-tuple containing the service set ID, CE softwire initiator IPv4 address, and softwire concentrator IPv4 address. IPv6 flows are also created for the encapsulated IPv6 payload, and are associated with the specific softwire that carried them in the first place. When the last IPv6 flow associated with a softwire ends, the softwire is deleted. This simplifies configuration, and there is no need to create or manage tunnel interfaces. 6rd is supported on Multiservices 100, 400, and 500 PICs on M Series and T Series routers, and on MX Series platforms equipped with Multiservices DPCs. For more information on 6rd softwires, see RFC 5969, IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification.

Related Documentation

See Network Address Translation Overview on page 48.
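The softwire lifecycle described in the Tunneling Services overview and in the 6rd section above (creation on the first tunneled packet, a per-softwire flow count, deletion when the count reaches zero, identification by the service-set/initiator/concentrator 3-tuple, and the reverse path that encapsulates toward the softwire that carried the flow) is modelled by the following Python. It is an added example and not Junos code: the service-set name, IPv4 addresses and IPv6 flow tuples are constructed sample values, and an inner flow is represented by one hashable tuple used for both directions, which is this model's simplification.

```python
"""Softwire concentrator state model (added example, not Junos code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwireKey:
    """The 3-tuple that identifies a softwire on the concentrator."""
    service_set: str
    initiator_v4: str      # CE (softwire initiator) IPv4 address
    concentrator_v4: str   # local softwire concentrator IPv4 address


class SoftwireConcentrator:
    def __init__(self, service_set, local_v4):
        self.service_set = service_set
        self.local_v4 = local_v4
        self.softwires = {}     # SoftwireKey -> set of inner IPv6 flows
        self.flow_index = {}    # inner flow -> SoftwireKey that carried it
        self.stats = {"softwires_created": 0, "softwires_deleted": 0,
                      "flows_created": 0, "packets_decapsulated": 0,
                      "packets_encapsulated": 0}

    def receive_tunneled(self, outer_src, outer_dst, inner_flow):
        """IPv4 packet from the CE carrying an IPv6 payload.  Returns the
        softwire that owns the flow, or None if the packet is not for us."""
        if outer_dst != self.local_v4:
            return None
        key = SoftwireKey(self.service_set, outer_src, self.local_v4)
        flows = self.softwires.get(key)
        if flows is None:                       # first packet: create softwire
            flows = self.softwires[key] = set()
            self.stats["softwires_created"] += 1
        if inner_flow not in flows:
            flows.add(inner_flow)
            self.flow_index[inner_flow] = key
            self.stats["flows_created"] += 1
        self.stats["packets_decapsulated"] += 1
        return key

    def send_to_ce(self, inner_flow):
        """Reverse path: IPv6 packet from the Internet.  Return the outer
        IPv4 (src, dst) for the softwire that carried the flow, or None to
        drop a packet for which no softwire state exists."""
        key = self.flow_index.get(inner_flow)
        if key is None:
            return None
        self.stats["packets_encapsulated"] += 1
        return (key.concentrator_v4, key.initiator_v4)

    def flow_ended(self, inner_flow):
        """Remove a flow; delete the softwire when its last flow is gone."""
        key = self.flow_index.pop(inner_flow, None)
        if key is None:
            return False
        flows = self.softwires[key]
        flows.discard(inner_flow)
        if not flows:
            del self.softwires[key]
            self.stats["softwires_deleted"] += 1
        return True

    def active_softwires(self):
        return len(self.softwires)
```

Note that nothing in the model is tied to an interface: scalability is bounded by the number of flows the concentrator can track, which is the point the overview makes about softwires versus a mesh of GRE tunnels.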

IPsec Overview
The Juniper Networks Junos OS supports IPsec. This section discusses the following topics, which provide background information about configuring IPsec. For a list of the IPsec and IKE standards supported by the Junos OS, see the Junos OS Hierarchy and RFC Reference.

IPsec on page 57
Security Associations on page 57
IKE on page 58
Comparison of IPsec Services and ES Interface Configuration on page 58

IPsec
The IPsec architecture provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec, the Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs). IPsec also defines a security association and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities. IPsec provides secure tunnels between two peers.

Security Associations
To use IPsec security services, you create SAs between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. There are two types of SAs:

Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. Manual SAs statically define the security parameter index (SPI) values, algorithms, and keys to be used, and require matching configurations on both ends of the tunnel. Each peer must have the same configured options for communication to take place.

Dynamic SAs require additional configuration. With dynamic SAs, you configure IKE first and then the SA. IKE creates dynamic security associations; it negotiates SAs for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. This connection is then used to dynamically agree upon keys and other data used by the dynamic IPsec SA. The IKE SA is negotiated first and then used to protect the negotiations that determine the dynamic IPsec SAs.

IKE
IKE is a key management protocol that creates dynamic SAs; it negotiates SAs for IPsec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway. IKE performs the following tasks:

Negotiates and manages IKE and IPsec parameters.
Authenticates secure key exchange.
Provides mutual peer authentication by means of shared secrets (not passwords) and public keys.
Provides identity protection (in main mode).

Two versions of the IKE protocol (IKEv1 and IKEv2) are supported now. IKE negotiates security attributes and establishes shared secrets to form the bidirectional IKE SA. In IKE, inbound and outbound IPsec SAs are established and the IKE SA secures the exchanges. Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. IKE also generates keying material, provides Perfect Forward Secrecy, and exchanges identities.

Comparison of IPsec Services and ES Interface Configuration


Table 4 on page 58 compares the top-level configuration of IPsec features on the ES PIC interfaces and on the AS or MultiServices PIC interfaces.

Table 4: Statement Equivalents for ES and AS Interfaces

Each row pairs an ES PIC configuration statement with its AS and MultiServices PIC IPsec configuration equivalent.

ES PIC: [edit security ipsec] proposal {...}
AS/MultiServices PIC: [edit services ipsec-vpn ipsec] proposal {...}

ES PIC: [edit security ipsec] policy {...}
AS/MultiServices PIC: [edit services ipsec-vpn ipsec] policy {...}

ES PIC: [edit security ipsec] security-association sa-dynamic {...}
AS/MultiServices PIC: [edit services ipsec-vpn rule rule-name] term term-name match-conditions {...} then dynamic {...}

ES PIC: [edit security ipsec] security-association sa-manual {...}
AS/MultiServices PIC: [edit services ipsec-vpn rule rule-name] term term-name match-conditions {...} then manual {...}

ES PIC: [edit security ike] proposal {...}
AS/MultiServices PIC: [edit services ipsec-vpn ike] proposal {...}

ES PIC: [edit security ike] policy {...}
AS/MultiServices PIC: [edit services ipsec-vpn ike] policy {...}

ES PIC: Not available
AS/MultiServices PIC: [edit services ipsec-vpn] rule-set {...}

ES PIC: Not available
AS/MultiServices PIC: [edit services ipsec-vpn] service-set {...}

ES PIC: [edit interfaces es-fpc/pic/port] tunnel source address
AS/MultiServices PIC: [edit services ipsec-vpn service-set set-name ipsec-vpn local-gateway address]

ES PIC: [edit interfaces es-fpc/pic/port] tunnel destination address
AS/MultiServices PIC: [edit services ipsec-vpn rule rule-name] remote-gateway address

For more information about configuring IPsec services on an AS or MultiServices PIC, see IPsec Properties. For more information about configuring encryption services on an ES PIC, see Configuring Encryption Interfaces on page 995.

NOTE: Although many of the same statements and properties are valid on both platforms, the configurations are not interchangeable. You must commit a complete configuration for the PIC type that is installed in your router.

Layer 2 Tunneling Protocol Overview


L2TP is defined in RFC 2661, Layer Two Tunneling Protocol (L2TP). L2TP facilitates the tunneling of PPP packets across an intervening network in a way that is as transparent as possible to both end users and applications. It employs access profiles for group and individual user access, and uses authentication to establish secure connections between the two ends of each tunnel. Multilink PPP functionality is also supported. The L2TP services are supported on the following routers only:

M7i routers with AS PICs
M10i routers with AS and MultiServices 100 PICs
M120 routers with AS, MultiServices 100, and MultiServices 400 PICs

For more information, see L2TP Services Configuration Overview on page 415.

Voice Services Overview


Adaptive services interfaces include a voice services feature that allows you to specify interface type lsq-fpc/pic/port to accommodate voice over IP (VoIP) traffic. This interface uses compressed RTP (CRTP), which is defined in RFC 2508, Compressing IP/UDP/RTP Headers for Low-Speed Serial Links. CRTP enables VoIP traffic to use low-speed links more effectively, by compressing the 40-byte IP/UDP/RTP header down to 2 to 4 bytes in most cases. Voice services on the AS and MultiServices PICs support single-link PPP-encapsulated IPv4 traffic over the following physical interface types: ATM2, DS3, E1, E3, OC3, OC12, STM1, and T1, including the channelized versions of these interfaces. Voice services do not require a separate service rules configuration. Voice services also support LFI on Juniper Networks M Series Multiservice Edge routers, except the M320 router. For more information about configuring voice services, see Configuring Services Interfaces for Voice Services on page 522. For link services IQ interfaces (lsq) only, you can configure CRTP with multiclass MLPPP (MCML). MCML greatly simplifies packet ordering issues that occur when multiple links are used. Without MCML, all voice traffic belonging to a single flow is hashed to a single link in order to avoid packet ordering issues. With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. For more information about MCML support on link services IQ interfaces, see Configuring Link Services and CoS on Services PICs on page 477.

Class of Service Overview


The CoS configuration available for the AS PIC enables you to configure Differentiated Services (DiffServ) code point (DSCP) marking and forwarding-class assignment for packets transiting the AS PIC. You can configure the CoS service alongside the stateful firewall and NAT services, using a similar rule structure. The component structures are described in detail in the Junos OS Class of Service Configuration Guide. Standards for Differentiated Services are described in the following documents:

RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2475, An Architecture for Differentiated Services

NOTE: CoS BA classification is not supported on services interfaces.

For more information about configuring CoS services, see Class-of-Service Properties.


Examples: Services Interfaces Configuration


This section includes the following examples:

Example: Service Interfaces Configuration on page 61
Example: VPN Routing and Forwarding (VRF) and Service Configuration on page 64
Example: Dynamic Source NAT as a Next-Hop Service on page 65
Example: NAT Between VRFs Configuration on page 67
Example: BOOTP and Broadcast Addresses on page 70

Example: Service Interfaces Configuration


The following configuration includes all the items necessary to configure services on an interface. For examples showing individual service configurations, see the chapters that describe each service in detail.
[edit]
interfaces {
    fe-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set Firewall-Set;
                    }
                    output {
                        service-set Firewall-Set;
                    }
                }
                address 10.1.3.2/24;
            }
        }
    }
    fe-0/1/1 {
        unit 0 {
            family inet {
                filter {
                    input Sample;
                }
                address 172.16.1.2/24;
            }
        }
    }
    sp-1/0/0 {
        unit 0 {
            family inet {
                address 172.16.1.3/24;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
            }
        }
        output {
            cflowd 10.1.3.1 {
                port 2055;
                version 5;
            }
            flow-inactive-timeout 15;
            flow-active-timeout 60;
            interface sp-1/0/0 {
                engine-id 1;
                engine-type 136;
                source-address 10.1.3.2;
            }
        }
    }
}
firewall {
    filter Sample {
        term Sample {
            then {
                count Sample;
                sample;
                accept;
            }
        }
    }
}
services {
    stateful-firewall {
        rule Rule1 {
            match-direction input;
            term 1 {
                from {
                    application-sets Applications;
                }
                then {
                    accept;
                }
            }
            term accept {
                then {
                    accept;
                }
            }
        }
        rule Rule2 {
            match-direction output;
            term Local {
                from {
                    source-address {
                        10.1.3.2/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
    ids {
        rule Attacks {
            match-direction output;
            term Match {
                from {
                    application-sets Applications;
                }
                then {
                    logging {
                        syslog;
                    }
                }
            }
        }
    }
    nat {
        pool public {
            address-range low 172.16.2.1 high 172.16.2.32;
            port automatic;
        }
        rule Private-Public {
            match-direction input;
            term Translate {
                then {
                    translated {
                        source-pool public;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
    service-set Firewall-Set {
        stateful-firewall-rules Rule1;
        stateful-firewall-rules Rule2;
        nat-rules Private-Public;
        ids-rules Attacks;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
applications {
    application ICMP {
        application-protocol icmp;
    }
    application FTP {
        application-protocol ftp;
        destination-port ftp;
    }
    application-set Applications {
        application ICMP;
        application FTP;
    }
}

Example: VPN Routing and Forwarding (VRF) and Service Configuration


The following example combines VPN routing and forwarding (VRF) and services configuration:
[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}
[edit routing-instances]
test {
    interface ge-0/2/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.58.255.1:37;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            service {
                input service-set nat-me;
                output service-set nat-me;
            }
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
    unit 21 {
        family inet;
        service-domain outside;
    }
}
[edit services]
stateful-firewall {
    rule allow-any-input {
        match-direction input;
        term t1 {
            then accept;
        }
    }
}
nat {
    pool hide-pool {
        address 10.58.16.100;
        port automatic;
    }
    rule hide-all-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool hide-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
}
service-set nat-me {
    stateful-firewall-rules allow-any-input;
    nat-rules hide-all-input;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

Example: Dynamic Source NAT as a Next-Hop Service


The following example shows dynamic-source NAT applied as a next-hop service:
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family mpls;
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        family inet;
    }
    unit 32 {
        family inet;
    }
}
[edit routing-instances]
protected-domain {
    interface ge-0/2/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.58.255.17:37;
    vrf-import protected-domain-policy;
    vrf-export protected-domain-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop sp-1/3/0.20;
        }
    }
}
[edit policy-options]
policy-statement protected-domain-policy {
    term t1 {
        then reject;
    }
}
[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool my-pool {
        address 10.58.16.100;
        port automatic;
    }
    rule hide-all {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool my-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
}
service-set null-sfw-with-nat {
    stateful-firewall-rules allow-all;
    nat-rules hide-all;
    next-hop-service {
        inside-service-interface sp-1/3/0.20;
        outside-service-interface sp-1/3/0.32;
    }
}

66

Copyright 2011, Juniper Networks, Inc.

Chapter 3: Adaptive Services Overview

Example: NAT Between VRFs Configuration


The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:

A host in vrf-a traverses 10.58.16.201 to reach 10.58.0.2 in vrf-b. A host in vrf-b traverses 10.58.16.101 to reach 10.58.0.2 in vrf-a.
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-a-svc-set;
                output service-set vrf-a-svc-set;
            }
        }
    }
}
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-b-svc-set;
                output service-set vrf-b-svc-set;
            }
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
}
[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}
[edit routing-instances]
vrf-a {
    interface ge-0/2/0.0;
    interface sp-1/3/0.10;
    instance-type vrf;
    route-distinguisher 10.1.1.1:1;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
vrf-b {
    interface ge-0/3/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.2.2.2:2;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input-output;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool vrf-a-src-pool {
        address 10.58.16.100;
        port automatic;
    }
    pool vrf-a-dst-pool {
        address 10.58.0.2;
    }
    rule vrf-a-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-a-src-pool;
                    translation-type napt-44;
                }
            }
        }
    }
    rule vrf-a-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.101;
            }
            then {
                translated {
                    destination-pool vrf-a-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
    pool vrf-b-src-pool {
        address 10.58.16.200;
        port automatic;
    }
    pool vrf-b-dst-pool {
        address 10.58.0.2;
    }
    rule vrf-b-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-b-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
    rule vrf-b-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.201;
            }
            then {
                translated {
                    destination-pool vrf-b-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
}
service-set vrf-a-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-a-input;
    nat-rules vrf-a-output;
    interface-service {
        service-interface sp-1/3/0.10;
    }
}
service-set vrf-b-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

Example: BOOTP and Broadcast Addresses


The following example supports Bootstrap Protocol (BOOTP) and broadcast addresses:
[edit applications]
application bootp {
    application-protocol bootp;
    protocol udp;
    destination-port 67;
}
[edit services]
stateful-firewall {
    rule bootp-allow {
        match-direction input;
        term bootp-allow {
            from {
                destination-address {
                    any-unicast;
                    255.255.255.255;
                }
                application bootp;
            }
            then {
                accept;
            }
        }
    }
}


CHAPTER 4

Applications Configuration Guidelines


You can define application protocols for the stateful firewall and Network Address Translation (NAT) services to use in match condition rules. An application protocol, or application layer gateway (ALG), defines application parameters using information from network Layer 3 and above. Examples of such applications are FTP and H.323. To configure applications that are used with services, include the following statements at the [edit applications] hierarchy level:
[edit applications]
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    learn-sip-register;
    protocol type;
    rpc-program-number number;
    sip-call-hold-timeout seconds;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}
application-set application-set-name {
    application application-name;
}

This chapter includes the following sections:


Configuring Application Protocol Properties on page 72
Configuring Application Sets on page 81
ALG Descriptions on page 81
Verifying the Output of ALG Sessions on page 88
Junos Default Groups on page 94
Examples: Configuring Application Protocols on page 101


Configuring Application Protocol Properties


To configure application properties, include the application statement at the [edit applications] hierarchy level:
[edit applications]
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    protocol type;
    rpc-program-number number;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}

You can group application objects by configuring the application-set statement; for more information, see Configuring Application Sets on page 81. This section includes the following tasks for configuring applications:

Configuring an Application Protocol on page 72
Configuring the Network Protocol on page 74
Configuring the ICMP Code and Type on page 75
Configuring Source and Destination Ports on page 77
Configuring the Inactivity Timeout Period on page 80
Configuring an SNMP Command for Packet Matching on page 80
Configuring an RPC Program Number on page 80
Configuring the TTL Threshold on page 80
Configuring a Universal Unique Identifier on page 81

Configuring an Application Protocol


The application-protocol statement allows you to specify which of the supported application protocols (ALGs) to configure and include in an application set for service processing. To configure application protocols, include the application-protocol statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
application-protocol protocol-name;

Table 5 on page 73 shows the list of supported protocols. For more information about specific protocols, see ALG Descriptions on page 81.


Table 5: Application Protocols Supported by Services Interfaces

Protocol Name | CLI Value | Comments
Bootstrap protocol (BOOTP) | bootp | Supports BOOTP and dynamic host configuration protocol (DHCP). Requires the protocol statement to have the value udp or tcp.
Distributed Computing Environment (DCE) remote procedure call (RPC) | dce-rpc | Requires the protocol statement to have the value udp or tcp. Requires a uuid value. You cannot specify destination-port or source-port values.
DCE RPC portmap | dce-rpc-portmap | Requires the protocol statement to have the value udp or tcp. Requires a destination-port value.
Domain Name System (DNS) | dns | Requires the protocol statement to have the value udp. This application protocol closes the DNS flow as soon as the DNS response is received.
Exec | exec | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
FTP | ftp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
Internet Control Message Protocol (ICMP) | icmp | Requires the protocol statement to have the value icmp or to be unspecified.
IP | ip |
Login | login |
NetBIOS | netbios | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.
NetShow | netshow | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
Real-Time Streaming Protocol (RTSP) | rtsp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
RPC User Datagram Protocol (UDP) or TCP | rpc | Requires the protocol statement to have the value udp or tcp. Requires an rpc-program-number value. You cannot specify destination-port or source-port values.
RPC port mapping | rpc-portmap | Requires the protocol statement to have the value udp or tcp. Requires a destination-port value.
Shell | shell | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
SNMP | snmp | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.
SQLNet | sqlnet | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port or source-port value.
Trace route | traceroute | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.
Trivial FTP (TFTP) | tftp | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

NOTE: You can configure application-level gateways (ALGs) for ICMP and trace route under stateful firewall, NAT, or CoS rules when twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Controller Protocol (PGCP). Twice NAT does not support any other ALGs. NAT is applied only to the IP address and TCP or UDP headers, not to the payload. For more information about configuring twice NAT, see Network Address Translation.

Configuring the Network Protocol


The protocol statement allows you to specify which of the supported network protocols to match in an application definition. To configure network protocols, include the protocol statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
protocol type;

You specify the protocol type as a numeric value; for the more commonly used protocols, text names are also supported in the command-line interface (CLI). Table 6 on page 74 shows the list of the supported protocols.

Table 6: Network Protocols Supported by Services Interfaces

Network Protocol Type | CLI Value | Comments
IP Security (IPsec) authentication header (AH) | ah |
External Gateway Protocol (EGP) | egp |
IPsec Encapsulating Security Payload (ESP) | esp |
Generic routing encapsulation (GRE) | gre |
ICMP | icmp | Requires an application-protocol value of icmp.
Internet Group Management Protocol (IGMP) | igmp |
IP in IP | ipip |
OSPF | ospf |
Protocol Independent Multicast (PIM) | pim |
Resource Reservation Protocol (RSVP) | rsvp |
TCP | tcp | Requires a destination-port or source-port value unless you specify application-protocol rpc or dce-rpc.
UDP | udp | Requires a destination-port or source-port value unless you specify application-protocol rpc or dce-rpc.
Virtual Router Redundancy Protocol (VRRP) | vrrp |

For a complete list of possible numeric values, see RFC 1700, Assigned Numbers (for the Internet Protocol Suite).

NOTE: IP version 6 (IPv6) is not supported as a network protocol in application definitions. By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for twice NAT configurations. For more information about configuring twice NAT, see Network Address Translation.

Configuring the ICMP Code and Type


The ICMP code and type provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ICMP settings, include the icmp-code and icmp-type statements at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
icmp-code value;
icmp-type value;

You can include only one ICMP code and type value. The application-protocol statement must have the value icmp. Table 7 on page 76 shows the list of supported ICMP values.


Table 7: ICMP Codes and Types Supported by Services Interfaces

CLI Statement: icmp-code
Description: This value or keyword provides more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type value, you must specify icmp-type along with icmp-code. For more information, see the Junos OS Routing Policy Configuration Guide. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
    parameter-problem: ip-header-bad (0), required-option-missing (1)
    redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
    time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
    unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

CLI Statement: icmp-type
Description: Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see the Junos OS Routing Policy Configuration Guide. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

NOTE: If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an ICMP error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction. Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.


Configuring Source and Destination Ports


The TCP or UDP source and destination port provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ports, include the destination-port and source-port statements at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
destination-port value;
source-port value;

You must define one source or destination port. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port; for constraints, see Table 5 on page 73. You can specify either a numeric value or one of the text synonyms listed in Table 8 on page 77.

Table 8: Port Names Supported by Services Interfaces

Port Name | Corresponding Port Number
afs | 1483
bgp | 179
biff | 512
bootpc | 68
bootps | 67
cmd | 514
cvspserver | 2401
dhcp | 67
domain | 53
eklogin | 2105
ekshell | 2106
exec | 512
finger | 79
ftp | 21
ftp-data | 20
http | 80
https | 443
ident | 113
imap | 143
kerberos-sec | 88
klogin | 543
kpasswd | 761
krb-prop | 754
krbupdate | 760
kshell | 544
ldap | 389
login | 513
mobileip-agent | 434
mobilip-mn | 435
msdp | 639
netbios-dgm | 138
netbios-ns | 137
netbios-ssn | 139
nfsd | 2049
nntp | 119
ntalk | 518
ntp | 123
pop3 | 110
pptp | 1723
printer | 515
radacct | 1813
radius | 1812
rip | 520
rkinit | 2108
smtp | 25
snmp | 161
snmptrap | 162
snpp | 444
socks | 1080
ssh | 22
sunrpc | 111
syslog | 514
tacacs-ds | 65
talk | 517
telnet | 23
tftp | 69
timed | 525
who | 513
xdmcp | 177
zephyr-clt | 2103
zephyr-hm | 2104

For more information about matching criteria, see the Junos OS Routing Policy Configuration Guide.


Configuring the Inactivity Timeout Period


You can specify a timeout period for application inactivity. If the software has not detected any activity during the duration, the flow becomes invalid when the timer expires. To configure a timeout period, include the inactivity-timeout statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
inactivity-timeout seconds;

The default value is 30 seconds. The value you configure for an application overrides any global value configured at the [edit interfaces interface-name service-options] hierarchy level; for more information, see Configuring Default Timeout Settings for Services Interfaces on page 614.

Configuring an SNMP Command for Packet Matching


You can specify an SNMP command setting for packet matching. To configure SNMP, include the snmp-command statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
snmp-command value;

The supported values are get, get-next, set, and trap. You can configure only one value for matching. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value snmp. For information about specifying the application protocol, see Configuring an Application Protocol on page 72.

Configuring an RPC Program Number


You can specify an RPC program number for packet matching. To configure an RPC program number, include the rpc-program-number statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
rpc-program-number number;

The range of values used for DCE or RPC is from 100,000 through 400,000. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value rpc. For information about specifying the application protocol, see Configuring an Application Protocol on page 72.

Configuring the TTL Threshold


You can specify a trace route time-to-live (TTL) threshold value, which controls the acceptable level of network penetration for trace routing. To configure a TTL value, include the ttl-threshold statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
ttl-threshold value;


The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value traceroute. For information about specifying the application protocol, see Configuring an Application Protocol on page 72.

Configuring a Universal Unique Identifier


You can specify a Universal Unique Identifier (UUID) for DCE RPC objects. To configure a UUID value, include the uuid statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
uuid hex-value;

The uuid value is in hexadecimal notation. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value dce-rpc. For information about specifying the application protocol, see Configuring an Application Protocol on page 72. For more information on UUID numbers, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.
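The statement constraints spread across Table 5, Table 6 and the sections above (which ALGs need a destination-port, which forbid ports, which statements require a particular application-protocol, the rpc-program-number range, the snmp-command keywords) are easy to get wrong when an application is typed by hand. The following validator is an added example and not Juniper code: it parses one application block in the CLI syntax shown in this chapter and reports every violation of those constraints. The minimal parser, the rule tables and the message wording are assumptions made for the illustration; the constraint values themselves are the ones stated on the page.

```python
"""Validate a Junos-style application definition against the constraints given
in this chapter (Table 5, Table 6 and the per-statement sections).
Added example, not Juniper code; the parser and rule tables are assumptions."""
import re

KNOWN_ALGS = {"bootp", "dce-rpc", "dce-rpc-portmap", "dns", "exec", "ftp", "icmp",
              "ip", "login", "netbios", "netshow", "rtsp", "rpc", "rpc-portmap",
              "shell", "snmp", "sqlnet", "traceroute", "tftp"}
# Table 5: allowed values of the protocol statement (None = may be unspecified);
# ip and login carry no constraint on the page, so they are not listed here.
ALG_PROTOCOLS = {
    "bootp": {"udp", "tcp"}, "dce-rpc": {"udp", "tcp"},
    "dce-rpc-portmap": {"udp", "tcp"}, "dns": {"udp"},
    "exec": {"tcp", None}, "ftp": {"tcp", None}, "icmp": {"icmp", None},
    "netbios": {"udp", None}, "netshow": {"tcp", None}, "rtsp": {"tcp", None},
    "rpc": {"udp", "tcp"}, "rpc-portmap": {"udp", "tcp"}, "shell": {"tcp", None},
    "snmp": {"udp", None}, "sqlnet": {"tcp", None}, "traceroute": {"udp", None},
    "tftp": {"udp", None},
}
NEEDS_DEST_PORT = {"dce-rpc-portmap", "exec", "ftp", "netbios", "netshow", "rtsp",
                   "rpc-portmap", "shell", "snmp", "traceroute", "tftp"}
NO_PORTS = {"dce-rpc", "rpc"}      # identified by uuid / rpc-program-number instead
# Table 6 network protocol names (a numeric value is also accepted).
NETWORK_PROTOCOLS = {"ah", "egp", "esp", "gre", "icmp", "igmp", "ipip", "ospf",
                     "pim", "rsvp", "tcp", "udp", "vrrp"}
# Statements that are valid only with a particular application-protocol.
REQUIRES_ALG = {"icmp-code": "icmp", "icmp-type": "icmp", "snmp-command": "snmp",
                "rpc-program-number": "rpc", "ttl-threshold": "traceroute",
                "uuid": "dce-rpc"}
SNMP_COMMANDS = {"get", "get-next", "set", "trap"}
PORT_STMTS = {"destination-port", "source-port"}


def parse_application(text):
    """Parse one 'application NAME { stmt value; ... }' block into (name, dict)."""
    m = re.search(r"application\s+(\S+)\s*\{(.*)\}", text, re.S)
    if not m:
        raise ValueError("not an application block")
    stmts = {}
    for stmt in m.group(2).split(";"):
        stmt = stmt.strip()
        if stmt:
            key, _, value = stmt.partition(" ")
            stmts[key] = value.strip() or None     # flag statements have no value
    return m.group(1), stmts


def validate(text):
    """Return (name, list of constraint violations); an empty list means valid."""
    name, s = parse_application(text)
    alg, proto = s.get("application-protocol"), s.get("protocol")
    ports = PORT_STMTS & s.keys()
    errors = []
    if alg is not None and alg not in KNOWN_ALGS:
        errors.append(f"unknown application-protocol {alg}")
    if proto is not None and proto not in NETWORK_PROTOCOLS and not proto.isdigit():
        errors.append(f"unknown protocol {proto}")
    if alg in ALG_PROTOCOLS and proto not in ALG_PROTOCOLS[alg]:
        errors.append(f"{alg} does not allow protocol {proto}")
    if alg in NEEDS_DEST_PORT and "destination-port" not in s:
        errors.append(f"{alg} requires destination-port")
    if alg == "sqlnet" and not ports:
        errors.append("sqlnet requires destination-port or source-port")
    if alg in NO_PORTS and ports:
        errors.append(f"{alg} does not allow destination-port or source-port")
    if proto in ("tcp", "udp") and not ports and alg not in NO_PORTS:
        errors.append(f"protocol {proto} requires destination-port or source-port")
    if proto == "icmp" and alg != "icmp":
        errors.append("protocol icmp requires application-protocol icmp")
    if alg == "dce-rpc" and "uuid" not in s:
        errors.append("dce-rpc requires uuid")
    if alg == "rpc" and "rpc-program-number" not in s:
        errors.append("rpc requires rpc-program-number")
    for stmt, needed in REQUIRES_ALG.items():
        if stmt in s and alg != needed:
            errors.append(f"{stmt} requires application-protocol {needed}")
    if "icmp-code" in s and "icmp-type" not in s:
        errors.append("icmp-code requires icmp-type")
    if "rpc-program-number" in s and not 100000 <= int(s["rpc-program-number"]) <= 400000:
        errors.append("rpc-program-number must be 100000 through 400000")
    if "snmp-command" in s and s["snmp-command"] not in SNMP_COMMANDS:
        errors.append("snmp-command must be get, get-next, set or trap")
    return name, errors


if __name__ == "__main__":
    # The FTP application from the examples in this chapter, then two broken ones.
    for block in ("application FTP { application-protocol ftp; destination-port ftp; }",
                  "application bad-dce { application-protocol dce-rpc; protocol tcp; destination-port 135; }",
                  "application ping { application-protocol icmp; icmp-code 0; }"):
        print(validate(block))
```

Run it against an application block copied out of a candidate configuration before committing; each returned string names the Table 5 or Table 6 rule that the block breaks.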

Configuring Application Sets


You can group the applications you have defined into a named object by including the application-set statement at the [edit applications] hierarchy level with an application statement for each application:
[edit applications]
application-set application-set-name {
    application application;
}

For an example of a typical application set, see Examples: Configuring Application Protocols on page 101.

ALG Descriptions
This section includes details about the ALGs. It includes the following:

Basic TCP ALG on page 82
Basic UDP ALG on page 82
BOOTP on page 83
DCE RPC Services on page 83
ONC RPC Services on page 83
FTP on page 83
ICMP on page 84
NetShow on page 84
RPC and RPC Portmap Services on page 84
RTSP on page 86
SMB on page 86
SNMP on page 86
SQLNet on page 87
TFTP on page 87
Traceroute on page 87
UNIX Remote-Shell Services on page 87

Basic TCP ALG


This ALG performs basic sanity checking on TCP packets. If it finds errors, it generates the following anomaly events and system log messages:

TCP source or destination port zero
TCP header length check failed
TCP sequence number zero and no flags are set
TCP sequence number zero and FIN/PSH/RST flags are set
TCP FIN/RST or SYN(URG|FIN|RST) flags set

The TCP ALG performs the following steps:

1. When the router receives a SYN packet, the ALG creates TCP forward and reverse flows and groups them in a conversation. It tracks the TCP three-way handshake.
2. The SYN-defense mechanism tracks the TCP connection establishment state. It expects the TCP session to be established within a small time interval (currently 4 seconds). If the TCP three-way handshake is not established in that period, the session is terminated.
3. A keepalive mechanism detects TCP sessions with nonresponsive endpoints.
4. ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.
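To make the anomaly list and the SYN-defense step concrete, the following Python is an added illustration, not Junos code: it decodes a raw TCP header, returns the anomaly events named above for a segment, and keeps a per-conversation handshake state that expires half-open sessions after the 4-second window. The segment builder, the conversation key and the result strings are assumptions made for the demo.

```python
"""Basic TCP ALG checks as described above: the header sanity checks that raise
the listed anomaly events, and a SYN-defense timer that terminates sessions
whose three-way handshake does not complete within 4 seconds.
Added illustration, not Junos code; the segment builder, the conversation key
and the return strings are assumptions made for the demo."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYN_DEFENSE_SECONDS = 4


def tcp_anomalies(segment):
    """Return the anomaly events raised for one TCP segment (header + payload)."""
    if len(segment) < 20:
        return ["TCP header length check failed"]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    hdr_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    flags = off_flags & 0x3F
    events = []
    if sport == 0 or dport == 0:
        events.append("TCP source or destination port zero")
    if hdr_len < 20 or hdr_len > len(segment):
        events.append("TCP header length check failed")
    if seq == 0 and flags == 0:
        events.append("TCP sequence number zero and no flags are set")
    if seq == 0 and flags & (FIN | PSH | RST):
        events.append("TCP sequence number zero and FIN/PSH/RST flags are set")
    if (flags & FIN and flags & RST) or (flags & SYN and flags & (URG | FIN | RST)):
        events.append("TCP FIN/RST or SYN(URG|FIN|RST) flags set")
    return events


def build_segment(sport, dport, seq, ack, flags, payload=b"", data_offset=5):
    """Constructed TCP header (checksum left zero) for feeding the checks."""
    off_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload


class SynDefense:
    """Track handshake state per conversation and expire half-open sessions."""

    def __init__(self):
        self.pending = {}          # key -> time the initial SYN was seen
        self.established = set()

    def observe(self, key, flags, now):
        """key identifies the conversation; both directions use the same key."""
        for k, t0 in list(self.pending.items()):
            if now - t0 > SYN_DEFENSE_SECONDS:
                del self.pending[k]             # handshake never completed: terminated
        if flags & SYN and not flags & ACK:
            self.pending[key] = now
            return "syn-seen"
        if flags & SYN and flags & ACK:
            return "syn-ack-seen" if key in self.pending else "dropped"
        if key in self.pending and flags & ACK:
            del self.pending[key]
            self.established.add(key)
            return "established"
        return "allowed" if key in self.established else "dropped"


if __name__ == "__main__":
    print(tcp_anomalies(build_segment(0, 80, 0, 0, SYN | FIN)))
    d = SynDefense()
    k = ("10.58.0.5", 40000, "192.0.2.1", 80)
    print(d.observe(k, SYN, 0.0), d.observe(k, SYN | ACK, 0.2), d.observe(k, ACK, 0.4))
```

The anomaly strings are the ones the section lists, so they can be matched directly against system log output when comparing a packet capture with what the ALG reported.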

Basic UDP ALG


This ALG performs basic sanity checking on UDP headers. If it finds errors, it generates the following anomaly events and system log messages:

UDP source or destination port 0
UDP header length check failed

The UDP ALG performs the following steps:

1. When it receives the first packet, the ALG creates bidirectional flows to accept forward and reverse UDP session traffic.
2. If the session is idle for more than the maximum allowed idle time (the default is 30 seconds), the flows are deleted.
3. ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.


BOOTP
The Bootstrap Protocol client retrieves its networking information from a server across the network. It sends out a general broadcast message to request the information, which is returned by the Bootstrap Protocol server. For the protocol specification, see ftp://ftp.isi.edu/in-notes/rfc951.txt. Stateful firewall support requires that you configure the BOOTP ALG on UDP server port 67 and client port 68. If the client sends a broadcast message, you should configure the broadcast address in the from statement of the service rule. NAT is not performed on the BOOTP traffic, even if the NAT rule matches the traffic. If the BOOTP relay feature is activated on the router, the remote BOOTP server is assumed to assign addresses for clients masked by NAT translation.

DCE RPC Services


DCE RPC services are mainly used by Microsoft applications. The ALG uses well-known TCP port 135 for port mapping services and uses the Universal Unique Identifier (UUID) instead of the program number to identify protocols. The main application-based DCE RPC is the Microsoft Exchange Protocol. Support for stateful firewall and NAT services requires that you configure the DCE RPC portmap ALG on TCP port 135. The DCE RPC ALG uses the TCP protocol with application-specific UUIDs.

ONC RPC Services


ONC RPC services function similarly to DCE RPC services. However, the ONC RPC ALG uses TCP/UDP port 111 for port mapping services and uses the program number to identify protocols rather than the UUID. Support for stateful firewall and NAT services requires that you configure the ONC RPC portmap ALG on TCP port 111. The ONC RPC ALG uses the TCP protocol with application-specific program numbers.

FTP
FTP is the File Transfer Protocol, specified in RFC 959. In addition to the main control connection, data connections are also made for any data transfer between the client and the server, and the host, port, and direction are negotiated through the control channel. For non-passive-mode FTP, the Junos stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects.

There is an additional complication: FTP represents these addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number might be changed, and thereafter the NAT service needs to maintain this delta in SEQ and ACK numbers by performing sequence NAT on all subsequent packets.

Support for stateful firewall and NAT services requires that you configure the FTP ALG on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:

Automatically allocates data ports and firewall permissions for dynamic data connection
Creates flows for the dynamically negotiated data connection
Monitors the control connection in both active and passive modes
Rewrites the control packets with the appropriate NAT address and port information
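The PORT rewrite and the sequence-NAT delta it forces are easier to see in code. The following Python is an added example and not Junos code: it scans the control channel for PORT and for the 227 reply to PASV, rewrites the ASCII address and port using a source NAT mapping, records the data-connection pinhole, and applies the accumulated length delta to the client's later sequence numbers and to the server's acknowledgments. The NAT mapping, the direction labels and the two-method interface are assumptions made for the demo; only the active-mode PORT line is rewritten here, since with source NAT the 227 reply carries the server's own address and needs no change.

```python
"""FTP ALG behaviour described above: scan the control channel for the PORT
command and the 227 reply to PASV, rewrite the ASCII address and port for NAT,
record the data-connection pinhole, and carry the resulting SEQ/ACK delta onto
later segments (sequence NAT). Added example, not Junos code; the NAT mapping
and the direction labels are assumptions made for the demo."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_227_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(parts):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2) as RFC 959 encodes them."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in parts)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(addr, port):
    """Inverse of decode_hostport, producing the comma-separated ASCII form."""
    return ",".join(addr.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    def __init__(self, nat_map):
        self.nat_map = nat_map    # constructed: private (addr, port) -> public (addr, port)
        self.pinholes = []        # data connections the ALG permits
        self.seq_delta = 0        # bytes added to the client->server stream by rewrites

    def client_to_server(self, seq, line):
        """Forward one control-channel line; returns (adjusted seq, line to send)."""
        new_line = line
        m = PORT_RE.match(line)
        if m:
            private = decode_hostport(m.groups())
            public = self.nat_map[private]
            self.pinholes.append(("server->client", public))   # active-mode data connection
            new_line = f"PORT {encode_hostport(*public)}\r\n"
        adjusted_seq = seq + self.seq_delta      # delta from rewrites of earlier segments
        self.seq_delta += len(new_line) - len(line)
        return adjusted_seq, new_line

    def server_to_client(self, ack, line):
        """Forward a server reply; its ACK is mapped back to the client's numbering."""
        m = PASV_227_RE.match(line)
        if m:
            self.pinholes.append(("client->server", decode_hostport(m.groups())))  # passive mode
        return ack - self.seq_delta, line


if __name__ == "__main__":
    alg = FtpAlg({("10.58.16.5", 1025): ("10.58.16.100", 51200)})
    print(alg.client_to_server(1000, "PORT 10,58,16,5,4,1\r\n"))
    print(alg.client_to_server(1021, "LIST\r\n"), alg.server_to_client(1027, "150 OK\r\n"))
    print(alg.pinholes)
```

The rewritten PORT line is four bytes longer than the original, so every later client segment is forwarded with its sequence number raised by four and every server acknowledgment lowered by four; without that adjustment the client would see acknowledgments for bytes it never sent.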

ICMP
The Internet Control Message Protocol (ICMP) is defined in RFC 792. The Junos stateful firewall service allows ICMP messages to be filtered by specific type or specific type code value. ICMP error packets that lack a specifically configured type and code are matched against any existing flow in the opposite direction to check for the legitimacy of the error packet. ICMP error packets that pass the filter matching are subject to NAT translation. The ICMP ALG always tracks ping traffic statefully using the ICMP sequence number. Each echo reply is forwarded only if there is an echo request with the corresponding sequence number. For any ping flow, only 20 echo requests can be forwarded without receiving an echo reply. When you configure dynamic NAT, the PING packet identifier is translated to allow additional hosts in the NAT pool to use the same identifier. Support for stateful firewall and NAT services requires that you configure the ICMP ALG if the protocol is needed. You can configure the ICMP type and code for additional filtering.
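The stateful ping handling described here (reply only against an outstanding request with the same sequence number, at most 20 unanswered requests per flow, identifier translation under dynamic NAT) is shown below as an added Python illustration; it is not Junos code. The identifier allocation scheme, the flow key and the tuple returned for a forwarded packet are assumptions made for the demo.

```python
"""Stateful ping tracking as described for the ICMP ALG: an echo reply is
forwarded only if an echo request with the same sequence number is outstanding,
at most 20 requests per flow may be unanswered, and under dynamic NAT the
identifier is translated so several inside hosts can share one pool address.
Added illustration, not Junos code; the id allocation scheme is an assumption."""
MAX_OUTSTANDING = 20


class IcmpAlg:
    def __init__(self, pool_address):
        self.pool_address = pool_address
        self.outstanding = {}   # (inside_src, dst, inside_id) -> set of unanswered seqs
        self.id_map = {}        # (inside_src, inside_id) -> translated identifier
        self.rev_map = {}       # translated identifier -> (inside_src, inside_id)
        self.next_id = 1

    def _translate_id(self, src, ident):
        """Allocate a pool-wide unique identifier for this host's ping stream."""
        key = (src, ident)
        if key not in self.id_map:
            self.id_map[key] = self.next_id
            self.rev_map[self.next_id] = key
            self.next_id += 1
        return self.id_map[key]

    def echo_request(self, src, dst, ident, seq):
        """Inside -> outside. Returns the translated (src, dst, id, seq) or None if dropped."""
        flow = (src, dst, ident)
        pending = self.outstanding.setdefault(flow, set())
        if len(pending) >= MAX_OUTSTANDING:
            return None   # dropped: 20 requests already unanswered on this flow
        pending.add(seq)
        return (self.pool_address, dst, self._translate_id(src, ident), seq)

    def echo_reply(self, src, dst, ident, seq):
        """Outside -> inside, addressed to the pool address with the translated id."""
        if dst != self.pool_address or ident not in self.rev_map:
            return None
        inside_src, inside_id = self.rev_map[ident]
        pending = self.outstanding.get((inside_src, src, inside_id), set())
        if seq not in pending:
            return None   # no matching request (unsolicited or replayed): dropped
        pending.discard(seq)
        return (src, inside_src, inside_id, seq)


if __name__ == "__main__":
    alg = IcmpAlg("10.58.16.100")
    print(alg.echo_request("10.58.0.5", "192.0.2.1", 777, 1))
    print(alg.echo_request("10.58.0.6", "192.0.2.1", 777, 1))   # same id, new translation
    print(alg.echo_reply("192.0.2.1", "10.58.16.100", 2, 1))    # returns to 10.58.0.6
    print(alg.echo_reply("192.0.2.1", "10.58.16.100", 2, 1))    # replay: None
```

Two inside hosts that both use identifier 777 get distinct translated identifiers, which is what lets the reply be routed back to the right host behind a single pool address.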

NetShow
The Microsoft protocol ms-streaming is used by NetShow, the Microsoft media server. This protocol supports several transport protocols: TCP, UDP, and HTTP. The client starts a TCP connection on port 1755 and sends the PORT command to the server. The server then starts UDP on that port to the client. Support for stateful firewall and NAT services requires that you configure the NetShow ALG on UDP port 1755.

RPC and RPC Portmap Services


The Remote Procedure Call (RPC) ALG uses well-known ports TCP 111 and UDP 111 for port mapping, which dynamically assigns and opens ports for RPC services. The RPC Portmap ALG keeps track of port requests and dynamically opens the firewall for these requested ports. The RPC ALG can further restrict the RPC protocol by specifying allowed program numbers. The ALG includes the RPC services listed in Table 9 on page 85:


Table 9: Supported RPC Services

Name | Description | Comments
rpc-mountd | Network File Server (NFS) mount daemon; for details, see the UNIX man page for rpc.mountd(8). | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nfsprog | Used as part of NFS. For details, see RFC 1094. See also RFC 1813 for NFS v3. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nisplus | Network Information Service Plus (NIS+), designed to replace NIS; it is a default naming service for Sun Solaris and is not related to the old NIS. No protocol information is available. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nlockmgr | Network lock manager. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-nlockmgr service can be allowed or blocked based on RPC program 100021.
rpc-pcnfsd | |
rpc-rstat | Kernel statistics server. For details, see the UNIX man pages for rstatd and rpc.rstatd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-rstat service can be allowed or blocked based on RPC program 150001.
rpc-rwall | Used to write a message to users; for details, see the UNIX man page for rpc.rwalld. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-rwall service can be allowed or blocked based on RPC program 150008.
rpc-ypbind | NIS binding process. For details, see the UNIX man page for ypbind. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypbind service can be allowed or blocked based on RPC program 100007.
rpc-yppasswd | NIS password server. For details, see the UNIX man page for yppasswd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-yppasswd service can be allowed or blocked based on RPC program 100009.
rpc-ypserv | NIS server. For details, see the UNIX man page for ypserv. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypserv service can be allowed or blocked based on RPC program 100004.
rpc-ypupdated | Network updating tool. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypupdated service can be allowed or blocked based on RPC program 100028.
rpc-ypxfrd | NIS map transfer server. For details, see the UNIX man page for rpc.ypxfrd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypxfrd service can be allowed or blocked based on RPC program 100069.


Support for stateful firewall and NAT services that use port mapping requires that you configure the RPC portmap ALG on TCP/UDP destination port 111 and the RPC ALG for both TCP and UDP. You can specify one or more rpc-program-number values to further restrict allowed RPC protocols.

RTSP
The Real-Time Streaming Protocol (RTSP) controls the delivery of data with real-time properties such as audio and video. The streams controlled by RTSP may use RTP, but it is not required. Media may be transmitted on the same RTSP control stream. This is an HTTP-like text-based protocol, but client and server maintain session information. A session is established using the SETUP message and terminated using the TEARDOWN message. The transport (the media protocol, address, and port numbers) is negotiated in the setup and the setup-response. Support for stateful firewall and NAT services requires that you configure the RTSP ALG for TCP port 554. The ALG monitors the control connection, opens flows dynamically for media (RTP/RTSP) streams, and performs NAT address and port rewrites.

SMB
Server message block (SMB) is a popular PC protocol that allows sharing of files, disks, directories, printers, and in some cases, COM ports across a network. SMB is a client/server, request-response-based protocol. Though there are some exceptions to this, most of the communication takes place using the request reply paradigm. Servers make file systems and resources available to clients on the network. Clients can send commands (smbs) to the server that allow them to access these shared resources. SMB can run over multiple protocols, including TCP/IP, NetBEUI, and IPX/SPX. In almost all cases, the NetBIOS interface is used. Microsoft is trying to rename SMB-based networking to Windows Networking and the protocol to CIFS. The SMB protocol is undocumented, although there is a public CIFS group. For more information, refer to the following link on CIFS: ftp://ftp.microsoft.com/developr/drg/CIFS/. The SMB name service uses well-known UDP and TCP port 137, without requiring a special ALG. For NetBIOS data tunneled through UDP port 138 or TCP port 139, you must configure the NetBIOS ALG. Support for stateful firewall and NAT services requires that you configure the NetBIOS ALG on UDP port 138 and TCP port 139. For SMB name services, both TCP and UDP port 137 must be opened, without a special ALG.

SNMP
SNMP is a communication protocol for managing TCP/IP networks, including both individual network devices and aggregated devices. The protocol is defined by RFC 1157. SNMP runs on top of UDP. The Junos stateful firewall service implements the SNMP ALG to inspect the SNMP type. SNMP does not enforce stateful flow. Each SNMP type needs to be specifically enabled. Full SNMP support of stateful firewall services requires that you configure the SNMP ALG on UDP port 161. This enables the SNMP get and get-next commands, as well as their response traffic in the reverse direction: UDP port 161 enables the SNMP get-response command. If SNMP traps are permitted, you can configure them on UDP port 162, enabling the SNMP trap command.

SQLNet
The SQLNet protocol is used by Oracle SQL servers to execute SQL commands from clients, including load balancing and application-specific services. Support of stateful firewall and NAT services requires that you configure the SQLNet ALG for TCP port 1521. The ALG monitors the control packets, opens flows dynamically for data traffic, and performs NAT address and port rewrites.

TFTP
The Trivial File Transfer Protocol (TFTP) is specified in RFC 1350. The initial TFTP requests are sent to UDP destination port 69. Additional flows can be created to get or put individual files. Support of stateful firewall and NAT services requires that you configure the TFTP ALG for UDP destination port 69.

Traceroute
Traceroute is a tool for displaying the route that packets take to a network host. It uses the IP TTL field to trigger ICMP time-exceeded messages from routers or gateways. It sends UDP datagrams to destination ports that are believed to be not in use; destination ports are numbered using the formula base + nhops - 1. The default base port is 33434. To support traceroute through the firewall, two types of traffic must be passed through:

1. UDP probe packets (UDP destination port > 33000, IP TTL < 30)

2. ICMP response packets (ICMP type time-exceeded)

When NAT is applied, the IP address and port within the ICMP error packet also need to be changed. Support of stateful firewall and NAT services requires you to configure the Traceroute ALG for UDP destination port 33434 to 33450. In addition, you can configure the TTL threshold to prevent UDP flood attacks with large TTL values.
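The following Python is an added example, not part of the Juniper guide, of the two points made above: the probe-port formula and the rewrite of the address and port quoted inside the ICMP time-exceeded error when source NAT is in use. The client, translated and destination addresses (10.0.0.5, 198.51.100.1, 203.0.113.9, 192.0.2.x) are constructed; the port range and TTL threshold are the defaults stated in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_BASE_PORT = 33434   # default base port from the text
ICMP_TIME_EXCEEDED = 11     # ICMP type carried by the responses traceroute relies on


def probe_port(nhops: int, base: int = DEFAULT_BASE_PORT) -> int:
    """Destination port of the probe sent with TTL = nhops: base + nhops - 1."""
    if nhops < 1:
        raise ValueError("hop count starts at 1")
    return base + nhops - 1


def is_traceroute_probe(protocol: str, dport: int, ttl: int,
                        port_range: Tuple[int, int] = (33434, 33450),
                        ttl_threshold: int = 30) -> bool:
    """First traffic type the ALG passes: a UDP probe to a port in the configured
    destination-port range whose TTL does not exceed the ttl-threshold (the
    threshold is what refuses floods of probes carrying large TTLs)."""
    lo, hi = port_range
    return protocol == "udp" and lo <= dport <= hi and ttl <= ttl_threshold


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass(frozen=True)
class IcmpError:
    """Time-exceeded message as it reaches the firewall: outer header plus the
    quoted header of the probe that triggered it."""
    outer_src: str       # router that generated the error
    outer_dst: str       # host the error is addressed to
    icmp_type: int
    inner_src: Endpoint  # quoted probe source, as the router saw it (post-NAT)
    inner_dst: Endpoint  # quoted probe destination


class SourceNat:
    """Minimal source-NAT binding table keyed by translated endpoint."""

    def __init__(self) -> None:
        self._by_translated: Dict[Endpoint, Endpoint] = {}

    def bind(self, original: Endpoint, translated: Endpoint) -> None:
        self._by_translated[translated] = original

    def untranslate_icmp_error(self, err: IcmpError) -> Optional[IcmpError]:
        """Second traffic type: the ICMP response. The outer destination and the
        quoted inner source are both mapped back to the client, otherwise the
        client cannot match the reply to its probe. Returns None for an error
        that belongs to no known probe, which should not be forwarded."""
        if err.icmp_type != ICMP_TIME_EXCEEDED:
            return None
        original = self._by_translated.get(err.inner_src)
        if original is None or err.outer_dst != err.inner_src.addr:
            return None
        return IcmpError(err.outer_src, original.addr, err.icmp_type, original, err.inner_dst)


def simulate(hops: int) -> List[Optional[IcmpError]]:
    """Constructed walk: client 10.0.0.5 probes 203.0.113.9 through a firewall that
    translates it to 198.51.100.1; the router at each hop, 192.0.2.<hop>, replies."""
    nat = SourceNat()
    rewritten: List[Optional[IcmpError]] = []
    for hop in range(1, hops + 1):
        probe_src = Endpoint("10.0.0.5", 40000 + hop)
        probe_dst = Endpoint("203.0.113.9", probe_port(hop))
        translated = Endpoint("198.51.100.1", 52000 + hop)
        if not is_traceroute_probe("udp", probe_dst.port, ttl=hop):
            raise RuntimeError("probe would not match the Traceroute ALG")
        nat.bind(probe_src, translated)
        err = IcmpError(f"192.0.2.{hop}", translated.addr, ICMP_TIME_EXCEEDED, translated, probe_dst)
        rewritten.append(nat.untranslate_icmp_error(err))
    return rewritten
```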

UNIX Remote-Shell Services


Three protocols form the basis for UNIX remote-shell services:

- Exec: Remote command execution; enables a user on the client system to execute a command on the remote system. The first command from client (rcmd) to server (rshd) uses well-known TCP port 512. A second TCP connection can be opened at the request of rcmd. The client port number for the second connection is sent to the server as an ASCII string.

- Login: Better known as rlogin; uses well-known TCP port 513. For details, see RFC 1282. No special firewall processing is required.

- Shell: Remote command execution; enables a user on the client system to execute a command on the remote system. The first command from client (rcmd) to server (rshd) uses well-known TCP port 514. A second TCP connection can be opened at the request of rcmd. The client port number for the second connection is sent to the server as an ASCII string.

Support of stateful firewall services requires that you configure the Exec ALG on TCP port 512, the Login ALG on TCP port 513, and the Shell ALG on TCP port 514. NAT remote-shell services require that any dynamic source port assigned be within the port range 512 to 1023. If you configure a NAT pool, this port range is reserved exclusively for remote shell applications.

Verifying the Output of ALG Sessions


This section contains examples of successful output from ALG sessions and information on system log configuration. You can compare the results of your sessions to check whether the configurations are functioning correctly.

- FTP Example on page 88
- RTSP ALG Example on page 91
- System Log Messages on page 93

FTP Example
This example analyzes the output during an active FTP session. It consists of four different flows; two are control flows and two are data flows. The example consists of the following parts:

- Sample Output on page 88
- FTP System Log Messages on page 89
- Analysis on page 90
- Troubleshooting Questions on page 90

Sample Output
The following is a complete sample output from the show services stateful-firewall conversations application-protocol ftp operational mode command:
user@host> show services stateful-firewall conversations application-protocol ftp
Interface: ms-1/3/0, Service set: CLBJI1-AAF001
Conversation: ALG protocol: ftp
Number of initiators: 2, Number of responders: 2
Flow                                     State    Dir  Frm count
TCP   1.1.79.2:14083 -> 2.2.2.2:21       Watch    I    13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118
TCP   1.1.79.2:14104 -> 2.2.2.2:20       Forward  I    3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP   2.2.2.2:21 -> 194.250.1.237:50118  Watch    O    12
  NAT dest 194.250.1.237:50118 -> 1.1.79.2:14083
TCP   2.2.2.2:20 -> 194.250.1.237:50119  Forward  O    5
  NAT dest 194.250.1.237:50119 -> 1.1.79.2:14104

For each flow, the first line shows flow information, including protocol (TCP), source address, source port, destination address, destination port, flow state, direction, and frame count.

The state of a flow can be Watch, Forward, or Drop:

- A Watch flow state indicates that the control flow is monitored by the ALG for information in the payload. NAT processing is performed on the header and payload as needed.
- A Forward flow forwards the packets without monitoring the payload. NAT is performed on the header as needed.
- A Drop flow drops any packet that matches the 5-tuple.

The frame count (Frm count) shows the number of packets that were processed on that flow.

The second line shows the NAT information:

- source indicates source NAT.
- dest indicates destination NAT.

The first address and port in the NAT line are the original address and port being translated for that flow. The second address and port in the NAT line are the translated address and port for that flow.

FTP System Log Messages


System log messages are generated during an FTP session. For more information about system logs, see System Log Messages on page 93. The following system log messages are generated during creation of the FTP control flow:

Rule Accept system log:


Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, Match SFW accept rule-set:, rule: ftp, term: 1

Create Accept Flow system log:


Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, creating forward or watch flow

System log for data flow creation:


Oct 27 11:43:30 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.2:50726, Creating FTP active mode forward flow


Analysis
Control Flows

The control flows are established after the three-way handshake is complete.

Control flow from FTP client to FTP server. TCP destination port is 21.

TCP   1.1.79.2:14083 -> 2.2.2.2:21       Watch    I    13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118

Control flow from FTP server to FTP client. TCP source port is 21.

TCP   2.2.2.2:21 -> 194.250.1.237:50118  Watch    O    12
  NAT dest 194.250.1.237:50118 -> 1.1.79.2:14083

Data Flows

A data port of 20 is negotiated for data transfer during the course of the FTP control protocol. These two flows are data flows between the FTP client and the FTP server:

TCP   1.1.79.2:14104 -> 2.2.2.2:20       Forward  I    3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP   2.2.2.2:20 -> 194.250.1.237:50119  Forward  O    5
  NAT dest 194.250.1.237:50119 -> 1.1.79.2:14104

Troubleshooting Questions
1. How do I know if the FTP ALG is active?

The ALG protocol field in the conversation should display ftp. There should be a valid frame count (Frm count) in the control flows. A valid frame count in the data flows indicates that data transfer has taken place.

2. What do I need to check if the FTP connection is established but data transfer does not take place?

Most probably, the control connection is up, but the data connection is down. Check the conversations output to determine whether both the control and data flows are present.

3. How do I interpret each flow? What does each flow mean?

- FTP control flow initiator flow: Flow with destination port 21
- FTP control flow responder flow: Flow with source port 21
- FTP data flow initiator flow: Flow with destination port 20
- FTP data flow responder flow: Flow with source port 20
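As an added example, not code from the Juniper guide, the following Python parses the conversations output shown in this FTP example and applies the three troubleshooting checks above programmatically: the ALG protocol field and control-flow frame counts (question 1), presence and frame counts of the data flows (question 2), and the flow roles of question 3 (active-mode FTP, data port 20). The sample text is constructed from the output quoted above; the column layout is assumed to be one flow per line with the NAT line directly beneath it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed from the sample 'show services stateful-firewall conversations' output above.
SAMPLE_OUTPUT = """\
Interface: ms-1/3/0, Service set: CLBJI1-AAF001
Conversation: ALG protocol: ftp
Number of initiators: 2, Number of responders: 2
Flow                                     State    Dir  Frm count
TCP   1.1.79.2:14083 -> 2.2.2.2:21       Watch    I    13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118
TCP   1.1.79.2:14104 -> 2.2.2.2:20       Forward  I    3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP   2.2.2.2:21 -> 194.250.1.237:50118  Watch    O    12
  NAT dest 194.250.1.237:50118 -> 1.1.79.2:14083
TCP   2.2.2.2:20 -> 194.250.1.237:50119  Forward  O    5
  NAT dest 194.250.1.237:50119 -> 1.1.79.2:14104
"""

CONV_RE = re.compile(r"^Conversation: ALG protocol: (?P<alg>\S+)")
FLOW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
    r"\s+(?P<state>Watch|Forward|Drop)\s+(?P<dir>[IO])\s+(?P<frames>\d+)\s*$")
NAT_RE = re.compile(
    r"^\s*NAT\s+(?P<kind>source|dest)\s+(?P<orig>\S+:\d+)\s+->\s+(?P<xlat>\S+:\d+)\s*$")


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str        # Watch (ALG inspects payload), Forward (header only) or Drop
    direction: str    # I = initiator, O = responder
    frames: int       # Frm count
    nat_kind: Optional[str] = None   # "source" or "dest"
    nat_orig: Optional[str] = None   # address:port being translated
    nat_xlat: Optional[str] = None   # address:port after translation

    def nat_consistent(self) -> bool:
        """The NAT line's original endpoint must be this flow's own source (source NAT)
        or destination (destination NAT); anything else deserves a closer look."""
        if self.nat_kind is None:
            return True
        own = f"{self.src}:{self.sport}" if self.nat_kind == "source" else f"{self.dst}:{self.dport}"
        return self.nat_orig == own


@dataclass
class Conversation:
    alg: str
    flows: List[Flow] = field(default_factory=list)


def parse_conversations(text: str) -> List[Conversation]:
    """A NAT line always belongs to the flow line immediately above it."""
    convs: List[Conversation] = []
    for line in text.splitlines():
        m = CONV_RE.match(line)
        if m:
            convs.append(Conversation(alg=m["alg"]))
            continue
        if not convs:
            continue
        m = FLOW_RE.match(line)
        if m:
            convs[-1].flows.append(Flow(m["proto"], m["src"], int(m["sport"]), m["dst"],
                                        int(m["dport"]), m["state"], m["dir"], int(m["frames"])))
            continue
        m = NAT_RE.match(line)
        if m and convs[-1].flows:
            f = convs[-1].flows[-1]
            f.nat_kind, f.nat_orig, f.nat_xlat = m["kind"], m["orig"], m["xlat"]
    return convs


def ftp_flow_role(f: Flow) -> str:
    """Role of a flow in an active-mode FTP conversation (question 3 above)."""
    if f.dport == 21:
        return "control-initiator"
    if f.sport == 21:
        return "control-responder"
    if f.dport == 20:
        return "data-initiator"
    if f.sport == 20:
        return "data-responder"
    return "unknown"


def audit_ftp(conv: Conversation) -> Dict[str, object]:
    """Questions 1 and 2 as checks: ALG is ftp and both control flows are Watch flows
    with frames; both data flows exist and carried frames; every NAT line agrees."""
    by_role = {ftp_flow_role(f): f for f in conv.flows}
    control = [f for r, f in by_role.items() if r.startswith("control")]
    data = [f for r, f in by_role.items() if r.startswith("data")]
    return {
        "alg_active": conv.alg == "ftp" and len(control) == 2
                      and all(f.state == "Watch" and f.frames > 0 for f in control),
        "data_transfer_seen": len(data) == 2 and all(f.frames > 0 for f in data),
        "nat_consistent": all(f.nat_consistent() for f in conv.flows),
        "roles": sorted(by_role),
    }
```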


RTSP ALG Example


The following is an example of an RTSP conversation. The application uses the RTSP protocol for control connection. Once the connection is set up, the media is sent using UDP protocol (RTP). This example consists of the following:

- Sample Output on page 91
- Analysis on page 91
- Troubleshooting Questions on page 91

Sample Output
Here is the output from the show services stateful-firewall conversations operational mode command:
user@host# show services stateful-firewall conversations
Interface: ms-3/2/0, Service set: svc_set
Conversation: ALG protocol: rtsp
Number of initiators: 5, Number of responders: 5
Flow                                   State    Dir  Frm count
TCP   1.1.1.3:58795 -> 2.2.2.2:554     Watch    I    7
UDP   1.1.1.3:1028  -> 2.2.2.2:1028    Forward  I    0
UDP   1.1.1.3:1029  -> 2.2.2.2:1029    Forward  I    0
UDP   1.1.1.3:1030  -> 2.2.2.2:1030    Forward  I    0
UDP   1.1.1.3:1031  -> 2.2.2.2:1031    Forward  I    0
TCP   2.2.2.2:554   -> 1.1.1.3:58795   Watch    O    5
UDP   2.2.2.2:1028  -> 1.1.1.3:1028    Forward  O    6
UDP   2.2.2.2:1029  -> 1.1.1.3:1029    Forward  O    0
UDP   2.2.2.2:1030  -> 1.1.1.3:1030    Forward  O    3
UDP   2.2.2.2:1031  -> 1.1.1.3:1031    Forward  O    0

Analysis
An RTSP conversation should consist of TCP flows corresponding to the RTSP control connection. There should be two flows, one in each direction, from client to server and from server to client:

TCP   1.1.1.3:58795 -> 2.2.2.2:554     Watch    I    7
TCP   2.2.2.2:554   -> 1.1.1.3:58795   Watch    O    5

The RTSP control connection for the initiator flow is sent to destination port 554. The RTSP control connection for the responder flow is sent from source port 554.

The UDP flows correspond to RTP media sent over the RTSP connection.

Troubleshooting Questions
1. Media does not work when the RTSP ALG is configured. What do I do?

Check RTSP conversations to see whether both TCP and UDP flows exist. The ALG protocol should be displayed as rtsp.


NOTE: The state of the flow is displayed as Watch, because the ALG processing is taking place and the client is essentially watching or processing payload corresponding to the application. For FTP and RTSP ALG flows, the control connections are always Watch flows.

2. How do I check for ALG errors?

You can check for errors by issuing the following command. Each ALG has a separate field for ALG packet errors.
user@host# show services stateful-firewall statistics extensive
Interface: ms-3/2/0
  Service set: svc_set
    New flows:
      Accepts: 1347, Discards: 0, Rejects: 0
    Existing flows:
      Accepts: 144187, Discards: 0, Rejects: 0
    Drops:
      IP option: 0, TCP SYN defense: 0
      NAT ports exhausted: 0
    Errors:
      IP: 0, TCP: 276
      UDP: 0, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      IP packet length inconsistencies: 0
      Minimum IP header length check failures: 0
      Reassembled packet exceeds maximum IP length: 0
      Illegal source address: 0
      Illegal destination address: 0
      TTL zero errors: 0, Illegal IP protocol number (0 or 255): 0
      Land attack: 0
      Non-IPv4 packets: 0, Bad checksum: 0
      Illegal IP fragment length: 0
      IP fragment overlap: 0
      IP fragment reassembly timeout: 0
      Unknown: 0
    TCP errors:
      TCP header length inconsistencies: 0
      Source or destination port number is zero: 0
      Illegal sequence number and flags combinations: 0
      SYN attack (multiple SYN messages seen for the same flow): 276
      First packet not a SYN message: 0
      TCP port scan (TCP handshake, RST seen from server for SYN): 0
      Bad SYN cookie response: 0
    UDP errors:
      IP data length less than minimum UDP header length (8 bytes): 0
      Source or destination port number is zero: 0
      UDP port scan (ICMP error seen for UDP flow): 0
    ICMP errors:
      IP data length less than minimum ICMP header length (8 bytes): 0
      ICMP error length inconsistencies: 0
      Duplicate ping sequence number: 0
      Mismatched ping sequence number: 0
    ALG errors:
      BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
      DNS: 0, Exec: 0, FTP: 0
      ICMP: 0
      Login: 0, NetBIOS: 0, NetShow: 0
      RPC: 0, RPC portmap: 0
      RTSP: 0, Shell: 0
      SNMP: 0, SQLNet: 0, TFTP: 0
      Traceroute: 0

System Log Messages


Enabling system log generation and checking the system log are also helpful for ALG flow analysis. This section contains the following:

- System Log Configuration on page 93
- System Log Output on page 94

System Log Configuration


You can configure the enabling of system log messages at a number of different levels in the Junos OS CLI. As shown in the following sample configurations, the choice of level depends on how specific you want the event logging to be and what options you want to include. For details on the configuration options, see the Junos OS System Basics Configuration Guide (system level) or the Junos OS Services Interfaces Configuration Guide (all other levels).
1. At the topmost global level:

user@host# show system syslog
file messages {
    any any;
}

2. At the service set level:

user@host# show services service-set svc_set
syslog {
    host local {
        services any;
    }
}
stateful-firewall-rules allow_rtsp;
interface-service {
    service-interface ms-3/2/0;
}

3. At the service rule level:

user@host# show services stateful-firewall rule allow_rtsp
match-direction input-output;
term 0 {
    from {
        applications junos-rtsp;
    }
    then {
        accept;
        syslog;
    }
}


System Log Output


System log messages are generated during flow creation. For example, the following message indicates that the ASP matched an accept rule:
Oct 25 16:11:37 (FPC Slot 3, PIC Slot 2) {svc_set}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: rtsp, ge-2/0/1.0:1.1.1.2:35595 -> 2.2.2.2:554, Match SFW accept rule-set: , rule: allow_rtsp, term: 0

For a complete listing of system log messages, see the Junos OS System Log Messages Reference.
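The following Python is an added example, not from the Juniper guide, for both this section and the FTP System Log Messages section above: it splits the ASP_SFW_* FWNAT messages into fields a log pipeline can index and pairs each FTP active-mode data flow with the accepted control flow between the same two hosts, so a data flow with no control connection in the window stands out. The sample log is constructed from the four messages quoted in this chapter plus one constructed ASP_SFW_FTP_ACTIVE_ACCEPT line for a client (10.0.0.9) that never opened a control connection.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three FTP messages and the RTSP message quoted in this
# chapter, plus one constructed ASP_SFW_FTP_ACTIVE_ACCEPT for a client (10.0.0.9)
# that never opened a control connection in this log window.
SAMPLE_LOG = """\
Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, Match SFW accept rule-set:, rule: ftp, term: 1
Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, creating forward or watch flow
Oct 27 11:43:30 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.2:50726, Creating FTP active mode forward flow
Oct 27 11:43:31 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) application: ftp, so-2/1/2.0:2.2.2.2:20 -> 10.0.0.9:50101, Creating FTP active mode forward flow
Oct 25 16:11:37 (FPC Slot 3, PIC Slot 2) {svc_set}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: rtsp, ge-2/0/1.0:1.1.1.2:35595 -> 2.2.2.2:554, Match SFW accept rule-set: , rule: allow_rtsp, term: 0
"""

# Layout of every message above: timestamp, slot, {service set}[component]: EVENT:
# proto N (NAME) application: X, interface:src:sport -> dst:dport, free-text detail.
ASP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\(FPC Slot (?P<fpc>\d+), PIC Slot (?P<pic>\d+)\) "
    r"\{(?P<service_set>[^}]+)\}\[(?P<component>[^\]]+)\]: "
    r"(?P<event>ASP_SFW_\w+): proto (?P<proto>\d+) \((?P<proto_name>\w+)\) "
    r"application: (?P<application>[\w-]+), "
    r"(?P<interface>\S+?):(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+), (?P<detail>.*)$")
# Only the rule-accept detail carries rule-set (possibly empty), rule and term.
RULE_RE = re.compile(r"rule-set:\s*(?P<rule_set>[\w-]*),\s*rule: (?P<rule>[\w-]+), term: (?P<term>\d+)")

Event = Dict[str, object]


def parse_asp_line(line: str) -> Optional[Event]:
    """Split one FWNAT message into fields; returns None for any other line."""
    m = ASP_RE.match(line.strip())
    if not m:
        return None
    ev: Event = dict(m.groupdict())
    for key in ("fpc", "pic", "proto", "sport", "dport"):
        ev[key] = int(m[key])
    r = RULE_RE.search(m["detail"])
    if r:
        ev["rule_set"], ev["rule"], ev["term"] = r["rule_set"], r["rule"], int(r["term"])
    return ev


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_asp_line(l) for l in text.splitlines()) if ev]


def correlate_ftp_data_flows(events: List[Event]) -> List[Tuple[Event, Optional[Event]]]:
    """Pair each FTP active-mode data flow (server port 20 -> client) with the accepted
    control flow (client -> server port 21) between the same two hosts. A None partner
    is a data flow the log shows no control connection for."""
    controls = [e for e in events
                if e["event"] == "ASP_SFW_RULE_ACCEPT" and e["application"] == "ftp" and e["dport"] == 21]
    pairs: List[Tuple[Event, Optional[Event]]] = []
    for e in events:
        if e["event"] != "ASP_SFW_FTP_ACTIVE_ACCEPT":
            continue
        partner = next((c for c in controls if c["src"] == e["dst"] and c["dst"] == e["src"]), None)
        pairs.append((e, partner))
    return pairs
```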

Junos Default Groups


The Junos OS provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of your router. The junos-defaults group contains preconfigured statements that contain predefined values for common applications. Some of the statements must be referenced to take effect, such as applications like FTP or Telnet. Other statements are applied automatically, such as terminal settings. All of the preconfigured statements begin with the reserved name junos-.

NOTE: You can override the Junos default configuration values, but you cannot delete or edit them. If you delete a configuration, the defaults return when a new configuration is added. You cannot use the apply-groups statement with the Junos defaults group.

To view the full set of available preset statements from the Junos default group, issue the show groups junos-defaults configuration mode command. The following example displays a partial list of Junos default groups that use application protocols (ALGs).
user@host# show groups junos-defaults
... output for other groups defined at the [edit groups junos-defaults] hierarchy level ...
applications {
    # File Transfer Protocol
    application junos-ftp {
        application-protocol ftp;
        protocol tcp;
        destination-port 21;
    }
    # Trivial File Transfer Protocol
    application junos-tftp {
        application-protocol tftp;
        protocol udp;
        destination-port 69;
    }
    # RPC port mapper on TCP
    application junos-rpc-portmap-tcp {
        application-protocol rpc-portmap;
        protocol tcp;
        destination-port 111;
    }
    # RPC port mapper on UDP
    application junos-rpc-portmap-udp {
        application-protocol rpc-portmap;
        protocol udp;
        destination-port 111;
    }
    # IP Protocol
    application junos-ip {
        application-protocol ip;
    }
    # remote exec
    application junos-rexec {
        application-protocol exec;
        protocol tcp;
        destination-port 512;
    }
    # remote login
    application junos-rlogin {
        application-protocol login;
        protocol tcp;
        destination-port 513;
    }
    # remote shell
    application junos-rsh {
        application-protocol shell;
        protocol tcp;
        destination-port 514;
    }
    # Real-Time Streaming Protocol
    application junos-rtsp {
        application-protocol rtsp;
        protocol tcp;
        destination-port 554;
    }
    # Oracle SQL servers use this protocol to execute SQL commands
    # from clients, load balance, use application-specific servers, and so on.
    application junos-sqlnet {
        application-protocol sqlnet;
        protocol tcp;
        destination-port 1521;
    }
    # H.323 Protocol for audio/video conferencing
        protocol tcp;
        destination-port 1720;
    }
    # Internet Inter-ORB Protocol is used for CORBA applications.
    # The ORB protocol in Java virtual machine uses port 1975 as a default.
        protocol tcp;
        destination-port 1975;
    }
    # Internet Inter-ORB Protocol is used for CORBA applications.
    # ORBIX is a CORBA framework from Iona Technologies that uses
    # port 3075 as a default.
        protocol tcp;
        destination-port 3075;
    }
    # This was the original RealPlayer protocol.
    # RTSP is more widely used by RealPlayer,
        protocol tcp;
        destination-port 7070;
    }
    # Traceroute application
    application junos-traceroute {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 30;
    }
    # Traceroute application that stops at device supporting firewall
    # (packets with ttl > 1 will be discarded).
    application junos-traceroute-ttl-1 {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 1;
    }
    # The full range of known RPC programs using UDP.
    # Specific program numbers are assigned to certain applications.
    application junos-rpc-services-udp {
        application-protocol rpc;
        protocol udp;
        rpc-program-number 100001-400000;
    }
    # The full range of known RPC programs using TCP.
    # Specific program numbers are assigned to certain applications.
    application junos-rpc-services-tcp {
        application-protocol rpc;
        protocol tcp;
        rpc-program-number 100001-400000;
    }
    # All ICMP traffic
    # This can be made more restrictive by specifying ICMP type and code.
    application junos-icmp-all {
        application-protocol icmp;
    }
    # ICMP ping; the echo reply is allowed upon return.
    application junos-icmp-ping {
        application-protocol icmp;
        icmp-type echo-request;
    }
    # Protocol used by Windows Media Server and Windows Media Player
    application junos-netshow {
        application-protocol netshow;
        protocol tcp;
        destination-port 1755;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes name service port, both UDP and TCP.
    application junos-netbios-name-udp {
        application-protocol netbios;
        protocol udp;
        destination-port 137;
    }
    application junos-netbios-name-tcp {
        protocol tcp;
        destination-port 137;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes datagram service port.
    application junos-netbios-datagram {
        application-protocol netbios;
        protocol udp;
        destination-port 138;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes session service port.
    application junos-netbios-session {
        protocol tcp;
        destination-port 139;
    }
    # DCE-RPC port mapper on TCP
    application junos-dce-rpc-portmap {
        application-protocol dce-rpc-portmap;
        protocol tcp;
        destination-port 135;
    }
    # MS Exchange requires these three UUID values.
    application junos-dcerpc-endpoint-mapper-service {
        application-protocol dce-rpc;
        protocol tcp;
        uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
    }
    application junos-ssh {
        protocol tcp;
        destination-port 22;
    }
    application junos-telnet {
        protocol tcp;
        destination-port 23;
    }
    application junos-smtp {
        protocol tcp;
        destination-port 25;
    }
    application junos-dns-udp {
        protocol udp;
        destination-port 53;
    }
    application junos-dns-tcp {
        protocol tcp;
        destination-port 53;
    }
    application junos-tacacs {
        protocol tcp;
        destination-port 49;
    }
    # TACACS Database Service
    application junos-tacacs-ds {
        protocol tcp;
        destination-port 65;
    }
    application junos-dhcp-client {
        protocol udp;
        destination-port 68;
    }
    application junos-dhcp-server {
        protocol udp;
        destination-port 67;
    }
    application junos-bootpc {
        protocol udp;
        destination-port 68;
    }
    application junos-bootps {
        protocol udp;
        destination-port 67;
    }
    application junos-http {
        protocol tcp;
        destination-port 80;
    }
    application junos-https {
        protocol tcp;
        destination-port 443;
    }
    # junos-algs-outbound defines a set of all applications
    # requiring an ALG. Useful for defining a rule for an untrusted
    # network to allow trusted network users to use all the
    # Junos-supported ALGs initiated from the trusted network.
    application-set junos-algs-outbound {
        application junos-ftp;
        application junos-tftp;
        application junos-rpc-portmap-tcp;
        application junos-rpc-portmap-udp;
        application junos-snmp-get;
        application junos-snmp-get-next;
        application junos-snmp-response;
        application junos-snmp-trap;
        application junos-rexec;
        application junos-rlogin;
        application junos-rsh;
        application junos-rtsp;
        application junos-sqlnet;
        application junos-traceroute;
        application junos-rpc-services-udp;
        application junos-rpc-services-tcp;
        application junos-icmp-all;
        application junos-netshow;
        application junos-netbios-name-udp;
        application junos-netbios-datagram;
        application junos-dce-rpc-portmap;
        application junos-dcerpc-msexchange-directory-rfr;
        application junos-dcerpc-msexchange-information-store;
        application junos-dcerpc-msexchange-directory-nsp;
    }
    # junos-management-inbound represents the group of applications
    # that might need access to the trusted network from the untrusted
    # network for management purposes.
    # The set is intended for a UI to display management choices.
    # NOTE: It is not recommended that you use the entire set directly in
    # a firewall rule and open up firewall to all of these
    # applications. Also, you should always specify the source
    # and destination prefixes when using each application.
    application-set junos-management-inbound {
        application junos-snmp-get;
        application junos-snmp-get-next;
        application junos-snmp-response;
        application junos-snmp-trap;
        application junos-ssh;
        application junos-telnet;
        application junos-http;
        application junos-https;
        application junos-xnm-ssl;
        application junos-xnm-clear-text;
        application junos-icmp-ping;
        application junos-traceroute-ttl-1;
    }
}

To reference statements available from the junos-defaults group, include the selected junos-default-name statement at the applicable hierarchy level. To configure application protocols, see Configuring Application Protocol Properties on page 72; for details about a specific protocol, see ALG Descriptions on page 81.

Examples: Referencing the Preset Statement from the Junos Default Group
The following example is a preset statement from the Junos default groups that is available for FTP in a stateful firewall:
[edit]
groups {
    junos-defaults {
        applications {
            application junos-ftp {
                # Use FTP default configuration
                application-protocol ftp;
                protocol tcp;
                destination-port 21;
            }
        }
    }
}

To reference a preset Junos default statement from the Junos default groups, include the junos-default-name statement at the applicable hierarchy level. For example, to reference the Junos default statement for FTP in a stateful firewall, include the junos-ftp statement at the [edit services stateful-firewall rule rule-name term term-name from applications] hierarchy level.

[edit]
services {
    stateful-firewall {
        rule my-rule {
            term my-term {
                from {
                    applications junos-ftp; # Reference predefined statement, junos-ftp
                }
            }
        }
    }
}

The following example shows configuration of the default Junos IP ALG:


[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    applications junos-ip;
                }
                then {
                    accept;
                    syslog;
                }
            }
        }
    }
}

If you configure the IP ALG in the stateful firewall rule, it is matched by any IP traffic, but if there is any other more specific application that matches the same traffic, the IP ALG will not be matched. For example, in the following configuration, both the ICMP ALG and the IP ALG are configured, but traffic is matched for ICMP packets, because it is the more specific match.
[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    applications [ junos-ip junos-icmp-all ];
                }
                then {
                    accept;
                    syslog;
                }
            }
        }
    }
}
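The following Python is an added example, not the guide's own text or Junos code, that models the "more specific application wins" rule above with the junos-defaults entries shown in this section; specificity is modelled as the number of match constraints an application carries, and ttl-threshold as an upper bound on the TTL the application accepts (per the junos-traceroute-ttl-1 comment). The ICMP entries in the default group carry no explicit protocol statement; the model assumes the icmp ALG implies IP protocol ICMP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REQUEST = 8   # icmp-type echo-request (ICMP type 8)


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    ttl: int
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Application:
    """Subset of the application statement; each optional field is one match
    constraint. application-protocol alone (junos-ip) constrains nothing."""
    name: str
    application_protocol: str
    protocol: Optional[str] = None
    destination_port: Optional[Tuple[int, int]] = None   # inclusive range
    icmp_type: Optional[int] = None
    ttl_threshold: Optional[int] = None

    def specificity(self) -> int:
        return sum(c is not None for c in
                   (self.protocol, self.destination_port, self.icmp_type, self.ttl_threshold))

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.destination_port is not None:
            lo, hi = self.destination_port
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        # ttl-threshold modelled as an upper bound ("packets with ttl > 1 will be discarded").
        if self.ttl_threshold is not None and pkt.ttl > self.ttl_threshold:
            return False
        return True


# The junos-defaults entries used in this section. Assumption: the icmp ALG implies
# IP protocol icmp even though the default group states no protocol for it.
JUNOS_DEFAULTS: Dict[str, Application] = {a.name: a for a in (
    Application("junos-ip", "ip"),
    Application("junos-icmp-all", "icmp", protocol="icmp"),
    Application("junos-icmp-ping", "icmp", protocol="icmp", icmp_type=ICMP_ECHO_REQUEST),
    Application("junos-ftp", "ftp", protocol="tcp", destination_port=(21, 21)),
    Application("junos-rtsp", "rtsp", protocol="tcp", destination_port=(554, 554)),
    Application("junos-traceroute", "traceroute", protocol="udp",
                destination_port=(33435, 33450), ttl_threshold=30),
    Application("junos-traceroute-ttl-1", "traceroute", protocol="udp",
                destination_port=(33435, 33450), ttl_threshold=1),
)}


def select_application(term_applications: List[str], pkt: Packet) -> Optional[str]:
    """Which entry of a term's 'from applications [...]' list is matched for pkt: the
    most specific matching one, so junos-ip only wins when nothing narrower matches."""
    matching = [JUNOS_DEFAULTS[n] for n in term_applications if JUNOS_DEFAULTS[n].matches(pkt)]
    if not matching:
        return None
    return max(matching, key=Application.specificity).name
```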

Examples: Configuring Application Protocols


The following example shows an application protocol definition describing a special FTP application running on port 78:
[edit applications]
application my-ftp-app {
    application-protocol ftp;
    protocol tcp;
    destination-port 78;
    inactivity-timeout 100; # inactivity timeout for FTP service
}

The following example shows a special ICMP protocol (application-protocol icmp) of type 8 (ICMP echo):
[edit applications]
application icmp-app {
    application-protocol icmp;
    protocol icmp;
    icmp-type icmp-echo;
}

The following example shows a possible application set:


[edit applications]
application-set basic {
    http;
    ftp;
    telnet;
    nfs;
    icmp;
}

The software includes a predefined set of well-known application protocols. The set includes applications for which the TCP and UDP destination ports are already recognized by stateless firewall filters.


CHAPTER 5

Summary of Applications Configuration Statements


The following sections explain each of the applications configuration statements. The statements are organized alphabetically.

application

Syntax
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    protocol type;
    rpc-program-number number;
    snmp-command command;
    source-port port-number;
    ttl-threshold number;
    uuid hex-value;
}

Hierarchy Level
[edit applications],
[edit applications application-set application-set-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure properties of an application and whether to include it in an application set.

Options
application-name: Identifier of the application.
The remaining statements are explained separately.

Usage Guidelines
See Configuring Application Protocol Properties on page 72.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


application-protocol

Syntax
application-protocol protocol-name;

Hierarchy Level
[edit applications application application-name]

Release Information
Statement introduced before Junos OS Release 7.4.
login options introduced in Junos OS Release 7.4.
ip option introduced in Junos OS Release 8.2.

Description
Identify the application protocol name. Application protocols are also called application layer gateways (ALGs).

Options
protocol-name: Name of the protocol. The following protocols are supported:
bootp, dce-rpc, dce-rpc-portmap, dns, exec, ftp, icmp, ip, login, netbios, netshow, rpc, rpc-portmap, rtsp, shell, snmp, sqlnet, tftp, traceroute

Usage Guidelines
See Configuring an Application Protocol on page 72.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


application-set

Syntax
    application-set application-set-name {
        application application-name;
    }

Hierarchy Level
    [edit applications]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure one or more applications to include in an application set.

Options
    application-set-name: Identifier of an application set.

Usage Guidelines
    See Configuring Application Sets on page 81.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

applications

Syntax
    applications { ... }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the applications used in services.

Usage Guidelines
    See Application Properties.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination-port

Syntax
    destination-port port-value;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) destination port number.

Options
    port-value: Identifier for the port. For a complete list, see Configuring Source and Destination Ports on page 77.

Usage Guidelines
    See Configuring Source and Destination Ports on page 77.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

icmp-code

Syntax
    icmp-code value;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Internet Control Message Protocol (ICMP) code value.

Options
    value: The ICMP code value. For a complete list, see Configuring the ICMP Code and Type on page 75.

Usage Guidelines
    See Configuring the ICMP Code and Type on page 75.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


icmp-type

Syntax
    icmp-type value;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    ICMP packet type value.

Options
    value: The ICMP type value, such as echo or echo-reply. For a complete list, see Configuring the ICMP Code and Type on page 75.

Usage Guidelines
    See Configuring the ICMP Code and Type on page 75.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

inactivity-timeout

Syntax
    inactivity-timeout seconds;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Inactivity timeout period, in seconds.

Options
    seconds: Length of time the application is inactive before it times out.
    Default: 30 seconds

Usage Guidelines
    See Configuring the Inactivity Timeout Period on page 80.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


learn-sip-register

Syntax
    learn-sip-register;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced in Junos OS Release 7.4.

Description
    Activate SIP register to accept potential incoming SIP calls.

Usage Guidelines
    See Configuring SIP on page 72.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


protocol

Syntax
    protocol type;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Networking protocol type or number.

Options
    type: Networking protocol type. The following text values are supported: ah, egp, esp, gre, icmp, igmp, ipip, ospf, pim, rsvp, tcp, udp, and vrrp.

    NOTE: IP version 6 (IPv6) is not supported as a network protocol in application definitions.

Usage Guidelines
    See Configuring the Network Protocol on page 74.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


rpc-program-number

Syntax
    rpc-program-number number;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Remote procedure call (RPC) or Distributed Computing Environment (DCE) value.

Options
    number: RPC or DCE program value.
    Range: 100,000 through 400,000

Usage Guidelines
    See Configuring an RPC Program Number on page 80.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

sip-call-hold-timeout

Syntax
    sip-call-hold-timeout seconds;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced in Junos OS Release 7.4.

Description
    Timeout period for SIP calls placed on hold, in seconds.

Options
    seconds: Length of time the application holds a SIP call open before it times out.
    Default: 7200 seconds
    Range: 0 through 36,000 seconds (10 hours)

Usage Guidelines
    See Configuring SIP on page 72.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


snmp-command

Syntax
    snmp-command command;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    SNMP command format.

Options
    command: Supported commands are SNMP get, get-next, set, and trap.

Usage Guidelines
    See Configuring an SNMP Command for Packet Matching on page 80.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

source-port

Syntax
    source-port port-number;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Source port identifier.

Options
    port-value: Identifier for the port. For a complete list, see Configuring Source and Destination Ports on page 77.

Usage Guidelines
    See Configuring Source and Destination Ports on page 77.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


ttl-threshold

Syntax
    ttl-threshold number;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.

Options
    number: TTL threshold value.

Usage Guidelines
    See Configuring the TTL Threshold on page 80.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

uuid

Syntax
    uuid hex-value;

Hierarchy Level
    [edit applications application application-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the Universal Unique Identifier (UUID) for DCE RPC objects.

Options
    hex-value: Hexadecimal value.

Usage Guidelines
    See Configuring a Universal Unique Identifier on page 81.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


CHAPTER 6

Stateful Firewall Services Configuration Guidelines


To configure stateful firewall services, include the stateful-firewall statement at the [edit services] hierarchy level:

    [edit services]
    stateful-firewall {
        rule rule-name {
            match-direction (input | output | input-output);
            term term-name {
                from {
                    application-sets set-name;
                    applications [ application-names ];
                    destination-address (address | any-unicast) <except>;
                    destination-address-range low minimum-value high maximum-value <except>;
                    destination-prefix-list list-name <except>;
                    source-address (address | any-unicast) <except>;
                    source-address-range low minimum-value high maximum-value <except>;
                    source-prefix-list list-name <except>;
                }
                then {
                    (accept | discard | reject);
                    allow-ip-options [ values ];
                    syslog;
                }
            }
        }
        rule-set rule-set-name {
            [ rule rule-names ];
        }
    }

This chapter contains the following sections:

    Configuring Stateful Firewall Rules on page 114
    Configuring Stateful Firewall Rule Sets on page 118
    Examples: Configuring Stateful Firewall Rules on page 118


Configuring Stateful Firewall Rules


To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:

    [edit services stateful-firewall]
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address address <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address address <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }

Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

    from statement: Specifies the match conditions and applications that are included and excluded. The from statement is optional in stateful firewall rules.
    then statement: Specifies the actions and action modifiers to be performed by the router software. The then statement is mandatory in stateful firewall rules.

The following sections explain how to configure the components of stateful firewall rules:

    Configuring Match Direction for Stateful Firewall Rules on page 114
    Configuring Match Conditions in Stateful Firewall Rules on page 115
    Configuring Actions in Stateful Firewall Rules on page 116

Configuring Match Direction for Stateful Firewall Rules


Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:

    [edit services stateful-firewall rule rule-name]
    match-direction (input | output | input-output);


Chapter 6: Stateful Firewall Services Configuration Guidelines

If you configure match-direction input-output, sessions initiated from both directions might match this rule.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.

Configuring Match Conditions in Stateful Firewall Rules


To configure stateful firewall match conditions, include the from statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }

The source address and destination address can be either IPv4 or IPv6. You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos OS Routing Policy Configuration Guide. You can use the wildcard value any-unicast, which denotes matching all unicast addresses.

Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule. For an example, see Examples: Configuring Stateful Firewall Rules on page 118.

If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:

    User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
    IP creates a unidirectional flow.

You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Protocol Properties on page 72.

To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level. To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

Configuring Actions in Stateful Firewall Rules


To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    then {
        (accept | discard | reject);
        allow-ip-options [ values ];
        syslog;
    }

You must include one of the following three possible actions:

    accept: The packet is accepted and sent on to its destination.
    discard: The packet is not accepted and is not processed further.
    reject: The packet is not accepted and a rejection message is returned; UDP sends an ICMP unreachable code and TCP sends RST. Rejected packets can be logged or sampled.

You can optionally configure the firewall to record information in the system logging facility by including the syslog statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. This statement overrides any syslog setting included in the service set or interface default configuration.


Configuring IP Option Handling


You can optionally configure the firewall to inspect IP header information by including the allow-ip-options statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. When you configure this statement, all packets that match the criteria specified in the from statement are subjected to additional matching criteria. A packet is accepted only when all of its IP option types are configured as values in the allow-ip-options statement. If you do not configure allow-ip-options, only packets without IP header options are accepted.

The additional IP header option inspection applies only to the accept and reject stateful firewall actions. This configuration has no effect on the discard action. When the IP header inspection fails, reject frames are not sent; in this case, the reject action has the same effect as discard.

If an IP option packet is accepted by the stateful firewall, Network Address Translation (NAT) and intrusion detection service (IDS) are applied in the same way as to packets without IP option headers. The IP option configuration appears only in the stateful firewall rules; NAT applies to packets with or without IP options.

When a packet is dropped because it fails the IP option inspection, this exception event generates both IDS event and system log messages. The event type depends on the first IP option field rejected.

Table 10 on page 117 lists the possible values for the allow-ip-options statement. You can include a range or set of numeric values, or one or more of the predefined IP option settings. You can enter either the option name or its numeric equivalent. For more information, refer to http://www.iana.org/assignments/ip-parameters.

Table 10: IP Option Values

    IP Option Name          Numeric Value    Comment
    any                     0                Any IP option
    ip-security             130
    ip-stream               136
    loose-source-route      131
    route-record            7
    router-alert            148
    strict-source-route     137
    timestamp               68
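The following Python model, added here as an illustration and not taken from the Junos guide or Juniper software, walks through the allow-ip-options decision described above: it parses the option list of an IPv4 header (RFC 791 layout), then applies the guide's rules, namely that without allow-ip-options only option-free packets pass, that "any" admits every option, that otherwise every option type present must be listed, that discard is unaffected, and that a failed inspection turns reject into a drop. Table 10's numbers are the full option-type octets (copied flag, class, and option number), which is why they are used directly as the comparison values. Treating the single-byte EOOL and NOP padding as non-options, the sample addresses, and the constructed option bytes are assumptions of this example.

```python
"""Added example, not from the Junos guide: a model of the allow-ip-options check
described in Configuring IP Option Handling. Header layout follows RFC 791; the
firewall-side behaviour follows the guide's text and Table 10."""
import struct

# Table 10 names and values (the full option-type octet: copied flag, class, number).
IP_OPTION_VALUES = {
    "ip-security": 130,
    "ip-stream": 136,
    "loose-source-route": 131,
    "route-record": 7,
    "router-alert": 148,
    "strict-source-route": 137,
    "timestamp": 68,
}
EOOL, NOP = 0, 1   # single-byte padding; assumption: not counted as IP options


def parse_ipv4_options(header: bytes) -> list:
    """Return the option-type octets carried in an IPv4 header.

    Raises ValueError on a malformed header or option list; the caller treats
    that as a failed inspection."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5 or len(header) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    opts = header[20:ihl * 4]
    types, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        types.append(kind)
        i += opts[i + 1]
    return types


def _allowed_set(allow_ip_options) -> set:
    """Expand names, numbers and (low, high) ranges into a set of option-type octets."""
    allowed = set()
    for item in allow_ip_options or ():
        if isinstance(item, tuple):
            allowed.update(range(item[0], item[1] + 1))
        elif isinstance(item, int):
            allowed.add(item)
        else:
            allowed.add(IP_OPTION_VALUES[item])
    return allowed


def ip_option_decision(header: bytes, action: str, allow_ip_options=None) -> str:
    """Outcome for a packet that already matched a term's 'from' conditions.

    discard is unaffected by option inspection; with no allow-ip-options only
    option-free packets pass; 'any' lets every option through; otherwise each
    option type present must be listed; a failed inspection drops the packet,
    so reject behaves like discard."""
    if action == "discard":
        return "discard"
    try:
        present = parse_ipv4_options(header)
    except ValueError:
        return "discard"
    if not present or (allow_ip_options and "any" in allow_ip_options):
        return action
    return action if set(present) <= _allowed_set(allow_ip_options) else "discard"


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Constructed sample header (10.1.3.2 -> 10.2.3.2, TCP) with options padded to 32 bits."""
    padded = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes([10, 1, 3, 2]), bytes([10, 2, 3, 2]))
    return fixed + padded


# Constructed option bytes: router-alert (type 148, length 4) and record-route (type 7, length 7).
ROUTER_ALERT = b"\x94\x04\x00\x00"
RECORD_ROUTE = b"\x07\x07\x04\x00\x00\x00\x00"

if __name__ == "__main__":
    hdr = build_ipv4_header(ROUTER_ALERT + RECORD_ROUTE)
    print(parse_ipv4_options(hdr))                                  # [148, 7]
    print(ip_option_decision(hdr, "accept"))                        # discard
    print(ip_option_decision(hdr, "accept", ["router-alert", 7]))   # accept
    print(ip_option_decision(hdr, "reject", ["router-alert"]))      # discard
```

The last call is the case the guide singles out: the term's action is reject, but because record-route is present and not listed, the inspection fails and no rejection message is generated, so the result is indistinguishable from discard.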


Configuring Stateful Firewall Rule Sets


The rule-set statement defines a collection of stateful firewall rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services stateful-firewall] hierarchy level with a rule statement for each rule:

    [edit services stateful-firewall]
    rule-set rule-set-name {
        rule rule-name;
    }

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

Examples: Configuring Stateful Firewall Rules


The following example shows a stateful firewall configuration containing two rules, one for input matching on a specified application set and the other for output matching on a specified source address:

    [edit services]
    stateful-firewall {
        rule Rule1 {
            match-direction input;
            term 1 {
                from {
                    application-sets Applications;
                }
                then {
                    accept;
                }
            }
            term accept {
                then {
                    accept;
                }
            }
        }
        rule Rule2 {
            match-direction output;
            term Local {
                from {
                    source-address {
                        10.1.3.2/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.
    [edit services stateful-firewall]
    rule my-firewall-rule {
        match-direction input-output;
        term term1 {
            from {
                source-address 10.1.3.2/32;
                application-sets my-application-group;
            }
            then {
                reject;
                syslog;
            }
        }
        term term2 {
            from {
                destination-address 10.2.3.2/32;
                applications http;
            }
            then {
                accept;
            }
        }
    }

The following example shows use of source and destination prefix lists. This requires two separate configuration items. You configure the prefix list at the [edit policy-options] hierarchy level:
    [edit]
    policy-options {
        prefix-list p1 {
            1.1.1.1/32;
            2.2.2.0/24;
        }
        prefix-list p2 {
            3.3.3.3/32;
            4.4.4.0/24;
        }
    }

You reference the configured prefix list in the stateful firewall rule:

    [edit]
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-prefix-list {
                            p1;
                        }
                        destination-prefix-list {
                            p2;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }

This is equivalent to the following configuration:

    [edit]
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-address {
                            1.1.1.1/32;
                            2.2.2.0/24;
                        }
                        destination-address {
                            3.3.3.3/32;
                            4.4.4.0/24;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }

You can use the except qualifier with the prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2.

    [edit]
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-prefix-list {
                            p1;
                        }
                        destination-prefix-list {
                            p2 except;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }
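The following Python model is an added example, not code from the Junos guide or from Juniper, that ties together the behaviour described in this chapter: the PIC's flow lookup before rule processing, match-direction filtering, prefix-list matching with the except qualifier, application-derived protocol and port matching, first-match term evaluation in rule-set order, the default drop when nothing matches, and the predicted reverse flow installed for TCP, UDP and ICMP. The rules r1 and my-firewall-rule are modelled on the examples above; the application definitions, the packet fields, the flow key, and the sample packets are constructed for this example and are assumptions rather than anything the guide specifies.

```python
"""Added example, not from the Junos guide: a model of stateful firewall rule
processing (flow lookup, match-direction, prefix lists with 'except', first-match
rule sets, default drop). Names, data structures and packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-ins for [edit applications] (protocol, destination port),
# application sets, and the [edit policy-options] prefix lists of the guide's examples.
APPLICATIONS = {"http": ("tcp", 80), "ssh": ("tcp", 22), "dns": ("udp", 53)}
APPLICATION_SETS = {"my-application-group": ["http", "ssh"]}
PREFIX_LISTS = {"p1": ["1.1.1.1/32", "2.2.2.0/24"], "p2": ["3.3.3.3/32", "4.4.4.0/24"]}
BIDIRECTIONAL = {"tcp", "udp", "icmp"}   # plain IP gets a unidirectional flow


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str           # "input" or "output", carried with the packet to the PIC


@dataclass
class Term:
    name: str
    action: str              # accept | discard | reject
    match: dict = field(default_factory=dict)   # the optional 'from' statement


@dataclass
class Rule:
    name: str
    match_direction: str     # input | output | input-output
    terms: list


def _address_matches(addr: str, spec) -> bool:
    """spec = (value, except_flag); value is "any-unicast", a list of prefixes,
    or ("prefix-list", name) referring to a [edit policy-options] prefix list."""
    value, negate = spec
    if value == "any-unicast":
        hit = not ip_address(addr).is_multicast
    else:
        prefixes = PREFIX_LISTS[value[1]] if isinstance(value, tuple) else value
        hit = any(ip_address(addr) in ip_network(p) for p in prefixes)
    return not hit if negate else hit


def _application_matches(pkt: Packet, match: dict) -> bool:
    """Protocol and port come from the application definitions, not from the term."""
    names = list(match.get("applications", []))
    for set_name in match.get("application-sets", []):
        names.extend(APPLICATION_SETS[set_name])
    return not names or any(APPLICATIONS[n] == (pkt.proto, pkt.dport) for n in names)


def term_matches(pkt: Packet, term: Term) -> bool:
    """A term without a 'from' statement matches everything."""
    m = term.match
    if "source-address" in m and not _address_matches(pkt.src, m["source-address"]):
        return False
    if "destination-address" in m and not _address_matches(pkt.dst, m["destination-address"]):
        return False
    return _application_matches(pkt, m)


def evaluate_rule_set(pkt: Packet, rules: dict, rule_set: list) -> tuple:
    """Rules are tried in rule-set order; only rules whose match-direction fits the
    packet direction are considered; the first matching term wins; no match drops."""
    for rule_name in rule_set:
        rule = rules[rule_name]
        if rule.match_direction not in (pkt.direction, "input-output"):
            continue
        for term in rule.terms:
            if term_matches(pkt, term):
                return term.action, f"{rule.name}/{term.name}"
    return "discard", "default"


class StatefulFirewall:
    """Flow lookup first; rule processing only for packets without an existing flow."""

    def __init__(self, rules: dict, rule_set: list):
        self.rules, self.rule_set, self.flows = rules, rule_set, {}

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.flows:
            return self.flows[key]
        action, _ = evaluate_rule_set(pkt, self.rules, self.rule_set)
        if action == "accept":
            self.flows[key] = "accept"
            if pkt.proto in BIDIRECTIONAL:      # install the predicted reverse flow
                self.flows[(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)] = "accept"
        return action


# Rules modelled on the guide's examples: r1 accepts input traffic from p1 to anything
# outside p2 (the 'except' case); my-firewall-rule rejects my-application-group from
# 10.1.3.2 (syslog omitted here) and accepts HTTP to 10.2.3.2 in either direction.
RULES = {
    "r1": Rule("r1", "input", [Term("t1", "accept", {
        "source-address": (("prefix-list", "p1"), False),
        "destination-address": (("prefix-list", "p2"), True)})]),
    "my-firewall-rule": Rule("my-firewall-rule", "input-output", [
        Term("term1", "reject", {"source-address": (["10.1.3.2/32"], False),
                                 "application-sets": ["my-application-group"]}),
        Term("term2", "accept", {"destination-address": (["10.2.3.2/32"], False),
                                 "applications": ["http"]})]),
}
RULE_SET = ["r1", "my-firewall-rule"]
```

The point worth checking with this model is the reverse direction: an HTTP reply from 10.2.3.2 back to the client matches no rule on its own (r1 wants a p1 source, term2 wants a 10.2.3.2 destination), yet it passes because the accepted forward packet installed the predicted reverse flow, exactly as the description of flow lookup and bidirectional flows states.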

For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see the configuration examples.

Related Documentation

    Example: BOOTP and Broadcast Addresses on page 70
    Example: NAT Between VRFs Configuration on page 67
    Example: Dynamic Source NAT as a Next-Hop Service on page 65
    Example: VPN Routing and Forwarding (VRF) and Service Configuration on page 64
    Example: Service Interfaces Configuration on page 61
    Example: Configuring the uKernel Service and the Services SDK on Two PICs


CHAPTER 7

Summary of Stateful Firewall Configuration Statements


The following sections explain each of the stateful firewall services statements. The statements are organized alphabetically.


allow-ip-options

Syntax
    allow-ip-options [ values ];

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure how the stateful firewall handles IP header information. This statement is optional.

Options
    value: Can be a set or range of numeric values, or one or more of the following predefined option types. You can enter either the option name or its numeric equivalent.

    Option Name             Numeric Value
    any                     0
    ip-security             130
    ip-stream               8
    loose-source-route      3
    route-record            7
    router-alert            148
    strict-source-route     9
    timestamp               4

Usage Guidelines
    See Configuring Actions in Stateful Firewall Rules on page 116.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


Chapter 7: Summary of Stateful Firewall Configuration Statements

application-sets

Syntax
    application-sets set-name;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more target application sets.

Options
    set-name: Name of the target application set.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

applications

Syntax
    applications [ application-names ];

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more applications to which the stateful firewall services apply.

Options
    application-name: Name of the target application.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination-address

Syntax
    destination-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.6. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address for rule matching.

Options
    address: Destination IPv4 or IPv6 address or prefix value.
    any-unicast: Match all unicast packets.
    except: (Optional) Exclude the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address range for rule matching.

Options
    minimum-value: Lower boundary for the IPv4 or IPv6 address range.
    maximum-value: Upper boundary for the IPv4 or IPv6 address range.
    except: (Optional) Exclude the specified address range from rule matching.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination-prefix-list

Syntax
    destination-prefix-list list-name <except>;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name: Destination prefix list.
    except: (Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Junos OS Routing Policy Configuration Guide


from

Syntax
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify input conditions for a stateful firewall term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring Stateful Firewall Rules on page 114.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

match-direction

Syntax
    match-direction (input | output | input-output);

Hierarchy Level
    [edit services stateful-firewall rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the direction in which the rule match is applied.

Options
    input: Apply the rule match on the input side of the interface.
    output: Apply the rule match on the output side of the interface.
    input-output: Apply the rule match bidirectionally.

Usage Guidelines
    See Configuring Stateful Firewall Rules on page 114.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


rule

Syntax
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                syslog;
            }
        }
    }

Hierarchy Level
    [edit services stateful-firewall],
    [edit services stateful-firewall rule-set rule-set-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the rule the router uses when applying this service.

Options
    rule-name: Identifier for the collection of terms that constitute this rule.
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring Stateful Firewall Rules on page 114.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


rule-set

Syntax
    rule-set rule-set-name {
        [ rule rule-names ];
    }

Hierarchy Level
    [edit services stateful-firewall]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the rule set the router uses when applying this service.

Options
    rule-set-name: Identifier for the collection of rules that constitute this rule set.

Usage Guidelines
    See Configuring Stateful Firewall Rule Sets on page 118.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

services

Syntax
    services stateful-firewall { ... }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the service rules to be applied to traffic.

Options
    stateful-firewall: Identifies the set of stateful firewall rule statements.

Usage Guidelines
    See Stateful Firewall.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


source-address

Syntax
    source-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.
    any-unicast and except options introduced in Junos OS Release 7.6.
    address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Source address for rule matching.

Options
    address - Source IPv4 or IPv6 address or prefix value.
    any-unicast - Any unicast packet.
    except - (Optional) Exclude the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

source-address-range

Syntax
    source-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6.
    minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Source address range for rule matching.

Options
    minimum-value - Lower boundary for the IPv4 or IPv6 address range.
    maximum-value - Upper boundary for the IPv4 or IPv6 address range.
    except - (Optional) Exclude the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


source-prefix-list

Syntax
    source-prefix-list list-name <except>;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name - Destination prefix list.
    except - (Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines
    See Configuring Match Conditions in Stateful Firewall Rules on page 115.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    Junos OS Routing Policy Configuration Guide

syslog

Syntax
    syslog;

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.

Usage Guidelines
    See Configuring Actions in Stateful Firewall Rules on page 116.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            (accept | discard | reject);
            syslog;
        }
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the stateful firewall term properties.

Options
    term-name - Identifier for the term.
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring Stateful Firewall Rules on page 114.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


then

Syntax
    then {
        (accept | discard | reject);
        syslog;
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the stateful firewall term actions. You can configure the router to accept, discard, or reject the targeted traffic. The other actions are optional.

Options
    accept - Accept the traffic and send it on to its destination.
    discard - Do not accept traffic or process it further.
    reject - Do not accept the traffic and return a rejection message. Rejected traffic can be logged or sampled.
    The remaining statement is explained separately.

Usage Guidelines
    See Configuring Actions in Stateful Firewall Rules on page 116.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    Junos OS Routing Policy Configuration Guide


CHAPTER 8

Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines


Until now, all services have run only on the Juniper microkernel software platform. Some services will now be deployed on the Embedded Junos software platform, which allows them to be coupled with third-party applications. Starting with Junos OS Release 9.5, the stateful firewall service has been implemented using the embedded Junos Application Framework (eJAF). The stateful firewall plug-in described in the following sections supports many of the features of the existing stateful firewall service that runs on the Juniper microkernel. This chapter contains the following sections:

Loading the Stateful Firewall Plug-In on page 135
Configuring Memory for the Stateful Firewall Plug-In on page 137
Configuring rsh, rlogin, rexec for Stateful Firewall on page 137

Loading the Stateful Firewall Plug-In


As of Junos OS Release 9.5, a stateful firewall plug-in is provided as part of the jbundle package. To load this plug-in on the PIC, include the package jservices-sfw statement at the [edit chassis fpc slot-number pic slot-number adaptive-services service-package extension-provider] hierarchy level. For example:
user@host# show chassis
fpc 0 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 7;
                    object-cache-size 512;
                    package jservices-sfw; # Loads the stateful firewall plug-in.
                    policy-db-size 64;
                }
            }
        }
    }
}


You can load both the jservices-sfw package and a Junos SDK application package on the same PIC. The following example demonstrates the stateful firewall plug-in coexisting with a provider's plug-in:

[edit]
services {
    service-set sset {
        stateful-firewall-rules rule1;
        interface-service {
            service-interface ms-0/0/0;
        }
        extension-service customer-plugin;
        service-order {
            forward-flow [ stateful-firewall customer-plugin ];
        }
    }
    stateful-firewall {
        rule rule1 {
            match-direction input-output;
            term term1 {
                from {
                    applications junos-ftp;
                }
                then {
                    accept;
                }
            }
        }
        rule rule2 {
            match-direction input;
            term term1 {
                from {
                    source-address {
                        192.1.1.2/32;
                    }
                }
                then {
                    reject;
                    syslog;
                }
            }
        }
    }
}

The following stateful firewall operational commands support the ms- interface:

show services stateful-firewall flows - Display stateful firewall flow table entries.
show services stateful-firewall statistics - Display stateful firewall statistics. For this command, only rule and ALG statistics are given. In the extensive option, other statistics appear but do not populate correctly; those values are all zeroes.
clear services stateful-firewall flows - Remove established flows from the flow table.


The commands are described in the Junos OS System Basics and Services Command Reference.

Related Documentation
    Configuring Memory for the Stateful Firewall Plug-In on page 137
    extension-provider on page 142

Configuring Memory for the Stateful Firewall Plug-In


When configuring the stateful firewall internal plug-in, some questions remain about the upper limit to specify for the policy-db-size, object-cache-size, and forwarding-db-size statements when the application needs to use a large number of rules and the total memory required approaches the size of the configured object cache. The following limits, which are specific to the stateful firewall configuration, await additional review:

Maximum number of terms (with one rule per term) per service set: 1200
Maximum number of service sets per Multiservices PIC: 4000 (Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers), 6000 (Juniper Networks MX Series 3D Universal Edge Routers and M120 Multiservice Edge Routers)
Maximum object cache size: 1280 MB (Multiservices 400 PICs and DPCs), 512 MB (Multiservices 100 PICs)
Maximum policy database size: Still to be determined.

If the policy database is set too small, an error message is logged in the router message file even though the commit may appear to succeed. Check the logs to make sure that no such error was recorded before concluding that the stateful firewall commit was indeed successful. The remedial action is to increase the size of the policy database.

Related Documentation

extension-provider on page 142

Configuring rsh, rlogin, rexec for Stateful Firewall


Some implementations of the rsh, rlogin, rexec mechanism require the remote host to authenticate the request by opening a separate TCP session to port 113 on the client host. By default, the stateful firewall does not allow this authentication flow to go through. To open the authentication flow, include the applications junos-ident statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level:
[edit]
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    (source-address | destination-address);
                    applications junos-ident;
                }
                then {
                    accept;
                }
            }
        }
    }
}

To allow Kerberos-enabled rsh, rlogin, rexec through the stateful firewall, configure the following additional applications and include them in the stateful firewall terms:
[edit]
applications {
    application test-kerberos-kshell {
        protocol tcp;
        destination-port kshell;
    }
    application test-kerberos-klogin {
        protocol tcp;
        destination-port klogin;
    }
}
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    applications [ test-kerberos-klogin test-kerberos-kshell ];
                }
                then {
                    accept;
                }
            }
        }
    }
}

Related Documentation

Configuring Memory for the Stateful Firewall Plug-In on page 137


CHAPTER 9

Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements


The following sections explain stateful firewall statements used in SDK applications. The statements are organized alphabetically.

control-cores

Syntax
    control-cores control-number;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure control cores. Any cores not configured as either control or data cores are treated as user cores. When the number of control cores is changed, the PIC reboots.

Options
    control-number - Number of control cores. At least one core must be a control core.
    Range: 1 through 8

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    data-cores on page 140


data-cores

Syntax
    data-cores data-number;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure data cores. Any cores not configured as either data or control cores are treated as user cores. When the number of data cores is changed, the PIC reboots.

Options
    data-number - Number of data cores. Although it is not mandatory to dedicate any cores as data cores, it is advisable, depending on the nature of the application, to dedicate a minimum of five as data cores to achieve good performance.
    Range: 0 through 7

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    control-cores on page 139

data-flow-affinity

Syntax
    data-flow-affinity {
        hash-key (layer-3 | layer-4);
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Enable flow affinity distribution for packets over data CPUs on the PIC. Once enabled, the default behavior for distributing data packets changes from a round-robin distribution to a flow affinity distribution based on a hash. Adding or deleting this statement causes the PIC to reboot.
    The statements are explained separately.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


destination

Syntax
    destination destination;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider syslog facility]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Configure where log messages go. By default, all messages go to the /var/log directory on the Routing Engine. Enhancements to the existing infrastructure make debugging on the Multiservices PIC easier by giving the user the option of redirecting log messages. When the syslog destination statement is configured to redirect the log messages, you can use the set system syslog command, available in the native Junos OS CLI, to override the syslog settings made on the Multiservices PIC.

Options
    destination - Choose one of the following options:
        routing-engine - Forward log messages to the Routing Engine.
        pic-console - Forward log messages to the console of the PIC.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    extension-provider on page 142


extension-provider

Syntax
    extension-provider {
        control-cores control-number;
        data-cores data-number;
        data-flow-affinity {
            hash-key (layer-3 | layer-4);
        }
        forwarding-db-size size;
        object-cache-size size;
        package package-name;
        policy-db-size size;
        syslog {
            facility {
                severity;
                destination destination;
            }
        }
        wired-process-mem-size mem-size;
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure an application on a PIC. When the extension-provider statement is first configured, the PIC reboots.
    The statements are explained separately.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


forwarding-db-size

Syntax
    forwarding-db-size size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the size of the forwarding database (FDB). When this setting is changed, the PIC reboots.

    NOTE: You need to enable the forwarding-options sampling statement for the FDB to be created.

Options
    size - Size of the FDB, in megabytes (MB). The size of the FDB and the size of the policy database together must be smaller than the size of the object cache.
    Range: 0 through 12879 MB

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    policy-db-size on page 146
    wired-process-mem-size on page 148
    object-cache-size on page 145


hash-key

Syntax
    hash-key (layer-3 | layer-4);

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider data-flow-affinity]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Set the hashing distribution of flow affinity. This is an optional setting. Once the data-flow-affinity statement is enabled, you may need to choose the hashing distribution. Modifying this statement causes the PIC to reboot.

Default
    If you do not configure the hash-key statement, the hashing distribution is 5-tuple hashing, or layer-4.

Options
    layer-3 - 3-tuple hashing (source IP address, destination IP address, and IP protocol).
    layer-4 - 5-tuple hashing (3-tuple plus source and destination TCP or UDP ports).

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    extension-provider on page 142


object-cache-size

Syntax
    object-cache-size value;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the object cache. When this setting is changed, the PIC reboots.

Options
    value - Amount of object cache, in MB. Only values in increments of 128 MB are allowed.
    Range: For Multiservices 100 PIC, the range is 128 MB through 512 MB. If the wired-process-mem-size statement at the same hierarchy level has a value of 512 MB, the maximum value for this statement is 128 MB.
    Range: For Multiservices 400 PIC, the range is 128 MB through 1280 MB. If the wired-process-mem-size statement at the same hierarchy level has a value of 512 MB, the maximum value for this statement is 512 MB.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    forwarding-db-size on page 143
    policy-db-size on page 146
    wired-process-mem-size on page 148

package (Loading on PIC)

Syntax
    package package-name;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.1.

Description
    Identify a package to be loaded on the PIC. When a package is added or removed, the PIC reboots.

Options
    package-name - Name of the package to be loaded on the PIC. There can be up to eight packages loaded on a PIC; however, only one data package is allowed per PIC. An error message is displayed if more than eight packages are specified.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


policy-db-size

Syntax
    policy-db-size size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the policy database. When this setting is changed, the PIC reboots.

    NOTE: At least one data core must be configured to configure the size of the policy database.

Options
    size - Size of the policy database, in megabytes (MB). The size of the forwarding database and the size of the policy database together must be smaller than the size of the object cache.
    Range: 0 through 1279 MB

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    forwarding-db-size on page 143
    object-cache-size on page 145
    wired-process-mem-size on page 148


syslog

Syntax
    syslog {
        facility {
            severity;
            destination destination;
        }
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.2.
    Options daemon and kernel (for facility) introduced in Junos OS Release 9.5.

Description
    Enable PIC system logging to record or view system log messages on a specific PIC. The system log information is passed to the kernel for logging in the /var/log directory.

Options
    facility - Group of messages that are either generated by the same software process or concern a similar condition or activity. Possible values include the following: daemon, external, kernel, and pfe.
    severity - Classification of effect on functioning. Possible values are the following options:
        any - Include all severity levels.
        none - Disable logging of the associated facility to a destination.
        emergency - System panic or other condition that causes the routing platform to stop functioning.
        alert - Conditions that require immediate correction, such as a corrupted system database.
        critical - Critical conditions, such as hard errors.
        error - Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.
        warning - Conditions that warrant monitoring.
        notice - Conditions that are not errors but might warrant special handling.
        info - Events or nonerror conditions of interest.
    The remaining statement is explained separately.

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


wired-process-mem-size

Syntax
    wired-process-mem-size mem-size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the reserved wired process memory. You can also configure object cache. If this setting is changed, the PIC reboots.

Options
    mem-size - Size of the reserved wired process memory, in MB. The only size you can set for this statement is 512 MB.
    Default: 512 MB
    Range: 0 through 512 MB

Required Privilege Level
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

Related Documentation
    forwarding-db-size on page 143
    object-cache-size on page 145
    policy-db-size on page 146
    wired-process-mem-size on page 148
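The memory and core constraints in this chapter interact (object cache granularity and per-PIC caps, the wired-process-mem-size cap, the rule that forwarding-db-size plus policy-db-size must fit inside the object cache, and the data-core prerequisite for policy-db-size), and Chapter 8 notes that an undersized policy database only shows up as an error in the message file after an apparently successful commit. The following pre-commit check is an added example, not Juniper code; the PIC model labels "ms-100" and "ms-400" and the sample configurations are constructed for illustration, and it encodes only the limits stated on this page.

```python
"""Sanity-check extension-provider memory/core settings before commit.

Added example (not Juniper code). Encodes only the constraints stated in
this chapter; "ms-100"/"ms-400" are constructed labels for the
Multiservices 100 and 400 PICs.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Upper bound on object-cache-size per PIC model, in MB.
OBJECT_CACHE_MAX = {"ms-100": 512, "ms-400": 1280}
# Reduced bound that applies when wired-process-mem-size is 512 MB.
OBJECT_CACHE_MAX_WITH_WIRED_512 = {"ms-100": 128, "ms-400": 512}
OBJECT_CACHE_STEP = 128  # only multiples of 128 MB are accepted
MAX_PACKAGES = 8


@dataclass
class ExtensionProvider:
    """The subset of [edit chassis fpc ... extension-provider] that is checked."""
    pic_model: str                                 # "ms-100" or "ms-400"
    control_cores: int
    data_cores: int = 0
    object_cache_size: int = 128                   # MB
    policy_db_size: int = 0                        # MB
    forwarding_db_size: int = 0                    # MB
    wired_process_mem_size: Optional[int] = None   # MB; 512 is the only settable value
    packages: List[str] = field(default_factory=list)


def validate(cfg: ExtensionProvider) -> List[str]:
    """Return the list of violated constraints; an empty list means consistent."""
    errors: List[str] = []
    if not 1 <= cfg.control_cores <= 8:
        errors.append("control-cores must be 1 through 8")
    if not 0 <= cfg.data_cores <= 7:
        errors.append("data-cores must be 0 through 7")
    # policy-db-size can only be configured when at least one data core exists.
    if cfg.policy_db_size > 0 and cfg.data_cores < 1:
        errors.append("policy-db-size requires at least one data core")
    if cfg.object_cache_size % OBJECT_CACHE_STEP != 0:
        errors.append("object-cache-size must be a multiple of 128 MB")
    if cfg.pic_model not in OBJECT_CACHE_MAX:
        errors.append(f"unknown PIC model {cfg.pic_model!r}")
    else:
        # The 512 MB wired-process reservation lowers the permitted object cache.
        if cfg.wired_process_mem_size == 512:
            cap = OBJECT_CACHE_MAX_WITH_WIRED_512[cfg.pic_model]
        else:
            cap = OBJECT_CACHE_MAX[cfg.pic_model]
        if not OBJECT_CACHE_STEP <= cfg.object_cache_size <= cap:
            errors.append(
                f"object-cache-size must be 128 through {cap} MB for {cfg.pic_model} "
                f"with wired-process-mem-size {cfg.wired_process_mem_size} MB"
            )
    # FDB and policy database must together be smaller than the object cache.
    if cfg.forwarding_db_size + cfg.policy_db_size >= cfg.object_cache_size:
        errors.append("forwarding-db-size + policy-db-size must be smaller than object-cache-size")
    if len(cfg.packages) > MAX_PACKAGES:
        errors.append("at most eight packages can be loaded on a PIC")
    return errors


def chapter_example() -> List[str]:
    """The 'show chassis' example from Chapter 8, assumed to be on a Multiservices 400 PIC."""
    cfg = ExtensionProvider("ms-400", control_cores=1, data_cores=7,
                            object_cache_size=512, policy_db_size=64,
                            packages=["jservices-sfw"])
    return validate(cfg)


if __name__ == "__main__":
    print("chapter example:", chapter_example() or "ok")
    # Constructed misconfiguration: oversubscribed cache, no data core, wired cap exceeded.
    bad = ExtensionProvider("ms-100", control_cores=1, data_cores=0, object_cache_size=512,
                            policy_db_size=400, forwarding_db_size=200,
                            wired_process_mem_size=512)
    for problem in validate(bad):
        print("bad config:", problem)
```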


CHAPTER 10

Carrier-Grade NAT Configuration Guidelines


To configure Network Address Translation (NAT) services, include the nat statement at the [edit services] hierarchy level:
[edit services]
nat {
    ipv6-multicast-interfaces (all | interface-name) {
        disable;
    }
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-range low minimum-value high maximum-value;
        mapping-timeout seconds;
        pgcp {
            hint [ hint-strings ];
            ports-per-session ports;
            remotely-controlled;
            transport [ transport-protocols ];
        }
        port (automatic | range low minimum-value high maximum-value) {
            preserve-parity;
            preserve-range;
            secured-port-block-allocation {
                active-block-timeout timeout-seconds;
                block-size block-size;
                max-blocks-per-user max-blocks;
            }
        }
        random-allocation;
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                no-translation;
                translated {
                    address-pooling paired;
                    destination-pool nat-pool-name;
                    destination-prefix destination-prefix;
                    dns-alg-pool dns-alg-pool;
                    dns-alg-prefix dns-alg-prefix;
                    filtering-type endpoint-independent;
                    mapping-type endpoint-independent;
                    overload-pool overload-pool-name;
                    overload-prefix overload-prefix;
                    source-pool nat-pool-name;
                    source-prefix source-prefix;
                    translation-type {
                        (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64);
                    }
                    use-dns-map-for-destination-translation;
                }
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}

This chapter includes the following sections:

Configuring Addresses and Ports for Use in NAT Rules on page 151
Configuring NAT Rules on page 156
Configuring NAT Rule Sets on page 161
Configuring Static Source Translation in IPv4 Networks on page 162
Configuring Static Source Translation in IPv6 Networks on page 165
Configuring Dynamic Source Address and Port Translation in IPv4 Networks on page 168
Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks on page 170
Configuring Dynamic Source Address and Port Translation for IPv6 Networks on page 173
Configuring Dynamic Address-Only Source Translation in IPv4 Networks on page 174
Configuring Static Destination Address Translation in IPv4 Networks on page 177
Configuring Port Forwarding for Static Destination Address Translation on page 179
Configuring Translation Type for Translation Between IPv6 and IPv4 Networks on page 182
Configuring NAT-PT on page 187
Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) on page 189
Configuring Port Forwarding for Static Destination Address Translation on page 190
Examples: Configuring NAT Rules on page 193
Example: NAT 44 CGN Configurations on page 223
Example: NAT Between VRFs Configuration on page 226
Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion on page 229

Configuring Addresses and Ports for Use in NAT Rules


For information about configuring translated addresses, see the following sections:

Configuring Pools of Addresses and Ports on page 151
Configuring Address Pools for Network Address Port Translation on page 152
Specifying Destination and Source Prefixes on page 155
Requirements for NAT Addresses on page 155

Configuring Pools of Addresses and Ports


You can use the pool statement to define the addresses (or prefixes), address ranges, and ports used for Network Address Translation (NAT). To configure the information, include the pool statement at the [edit services nat] hierarchy level:
[edit services nat]
pool nat-pool-name {
    address ip-prefix</prefix-length>;
    address-range low minimum-value high maximum-value;
    port (automatic | range low minimum-value high maximum-value);
    preserve-parity;
    preserve-range {
    }
}

To configure pools for traditional NAT, specify either a destination pool or a source pool. With static source NAT and dynamic source NAT, you can specify multiple IPv4 addresses (or prefixes) and IPv4 address ranges. Up to 32 prefixes or address ranges (or a combination) can be supported within a single pool. With static destination NAT, you can also specify multiple address prefixes and address ranges in a single term. Multiple destination NAT terms can share a destination NAT pool. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses will not be used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used. For constraints on specific translation types, see Configuring Actions in NAT Rules on page 159.


With source static NAT, the prefixes and address ranges cannot overlap between separate pools. In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges. When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 65,000 addresses, for a total of (65,000 x 65,535) or 4,259,775,000 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.

Preserve Range and Preserve Parity


You can configure your carrier-grade NAT (CGN) to preserve the range or parity of the packet source port when it allocates a source port for an outbound connection. You configure the preserve parity and preserve range options under the NAT pool definition by including the preserve-range and preserve-parity configuration statements at the [edit services nat pool nat-pool-name port] hierarchy level.

Preserve range - RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, defines two ranges: 0 through 1023, and 1024 through 65,535. When the preserve-range knob is configured and the incoming port falls into one of these ranges, CGN allocates a port from that range only. However, if there is no available port in the range, the port allocation request fails and that session is not created. The failure is reflected in counters and system logging, but no Internet Control Message Protocol (ICMP) message is generated. If this knob is not configured, allocation is based on the configured port range without regard to the port range that contains the incoming port. The exception is some application-level gateways (ALGs), such as hello, that have special zones.

Preserve parity - When the preserve-parity knob is configured, CGN allocates a port with the same even or odd parity as the incoming port. If the incoming port number is odd or even, the outgoing port number is correspondingly odd or even. If a port number of the desired parity is not available, the port allocation request fails, the session is not created, and the packet is dropped.

Configuring Address Pools for Network Address Port Translation


With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each. The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.

152

Copyright 2011, Juniper Networks, Inc.

Chapter 10: Carrier-Grade NAT Configuration Guidelines

The Junos OS provides several alternatives for allocating ports:


Round-Robin Allocation on page 153
Port Block Allocation on page 153
Sequential on page 154
Additional Options for NAPT on page 154

Round-Robin Allocation
To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

The first connection is allocated to the address:port 9.9.99.1:3333.
The second connection is allocated to the address:port 9.9.99.2:3333.
The third connection is allocated to the address:port 9.9.99.3:3333.
The fourth connection is allocated to the address:port 9.9.99.4:3333.
The fifth connection is allocated to the address:port 9.9.99.5:3333.
The sixth connection is allocated to the address:port 9.9.99.6:3333.
The seventh connection is allocated to the address:port 9.9.99.7:3333.
The eighth connection is allocated to the address:port 9.9.99.8:3333.
The ninth connection is allocated to the address:port 9.9.99.9:3333.
The tenth connection is allocated to the address:port 9.9.99.10:3333.
The eleventh connection is allocated to the address:port 9.9.99.11:3333.
The twelfth connection is allocated to the address:port 9.9.99.12:3333.
Wraparound occurs and the thirteenth connection is allocated to the address:port 9.9.99.1:3334.

Port Block Allocation


With port block allocation, carriers track their subscribers using the IP address (RADIUS or DHCP log). If they use CGN, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which is part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers. The most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.


Junos 11.4 Services Interfaces Configuration Guide

To configure port block allocation, include the secured-port-block-allocation statement at the [edit services nat pool pool-name port] hierarchy level. You can then specify the following configurable options:

block-size
max-blocks-per-user
active-block-timeout
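An added example (Python, not Juniper code) that models the three options above: ports are handed out randomly from the subscriber's active block, one log entry is written per block rather than per session, and that log alone attributes a public address:port back to a subscriber. The public address, port range and subscriber addresses are constructed, and release of blocks on session expiry is omitted.

```python
import random
from dataclasses import dataclass, field

# Added example: a simplified model of secured port block allocation, not
# Juniper's implementation. Parameters mirror the knobs named on the page
# (block-size, max-blocks-per-user, active-block-timeout); every address
# and port value below is constructed.


@dataclass
class Block:
    low: int
    high: int
    allocated_at: float
    used: set = field(default_factory=set)

    def free_ports(self):
        return [p for p in range(self.low, self.high + 1) if p not in self.used]


class PortBlockAllocator:
    def __init__(self, address, port_low, port_high, block_size,
                 max_blocks_per_user, active_block_timeout, seed=0):
        self.address = address
        self.max_blocks = max_blocks_per_user
        self.timeout = active_block_timeout
        self.rng = random.Random(seed)
        # Carve the pool's port range into fixed-size blocks (a partial tail is dropped).
        self.free_blocks = [(lo, lo + block_size - 1)
                            for lo in range(port_low, port_high + 1, block_size)
                            if lo + block_size - 1 <= port_high]
        self.blocks = {}   # subscriber (private IP) -> [Block, ...]
        self.log = []      # one entry per allocated block, not per session

    def allocate(self, subscriber, now):
        """Return (public address, port) for a new session, or None on failure."""
        owned = self.blocks.setdefault(subscriber, [])
        active = owned[-1] if owned else None
        # A new block is needed when there is none, the active one is full,
        # or active-block-timeout has elapsed since the active block was taken.
        need_new = (active is None or not active.free_ports()
                    or now - active.allocated_at >= self.timeout)
        if need_new:
            if len(owned) >= self.max_blocks or not self.free_blocks:
                return None        # max-blocks-per-user reached or pool exhausted
            low, high = self.free_blocks.pop(0)
            active = Block(low, high, now)
            owned.append(active)
            self.log.append((now, subscriber, self.address, low, high))
        port = self.rng.choice(active.free_ports())   # random port within the block
        active.used.add(port)
        return (self.address, port)

    def subscriber_for(self, port, when):
        """Attribute a public port seen at time `when` to a subscriber using only the block log."""
        for t, subscriber, _, low, high in reversed(self.log):
            if t <= when and low <= port <= high:
                return subscriber
        return None
```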

Sequential
With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted.

NOTE: This legacy implementation provides backward compatibility.

The NAT pool called napt in the following configuration example uses the sequential implementation:
pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}

In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed. In the case of the example napt pool, the address:port tuple 9.9.99.4:3333 is allocated only when all ports for all the addresses in the first range have been used.

The first connection is allocated to the address:port 9.9.99.1:3333.
The second connection is allocated to the address:port 9.9.99.1:3334.
The third connection is allocated to the address:port 9.9.99.2:3333.
The fourth connection is allocated to the address:port 9.9.99.2:3334, and so on.
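The round-robin and sequential orderings above, together with the preserve-range and preserve-parity constraints from the start of this section, as an added example (Python, not Juniper code) run over the napt pool shown above. A real CGN keeps per-address cursors and releases ports when sessions expire, which this model omits; because the napt pool has 11 addresses, round-robin wraparound here occurs on the twelfth allocation.

```python
import ipaddress

# Added example: a model of NAPT port allocation over the page's napt pool
# (address ranges 9.9.99.1-3, 4-6, 8-10, 12-13 and ports 3333-3334).
# Not Juniper's implementation.

RESERVED_HIGH = 1023   # RFC 4787 port ranges: 0-1023 and 1024-65535


def expand_ranges(ranges):
    """Expand (low, high) IPv4 address-range pairs into an ordered list of addresses."""
    out = []
    for low, high in ranges:
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high))
        out.extend(str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1))
    return out


class NaptPool:
    def __init__(self, address_ranges, port_low, port_high, allocation="sequential",
                 preserve_range=False, preserve_parity=False):
        addrs = expand_ranges(address_ranges)
        ports = range(port_low, port_high + 1)
        if allocation == "sequential":
            # Exhaust every port of one address before moving to the next address.
            self.order = [(a, p) for a in addrs for p in ports]
        elif allocation == "round-robin":
            # One port from each address across all ranges, then wrap to the next port.
            self.order = [(a, p) for p in ports for a in addrs]
        else:
            raise ValueError(allocation)
        self.preserve_range = preserve_range
        self.preserve_parity = preserve_parity
        self.used = set()
        self.failures = 0   # the CGN counts and logs these; no ICMP message is sent

    def _acceptable(self, port, src_port):
        if self.preserve_parity and port % 2 != src_port % 2:
            return False
        if self.preserve_range and (port <= RESERVED_HIGH) != (src_port <= RESERVED_HIGH):
            return False
        return True

    def allocate(self, src_port):
        """Return the translated (address, port), or None when the session cannot be created."""
        for addr, port in self.order:
            if (addr, port) not in self.used and self._acceptable(port, src_port):
                self.used.add((addr, port))
                return (addr, port)
        self.failures += 1
        return None


NAPT_RANGES = [("9.9.99.1", "9.9.99.3"), ("9.9.99.4", "9.9.99.6"),
               ("9.9.99.8", "9.9.99.10"), ("9.9.99.12", "9.9.99.13")]


def first_allocations(allocation, n, src_port=40000, **flags):
    """Allocate n sessions from a fresh napt pool and return the tuples in order."""
    pool = NaptPool(NAPT_RANGES, 3333, 3334, allocation, **flags)
    return [pool.allocate(src_port) for _ in range(n)]
```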

Additional Options for NAPT


The following options are available for NAPT.

Preserving parity: Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.

Preserving range: Use the preserve-range command to allocate ports within a range from 0 to 1023, assuming the original packet contains a source port in the reserved range. This applies to control sessions, not data sessions.

Specifying Destination and Source Prefixes


You can directly specify the destination or source prefix used in NAT without configuring a pool. To configure the information, include the rule statement at the [edit services nat] hierarchy level:
[edit services nat]
rule rule-name {
    term term-name {
        then {
            translated {
                destination-prefix prefix;
            }
        }
    }
}

Requirements for NAT Addresses


You must configure a specific address, a prefix, or the address-range boundaries:

The following addresses, while valid in inet.0, cannot be used for NAT translation:

0.0.0.0/32
127.0.0.0/8 (loopback)
128.0.0.0/16 (martian)
191.255.0.0/16 (martian)
192.0.0.0/24 (martian)
223.255.255.0/24 (martian)
224.0.0.0/4 (multicast)
240.0.0.0/4 (reserved)
255.255.255.255 (broadcast)

You can specify one or more IPv4 address prefixes in the pool statement and in the from clause of the NAT rule term. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. Destination translation cannot be configured by this method. For more information, see Examples: Configuring NAT Rules. When you configure static source NAT, the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 or IPv6 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused. Pools cannot be shared.

NOTE: When you include a NAT configuration that changes IP addresses, it might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes. NAT configuration might also affect routing protocols operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocols packets transit the Adaptive Services (AS) or Multiservices PIC.

Configuring NAT Rules


To configure a NAT rule, include the rule rule-name statement at the [edit services nat] hierarchy level:
[edit services nat]
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            no-translation;
            translated {
                address-pooling paired;
                destination-pool nat-pool-name;
                destination-prefix destination-prefix;
                dns-alg-pool dns-alg-pool;
                dns-alg-prefix dns-alg-prefix;
                filtering-type endpoint-independent;
                mapping-type endpoint-independent;
                overload-pool overload-pool-name;
                overload-prefix overload-prefix;
                source-pool nat-pool-name;
                source-prefix source-prefix;
                translation-type {
                    (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                }
                use-dns-map-for-destination-translation;
            }
            syslog;
        }
    }
}

Each rule must include a match-direction statement that specifies the direction in which the match is applied. In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:

from statement: Specifies the match conditions and applications that are included and excluded.

then statement: Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of NAT rules:

Configuring Match Direction for NAT Rules on page 157
Configuring Match Conditions in NAT Rules on page 158
Configuring Actions in NAT Rules on page 159

Configuring Match Direction for NAT Rules


Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:
[edit services nat rule rule-name]
match-direction (input | output);

The match direction is used with respect to the traffic flow through the Multiservices DPC and Multiservices PICs. When a packet is sent to the PIC, direction information is carried along with it. The packet direction is determined based on the following criteria:

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the Multiservices DPC or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information about inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

On the Multiservices DPC and Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.

Configuring Match Conditions in NAT Rules


To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:
[edit services nat rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

To configure traditional NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos OS Routing Policy Configuration Guide. Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule. For an example, see Examples: Configuring Stateful Firewall Rules on page 118. You can include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Protocol Properties on page 72:

To apply one or more specific application protocol definitions, include the applications statement at the [edit services nat rule rule-name term term-name from] hierarchy level.

To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services nat rule rule-name term term-name from] hierarchy level.


NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions. When matched rules include more than one ALG, the more specific ALG takes effect; for example, if the stateful firewall rule includes TCP and the NAT rule includes FTP, the NAT rule takes precedence. You can configure ALGs for ICMP and trace route under stateful firewall and NAT. By default, NAT can restore IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for NAT configurations.

Configuring Actions in NAT Rules


To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level:
[edit services nat rule rule-name term term-name]
then {
    no-translation;
    syslog;
    translated {
        destination-pool nat-pool-name;
        destination-prefix destination-prefix;
        source-pool nat-pool-name;
        source-prefix source-prefix;
        translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
    }
}

The no-translation statement allows you to specify addresses that you want excluded from NAT. The syslog statement enables you to record an alert in the system logging facility. The destination-pool, destination-prefix, source-pool, and source-prefix statements specify addressing information that you define by including the pool statement at the [edit services nat] hierarchy level; for more information, see Configuring Addresses and Ports for Use in NAT Rules on page 151. The translation-type statement specifies the type of NAT used for source or destination traffic. The options are basic-nat-pt, basic-nat44, basic-nat66, dnat-44, dynamic-nat44, napt-44, napt-66, napt-pt, and stateful-nat64. For more information, see Network Address Translation Overview on page 48.


The implementation details of the nine options of the translation-type statement are as follows:

basic-nat44: This option implements the static translation of source IP addresses without port mapping. You must configure the from source-address statement in the match condition for the rule. The size of the address range specified in the statement must be the same as or smaller than the source pool. You must specify either a source pool or a destination prefix. The referenced pool can contain multiple addresses but you cannot specify ports for translation.

NOTE: In an interface service set, all packets destined for the source address specified in the match condition are automatically routed to the services PIC, even if no service set is associated with the interface.

basic-nat66: This option implements the static translation of source IP addresses without port mapping in IPv6 networks. The configuration is similar to the basic-nat44 implementation, but with IPv6 addresses.

basic-nat-pt: This option implements translation of addresses of IPv6 hosts, as they originate sessions to the IPv4 hosts in an external domain and vice versa. This option is always implemented with DNS ALG. You must define the source and destination pools of IPv4 addresses. You must configure one rule and define two terms. Configure the IPv6 addresses in the from statement in both the term statements. In the then statement of the first term within the rule, reference both the source and destination pools and configure dns-alg-prefix. Configure the source prefix in the then statement of the second term within the same rule.

dnat-44: This option implements static translation of destination IP addresses without port mapping. The size of the pool address space must be greater than or equal to the destination address space. You must specify a name for the destination pool statement. The referenced pool can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement. You must include exactly one destination-address value at the [edit services nat rule rule-name term term-name from] hierarchy level; if it is a prefix, the size must be less than or equal to the pool prefix size. Any addresses in the pool that are not matched in the destination-address value remain unused, because a pool cannot be shared among multiple terms or rules.

dynamic-nat44: This option implements dynamic translation of source IP addresses without port mapping. You must specify a source-pool name. The referenced pool must include an address configuration (for address-only translation). The dynamic-nat44 address-only option supports translating up to 16,777,216 addresses to a smaller size pool. The requests from the source address range are assigned to the addresses in the pool until the pool is used up, and any additional requests are rejected. A NAT address assigned to a host is used for all concurrent sessions from that host. The address is released to the pool only after all the sessions for that host expire. This feature enables the router to share a few public IP addresses between several private hosts. Because all the private hosts might not simultaneously create sessions, they can share a few public IP addresses.

napt-44: This option implements dynamic translation of source IP addresses with port mapping. You must specify a name for the source-pool statement. The referenced pool must include a port configuration. If the port is configured as automatic or a port range is specified, then it implies that network address and port translation (NAPT) is used.

napt-66: This option implements dynamic address translation of source IP addresses with port mapping for IPv6 addresses. The configuration is similar to the napt-44 implementation, but with IPv6 addresses.

napt-pt: This option implements dynamic address and port translation for source and static translation of destination IP address. You must specify a name for the source-pool statement. The referenced pool must include a port configuration (for NAPT). Additionally, you must configure two rules, one for the DNS traffic and the other for the rest of the traffic. The rule meant for the DNS traffic should be DNS ALG enabled and the dns-alg-prefix statement should be configured. Moreover, the prefix configured in the dns-alg-prefix statement must be used in the second rule to translate the destination IPv6 addresses to IPv4 addresses.

stateful-nat64: This option implements dynamic address and port translation for source IP addresses and prefix removal translation for destination IP addresses. You must specify the IPv4 addresses used for translation at the [edit services nat pool] hierarchy level. This pool must be referenced in the rule that translates the IPv6 addresses to IPv4.

NOTE: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:

Addresses specified in the from destination-address statement when you are using destination translation
Addresses specified in the source NAT pool when you are using source translation

For more information on NAT methods, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Configuring NAT Rule Sets


The rule-set statement defines a collection of NAT rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services nat] hierarchy level with a rule statement for each rule:
rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules match the packet, no NAT action is performed on the packet. If a packet is destined to a NAT pool address, it is dropped.
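The rule-set processing described above, as an added example (Python, not Juniper code): rules are considered only when their match-direction equals the packet direction, the first matching term ends processing, and an unmatched packet destined to a pool address is dropped. The pool src_pool and rule-basic-nat44 are taken from the static basic-nat44 example later in this chapter; rule-bypass and the packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: a model of NAT rule-set evaluation, not Juniper's
# implementation. src_pool and rule-basic-nat44 follow the basic-nat44
# example in this chapter; rule-bypass and all packet addresses are constructed.

POOLS = {"src_pool": "10.10.10.2/32"}


def _match(cond, addr, negate=False):
    """Match one from-statement address condition; None means 'not specified'."""
    if cond is None:
        return True
    hit = cond == "any-unicast" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(cond, strict=False)
    return (not hit) if negate else hit


@dataclass
class Term:
    name: str
    source_address: Optional[str] = None        # from source-address
    destination_address: Optional[str] = None   # from destination-address
    source_except: bool = False                 # the <except> modifier
    destination_except: bool = False
    no_translation: bool = False                # then no-translation
    source_pool: Optional[str] = None           # then translated source-pool
    translation_type: Optional[str] = None

    def matches(self, src, dst):
        return (_match(self.source_address, src, self.source_except)
                and _match(self.destination_address, dst, self.destination_except))


@dataclass
class Rule:
    name: str
    match_direction: str   # "input" or "output"
    terms: List[Term]


def static_nat44(term, src):
    """basic-nat44: map the from prefix one-to-one onto the pool; ports are untouched."""
    from_net = ipaddress.ip_network(term.source_address, strict=False)
    pool_net = ipaddress.ip_network(POOLS[term.source_pool])
    if from_net.num_addresses > pool_net.num_addresses:
        raise ValueError("from source-address range must not exceed the source pool")
    offset = int(ipaddress.ip_address(src)) - int(from_net.network_address)
    return str(pool_net[offset])


def evaluate(rule_set, direction, src, dst):
    """Return (action, rule name, term name, translated source) for one packet."""
    for rule in rule_set:
        if rule.match_direction != direction:
            continue   # only rules whose direction matches the packet are considered
        for term in rule.terms:
            if not term.matches(src, dst):
                continue
            if term.no_translation:
                return ("no-translation", rule.name, term.name, src)
            if term.translation_type == "basic-nat44":
                return ("translate", rule.name, term.name, static_nat44(term, src))
            raise NotImplementedError(term.translation_type)
    # No term matched: a packet destined to a NAT pool address is dropped.
    if any(ipaddress.ip_address(dst) in ipaddress.ip_network(p) for p in POOLS.values()):
        return ("drop", None, None, None)
    return ("pass", None, None, src)


RULE_BASIC_NAT44 = Rule("rule-basic-nat44", "input", [
    Term("t1", source_address="3.1.1.2/32",
         source_pool="src_pool", translation_type="basic-nat44")])

# Constructed exemption rule, used to show that order within the rule set matters.
RULE_BYPASS = Rule("rule-bypass", "input", [
    Term("t1", destination_address="198.51.100.0/24", no_translation=True)])
```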

Configuring Static Source Translation in IPv4 Networks


To configure the translation type as basic-nat44, you must configure the NAT pool and rule, service set with service interface, and trace options. This topic includes the following tasks:
1. Configuring the NAT Pool and Rule on page 162
2. Configuring the Service Set for NAT on page 163
3. Configuring Trace Options on page 164

Configuring the NAT Pool and Rule


To configure the NAT pool, rule, and term:
1. In configuration mode, go to the [edit services nat] hierarchy level.

   [edit]
   user@host# edit services nat

2. Configure the NAT pool with an address.

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, the pool name is src_pool and the address is 10.10.10.2/32.

   [edit services nat]
   user@host# set pool src_pool address 10.10.10.2/32
3. Configure the NAT rule and the match direction.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction

   In the following example, the NAT rule name is rule-basic-nat44 and the match direction is input.

   [edit services nat]
   user@host# set rule rule-basic-nat44 match-direction input

4. Configure the source address in the from statement.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term term-name from from

   In the following example, the term name is t1 and the input condition is source-address 3.1.1.2/32.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 from source-address 3.1.1.2/32
5. Configure the NAT term action and properties of the translated traffic.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then term-action translated-property

   In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then translated source-pool src_pool

6. Configure the translation type.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then translated translation-type translation-type

   In the following example, the translation type is basic-nat44.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then translated translation-type basic-nat44

7. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

   [edit services]
   user@host# show
   nat {
       pool src_pool {
           address 10.10.10.2/32;
       }
       rule rule-basic-nat44 {
           match-direction input;
           term t1 {
               from {
                   source-address {
                       3.1.1.2/32;
                   }
               }
               then {
                   translated {
                       source-pool src_pool;
                       translation-type {
                           basic-nat44;
                       }
                   }
               }
           }
       }
   }

Configuring the Service Set for NAT


To configure the service set for NAT:
1. In configuration mode, go to the [edit services] hierarchy level.

   [edit]
   user@host# edit services

2. Configure the service set.

   [edit services]
   user@host# edit service-set service-set-name

   In the following example, the service set name is s1.

   [edit services]
   user@host# edit service-set s1

3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.

   [edit services service-set s1]
   user@host# set nat-rules rule-name

   In the following example, the rule name is rule-basic-nat44.

   [edit services service-set s1]
   user@host# set nat-rules rule-basic-nat44

4. Configure the service interface.

   [edit services service-set s1]
   user@host# set interface-service service-interface service-interface-name

   In the following example, the service interface name is ms-1/2/0.

   [edit services service-set s1]
   user@host# set interface-service service-interface ms-1/2/0

   NOTE: If you have a Trio-based line card, you can configure an inline-services interface on that card:

   [edit]
   user@host# set interfaces si-0/0/0
   [edit services service-set s1]
   user@host# set interface-service service-interface si-0/0/0

5. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   service-set s1 {
       nat-rules rule-basic-nat44;
       interface-service {
           service-interface ms-1/2/0;
       }
   }

Configuring Trace Options


To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:
1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

   [edit]
   user@host# edit services adaptive-services-pics

2. Configure the trace options.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is all.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   adaptive-services-pics {
       traceoptions {
           flag all;
       }
   }

Configuring Static Source Translation in IPv6 Networks


To configure the translation type as basic-nat66, you must configure the NAT pool and rule, service set with service interface, and trace options. This topic includes the following tasks:
1. Configuring the NAT Pool and Rule on page 165
2. Configuring the Service Set for NAT on page 167
3. Configuring Trace Options on page 167

Configuring the NAT Pool and Rule


To configure the NAT pool, rule, and term:
1. In configuration mode, go to the [edit services nat] hierarchy level.

   [edit]
   user@host# edit services nat

2. Configure the NAT pool with an address.

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, the pool name is src_pool and the address is 10.10.10.2/32.

   [edit services nat]
   user@host# set pool src_pool address 10.10.10.2/32

3. Configure the NAT rule and the match direction.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction

   In the following example, the rule name is rule-basic-nat66 and the match direction is input.

   [edit services nat]
   user@host# set rule rule-basic-nat66 match-direction input

4. Configure the source address in the from statement.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term term-name from from

   In the following example, the term name is t1 and the input condition is source-address 10:10:10::0/96.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 from source-address 10:10:10::0/96

5. Configure the NAT term action and properties of the translated traffic.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then term-action translated-property

   In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then translated source-pool src_pool

6. Configure the translation type.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then translated translation-type translation-type

   In the following example, the translation type is basic-nat66.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then translated translation-type basic-nat66

7. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   nat {
       pool src_pool {
           address 10.10.10.2/32;
       }
       rule rule-basic-nat66 {
           match-direction input;
           term t1 {
               from {
                   source-address {
                       10:10:10::0/96;
                   }
               }
               then {
                   translated {
                       source-pool src_pool;
                       translation-type {
                           basic-nat66;
                       }
                   }
               }
           }
       }
   }

166

Copyright 2011, Juniper Networks, Inc.

Chapter 10: Carrier-Grade NAT Configuration Guidelines

Configuring the Service Set for NAT


To configure the service set for NAT:
1. In configuration mode, go to the [edit services] hierarchy level.

   [edit]
   user@host# edit services

2. Configure the service set.

   [edit services]
   user@host# edit service-set service-set-name

   In the following example, the service set name is s1.

   [edit services]
   user@host# edit service-set s1

3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.

   [edit services service-set s1]
   user@host# set nat-rules rule-name

   In the following example, the rule name is rule-basic-nat66.

   [edit services service-set s1]
   user@host# set nat-rules rule-basic-nat66

4. Configure the service interface.

   [edit services service-set s1]
   user@host# set interface-service service-interface service-interface-name

   In the following example, the service interface name is sp-1/2/0.

   [edit services service-set s1]
   user@host# set interface-service service-interface sp-1/2/0

5. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   service-set s1 {
       nat-rules rule-basic-nat66;
       interface-service {
           service-interface sp-1/2/0;
       }
   }

Configuring Trace Options


To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:
1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

   [edit]
   user@host# edit services adaptive-services-pics

2. Configure the trace options.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is all.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   adaptive-services-pics {
       traceoptions {
           flag all;
       }
   }

Configuring Dynamic Source Address and Port Translation in IPv4 Networks


Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv4 networks. To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv4 addresses. To configure the NAPT in IPv4 networks:
1. In configuration mode, go to the [edit services] hierarchy level.

   [edit]
   user@host# edit services

2. Configure the service set and NAT rule.

   [edit services]
   user@host# set service-set service-set-name nat-rules rule-name

   In the following example, the name of the service set is s1 and the name of the NAT rule is rule-napt-44.

   [edit services]
   user@host# set service-set s1 nat-rules rule-napt-44

3. Go to the [interface-service] hierarchy level of the service set.

   [edit services]
   user@host# edit service-set s1 interface-service

4. Configure the service interface.

   [edit services service-set s1 interface-service]
   user@host# set service-interface service-interface-name

   In the following example, the name of the service interface is ms-0/1/0.


Chapter 10: Carrier-Grade NAT Configuration Guidelines

NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0

5. Go to the [edit services nat] hierarchy level. Issue the command from the top of the services hierarchy, or use the top keyword.

[edit services service-set s1 interface-service]
user@host# top edit services nat

6. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, the name of the pool is napt-pool and the address is 10.10.10.0.

[edit services nat]
user@host# set pool napt-pool address 10.10.10.0

7. Configure the port.

[edit services nat]
user@host# set pool pool-name port port-type

In the following example, the port type is selected as automatic.

[edit services nat]
user@host# set pool napt-pool port automatic

8. Configure the rule and the match direction.

[edit services nat]
user@host# set rule rule-name match-direction match-direction

In the following example, the name of the rule is rule-napt-44 and the match direction is input.

[edit services nat]
user@host# set rule rule-napt-44 match-direction input

9. Configure the term, the action for the translated traffic, and the translation type.

[edit services nat]
user@host# set rule rule-name term term-name then translated translated-action translation-type translation-type

In the following example, the name of the term is t1, the action for the translated traffic is translated, the name of the source pool is napt-pool, and the translation type is napt-44.

[edit services nat]
user@host# set rule rule-napt-44 term t1 then translated source-pool napt-pool translation-type napt-44

10. Go to the [edit services adaptive-services-pics] hierarchy level. In the command, the top keyword ensures that the command is run from the top of the hierarchy.


[edit services nat]
user@host# top edit services adaptive-services-pics

11. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is configured as all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-napt-44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool napt-pool {
        address 10.10.10.0/32;
        port {
            automatic;
        }
    }
    rule rule-napt-44 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Related Documentation

Example: Configuring Dynamic Source Translation for an IPv4 Network on page 196

Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks

A number of configuration options provide you with greater flexibility and control when you configure dynamic source address and port translation. These include the following:


address pooling: Assigning the same external address for all sessions originating from the same internal host. Address pooling applies when you use a pool of addresses. It does not imply anything about port assignment and does not specify which connections to accept from the outside.

BEST PRACTICE: If a Session Initiation Protocol (SIP) client is sending Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, it is expected that they come from the same IP address, even after they go through NAT. Otherwise, an alternate scheme should have been negotiated beforehand. If the RTP and RTCP IP addresses are different, the receiving endpoint might drop packets. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) will benefit from address-pooling paired.

Use Cases for Address Pooling

Instant Messaging: The chat and control sessions of some IM clients should arrive from the same public source address. If they don't, the server will reject them. For example, when a particular chat client is first started, it authenticates with the chat server to identify the user. When the user starts a chat window, a new session is established. If the chat session originates from a source address that is different from the authentication session, the server rejects the chat session; it is not recognized as an authenticated session.

SSL: Certain websites such as online banking require that all connections from a given host (SSL or not) come from the same IP address.

Configuration with Address Pooling Enabled

rule r1-address-pooling {
    match-direction input;
    term t1 {
        from {
            applications [ junos-sip junos-rtsp ];
        }
        then {
            translated {
                source-pool p1;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
}

endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF): EIM creates an address and port mapping from a private network to the public network. EIF is the exact opposite; it creates mappings from a public IP address and port to a private IP address and port.

NOTE: EIF can be configured only when EIM is configured.

For example, a host in a private network opens an Internet connection to a server with source IP address and port P1:p1. When a napt-44 rule with EIM and EIF enabled is matched for this session, a translated address and port, N1:n1, is allocated to this session and, because EIM is enabled, the following mapping is created:

P1:p1 ---> N1:n1

Any new connections to the same or a different server in the outside network that reuse the same private address and port are translated to N1:n1. In addition, because EIF is configured, another mapping is created for the inbound traffic:

N1:n1 ---> P1:p1

BEST PRACTICE: EIM is no longer widely used because many applications can now traverse NAT and receive inbound connections over the same outbound connection, and applications that need ALGs are still prevalent. If EIM is needed, it should be enabled on a per-application basis. In other words, only enable EIM for the applications that need it, as shown in the following example.

rule sip-eim {
    match-direction input;
    term t1 {
        from {
            applications junos-sip;
        }
        then {
            translated {
                source-pool p1;
                translation-type {
                    source dynamic;
                }
                mapping-type endpoint-independent;
            }
        }
    }
}
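As an added illustration (not Junos code and not from this guide), the following Python model of a NAPT-44 binding table reproduces the P1:p1 ---> N1:n1 behaviour described above and shows what EIF adds on the inbound side: without EIF, only replies on an existing session reach the private host; with EIF, any outside endpoint that sends to N1:n1 does. All addresses and ports are constructed.

```python
"""Toy NAPT-44 binding table contrasting endpoint-independent mapping (EIM)
and endpoint-independent filtering (EIF). Added illustration, not Junos code;
P1:p1 and N1:n1 follow the chapter's notation, all addresses are constructed."""
from itertools import count


class NaptTable:
    """Minimal model of the translation state a napt-44 rule keeps."""

    def __init__(self, public_ip, eim=False, eif=False, first_port=1024):
        if eif and not eim:
            # Chapter NOTE: EIF can be configured only when EIM is configured.
            raise ValueError("EIF requires EIM")
        self.public_ip, self.eim, self.eif = public_ip, eim, eif
        self._ports = count(first_port)
        self.mappings = {}   # EIM: (P1, p1) -> (N1, n1), independent of the peer
        self.sessions = {}   # (P1, p1, peer_ip, peer_port) -> (N1, n1)

    def outbound(self, priv_ip, priv_port, peer_ip, peer_port):
        """Translate a new outbound flow and return the public (N1, n1) used."""
        key = (priv_ip, priv_port)
        if self.eim:
            # Reuse N1:n1 for every flow from P1:p1, whatever the destination.
            if key not in self.mappings:
                self.mappings[key] = (self.public_ip, next(self._ports))
            public = self.mappings[key]
        else:
            # Without EIM each new 5-tuple gets its own external port.
            public = (self.public_ip, next(self._ports))
        self.sessions[(priv_ip, priv_port, peer_ip, peer_port)] = public
        return public

    def inbound(self, src_ip, src_port, pub_ip, pub_port):
        """Return the private (P1, p1) an inbound packet is delivered to, or None."""
        public = (pub_ip, pub_port)
        # Replies on an existing session are always forwarded.
        for (p_ip, p_port, peer_ip, peer_port), pub in self.sessions.items():
            if pub == public and (peer_ip, peer_port) == (src_ip, src_port):
                return (p_ip, p_port)
        # Only EIF installs the reverse N1:n1 ---> P1:p1 mapping that lets an
        # outside endpoint the host never contacted reach it.
        if self.eif:
            for key, pub in self.mappings.items():
                if pub == public:
                    return key
        return None


def scenario(eim, eif):
    """Run the chapter's example: one host, two servers, one unsolicited peer.

    Returns (same N1:n1 for both servers, reply delivered to, unsolicited delivered to)."""
    nat = NaptTable("203.0.113.10", eim=eim, eif=eif)
    n1 = nat.outbound("10.0.0.5", 40000, "198.51.100.1", 5060)  # P1:p1 -> server A
    n2 = nat.outbound("10.0.0.5", 40000, "198.51.100.2", 5060)  # P1:p1 -> server B
    reply = nat.inbound("198.51.100.1", 5060, *n1)               # server A answers
    unsolicited = nat.inbound("192.0.2.99", 6000, *n1)           # peer never contacted
    return n1 == n2, reply, unsolicited


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(f"eim={flags[0]} eif={flags[1]}: {scenario(*flags)}")
```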


Configuring Dynamic Source Address and Port Translation for IPv6 Networks

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv6 networks. For information about configuring NAPT in IPv4 networks, see Configuring Dynamic Source Address and Port Translation in IPv4 Networks on page 168. To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv6 addresses.

To configure NAPT in IPv6 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Define the pool of IPv6 source addresses that must be used for dynamic translation. For NAPT, also specify port numbers when configuring the source pool.

[edit services nat]
user@host# set pool pool-name address ipv6-source-addresses
user@host# set pool pool-name port source-ports

For example:

[edit services nat]
user@host# set pool IPV6-NAPT-Pool address 2002::1/96
user@host# set pool IPV6-NAPT-Pool port automatic

3. Define a NAT rule for translating the source addresses. To do this, set the match-direction statement of the rule as input. In addition, define a term that uses napt-66 as the translation type for translating the addresses of the pool defined in the previous step.

[edit services nat]
user@host# set rule rule-name match-direction input
user@host# set rule rule-name term term-name then translated source-pool pool-name
user@host# set rule rule-name term term-name then translated translation-type napt-66

For example:

[edit services nat]
user@host# set rule IPV6-NAPT-Rule match-direction input
user@host# set rule IPV6-NAPT-Rule term t1 then translated source-pool IPV6-NAPT-Pool
user@host# set rule IPV6-NAPT-Rule term t1 then translated translation-type napt-66

4. Enter the up command to navigate to the [edit services] hierarchy level.

[edit services nat]
user@host# up

5. Define a service set to specify the services interface that must be used, and reference the NAT rule implemented for NAPT translation.


[edit services]
user@host# set service-set service-set-name interface-service service-interface services-interface
user@host# set service-set service-set-name nat-rules rule-name

For example:

[edit services]
user@host# set service-set IPV6-NAPT-ServiceSet interface-service service-interface ms-0/1/0
user@host# set service-set IPV6-NAPT-ServiceSet nat-rules IPV6-NAPT-Rule

6. Define the trace options for the adaptive services PIC.

[edit services]
user@host# set adaptive-services-pics traceoptions flag tracing-parameter

For example:

[edit services]
user@host# set adaptive-services-pics traceoptions flag all

Related Documentation

Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network on page 197

Configuring Dynamic Address-Only Source Translation in IPv4 Networks

In IPv4 networks, dynamic address translation (dynamic NAT) is a mechanism to dynamically translate the destination traffic without port mapping. To use dynamic NAT, you must specify a source pool name, which includes an address configuration.

To configure dynamic NAT in IPv4 networks:

1. In configuration mode, go to the [edit services] hierarchy level.

[edit]
user@host# edit services

2. Configure the service set and NAT rule.

[edit services]
user@host# set service-set service-set-name nat-rules rule-name

In the following example, the name of the service set is s1, and the name of the NAT rule is rule-dynamic-nat44.

[edit services]
user@host# set service-set s1 nat-rules rule-dynamic-nat44

3. Go to the [interface-service] hierarchy level for the service set.

[edit services]
user@host# edit service-set s1 interface-service

4. Configure the service interface.

[edit services service-set s1 interface-service]
user@host# set service-interface service-interface-name


In the following example, the name of the service interface is ms-0/1/0.

NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0

5. Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword.

[edit services service-set s1 interface-service]
user@host# top edit services nat

6. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, the name of the pool is source-dynamic-pool, and the address is 10.10.10.0.

[edit services nat]
user@host# set pool source-dynamic-pool address 10.10.10.0

7. Configure the rule, match direction, term, and source address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction
user@host# set rule rule-name term term-name from source-address address

In the following example, the name of the rule is rule-dynamic-nat44, the match direction is input, the name of the term is t1, and the source address is 3.1.1.0.

[edit services nat]
user@host# set rule rule-dynamic-nat44 match-direction input
user@host# set rule rule-dynamic-nat44 term t1 from source-address 3.1.1.0

8. Go to the [edit services nat rule rule-dynamic-nat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dynamic-nat44 term t1

9. Configure the source pool and the translation type.

[edit services nat rule rule-dynamic-nat44 term t1]
user@host# set then translated source-pool src-pool-name translation-type translation-type

In the following example, the name of the source pool is source-dynamic-pool and the translation type is dynamic-nat44.

[edit services nat rule rule-dynamic-nat44 term t1]
user@host# set then translated source-pool source-dynamic-pool translation-type dynamic-nat44

10. Go to the [edit services adaptive-services-pics] hierarchy level. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.


[edit services nat rule rule-dynamic-nat44 term t1]
user@host# top edit services adaptive-services-pics

11. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is configured as all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool source-dynamic-pool {
        address 10.10.10.0/32;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.0/32;
                }
            }
            then {
                translated {
                    source-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Related Documentation

Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network on page 198


Configuring Static Destination Address Translation in IPv4 Networks

In IPv4 networks, destination address translation is a mechanism used to implement address translation for destination traffic without port mapping. To use destination address translation, the size of the pool address space must be greater than or equal to the destination address space. You must specify a name for the destination-pool statement, which can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement.

To configure destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services] hierarchy level.

[edit]
user@host# edit services

2. Configure the service set and the NAT rule.

[edit services]
user@host# set service-set service-set-name nat-rules rule-name

In the following example, the name of the service set is s1 and the name of the NAT rule is rule-dnat44.

[edit services]
user@host# set service-set s1 nat-rules rule-dnat44

3. Go to the [interface-service] hierarchy level of the service set.

[edit services]
user@host# edit service-set s1 interface-service

4. Configure the service interface.

[edit services service-set s1 interface-service]
user@host# set service-interface service-interface-name

In the following example, the name of the service interface is ms-0/1/0.

NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0

5. Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword.

[edit services service-set s1 interface-service]
user@host# top edit services nat

6. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address


In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

[edit services nat]
user@host# set pool dest-pool address 4.1.1.2

7. Configure the rule, match direction, term, and destination address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction
user@host# set rule rule-name term term-name from destination-address address

In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input
user@host# set rule rule-dnat44 term t1 from destination-address 20.20.20.20

8. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dnat44 term t1

9. Configure the destination pool and the translation type.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool-name translation-type translation-type

In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool translation-type dnat-44

10. Go to the [edit services adaptive-services-pics] hierarchy level. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.

[edit services nat rule rule-dnat44 term t1]
user@host# top edit services adaptive-services-pics

11. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is configured as all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Related Documentation

Example: Configuring Static Destination Address Translation on page 199

Configuring Port Forwarding for Static Destination Address Translation

Starting with Junos OS Release 11.4, you can map an external IP address and port to an IP address and port in a private network. This allows the destination address and port of a packet to be changed so that it reaches the right host behind a Network Address Translation (NAT) gateway. Port forwarding is supported only with dnat-44 and twice-napt-44 on IPv4 networks. Port forwarding works only with the FTP application-level gateway (ALG). Port forwarding is not supported with endpoint-independent mapping (EIM), endpoint-independent filtering (EIF), or address pooling-paired (AP-P). Port forwarding has no support for technologies such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite) that offer IPv6 services over IPv4 infrastructure.

To configure port forwarding for destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

[edit services nat]
user@host# set pool dest-pool address 4.1.1.2


3. Configure the rule, match direction, term, and destination address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction
user@host# set rule rule-name term term-name from destination-address address

In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input
user@host# set rule rule-dnat44 term t1 from destination-address 20.20.20.20

4. Configure the destination port range.

[edit services nat]
user@host# set rule rule-name term term-name from destination-port range low low-port high high-port

In the following example, the upper port range is 50 and the lower port range is 20.

[edit services nat]
user@host# set rule rule-dnat44 term t1 from destination-port range low 20 high 50

5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dnat44 term t1

6. Configure the destination pool.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool-name

In the following example, the destination pool name is dest-pool.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool

7. Configure the mapping for port forwarding and the translation type.

[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings map-name
user@host# set then translated translation-type translation-type

In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings map1
user@host# set then translated translation-type dnat-44

8. Go to the [edit services nat port-forwarding map1] hierarchy level.

[edit services nat rule rule-dnat44 term t1]
user@host# top edit services nat port-forwarding map1

9. Configure the mapping for port forwarding.

[edit services nat port-forwarding map1]
user@host# set destined-port port-id
user@host# set translated-port port-id

In the following example, the destination port is 45 and the translated port is 23.

[edit services nat port-forwarding map1]
user@host# set destined-port 45
user@host# set translated-port 23

NOTE: Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.

The destination port should not overlap the port range configured for NAT.

10. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
                destination-port {
                    range low 20 high 50;
                }
            }
            then {
                port-forwarding-mappings map1;
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
    port-forwarding map1 {
        destined-port 45;
        translated-port 23;
    }
}
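As an added example that is not part of this guide and not a Juniper tool, the following Python checker parses the curly-brace text that show prints and flags the constraints this chapter states: the destination pool must hold at least as many addresses as the destination-address match, at most 32 port maps per port-forwarding map, port forwarding only with dnat-44 or twice-napt-44, and no references to undefined pools or maps. The parser, the helper names and the second "bad" configuration are assumptions; the first configuration is the chapter's own verified output reflowed onto fewer lines.

```python
"""Check an [edit services nat] stanza against constraints stated in this
chapter (pool size, port-map limit, port-forwarding translation types, and
dangling references). Hypothetical helper, not a Juniper tool."""
import ipaddress
import re

MAX_PORT_MAPS = 32                               # NOTE: up to 32 port maps
PORT_FWD_TYPES = {"dnat-44", "twice-napt-44"}    # port forwarding only with these


def parse_junos(text):
    """Parse Junos brace syntax into nested dicts: 'pool p { ... }' becomes
    {'pool p': {...}}, 'address a/32;' becomes {'address': ['a/32']} (values
    accumulate), and a bare leaf such as '20.20.20.20/32;' maps to ['']."""
    root, words = {}, []
    stack = [root]
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            node = {}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1].setdefault(words[0], []).append(" ".join(words[1:]))
            words = []
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or trailing tokens")
    return root


def _children(node, kind):
    """Yield (name, subtree) for containers headed 'kind name', e.g. 'rule r1'."""
    for key, val in node.items():
        parts = key.split(" ", 1)
        if isinstance(val, dict) and len(parts) == 2 and parts[0] == kind:
            yield parts[1], val


def _num_addresses(container):
    """Count addresses in 'address a/b;' leaves or bare prefix leaves."""
    total = 0
    for key, vals in container.items():
        if key == "address":
            total += sum(ipaddress.ip_network(v, strict=False).num_addresses for v in vals)
        elif vals == [""]:                       # bare prefix, e.g. '20.20.20.20/32;'
            total += ipaddress.ip_network(key, strict=False).num_addresses
    return total


def lint_nat(nat):
    """Return a list of findings (empty when the stanza meets every check)."""
    findings = []
    pools = dict(_children(nat, "pool"))
    maps = dict(_children(nat, "port-forwarding"))
    for mname, m in maps.items():
        if len(m.get("destined-port", [])) > MAX_PORT_MAPS:
            findings.append(f"map {mname}: more than {MAX_PORT_MAPS} port maps")
    for rname, rule in _children(nat, "rule"):
        for tname, term in _children(rule, "term"):
            where = f"rule {rname} term {tname}"
            then = term.get("then", {})
            translated = then.get("translated", {})
            ttype = next(iter(translated.get("translation-type", {})), None)
            pool = translated.get("destination-pool", [None])[0]
            if pool is not None and pool not in pools:
                findings.append(f"{where}: destination-pool {pool} is not defined")
            elif pool is not None and ttype == "dnat-44":
                # Pool address space must be >= the destination address space.
                need = _num_addresses(term.get("from", {}).get("destination-address", {}))
                have = _num_addresses(pools[pool])
                if have < need:
                    findings.append(f"{where}: pool {pool} has {have} addresses for {need} destinations")
            for mname in then.get("port-forwarding-mappings", []):
                if mname not in maps:
                    findings.append(f"{where}: port-forwarding map {mname} is not defined")
                if ttype not in PORT_FWD_TYPES:
                    findings.append(f"{where}: port forwarding needs dnat-44 or twice-napt-44, not {ttype}")
    return findings


def lint_text(text):
    """Parse the text printed by show at [edit services] and lint its nat stanza."""
    return lint_nat(parse_junos(text)["nat"])


# The chapter's verified port-forwarding configuration (step 10), reflowed.
PAGE_CONFIG = """nat {
  pool dest-pool { address 4.1.1.2/32; }
  rule rule-dnat44 { match-direction input; term t1 {
    from { destination-address { 20.20.20.20/32; } destination-port { range low 20 high 50; } }
    then { port-forwarding-mappings map1; translated { destination-pool dest-pool; translation-type { dnat-44; } } } } }
  port-forwarding map1 { destined-port 45; translated-port 23; } }"""

# Constructed counterexample: a /24 of destinations behind a one-address pool,
# plus a reference to a port-forwarding map that was never defined.
BAD_CONFIG = """nat {
  pool small-pool { address 4.1.1.2/32; }
  rule rule-bad { match-direction input; term t1 { from { destination-address { 20.20.20.0/24; } }
    then { port-forwarding-mappings map-missing;
           translated { destination-pool small-pool; translation-type { dnat-44; } } } } } }"""
```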


NOTE: A similar configuration is possible with twice NAT for IPv4. See Example: Configuring Port Forwarding with Twice NAT on page 215. Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Related Documentation

Example: Configuring Static Destination Address Translation on page 199

Configuring Translation Type for Translation Between IPv6 and IPv4 Networks

To configure the translation type as basic-nat-pt, you must configure the DNS ALG application, NAT pools and rules, a service set with a service interface, and trace options. This topic includes the following tasks:

1. Configuring the DNS ALG Application on page 182
2. Configuring the NAT Pool and NAT Rule on page 183
3. Configuring the Service Set for NAT on page 186
4. Configuring Trace Options on page 187

Configuring the DNS ALG Application

To configure the DNS ALG application:

1. In configuration mode, go to the [edit applications] hierarchy level.

[edit]
user@host# edit applications

2. Configure the ALG to which the DNS traffic is destined at the [edit applications] hierarchy level. Define the application name and specify the application protocol to use in match conditions in the first NAT rule or term.

[edit applications]
user@host# set application application-name application-protocol application-protocol

In the following example, the application name is dns-alg and the application protocol is dns.

[edit applications]
user@host# set application dns-alg application-protocol dns

3. Verify the configuration by using the show command at the [edit applications] hierarchy level.

[edit applications]
user@host# show
application dns-alg {
    application-protocol dns;
}


Configuring the NAT Pool and NAT Rule

To configure the NAT pool and NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Configure the NAT pool and its address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, the name of the NAT pool is p1 and the address is 10.10.10.2/32.

[edit services nat]
user@host# set pool p1 address 10.10.10.2/32

3. Configure the source pool and its address.

[edit services nat]
user@host# set pool source-pool-name address address

In the following example, the name of the source pool is src_pool0 and the source pool address is 20.1.1.1/32.

[edit services nat]
user@host# set pool src_pool0 address 20.1.1.1/32

4. Configure the destination pool and its address.

[edit services nat]
user@host# set pool destination-pool-name address address

In the following example, the name of the destination pool is dst_pool0 and the destination pool address is 50.1.1.2/32.

[edit services nat]
user@host# set pool dst_pool0 address 50.1.1.2/32

5. Configure the rule and the match direction.

[edit services nat]
user@host# set rule rule-name match-direction match-direction

In the following example, the rule name is rule-basic-nat-pt and the match direction is input.

[edit services nat]
user@host# set rule rule-basic-nat-pt match-direction input

6. Configure the term and the input conditions for the NAT term.

[edit services nat]
user@host# set rule rule-basic-nat-pt term term-name from match-conditions

In the following example, the term is t1 and the input conditions are source-address 2000::2/128, destination-address 4000::2/128, and applications dns-alg (the application defined in the previous task).

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 from source-address 2000::2/128
user@host# set rule rule-basic-nat-pt term t1 from destination-address 4000::2/128
user@host# set rule rule-basic-nat-pt term t1 from applications dns-alg
7. Configure the NAT term action and the properties of the translated traffic.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then term-action translated-property

In the following example, the term action is translated and the properties of the translated traffic are source-pool src_pool0, destination-pool dst_pool0, and dns-alg-prefix 10:10:10::0/96.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated source-pool src_pool0
user@host# set rule rule-basic-nat-pt term t1 then translated destination-pool dst_pool0
user@host# set rule rule-basic-nat-pt term t1 then translated dns-alg-prefix 10:10:10::0/96

8. Configure the translation type.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated translation-type translation-type

In the following example, the translation type is basic-nat-pt.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated translation-type basic-nat-pt

9. Configure another term and the input conditions for the NAT term.

[edit services nat]
user@host# set rule rule-basic-nat-pt term term-name from match-conditions

In the following example, the term name is t2 and the input conditions are source-address 2000::2/128 and destination-address 10:10:10::0/96.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 from source-address 2000::2/128
user@host# set rule rule-basic-nat-pt term t2 from destination-address 10:10:10::0/96

10. Configure the NAT term action and the property of the translated traffic.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then term-action translated-property

In the following example, the term action is translated and the property of the translated traffic is source-prefix 19.19.19.1/32.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then translated source-prefix 19.19.19.1/32


11. Configure the translation type.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then translated translation-type translation-type

In the following example, the translation type is basic-nat-pt.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then translated translation-type basic-nat-pt

12. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

[edit services nat]
user@host# show
pool p1 {
    address 10.10.10.2/32;
}
pool src_pool0 {
    address 20.1.1.1/32;
}
pool dst_pool0 {
    address 50.1.1.2/32;
}
rule rule-basic-nat-pt {
    match-direction input;
    term t1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                4000::2/128;
            }
            applications dns-alg;
        }
        then {
            translated {
                source-pool src_pool0;
                destination-pool dst_pool0;
                dns-alg-prefix 10:10:10::0/96;
                translation-type {
                    basic-nat-pt;
                }
            }
        }
    }
    term t2 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                10:10:10::0/96;
            }
        }
        then {
            translated {
                source-prefix 19.19.19.1/32;
                translation-type {
                    basic-nat-pt;
                }
            }
        }
    }
}
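The following added Python illustration (not Juniper code and not from this guide) shows why term t2 matches destination-address 10:10:10::0/96: the DNS ALG embeds the IPv4 address from the A record in the low 32 bits of the dns-alg-prefix configured in term t1, so every connection the IPv6-only client then opens lands in that /96. The prefix and the t2 match conditions are the chapter's; the A-record value 192.0.2.10 is constructed.

```python
"""How the dns-alg-prefix in the chapter's basic-nat-pt rule links term t1 to
term t2. Added illustration, not Juniper code: the /96 prefix and the t2 match
conditions are the chapter's; the A-record value 192.0.2.10 is constructed."""
import ipaddress

DNS_ALG_PREFIX = ipaddress.ip_network("10:10:10::0/96")   # term t1 dns-alg-prefix
T2_SOURCE = ipaddress.ip_address("2000::2")                # term t2 source-address /128


def synthesize_aaaa(ipv4_text, prefix=DNS_ALG_PREFIX):
    """Embed the IPv4 address from an A record in the low 32 bits of the /96
    prefix, producing the AAAA answer the IPv6-only client receives."""
    if prefix.prefixlen != 96:
        raise ValueError("the DNS ALG prefix must be a /96")
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4)


def extract_ipv4(ipv6_text, prefix=DNS_ALG_PREFIX):
    """Recover the IPv4 destination from a synthesized address (the reverse
    step applied to packets that term t2 translates)."""
    addr = ipaddress.IPv6Address(ipv6_text)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def term_t2_matches(src_text, dst_text, prefix=DNS_ALG_PREFIX):
    """term t2: from source-address 2000::2/128 and destination-address <prefix>."""
    return (ipaddress.IPv6Address(src_text) == T2_SOURCE
            and ipaddress.IPv6Address(dst_text) in prefix)


if __name__ == "__main__":
    aaaa = synthesize_aaaa("192.0.2.10")
    # The DNS query itself (to 4000::2) is term t1's business; the data
    # connection to the synthesized address is term t2's.
    print(aaaa, term_t2_matches("2000::2", "4000::2"),
          term_t2_matches("2000::2", str(aaaa)), extract_ipv4(str(aaaa)))
```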

Configuring the Service Set for NAT

To configure the service set for NAT:

1. In configuration mode, go to the [edit services] hierarchy level.

[edit]
user@host# edit services

2. Configure the service set.

[edit services]
user@host# edit service-set service-set-name

In the following example, the name of the service set is ss_dns.

[edit services]
user@host# edit service-set ss_dns

3. Configure the service set with NAT rules.

[edit services service-set ss_dns]
user@host# set nat-rules rule-name

In the following example, the rule name is rule-basic-nat-pt.

[edit services service-set ss_dns]
user@host# set nat-rules rule-basic-nat-pt

4. Configure the service interface.

[edit services service-set ss_dns]
user@host# set interface-service service-interface service-interface-name

In the following example, the name of the service interface is sp-1/2/0.

[edit services service-set ss_dns]
user@host# set interface-service service-interface sp-1/2/0

5. Verify the configuration by using the show services command from the [edit] hierarchy level.

[edit]
user@host# show services
service-set ss_dns {
    nat-rules rule-basic-nat-pt;
    interface-service {
        service-interface sp-1/2/0;
    }
}


Configuring Trace Options

To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:

1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

[edit]
user@host# edit services adaptive-services-pics

2. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Configuring NAT-PT

To configure Network Address Translation-Protocol Translation (NAT-PT), you must configure a Domain Name System application-level gateway (DNS ALG) application to map addresses returned in the DNS response to an IPv6 address. DNS ALG is used with NAT-PT to facilitate name-to-address mapping. When configuring NAT-PT, network address translation can be either an address-only translation or an address and port translation. The Junos OS implementation is described in RFC 2766 and RFC 2694. Before you begin configuring NAT-PT with DNS ALG, you must have the following configured:

NAT with two rules or one rule and two terms. The first NAT rule or term ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the first rule. The second rule or term is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG application.

A service set that references the first NAT rule or term and a multiservices interface.


To configure NAT-PT with DNS ALG:

1. Configure the DNS session that processes packets to the DNS server:

a. Configure the ALG to which the DNS traffic is destined at the [edit applications] hierarchy level. Define the application name and specify the application protocol to use in match conditions in the first NAT rule or term.

[edit applications]
user@host# set application application-name application-protocol application-protocol

For example:

[edit applications]
user@host# set application dns_alg application-protocol dns

b. Reference the ALG in the first NAT rule or term.

[edit services nat rule rule-name term term-name]
user@host# set from applications application-name

In the following example, the application name is dns_alg.

[edit services nat rule rule1 term term1]
user@host# set from applications dns_alg

c. Define the DNS ALG pool or prefix for mapping IPv4 addresses to IPv6 addresses.

[edit services nat rule rule-name term term-name]
user@host# set then translated dns-alg-prefix dns-alg-prefix
user@host# set then translated dns-alg-pool dns-alg-pool

The following example shows the configuration of the 96-bit prefix for mapping IPv4 addresses to IPv6 addresses.

[edit services nat rule rule1 term term1]
user@host# set then translated dns-alg-prefix 10:10:10::0/96

The following sample output shows the minimum configuration of the application.

[edit applications]
user@host# show
application dns_alg {
    application-protocol dns;
}

The following sample output shows the minimum configuration of the first NAT rule.

[edit services nat]
user@host# show
rule rule1 {
    term term1 {
        from {
            applications dns_alg;
        }
        then {
            translated {
                dns-alg-prefix 10:10:10::0/96;
            }
        }
    }
}

The following sample output shows the minimum configuration of the second NAT rule.

[edit services nat]
user@host# show
rule rule2 {
    term term1 {
        from {
            destination-address {
                10:10:10::c0a8:108/128;
            }
        }
        then {
            translated {
                source-prefix 19.19.19.1/32;
            }
        }
    }
}

Related Documentation

Network Address Translation Overview on page 48
Example: Configuring NAT-PT on page 202
dns-alg-prefix on page 246
dns-alg-pool on page 246

Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4)

Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, several IPv6-only clients can share the same public IPv4 server address. To allow sharing of the IPv4 server address, stateful NAT64 translates incoming IPv6 packets into IPv4, and vice versa. To configure stateful NAT64, you must configure a rule at the [edit services nat] hierarchy level for translating the source address dynamically and the destination address statically.

To configure stateful NAT64:

1. In configuration mode, go to the [edit services nat] hierarchy level:

[edit]
user@host# edit services nat

2. Define the pool of source addresses to be used for dynamic translation.

[edit services nat]
user@host# set pool pool-name address source-addresses
user@host# set pool pool-name port source-ports

For example:

[edit services nat]
user@host# set pool src-pool-nat64 address 203.0.113.0/24
user@host# set pool src-pool-nat64 port automatic

3. Define a NAT rule for translating the source addresses. Set the match-direction statement of the rule as input. Then define a term that uses stateful-nat64 as the translation type for translating the addresses of the pool defined in the previous step.

[edit services nat]
user@host# set rule rule-name match-direction input
user@host# set rule rule-name term term-name from source-address source-address
user@host# set rule rule-name term term-name from destination-address destination-address
user@host# set rule rule-name term term-name then translated source-pool pool-name
user@host# set rule rule-name term term-name then translated destination-prefix destination-prefix
user@host# set rule rule-name term term-name then translated translation-type stateful-nat64

For example:

[edit services nat]
user@host# set rule stateful-nat64 match-direction input
user@host# set rule stateful-nat64 term t1 from source-address 2001:DB8::0/96
user@host# set rule stateful-nat64 term t1 from destination-address 64:FF9B::/96
user@host# set rule stateful-nat64 term t1 then translated source-pool src-pool-nat64
user@host# set rule stateful-nat64 term t1 then translated destination-prefix 64:FF9B::/96
user@host# set rule stateful-nat64 term t1 then translated translation-type stateful-nat64

Related Documentation

Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) on page 201

Configuring Port Forwarding for Static Destination Address Translation

Starting with Junos OS Release 11.4, you can map an external IP address and port with an IP address and port in a private network. This allows the destination address and port of a packet to be changed to reach the right host in a Network Address Translation (NAT) gateway. Port forwarding is supported only with dnat-44 and twice-napt-44 on IPv4 networks. Port forwarding works only with the FTP application-level gateway (ALG). Port forwarding is not supported with endpoint-independent mapping (EIM), endpoint-independent filtering (EIF), or address pooling-paired (AP-P). Port forwarding has no support for technologies such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite) that offer IPv6 services over IPv4 infrastructure.

To configure destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

[edit services nat]
user@host# set pool dest-pool address 4.1.1.2

3. Configure the rule, match direction, term, and destination address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

4. Configure the destination port range.

[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-port range high high-port low low-port

In the following example, the upper end of the port range is 50 and the lower end is 20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-port range high 50 low 20

5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dnat44 term t1

6. Configure the destination pool.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool-name

In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool

7. Configure the mapping for port forwarding and the translation type. The port-forwarding-mappings statement sits directly under then, and the translation type under then translated, as the verification output in step 10 shows.

[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings map-name
user@host# set then translated translation-type translation-type

In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings map1
user@host# set then translated translation-type dnat-44

8. Go to the [edit services nat port-forwarding map1] hierarchy level.

[edit services nat]
user@host# edit port-forwarding map1

9. Configure the mapping for port forwarding.

[edit services nat port-forwarding map1]
user@host# set destined-port port-id
user@host# set translated-port port-id

In the following example, the destination port is 45 and the translated port is 23.

[edit services nat port-forwarding map1]
user@host# set destined-port 45
user@host# set translated-port 23

NOTE: Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding. The destination port should not overlap the port range configured for NAT.

10. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

[edit services]
user@host# show nat
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
                destination-port {
                    range low 20 high 50;
                }
            }
            then {
                port-forwarding-mappings map1;
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
    port-forwarding map1 {
        destined-port 45;
        translated-port 23;
    }
}

NOTE: A similar configuration is possible with twice NAT for IPv4. See Example: Configuring Port Forwarding with Twice NAT on page 215. Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.
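The rule built in the steps above, as an added Python model (not Junos code) of how the destination-address and destination-port match, the dnat-44 destination pool and the port-forwarding map map1 fit together. That ports inside the range with no map entry keep their port number, and the enforcement of the 32-map limit from the NOTE, are assumptions of this model.

```python
"""Added model of the dnat-44 + port-forwarding rule configured above (not Junos code).

Pool, match and map values come from this page: dest-pool 4.1.1.2, destination
20.20.20.20 with destination-port range 20-50, map1 destined-port 45 ->
translated-port 23. The composition logic is a simplified illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

MAX_PORT_MAPS = 32   # limit stated in the NOTE above (enforced here as a model assumption)


@dataclass
class PortForwardingMap:
    """A [edit services nat port-forwarding <name>] block: destined-port -> translated-port."""
    name: str
    mappings: Dict[int, int] = field(default_factory=dict)

    def add(self, destined_port: int, translated_port: int) -> None:
        if len(self.mappings) >= MAX_PORT_MAPS and destined_port not in self.mappings:
            raise ValueError(f"{self.name}: more than {MAX_PORT_MAPS} port maps are not supported")
        self.mappings[destined_port] = translated_port


@dataclass
class Dnat44Term:
    """One term of a dnat-44 rule: from { destination-address; destination-port range } then { ... }."""
    match_destination: IPv4Network
    port_low: int
    port_high: int
    destination_pool: IPv4Address                  # dnat-44 rewrites the destination to this address
    port_forwarding: Optional[PortForwardingMap] = None

    def matches(self, da: IPv4Address, dport: int) -> bool:
        return da in self.match_destination and self.port_low <= dport <= self.port_high

    def translate(self, da: IPv4Address, dport: int) -> Optional[Tuple[IPv4Address, int]]:
        """Return the translated (address, port), or None when the term does not match."""
        if not self.matches(da, dport):
            return None
        new_port = dport
        if self.port_forwarding is not None:
            # assumption: ports without a map entry are address-translated only
            new_port = self.port_forwarding.mappings.get(dport, dport)
        return self.destination_pool, new_port


def build_rule_dnat44() -> Dnat44Term:
    """Term t1 of rule-dnat44 exactly as in the verification output above."""
    map1 = PortForwardingMap("map1")
    map1.add(45, 23)
    return Dnat44Term(
        match_destination=IPv4Network("20.20.20.20/32"),
        port_low=20,
        port_high=50,
        destination_pool=IPv4Address("4.1.1.2"),
        port_forwarding=map1,
    )


def apply_dnat(term: Dnat44Term, dst: str, dport: int) -> Optional[Tuple[IPv4Address, int]]:
    """Convenience wrapper: translate a packet addressed to dst:dport."""
    return term.translate(IPv4Address(dst), dport)


if __name__ == "__main__":
    t1 = build_rule_dnat44()
    for dst, port in [("20.20.20.20", 45), ("20.20.20.20", 30), ("20.20.20.20", 80)]:
        print(dst, port, "->", apply_dnat(t1, dst, port))
```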

Related Documentation

Example: Configuring Static Destination Address Translation on page 199

Examples: Configuring NAT Rules


This section provides the following configuration examples. For additional examples that combine NAT configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see Examples: Services Interfaces Configuration.

Example: Configuring Static Source Translation on page 193
Example: Configuring Dynamic Source Address and Port Translation on page 195
Example: Configuring Dynamic Address-only Source Translation on page 197
Example: Configuring Static Destination Address Translation on page 199
Example: Configuring NAT in Mixed IPv4 and IPv6 Networks on page 199
Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) on page 201
Example: Configuring Source Dynamic and Destination Static Translation on page 201
Example: Configuring NAT-PT on page 202
Example: Configuring Port Forwarding with Twice NAT on page 215
Example: Configuring an Oversubscribed Pool with Fallback to NAPT on page 216
Example: Configuring an Oversubscribed Pool with No Fallback on page 217
Example: Assigning Addresses from a Dynamic Pool for Static Use on page 217
Example: Configuring NAT Rules Without Defining a Pool on page 218
Example: Preventing Translation of Specific Addresses on page 219
Example: Configuring NAT for Multicast Traffic on page 219

Example: Configuring Static Source Translation


Example: Configuring Static Source Translation in an IPv4 Network on page 193
Example: Configuring Static Source Translation in an IPv6 Network on page 194
Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges on page 195

Example: Configuring Static Source Translation in an IPv4 Network


The following configuration sets up one-to-one mapping between a private subnet and a public subnet.

[edit]
user@host# show services
service-set s1 {
    nat-rules rule-basic-nat44;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.2/32;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Source Translation in an IPv6 Network


The following example configures the translation type as basic-nat66.

[edit]
user@host# show services
service-set s1 {
    nat-rules rule-basic-nat66;
    interface-service {
        service-interface sp-1/2/0;
    }
}
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges
The following configuration creates a static pool with an address prefix and an address range and uses static source NAT translation. (A term must be named; the term here is called t1.)

[edit services nat]
pool p1 {
    address 30.30.30.252/30;
    address-range low 20.20.20.1 high 20.20.20.2;
}
rule r1 {
    match-direction input;
    term t1 {
        from {
            source-address {
                10.10.10.252/30;
            }
        }
        then {
            translated {
                source-pool p1;
                translation-type basic-nat44;
            }
        }
    }
}

Example: Configuring Dynamic Source Address and Port Translation

Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network on page 196
Example: Configuring Dynamic Source Translation for an IPv4 Network on page 196
Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network on page 197


Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network
The following example configures dynamic source (address and port) translation, or NAPT.

[edit services nat]
pool public {
    address-range low 192.16.2.1 high 192.16.2.32;
    port automatic;
}
rule Private-Public {
    match-direction input;
    term Translate {
        then {
            translated {
                source-pool public;
                translation-type napt-44;
            }
        }
    }
}

NOTE: The only difference between the configurations for dynamic address-only source translation and NAPT is the inclusion of the port statement for NAPT.

Example: Configuring Dynamic Source Translation for an IPv4 Network


The following example configures the translation type as napt-44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-napt-44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool napt-pool {
        address 10.10.10.0/32;
        port {
            automatic;
        }
    }
    rule rule-napt-44 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network
The following example configures dynamic source (address and port) translation, or NAPT, for an IPv6 network.

[edit services]
user@host# show
service-set IPV6-NAPT-ServiceSet {
    nat-rules IPV6-NAPT-Rule;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool IPV6-NAPT-Pool {
        address 2002::1/96;
        port automatic;
    }
    rule IPV6-NAPT-Rule {
        match-direction input;
        term term1 {
            then {
                translated {
                    source-pool IPV6-NAPT-Pool;
                    translation-type {
                        napt-66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Address-only Source Translation


Example: Configuring Dynamic Address-Only Source Translation on page 198
Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network on page 198


Example: Configuring Dynamic Address-Only Source Translation


The following example configures dynamic address-only source translation.

[edit services nat]
pool public {
    address-range low 192.16.2.1 high 192.16.2.32;
}
rule Private-Public {
    match-direction input;
    term Translate {
        then {
            translated {
                source-pool public;
                translation-type dynamic-nat44;
            }
        }
    }
}

Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network


The following example configures the translation type as dynamic-nat44. Because dynamic-nat44 translates source addresses, the pool is referenced with source-pool.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool source-dynamic-pool {
        address 10.1.1.0/24;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.0/24;
                }
            }
            then {
                translated {
                    source-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Destination Address Translation


The following example configures the translation type as dnat-44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring NAT in Mixed IPv4 and IPv6 Networks

Example: Configuring the Translation Type Between IPv6 and IPv4 Networks on page 199

Example: Configuring the Translation Type Between IPv6 and IPv4 Networks
The following example configures the translation type as basic-nat-pt.

[edit]
user@host# show services
service-set ss_dns {
    nat-rules rule-basic-nat-pt;
    interface-service {
        service-interface sp-1/2/0;
    }
}
nat {
    pool p1 {
        address 10.10.10.2/32;
    }
    pool src_pool0 {
        address 20.1.1.1/32;
    }
    pool dst_pool0 {
        address 50.1.1.2/32;
    }
    rule rule-basic-nat-pt {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    4000::2/128;
                }
                applications dns_alg;
            }
            then {
                translated {
                    source-pool src_pool0;
                    destination-pool dst_pool0;
                    dns-alg-prefix 10:10:10::0/96;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
        term t2 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-prefix 19.19.19.1/32;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4)

The following example configures dynamic source address (IPv6-to-IPv4) and static destination address (IPv6-to-IPv4) translation:

[edit services]
user@host# show
nat {
    pool src-pool-nat64 {
        address 203.0.113.0/24;
        port {
            automatic;
        }
    }
    rule stateful-nat64 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:db8::0/96;
                }
                destination-address {
                    64:ff9b::/96;
                }
            }
            then {
                translated {
                    source-pool src-pool-nat64;
                    destination-prefix 64:ff9b::/96;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
    }
}

Example: Configuring Source Dynamic and Destination Static Translation


In the following configuration, term1 configures source address translation for traffic from any private address to any public address. The translation is applied for all services. term2 performs destination address translation for Hypertext Transfer Protocol (HTTP) traffic from any public address to the server's virtual IP address. The virtual server IP address is translated to an internal IP address.

[edit services nat]
rule my-nat-rule {
    match-direction input;
    term my-term1 {
        from {
            source-address private;
            destination-address public;
        }
        then {
            translated {
                source-pool my-pool;            # pick address from a pool
                translation-type napt-44;       # dynamic NAT with port translation
            }
        }
    }
    term my-term2 {
        from {
            destination-address 192.168.137.3;  # my server's virtual address
            applications http;
        }
        then {
            translated {
                destination-pool nat-pool-name;
                translation-type dnat-44;       # static destination NAT
            }
        }
    }
}

Example: Configuring NAT-PT


A Domain Name System application-level gateway (DNS ALG) is used with Network Address Translation-Protocol Translation (NAT-PT) to facilitate name-to-address mapping. You can configure the DNS ALG to map addresses returned in the DNS response to an IPv6 address. When you configure NAT-PT with DNS ALG support, you must configure two NAT rules or one rule with two terms. In this example, you configure two rules. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG. Then, you must configure a service set, and then apply the service set to the interfaces. This example describes how to configure NAT-PT with DNS ALG:

Requirements on page 202
Overview and Topology on page 202
Configuration of NAT-PT with DNS ALGs on page 204

Requirements

This example uses the following hardware and software components:

Junos OS Release 11.2
A multiservices interface (ms-)

Overview and Topology


The following scenario shows the process of NAT-PT with DNS ALG when a laptop in an IPv6-only domain requests access to a server in an IPv4-only domain.

Figure 6: Configuring DNS ALGs with NAT-PT Network Topology

[Figure: the laptop (address 2000::2/128) and the IPv6 DNS server address (4000::2/128) are in the IPv6 domain; the DNS server (50.1.1.1/32) and www.example.com (1.1.1.1) are in the IPv4 domain; the NAT router between them carries a DNS ALG session and an HTTP session. SA = source address, DA = destination address.]

Step 1 (DNS ALG session, laptop to DNS server)
Packet header: SA 2000::2/128, DA 4000::2/128; payload: request AAAA record for www.example.com
SA 2000::2/128 translated to 40.1.1.1/32; DA 4000::2/128 translated to 50.1.1.1/32; payload: the AAAA request is translated to an A request

Step 2 (DNS ALG session, DNS server to laptop)
Packet header: SA 50.1.1.1/32, DA 40.1.1.1/32; payload: A response www.example.com = 1.1.1.1
SA 50.1.1.1/32 translated to 4000::2/128; DA 40.1.1.1/32 translated to 2000::2/128; payload: the A response translated to an IPv6 address

Step 3 (HTTP session, laptop to www.example.com)
SA 2000::2/128 translated to 40.1.1.1/32; DA 10:10:10::1.1.1.1 translated to 1.1.1.1

The Juniper Networks router in the center of the illustration performs address translation in two steps. When the laptop requests a session with the www.example.com server that is in an IPv4-only domain, the Juniper Networks router performs the following:

Translates the IPv6 laptop and DNS server addresses into IPv4 addresses.

Translates the AAAA request from the laptop into an A request so that the DNS server can provide the IPv4 address.

When the DNS server responds to the A request, the Juniper Networks router performs the following:

Translates the IPv4 DNS server address back into an IPv6 address.

Translates the A response back into a AAAA response so that the laptop now has the 96-bit IPv6 address of the www.example.com server.

After the laptop receives the IPv6 version of the www.example.com server address, the laptop initiates a second session using the 96-bit IPv6 address to access that server. The Juniper Networks router performs the following:

Translates the laptop IPv6 address directly into its IPv4 address.

Translates the 96-bit IPv6 www.example.com server address into its IPv4 address.
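The three steps above, together with the 96-bit prefix mapping that the dns-alg-prefix statement in Configuring NAT-PT and the destination-prefix 64:ff9b::/96 statement in the stateful NAT64 procedure rely on, as an added Python model (not Juniper code and not how the services PIC implements it). Pool and prefix values follow the figure and the example configuration (pool1 40.1.1.1/32, pool2 50.1.1.1/32, dns-alg-prefix 10:10:10::0/96); the session table and the ALG rewriting of the DNS payload are simplified assumptions.

```python
"""Added model of the NAT-PT + DNS ALG packet walk in Figure 6 (not Junos code).

Values are this page's: pool1 40.1.1.1/32 (laptop), pool2 50.1.1.1/32 (DNS
server), dns-alg-prefix 10:10:10::0/96. The session table and the ALG
rewriting are simplified assumptions about the router's behaviour.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, Optional, Tuple

DNS_ALG_PREFIX = IPv6Network("10:10:10::0/96")   # dns-alg-prefix of the first NAT rule
POOL1 = IPv4Address("40.1.1.1")                  # source pool: the laptop's IPv4 identity
POOL2 = IPv4Address("50.1.1.1")                  # destination pool: the DNS server's IPv4 address
LAPTOP = IPv6Address("2000::2")
DNS_SERVER_V6 = IPv6Address("4000::2")


def embed_ipv4(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """IPv4 -> IPv6: the 32-bit address fills the low bits of a 96-bit prefix.

    This is the mapping the DNS ALG applies to A answers, and the one a
    stateful NAT64 destination-prefix such as 64:ff9b::/96 relies on.
    """
    if prefix.prefixlen != 96:
        raise ValueError("dns-alg-prefix / destination-prefix must be a /96")
    return IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> Optional[IPv4Address]:
    """IPv6 -> IPv4 reverse mapping; None when v6 is not under the prefix."""
    if v6 not in prefix:
        return None
    return IPv4Address(int(v6) & 0xFFFF_FFFF)


@dataclass
class Packet:
    sa: object                       # IPv4Address or IPv6Address
    da: object
    qtype: Optional[str] = None      # "AAAA" / "A" for DNS packets, None for the HTTP session
    answer: object = None            # address carried in a DNS answer, if any


# Session table: translated IPv4 (sa, da) -> original IPv6 (sa, da)
SESSIONS: Dict[Tuple[IPv4Address, IPv4Address], Tuple[IPv6Address, IPv6Address]] = {}


def step1_dns_query(pkt: Packet) -> Optional[Packet]:
    """First NAT rule: laptop -> DNS server, matched by applications dns_alg."""
    if not (pkt.sa == LAPTOP and pkt.da == DNS_SERVER_V6 and pkt.qtype == "AAAA"):
        return None                                   # term does not match: not translated
    SESSIONS[(POOL1, POOL2)] = (pkt.sa, pkt.da)
    return Packet(sa=POOL1, da=POOL2, qtype="A")      # ALG rewrites the AAAA query to an A query


def step2_dns_response(pkt: Packet) -> Optional[Packet]:
    """Reverse direction of the step-1 session: the A answer becomes a synthesized AAAA."""
    original = SESSIONS.get((pkt.da, pkt.sa))
    if original is None or pkt.qtype != "A":
        return None
    v6_sa, v6_da = original
    return Packet(sa=v6_da, da=v6_sa, qtype="AAAA",
                  answer=embed_ipv4(DNS_ALG_PREFIX, pkt.answer))


def step3_data_session(pkt: Packet) -> Optional[Packet]:
    """Second NAT rule: destination under the ALG prefix; source translated to pool1."""
    v4_da = extract_ipv4(DNS_ALG_PREFIX, pkt.da)
    if pkt.sa != LAPTOP or v4_da is None:
        return None
    return Packet(sa=POOL1, da=v4_da)


def walk_figure_6() -> Tuple[Packet, Packet, Packet]:
    """Run the three packets of Figure 6 through the model; return the translated headers."""
    s1 = step1_dns_query(Packet(LAPTOP, DNS_SERVER_V6, qtype="AAAA"))
    s2 = step2_dns_response(Packet(POOL2, POOL1, qtype="A", answer=IPv4Address("1.1.1.1")))
    s3 = step3_data_session(Packet(LAPTOP, s2.answer))
    return s1, s2, s3


if __name__ == "__main__":
    for p in walk_figure_6():
        print(p)
```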


Configuration of NAT-PT with DNS ALGs


To configure NAT-PT with DNS ALG, perform the following tasks:

Configuring the Application-Level Gateway on page 204
Configuring the NAT Pools on page 205
Configuring the DNS Server Session: First NAT Rule on page 206
Configuring the HTTP Session: Second NAT Rule on page 209
Configuring the Service Set on page 211
Configuring the Stateful Firewall Rule on page 212
Configuring Interfaces on page 213

Configuring the Application-Level Gateway

Step-by-Step Procedure

Configure the DNS application as the ALG to which the DNS traffic is destined. The DNS application protocol closes the DNS flow as soon as the DNS response is received. When you configure the DNS application protocol, you must specify the UDP protocol as the network protocol to match in the application definition. To configure the DNS application:

1. In configuration mode, go to the [edit applications] hierarchy level:

[edit]
user@host# edit applications

2. Define the application name and specify the application protocol to use in match conditions in the first NAT rule.

[edit applications]
user@host# set application application-name application-protocol protocol-name

For example:

[edit applications]
user@host# set application dns_alg application-protocol dns

3. Specify the protocol to match, in this case UDP.

[edit applications]
user@host# set application application-name protocol type

For example:

[edit applications]
user@host# set application dns_alg protocol udp

4. Define the UDP destination port for additional packet matching, in this case the domain port.

[edit applications]
user@host# set application application-name destination-port value

For example:

[edit applications]
user@host# set application dns_alg destination-port 53

Results

[edit applications]
user@host# show
application dns_alg {
    application-protocol dns;
    protocol udp;
    destination-port 53;
}

Configuring the NAT Pools

Step-by-Step Procedure

In this configuration, you configure two pools that define the addresses (or prefixes) used for NAT. These pools define the IPv4 addresses into which the IPv6 addresses are translated. The first pool includes the IPv4 address of the source. The second pool defines the IPv4 address of the DNS server. To configure NAT pools:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Specify the name of the first pool and the IPv4 source address (laptop).

[edit services nat]
user@host# set pool nat-pool-name address ip-prefix

For example:

[edit services nat]
user@host# set pool pool1 address 40.1.1.1/32

3. Specify the name of the second pool and the IPv4 address of the DNS server.

[edit services nat]
user@host# set pool nat-pool-name address ip-prefix

For example:

[edit services nat]
user@host# set pool pool2 address 50.1.1.1/32

Results

The following sample output shows the configuration of NAT pools:

[edit services nat]
user@host# show
pool pool1 {
    address 40.1.1.1/32;
}
pool pool2 {
    address 50.1.1.1/32;
}


Configuring the DNS Server Session: First NAT Rule

Step-by-Step Procedure

The first NAT rule is applied to DNS traffic going to the DNS server. This rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The DNS application was configured in Configuring the DNS ALG Application on page 182. In addition, you must specify the direction in which traffic is matched, the source address of the laptop, the destination address of the DNS server, and the actions to take when the match conditions are met. To configure the first NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Specify the name of the NAT rule.

[edit services nat]
user@host# edit rule rule-name

For example:

[edit services nat]
user@host# edit rule rule1

3. Specify the name of the NAT term.

[edit services nat rule rule-name]
user@host# edit term term-name

For example:

[edit services nat rule rule1]
user@host# edit term term1

4. Define the match conditions for this rule.

Specify the IPv6 source address of the device (laptop) attempting to access an IPv4 address.

[edit services nat rule rule-name term term-name]
user@host# set from source-address source-address

For example:

[edit services nat rule rule1 term term1]
user@host# set from source-address 2000::2/128

Specify the IPv6 destination address of the DNS server.

[edit services nat rule rule-name term term-name]
user@host# set from destination-address prefix

For example:

[edit services nat rule rule1 term term1]
user@host# set from destination-address 4000::2/128

Reference the DNS application to which the DNS traffic destined for port 53 is applied.

[edit services nat rule rule-name term term-name]
user@host# set from applications application-name

In this example, the application name configured in the Configuring the DNS Application step is dns_alg:

[edit services nat rule rule1 term term1]
user@host# set from applications dns_alg
5. Define the actions to take when the match conditions are met. The source and destination pools you configured in Configuring the NAT Pools are applied here.

Apply the NAT pool configured for source translation.

[edit services nat rule rule-name term term-name]
user@host# set then translated source-pool nat-pool-name

For example:

[edit services nat rule rule1 term term1]
user@host# set then translated source-pool pool1

Apply the NAT pool configured for destination translation.

[edit services nat rule rule-name term term-name]
user@host# set then translated destination-pool nat-pool-name

For example:

[edit services nat rule rule1 term term1]
user@host# set then translated destination-pool pool2

6. Define the DNS ALG 96-bit prefix for IPv4-to-IPv6 address mapping.

[edit services nat rule rule-name term term-name]
user@host# set then translated dns-alg-prefix dns-alg-prefix

For example:

[edit services nat rule rule1 term term1]
user@host# set then translated dns-alg-prefix 10:10:10::0/96

7. Specify the type of NAT used for source and destination traffic.

[edit services nat rule rule-name term term-name]
user@host# set then translated translation-type translation-type

For example:

[edit services nat rule rule1 term term1]
user@host# set then translated translation-type basic-nat-pt

NOTE: In this example, since NAT is achieved using address-only translation, the basic-nat-pt translation type is used. To achieve NAT using address and port translation (NAPT), use the napt-pt translation type.

8. Specify the direction in which to match traffic that meets the rule conditions.

[edit services nat rule rule-name]
user@host# set match-direction (input | output)

For example:

[edit services nat rule rule1]
user@host# set match-direction input

9. Configure system logging to record information from the services interface to the /var/log directory.

[edit services nat rule rule-name term term-name]
user@host# set then syslog

For example:

[edit services nat rule rule1 term term1]
user@host# set then syslog

Results

The following sample output shows the configuration of the first NAT rule that goes to the DNS server.

[edit services nat]
user@host# show
rule rule1 {
    match-direction input;
    term term1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                4000::2/128;
            }
            applications dns_alg;
        }
        then {
            translated {
                source-pool pool1;
                destination-pool pool2;
                dns-alg-prefix 10:10:10::0/96;
                translation-type {
                    basic-nat-pt;
                }
            }
            syslog;
        }
    }
}


Configuring the HTTP Session: Second NAT Rule

Step-by-Step Procedure

The second NAT rule is applied to destination traffic going to the IPv4 server (www.example.com). This rule ensures that NAT sessions are destined to the address mapped by the DNS ALG. For this rule to work, you must configure the DNS ALG address map that correlates the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule. In addition, you must specify the direction in which traffic is matched, the IPv4 address for the IPv6 source address (laptop), the 96-bit prefix to prepend to the IPv4 destination address (www.example.com), and the translation type.

To configure the second NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

       user@host# edit services nat

2. Specify the name of the NAT rule and term.

       [edit services nat]
       user@host# edit rule rule-name term term-name

   For example:

       [edit services nat]
       user@host# edit rule rule2 term term1

3. Define the match conditions for this rule:

   Specify the IPv6 address of the device attempting to access the IPv4 server.

       [edit services nat rule rule-name term term-name]
       user@host# set from source-address source-address

   For example:

       [edit services nat rule rule2 term term1]
       user@host# set from source-address 2000::2/128

   Specify the 96-bit IPv6 prefix to prepend to the IPv4 server address.

       [edit services nat rule rule-name term term-name]
       user@host# set from destination-address prefix

   For example:

       [edit services nat rule rule2 term term1]
       user@host# set from destination-address 10:10:10::c0a8:108/128

4. Define the actions to take when the match conditions are met.

   Specify the prefix for the translation of the IPv6 source address.

       [edit services nat rule rule-name term term-name]
       user@host# set then translated source-prefix source-prefix

   For example:

       [edit services nat rule rule2 term term1]
       user@host# set then translated source-prefix 19.19.19.1/32

5. Specify the type of NAT used for source and destination traffic.

       [edit services nat rule rule-name term term-name]
       user@host# set then translated translation-type basic-nat-pt

   For example:

       [edit services nat rule rule2 term term1]
       user@host# set then translated translation-type basic-nat-pt

   NOTE: In this example, since NAT is achieved using address-only translation, the basic-nat-pt translation type is used. To achieve NAT using address and port translation (NAPT), you must use the napt-pt translation type.

6. Specify the direction in which to match traffic that meets the conditions in the rule.

       [edit services nat rule rule-name]
       user@host# set match-direction (input | output)

   For example:

       [edit services nat rule rule2]
       user@host# set match-direction input

Results

The following sample output shows the configuration of the second NAT rule:

    [edit services nat]
    user@host# show
    rule rule2 {
        match-direction input;
        term term1 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    10:10:10::c0a8:108/128;
                }
            }
            then {
                translated {
                    source-prefix 19.19.19.1/32;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
    }
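The address mapping that ties the two rules together can be checked offline before committing. The following Python script is an added example, not code from the guide or from Junos: it embeds an IPv4 address into the 96-bit dns-alg-prefix the way the DNS ALG rewrites an A record into an AAAA answer, recovers the IPv4 address from the mapped destination that rule2 matches (the guide's own 10:10:10::c0a8:108 yields 192.168.1.8), and applies rule2's source-prefix to show the IPv4 packet basic-nat-pt produces. The same /96 embedding is what the stateful NAT64 example later in this chapter relies on; the rule-matching model here is a simplification, not the router's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# dns-alg-prefix from rule1 on this page: 96 bits, so the low 32 bits carry the IPv4 address.
DNS_ALG_PREFIX = "10:10:10::0/96"


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Prepend the /96 prefix to an IPv4 address.

    This is what the DNS ALG does when it turns the A record received from the
    IPv4 DNS server into an AAAA answer for the IPv6-only client.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("dns-alg-prefix must be a /96 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address embedded in the low 32 bits of a mapped IPv6 address.

    Raises ValueError when the address is outside the prefix, so a destination
    the ALG never produced cannot be translated by accident.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s is not inside dns-alg-prefix %s" % (addr, net))
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


@dataclass(frozen=True)
class NatPtRule:
    """Subset of a basic-nat-pt term: the from/then statements shown on this page."""
    source_address: str        # from source-address (IPv6 host)
    destination_address: str   # from destination-address (mapped IPv6 address)
    source_prefix: str         # then translated source-prefix (IPv4 /32)
    dns_alg_prefix: str = DNS_ALG_PREFIX


# rule2 term1 as configured in the second NAT rule above.
RULE2 = NatPtRule("2000::2/128", "10:10:10::c0a8:108/128", "19.19.19.1/32")


def translate_basic_nat_pt(rule: NatPtRule, src6: str, dst6: str) -> Optional[Tuple[str, str]]:
    """Return (src4, dst4) for an IPv6 packet the rule matches, or None when it does not.

    basic-nat-pt is address-only translation: the IPv6 source becomes the
    configured source-prefix and the IPv6 destination becomes the IPv4 address
    embedded in it. Ports are untouched (napt-pt would rewrite them as well).
    """
    if ipaddress.IPv6Address(src6) not in ipaddress.IPv6Network(rule.source_address):
        return None
    if ipaddress.IPv6Address(dst6) not in ipaddress.IPv6Network(rule.destination_address):
        return None
    src4 = ipaddress.IPv4Network(rule.source_prefix).network_address
    dst4 = extract_ipv4(rule.dns_alg_prefix, dst6)
    return str(src4), str(dst4)


if __name__ == "__main__":
    mapped = embed_ipv4(DNS_ALG_PREFIX, "192.168.1.8")
    print("AAAA answer handed to the laptop:", mapped)
    print("rule2 translation of 2000::2 ->", mapped, ":", translate_basic_nat_pt(RULE2, "2000::2", str(mapped)))
```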


Configuring the Service Set

Step-by-Step Procedure

This service set is an interface service set used as an action modifier across the entire services (ms-) interface. Stateful firewall and NAT rule sets are applied to traffic processed by the services interface.

To configure the service set:

1. In configuration mode, go to the [edit services] hierarchy level.

       user@host# edit services

2. Define a service set.

       [edit services]
       user@host# edit service-set service-set-name

   For example:

       [edit services]
       user@host# edit service-set ss

3. Specify properties that control how system log messages are generated for the service set.

       [edit services service-set ss]
       user@host# set syslog host local services severity-level

   The example below includes all severity levels.

       [edit services service-set ss]
       user@host# set syslog host local services any

4. Specify the stateful firewall rule included in this service set.

       [edit services service-set ss]
       user@host# set stateful-firewall-rules rule-name

   The example below references the stateful firewall rule defined in Configuring the Stateful Firewall Rule.

       [edit services service-set ss]
       user@host# set stateful-firewall-rules rule1

5. Define the NAT rules included in this service set.

       [edit services service-set ss]
       user@host# set nat-rules rule-name

   The example below references the two rules defined in this configuration example.

       [edit services service-set ss]
       user@host# set nat-rules rule1
       user@host# set nat-rules rule2

6. Configure an adaptive services interface on which the service is to be performed.

       [edit services service-set ss]
       user@host# set interface-service service-interface interface-name

   For example:

       [edit services service-set ss]
       user@host# set interface-service service-interface ms-2/0/0

   Only the device name is needed, because the router software manages logical unit numbers automatically. The services interface must be an adaptive services interface for which you have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level in the Configuring Interfaces step.

Results

The following sample output shows the configuration of the service set:

    [edit services]
    user@host# show
    service-set ss {
        syslog {
            host local {
                services any;
            }
        }
        stateful-firewall-rules rule1;
        nat-rules rule1;
        nat-rules rule2;
        interface-service {
            service-interface ms-2/0/0;
        }
    }

Configuring the Stateful Firewall Rule

Step-by-Step Procedure

This example uses a stateful firewall to inspect packets for state information derived from past communications and other applications. The NAT-PT router checks the traffic flow matching the direction specified by the rule, in this case both input and output. When a packet is sent to the services (ms-) interface, direction information is carried along with it.

To configure the stateful firewall rule:

1. In configuration mode, go to the [edit services stateful-firewall] hierarchy level.

       user@host# edit services stateful-firewall

2. Specify the name of the stateful firewall rule.

       [edit services stateful-firewall]
       user@host# edit rule rule-name

   For example:

       [edit services stateful-firewall]
       user@host# edit rule rule1

3. Specify the direction in which traffic is to be matched.

       [edit services stateful-firewall rule rule-name]
       user@host# set match-direction (input | input-output | output)

   For example:

       [edit services stateful-firewall rule rule1]
       user@host# set match-direction input-output

4. Specify the name of the stateful firewall term.

       [edit services stateful-firewall rule rule-name]
       user@host# edit term term-name

   For example:

       [edit services stateful-firewall rule rule1]
       user@host# edit term term1

5. Define the terms that make up this rule.

       [edit services stateful-firewall rule rule-name term term-name]
       user@host# set then accept

   For example:

       [edit services stateful-firewall rule rule1 term term1]
       user@host# set then accept

Results

The following sample output shows the configuration of the services stateful firewall.

    [edit services]
    user@host# show
    stateful-firewall {
        rule rule1 {
            match-direction input-output;
            term term1 {
                then {
                    accept;
                }
            }
        }
    }

Configuring Interfaces

Step-by-Step Procedure

After you have defined the service set, you must apply services to one or more interfaces installed on the router. In this example, you configure one interface on which you apply the service set for input and output traffic. When you apply the service set to an interface, it automatically ensures that packets are directed to the services (ms-) interface.

To configure the interfaces:

1. In configuration mode, go to the [edit interfaces] hierarchy level.

       user@host# edit interfaces

2. Configure the interface on which the service set is applied to automatically ensure that packets are directed to the services (ms-) interface.

   For IPv4 traffic, specify the IPv4 address.

       [edit interfaces]
       user@host# set ge-1/0/9 unit 0 family inet address 30.1.1.1/24

   Apply the service set defined in the Configuring the Service Set step.

       [edit interfaces]
       user@host# set ge-1/0/9 unit 0 family inet6 service input service-set ss
       user@host# set ge-1/0/9 unit 0 family inet6 service output service-set ss

   For IPv6 traffic, specify the IPv6 address.

       [edit interfaces]
       user@host# set ge-1/0/9 unit 0 family inet6 address 2000::1/64

3. Specify the interface properties for the services interface that performs the service.

       [edit interfaces]
       user@host# set ms-2/0/0 services-options syslog host local services any
       user@host# set ms-2/0/0 unit 0 family inet
       user@host# set ms-2/0/0 unit 0 family inet6

Results

The following sample output shows the configuration of the interfaces for this example.

    [edit interfaces]
    user@host# show
    ge-1/0/9 {
        unit 0 {
            family inet {
                address 30.1.1.1/24;
            }
            family inet6 {
                service {
                    input {
                        service-set ss;
                    }
                    output {
                        service-set ss;
                    }
                }
                address 2000::1/64;
            }
        }
    }
    ms-2/0/0 {
        services-options {
            syslog {
                host local {
                    services any;
                }
            }
        }
        unit 0 {
            family inet;
            family inet6;
        }
    }

Related Documentation

Network Address Translation Overview on page 48
Configuring NAT-PT on page 187
Configuring Service Sets to be Applied to Services Interfaces on page 568
Example: Configuring the uKernel Service and the Services SDK on Two PICs
dns-alg-prefix on page 246
dns-alg-pool on page 246

Example: Configuring Port Forwarding with Twice NAT

The following example configures port forwarding with twice-napt-44 as the translation type. The example also has stateful firewall and multiple port maps configured.

    [edit services]
    user@host# show
    service-set in {
        syslog {
            host local {
                services any;
            }
        }
        stateful-firewall-rules r;
        nat-rules r;
        interface-service {
            service-interface sp-10/0/0.0;
        }
    }
    stateful-firewall {
        rule r {
            match-direction input;
            term t {
                from {
                    destination-port {
                        range low 1 high 57000;
                    }
                }
                then {
                    reject;
                }
            }
        }
    }
    nat {
        pool x {
            address 12.0.0.2/32;
        }
        rule r {
            match-direction input;
            term t {
                from {
                    destination-address {
                        14.0.0.2/32;
                    }
                    destination-port {
                        range low 10 high 20000;
                    }
                }
                then {
                    port-forwarding-mappings y;
                    translated {
                        destination-pool x;
                        translation-type {
                            twice-napt-44;
                        }
                    }
                }
            }
        }
        port-forwarding y {
            destined-port 45;
            translated-port 23;
            destined-port 55;
            translated-port 33;
            destined-port 65;
            translated-port 43;
        }
    }
    adaptive-services-pics {
        traceoptions {
            file sp-trace;
            flag all;
        }
    }

NOTE: Stateful firewall has precedence over port forwarding. In this example, for instance, no traffic destined to any port between 1 and 57000 will be translated. Up to 32 port maps can be configured.
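The precedence the note describes is easy to get wrong when reading a configuration, so the following Python model is an added example (not Junos code) that walks a packet through service set in: stateful firewall rule r first, then NAT rule r with its port-forwarding mappings, using the ports and addresses of the example above. The reject_ports parameter lets you see what the same mappings would do without the firewall term; the ordering itself is the one the note states, and the model ignores the source-side half of twice-napt-44 because the example defines no source pool.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values taken from the port-forwarding example above.
FW_REJECT_PORTS = range(1, 57001)       # stateful-firewall rule r: destination-port 1..57000, then reject
NAT_MATCH_ADDRESS = "14.0.0.2"          # nat rule r: from destination-address 14.0.0.2/32
NAT_MATCH_PORTS = range(10, 20001)      # nat rule r: from destination-port 10..20000
DESTINATION_POOL = "12.0.0.2"           # pool x
PORT_FORWARDING_Y: Dict[int, int] = {45: 23, 55: 33, 65: 43}  # destined-port -> translated-port
MAX_PORT_MAPS = 32                      # limit stated in the NOTE


@dataclass(frozen=True)
class Packet:
    dst_addr: str
    dst_port: int


def check_port_maps(mappings: Dict[int, int]) -> None:
    """Refuse a port-forwarding block with more mappings than the platform allows."""
    if len(mappings) > MAX_PORT_MAPS:
        raise ValueError("port-forwarding allows at most %d port maps" % MAX_PORT_MAPS)


def stateful_firewall(pkt: Packet, reject_ports: range = FW_REJECT_PORTS) -> str:
    """Stateful firewall rule r: reject the configured destination-port range, accept the rest."""
    return "reject" if pkt.dst_port in reject_ports else "accept"


def nat_rule(pkt: Packet) -> Optional[Packet]:
    """NAT rule r: destination translation to pool x plus the port map, or None when term t does not match."""
    if pkt.dst_addr != NAT_MATCH_ADDRESS or pkt.dst_port not in NAT_MATCH_PORTS:
        return None
    check_port_maps(PORT_FORWARDING_Y)
    new_port = PORT_FORWARDING_Y.get(pkt.dst_port, pkt.dst_port)  # unmapped ports keep their number
    return Packet(DESTINATION_POOL, new_port)


def service_set_in(pkt: Packet, reject_ports: range = FW_REJECT_PORTS) -> Tuple[str, Optional[Packet]]:
    """Model of service set 'in': the stateful firewall runs before NAT.

    Returns ("rejected", None) when the firewall drops the packet, otherwise
    ("accepted", packet after NAT). A packet the firewall rejects never reaches
    the port-forwarding mappings, which is the precedence the NOTE describes.
    """
    if stateful_firewall(pkt, reject_ports) == "reject":
        return "rejected", None
    translated = nat_rule(pkt)
    return "accepted", translated if translated is not None else pkt


if __name__ == "__main__":
    for port in (45, 55, 60000):
        print(port, service_set_in(Packet("14.0.0.2", port)))
    # Same packet with an empty reject range: now the mapping 45 -> 23 applies.
    print(45, service_set_in(Packet("14.0.0.2", 45), reject_ports=range(0)))
```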

Related Documentation

Configuring Port Forwarding for Static Destination Address Translation on page 179

Example: Configuring an Oversubscribed Pool with Fallback to NAPT

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. When the addresses in the source pool (src-pool) are exhausted, NAT is provided by the NAPT overload pool (pat-pool).

    [edit services nat]
    pool src-pool {
        address-range low 192.16.2.1 high 192.16.2.10;
    }
    pool pat-pool {
        address-range low 192.16.2.11 high 192.16.2.12;
        port automatic;
    }
    rule myrule {
        match-direction input;
        term myterm {
            from {
                source-address 10.150.1.0/24;
            }
            then {
                translated {
                    source-pool src-pool;
                    overload-pool pat-pool;
                    translation-type napt-44;
                }
            }
        }
    }

Example: Configuring an Oversubscribed Pool with No Fallback

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. Sessions from the first 10 host sessions are assigned an address from the pool on a first-come, first-served basis, and any additional requests are rejected. Each host with an assigned NAT can participate in multiple sessions.

    [edit services nat]
    pool my-pool {
        address-range low 10.10.10.1 high 10.10.10.10;
    }
    rule src-nat {
        match-direction input;
        term t1 {
            from {
                source-address 192.168.1.0/24;
            }
            then {
                translated {
                    translation-type dynamic-nat44;
                    source-pool my-pool;
                }
            }
        }
    }
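To make the difference between the two oversubscribed-pool examples concrete (fallback to pat-pool versus rejection), the following Python model is an added example, not Junos code: it hands out src-pool and my-pool addresses first come, first served, one public address per host, reuses a host's binding for its later sessions, and falls back to the overload pool with automatically assigned ports only when one is configured. The NAPT starting port (1024), the per-address port order, and port preservation for hosts that hold a dedicated address are assumptions of the model.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, int]  # (public address, public port)


class AddressPool:
    """A pool declared with address-range low/high.

    With port_automatic=True the pool is used for NAPT (port automatic): one
    public address serves many hosts and ports are handed out automatically.
    The starting port of 1024 is an assumption of this model, not a Junos value.
    """

    def __init__(self, low: str, high: str, port_automatic: bool = False) -> None:
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        if hi < lo:
            raise ValueError("address-range high must not be below low")
        self.addresses: List[str] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.free: List[str] = list(self.addresses)
        self.port_automatic = port_automatic
        self._next_port: Dict[str, int] = {a: 1024 for a in self.addresses}

    def take_address(self) -> Optional[str]:
        """Dedicated address for one host (dynamic-nat44 style); None when the pool is exhausted."""
        return self.free.pop(0) if self.free else None

    def take_port(self) -> Optional[Binding]:
        """Next free (address, port) pair for NAPT; None when every port on every address is used."""
        for addr in self.addresses:
            if self._next_port[addr] <= 65535:
                port = self._next_port[addr]
                self._next_port[addr] += 1
                return addr, port
        return None


class SourceNatTerm:
    """Source translation with an optional overload-pool, as in the two examples above."""

    def __init__(self, source_pool: AddressPool, overload_pool: Optional[AddressPool] = None) -> None:
        self.source_pool = source_pool
        self.overload_pool = overload_pool
        self.bindings: Dict[str, str] = {}  # private host -> dedicated public address

    def translate(self, src_ip: str, src_port: int) -> Optional[Binding]:
        """Binding a session from src_ip:src_port receives, or None when the session is rejected."""
        if src_ip in self.bindings:                  # host already holds an address: reuse it
            return self.bindings[src_ip], src_port
        addr = self.source_pool.take_address()
        if addr is not None:                         # first-come, first-served address
            self.bindings[src_ip] = addr
            return addr, src_port
        if self.overload_pool is None or not self.overload_pool.port_automatic:
            return None                              # no fallback: additional hosts are rejected
        return self.overload_pool.take_port()        # fallback to NAPT on the overload pool


def with_fallback() -> SourceNatTerm:
    """rule myrule: src-pool 192.16.2.1-10 with overload-pool pat-pool 192.16.2.11-12."""
    return SourceNatTerm(AddressPool("192.16.2.1", "192.16.2.10"),
                         AddressPool("192.16.2.11", "192.16.2.12", port_automatic=True))


def without_fallback() -> SourceNatTerm:
    """rule src-nat: my-pool 10.10.10.1-10 and no overload pool."""
    return SourceNatTerm(AddressPool("10.10.10.1", "10.10.10.10"))


def simulate(term: SourceNatTerm, prefix: str, hosts: int) -> Dict[str, Optional[Binding]]:
    """Open one session (source port 40000) from each of the first `hosts` addresses of the prefix."""
    net = ipaddress.IPv4Network(prefix)
    return {str(h): term.translate(str(h), 40000) for h in list(net.hosts())[:hosts]}


if __name__ == "__main__":
    for name, term, prefix in (("fallback to pat-pool", with_fallback(), "10.150.1.0/24"),
                               ("no fallback", without_fallback(), "192.168.1.0/24")):
        print(name)
        for host, binding in simulate(term, prefix, 12).items():
            print("  %s -> %s" % (host, binding if binding else "rejected"))
```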

Example: Assigning Addresses from a Dynamic Pool for Static Use

The following configuration statically assigns a subset of addresses that are configured as part of a dynamic pool (dynamic-pool) to two separate static pools (static-pool and static-pool2).

    [edit services nat]
    pool dynamic-pool {
        address 20.20.10.0/24;
    }
    pool static-pool {
        address-range low 20.20.10.10 high 20.20.10.12;
    }
    pool static-pool2 {
        address 20.20.10.15/32;
    }
    rule src-nat {
        match-direction input;
        term t1 {
            from {
                source-address 30.30.30.0/24;
            }
            then {
                translated {
                    translation-type dynamic-nat44;
                    source-pool dynamic-pool;
                }
            }
        }
        term t2 {
            from {
                source-address 10.10.10.2;
            }
            then {
                translated {
                    translation-type basic-nat44;
                    source-pool static-pool;
                }
            }
        }
        term t3 {
            from {
                source-address 10.10.10.10;
            }
            then {
                translated {
                    translation-type basic-nat44;
                    source-pool static-pool2;
                }
            }
        }
    }

Example: Configuring NAT Rules Without Defining a Pool

The following configuration performs NAT using the source prefix 20.20.10.0/24 without defining a pool.

    [edit services nat]
    rule src-nat {
        match-direction input;
        term t1 {
            then {
                translated {
                    translation-type dynamic-nat44;
                    source-prefix 20.20.10.0/24;
                }
            }
        }
    }

The following configuration performs NAT using the destination prefix 20.20.10.0/32 without defining a pool.

    [edit services nat]
    rule src-nat {
        match-direction input;
        term t1 {
            from {
                destination-address 10.10.10.10/32;
            }
            then {
                translated {
                    translation-type dnat44;
                    destination-prefix 20.20.10.0/24;
                }
            }
        }
    }


Example: Preventing Translation of Specific Addresses

The following configuration specifies that NAT is not performed on incoming traffic from the source address 192.168.20.24/32. Dynamic NAT is performed on all other incoming traffic.

    [edit services nat]
    pool my-pool {
        address-range low 10.10.10.1 high 10.10.10.16;
        port automatic;
    }
    rule src-nat {
        match-direction input;
        term t0 {
            from {
                source-address 192.168.20.24/32;
            }
            then {
                no-translation;
            }
        }
        term t1 {
            then {
                translated {
                    translation-type dynamic-nat44;
                    source-pool my-pool;
                }
            }
        }
    }

Example: Configuring NAT for Multicast Traffic

Figure 7 on page 219 illustrates the network setup for the following configuration, which allows IP multicast traffic to be sent to the Multiservices PIC.

Figure 7: Configuring NAT for Multicast Traffic

Rendezvous Point Configuration on page 219
Router 1 Configuration on page 222

Rendezvous Point Configuration

On the rendezvous point (RP), all incoming traffic from the multicast source at 192.168.254.0/27 is sent to the static NAT pool mcast_pool, where its source is translated to 20.20.20.0/27. The service set nat_ss is a next-hop service set that allows IP multicast traffic to be sent to the Multiservices DPC or Multiservices PIC. The inside interface on the PIC is ms-1/1/0.1 and the outside interface is ms-1/1/0.2.

    [edit services]
    nat {
        pool mcast_pool {
            address 20.20.20.0/27;
        }
        rule nat_rule_1 {
            match-direction input;
            term 1 {
                from {
                    source-address 192.168.254.0/27;
                }
                then {
                    translated {
                        source-pool mcast_pool;
                        translation-type basic-nat44;
                    }
                    syslog;
                }
            }
        }
    }
    service-set nat_ss {
        allow-multicast;
        nat-rules nat_rule_1;
        next-hop-service {
            inside-service-interface ms-1/1/0.1;
            outside-service-interface ms-1/1/0.2;
        }
    }

The Gigabit Ethernet interface ge-0/3/0 carries traffic out of the RP to Router 1. The multiservices interface ms-1/1/0 has two logical interfaces: unit 1 is the inside interface for next-hop services and unit 2 is the outside interface for next-hop services. Multicast source traffic comes in on the Fast Ethernet interface fe-1/2/1, which has the firewall filter fbf applied to incoming traffic.

    [edit interfaces]
    ge-0/3/0 {
        unit 0 {
            family inet {
                address 10.10.1.1/30;
            }
        }
    }
    ms-1/1/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    fe-1/2/1 {
        unit 0 {
            family inet {
                filter {
                    input fbf;
                }
                address 192.168.254.27/27;
            }
        }
    }

Multicast packets can only be directed to the Multiservices DPC or the Multiservices PIC using a next-hop service set. In the case of NAT, you must also configure a VRF. Therefore, the routing instance stage is created as a dummy forwarding instance. To direct incoming packets to stage, you configure filter-based forwarding through a firewall filter called fbf, which is applied to the incoming interface fe-1/2/1. A lookup is performed in stage.inet.0, which has a multicast static route that is installed with the next hop pointing to the PIC's inside interface. All multicast traffic matching this route is sent to the PIC.

    [edit firewall]
    filter fbf {
        term 1 {
            then {
                routing-instance stage;
            }
        }
    }

The routing instance stage forwards IP multicast traffic to the inside interface ms-1/1/0.1 on the Multiservices DPC or Multiservices PIC:

    [edit]
    routing-instances stage {
        instance-type forwarding;
        routing-options {
            static {
                route 224.0.0.0/4 next-hop ms-1/1/0.1;
            }
        }
    }

You enable OSPF and Protocol Independent Multicast (PIM) on the Fast Ethernet and Gigabit Ethernet logical interfaces over which IP multicast traffic enters and leaves the RP. You also enable PIM on the outside interface (ms-1/1/0.2) of the next-hop service set.

    [edit protocols]
    ospf {
        area 0.0.0.0 {
            interface fe-1/2/1.0 {
                passive;
            }
            interface lo0.0;
            interface ge-0/3/0.0;
        }
    }
    pim {
        rp {
            local {
                address 10.255.14.160;
            }
        }
        interface fe-1/2/1.0;
        interface lo0.0;
        interface ge-0/3/0.0;
        interface ms-1/1/0.2;
    }

As with any filter-based forwarding configuration, in order for the static route in the forwarding instance stage to have a reachable next hop, you must configure routing table groups so that all interface routes are copied from inet.0 to the routing table in the forwarding instance. You configure routing tables inet.0 and stage.inet.0 as members of fbf_rib_group, so that all interface routes are imported into both tables.

    [edit routing-options]
    interface-routes {
        rib-group inet fbf_rib_group;
    }
    rib-groups fbf_rib_group {
        import-rib [ inet.0 stage.inet.0 ];
    }
    multicast {
        rpf-check-policy no_rpf;
    }

Reverse path forwarding (RPF) checking must be disabled for the multicast group on which source NAT is applied. You can disable RPF checking for specific multicast groups by configuring a policy similar to the one in the example that follows. In this case, the no_rpf policy disables RPF check for multicast groups belonging to 224.0.0.0/4.

    [edit policy-options]
    policy-statement no_rpf {
        term 1 {
            from {
                route-filter 224.0.0.0/4 orlonger;
            }
            then reject;
        }
    }

Router 1 Configuration

The Internet Group Management Protocol (IGMP), OSPF, and PIM configuration on Router 1 is as follows. Because of IGMP static group configuration, traffic is forwarded out fe-3/0/0.0 to the multicast receiver without receiving membership reports from host members.

    [edit protocols]
    igmp {
        interface fe-3/0/0.0 {
        }
    }
    ospf {
        area 0.0.0.0 {
            interface fe-3/0/0.0 {
                passive;
            }
            interface lo0.0;
            interface ge-7/2/0.0;
        }
    }
    pim {
        rp {
            static {
                address 10.255.14.160;
            }
        }
        interface fe-3/0/0.0;
        interface lo0.0;
        interface ge-7/2/0.0;
    }

The routing option creates a static route to the NAT pool, mcast_pool, on the RP.

    [edit routing-options]
    static {
        route 20.20.20.0/27 next-hop 10.10.1.1;
    }

Example: NAT 44 CGN Configurations

This example describes how to implement several NAT configurations.

Hardware and Software Requirements on page 223
Overview on page 224
Basic NAT44 Configuration on page 224

Hardware and Software Requirements

This example requires the following hardware:

An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC
A domain name server (DNS)

This example uses the following software:

Junos OS Release 11.4 or higher

Overview

This example shows a complete CGN NAT44 configuration and advanced options.

Basic NAT44 Configuration

Chassis Configuration

Step-by-Step Procedure

To configure the service PIC (FPC 5 Slot 0) with the Layer 3 service package:

1. Go to the [edit chassis] hierarchy level.

       user@host# edit chassis

2. Configure the Layer 3 service package.

       [edit chassis]
       user@host# set fpc 5 pic 0 adaptive-services service-package layer-3

Configuring the Interfaces

Step-by-Step Procedure

To configure interfaces to the private network and the public Internet:

1. Define the interface to the private network.

       user@host# edit interfaces ge-1/3/5
       [edit interfaces ge-1/3/5]
       user@host# set description Private
       user@host# edit unit 0 family inet
       [edit interfaces ge-1/3/5 unit 0 family inet]
       user@host# set service input service-set ss2
       user@host# set service output service-set ss2
       user@host# set address 9.0.0.1/24

2. Define the interface to the public Internet.

       user@host# edit interfaces ge-1/3/6
       [edit interfaces ge-1/3/6]
       user@host# set description Public
       user@host# set unit 0 family inet address 128.0.0.1/24

3. Define the service interface for NAT processing. It is the sp- interface of the PIC configured with the Layer 3 service package in Chassis Configuration (FPC 5, PIC 0).

       user@host# edit interfaces sp-5/0/0
       [edit interfaces sp-5/0/0]
       user@host# set unit 0 family inet

Results

    user@host# show interfaces ge-1/3/5
    description Private;
    unit 0 {
        family inet {
            service {
                input {
                    service-set ss2;
                }
                output {
                    service-set ss2;
                }
            }
            address 9.0.0.1/24;
        }
    }
    user@host# show interfaces ge-1/3/6
    description Public;
    unit 0 {
        family inet {
            address 128.0.0.1/24;
        }
    }
    user@host# show interfaces sp-5/0/0
    unit 0 {
        family inet;
    }

Configuring NAT with Port Translation

Step-by-Step Procedure

To configure source-only dynamic NAT with port translation:

1. Configure the NAT pool.

       user@host# edit services nat
       [edit services nat]
       user@host# set pool p1 address 129.0.0.0/24
       user@host# set pool p1 port automatic random-allocation

2. Configure the NAT rule.

       [edit services nat]
       user@host# edit rule r1
       [edit services nat rule r1]
       user@host# set match-direction input
       user@host# set term t1 from source-address 10.0.0.0/16
       user@host# set term t1 from source-address 10.1.0.0/16
       user@host# set term t1 then translated source-pool p1
       user@host# set term t1 then translated translation-type dynamic-nat44

Results

    user@host# show services nat
    pool p1 {
        address 129.0.0.0/24;
        port {
            automatic {
                random-allocation;
            }
        }
    }
    rule r1 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.0.0.0/16;
                    10.1.0.0/16;
                }
            }
            then {
                translated {
                    source-pool p1;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }

Configuring the Service Set

Step-by-Step Procedure

To configure the service set:

1. Configure a service set.

       user@host# edit services service-set ss2

2. Specify the NAT rule to be used.

       [edit services service-set ss2]
       user@host# set nat-rules r1

3. Specify the interface service.

       [edit services service-set ss2]
       user@host# set interface-service service-interface sp-5/0/0

Results

    user@host# show services service-set ss2
    nat-rules r1;
    interface-service {
        service-interface sp-5/0/0;
    }

Example: NAT Between VRFs Configuration

The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:

A host in vrf-a traverses 10.58.16.201 to reach 10.58.0.2 in vrf-b.
A host in vrf-b traverses 10.58.16.101 to reach 10.58.0.2 in vrf-a.

    [edit interfaces]
    ge-0/2/0 {
        unit 0 {
            family inet {
                address 10.58.0.1/24;
                service {
                    input service-set vrf-a-svc-set;
                    output service-set vrf-a-svc-set;
                }
            }
        }
    }
    ge-0/3/0 {
        unit 0 {
            family inet {
                address 10.58.0.1/24;
                service {
                    input service-set vrf-b-svc-set;
                    output service-set vrf-b-svc-set;
                }
            }
        }
    }
    sp-1/3/0 {
        unit 0 {
            family inet;
        }
        unit 10 {
            family inet;
            service-domain inside;
        }
        unit 20 {
            family inet;
            service-domain inside;
        }
    }
    [edit policy-options]
    policy-statement test-policy {
        term t1 {
            then reject;
        }
    }
    [edit routing-instances]
    vrf-a {
        interface ge-0/2/0.0;
        interface sp-1/3/0.10;
        instance-type vrf;
        route-distinguisher 10.1.1.1:1;
        vrf-import test-policy;
        vrf-export test-policy;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    vrf-b {
        interface ge-0/3/0.0;
        interface sp-1/3/0.20;
        instance-type vrf;
        route-distinguisher 10.2.2.2:2;
        vrf-import test-policy;
        vrf-export test-policy;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    [edit services]
    stateful-firewall {
        rule allow-all {
            match-direction input-output;
            term t1 {
                then {
                    accept;
                }
            }
        }
    }
    nat {
        pool vrf-a-src-pool {
            address 10.58.16.100;
            port automatic;
        }
        pool vrf-a-dst-pool {
            address 10.58.0.2;
        }
        rule vrf-a-input {
            match-direction input;
            term t1 {
                then {
                    translated {
                        source-pool vrf-a-src-pool;
                        translation-type napt-44;
                    }
                }
            }
        }
        rule vrf-a-output {
            match-direction output;
            term t1 {
                from {
                    destination-address 10.58.16.101;
                }
                then {
                    translated {
                        destination-pool vrf-a-dst-pool;
                        translation-type destination static;
                    }
                }
            }
        }
        pool vrf-b-src-pool {
            address 10.58.16.200;
            port automatic;
        }
        pool vrf-b-dst-pool {
            address 10.58.0.2;
        }
        rule vrf-b-input {
            match-direction input;
            term t1 {
                then {
                    translated {
                        source-pool vrf-b-src-pool;
                        translation-type source dynamic;
                    }
                }
            }
        }
        rule vrf-b-output {
            match-direction output;
            term t1 {
                from {
                    destination-address 10.58.16.201;
                }
                then {
                    translated {
                        destination-pool vrf-b-dst-pool;
                        translation-type destination static;
                    }
                }
            }
        }
    }
    service-set vrf-a-svc-set {
        stateful-firewall-rules allow-all;
        nat-rules vrf-a-input;
        nat-rules vrf-a-output;
        interface-service {
            service-interface sp-1/3/0.10;
        }
    }
    service-set vrf-b-svc-set {
        stateful-firewall-rules allow-all;
        nat-rules vrf-b-input;
        nat-rules vrf-b-output;
        interface-service {
            service-interface sp-1/3/0.20;
        }
    }

Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion

This example configures Stateful NAT64 on an MX Series 3D Universal Edge router with a Services DPC. The configuration replicates the example flow found in draft-ietf-behave-v6v4-xlate-stateful-12, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, July 2010. This example contains the following sections:

Requirements on page 230
Implementation on page 230
Configuration on page 230
Verifying NAT64 Operation on page 234

Requirements

This functionality requires the following hardware:

An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC
A name server with DNS64

Implementation

In Junos OS Release 10.2, Juniper Networks implemented stateful NAT64 in its Services Physical Interface Card (PIC) and Services Dense Port Concentrator (DPC). The system steers IPv6 packets coming from IPv6-only hosts to a Services DPC where the packets are translated to IPv4 according to the configuration. In the reverse path, the system sends IPv4 packets to the Services DPC where additional system processes reverse the translation and send the corresponding IPv6 packet back to the client.

Configuration Overview and Topology

Figure 8 on page 230 shows an MX Series router, R2, implementing NAT64 with two Gigabit Ethernet interfaces and a Services DPC. The interface connected to the IPv4 network is ge-1/3/6, and the interface connected to the IPv6 network is ge-1/3/5. Also shown is a local name server with DNS64 functionality, which the system uses as part of the translation process. The local name server is configured with the /96 prefix assigned to the local NAT64 router.

Figure 8: NAT64 Topology

[Figure: Host 1 in the IPv6 network reaches R2 (NAT64) on ge-1/3/5 (2001:DB8::1); R2 reaches Host 2 in the IPv4 network through ge-1/3/6 (192.0.2.1); a name server with DNS64 is also shown.]

Configuration
To configure stateful NAT64 involves the following tasks:

Configuring the PIC and the Interfaces on page 231 Configuring the NAT64 Pool on page 232 Configuring the Service Set on page 233

230

Copyright 2011, Juniper Networks, Inc.

Chapter 10: Carrier-Grade NAT Configuration Guidelines

Configuring the PIC and the Interfaces


Step-by-Step Procedure

To configure the PIC and interfaces on Router R2:

1. Edit the chassis configuration to enable a Layer 3 service package. The service package with its associated service package (sp-) interface is used to manipulate traffic before it is delivered to its destination. For details about configuring packages, see the Junos OS Services Interfaces Configuration Guide.

2. Configure the service package at the [edit chassis fpc pic adaptive-services] hierarchy level. This example assumes that the PIC is in FPC 5, slot 0.

   [edit chassis]
   fpc 5 {
       pic 0 {
           adaptive-services {
               service-package layer-3;
           }
       }
   }

3. Configure the ge-1/3/5 interface connected to the IPv6 network.
   a. Include the family inet (IPv4) and family inet6 (IPv6) statements at the [edit interfaces interface-name unit unit-number] hierarchy level.
   b. Include the IPv6 address at the [edit interfaces unit unit-number family inet6 address] hierarchy level.
   c. Configure a service set at the [edit interfaces interface-name unit unit-number family service input service-set] and the [edit interfaces interface-name unit unit-number family service output service-set] hierarchy levels.

   [edit interfaces]
   ge-1/3/5 {
       description "IPv6-only domain";
       unit 0 {
           family inet;
           family inet6 {
               service {
                   input {
                       service-set set_0;
                   }
                   output {
                       service-set set_0;
                   }
               }
               address 2001:DB8::1/64;
           }
       }
   }

4. Configure the ge-1/3/6 interface connected to the IPv4 network.
   a. Include the family inet statement at the [edit interfaces unit unit-number] hierarchy level.
   b. Include the IPv4 address at the [edit interfaces unit unit-number family inet] hierarchy level.

   [edit interfaces]
   ge-1/3/6 {
       description "Internet-IPv4 domain";
       unit 0 {
           family inet {
               address 192.0.1.1/16;
           }
       }
   }
5. Configure the services interface, in this example sp-5/0/0. This example configures a system log for any services on the local host. The service package associated with this interface was configured in Step 2. Specify both the IPv4 and IPv6 address families at the [edit interfaces interface-name unit unit-number] hierarchy level. The service set you configure in Configuring the Service Set on page 233 is associated with this interface.

   [edit interfaces]
   sp-5/0/0 {
       services-options {
           syslog {
               host local {
                   services any;
                   log-prefix XXXXXXXX;
               }
           }
       }
       unit 0 {
           family inet;
           family inet6;
       }
   }

Configuring the NAT64 Pool


Step-by-Step Procedure

Use this procedure to configure the NAT64 router, Router R2, with the /96 prefix that represents IPv4 addresses in the IPv6 address space. IPv6 packets addressed to a destination address containing the /96 prefix are then routed to the IPv6 interface of the NAT router. You also configure one or more IPv4 transport addresses for the NAT pool. This example shows how to configure the network address translation for the IPv4 address 203.0.113.1/32. It also shows how to configure the IPv6 prefix 64:FF9B::/96.

1. Configure an IPv4 transport address for the pool at the [edit services nat pool pool-name] hierarchy level.

   [edit services nat]
   pool src-pool-nat64 {
       address 203.0.113.0/24;
       port automatic;
   }


2. Configure a NAT rule to translate the packets from the IPv6 network. NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule. In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address on the IPv6 network, 2001:DB8::1/128. The transport address configured in Step 1 is then specified for the translation using the /96 prefix. Configure the rule at the [edit services nat rule rule-name] hierarchy level as follows:

   [edit services nat]
   rule nat64 {
       match-direction input;
       term t1 {
           from {
               source-address {
                   2001:DB8::0/96;
               }
               destination-address {
                   64:FF9B::/96;
               }
           }
           then {
               translated {
                   source-pool src-pool-nat64;
                   destination-prefix 64:FF9B::/96;
                   translation-type {
                       stateful-nat64;
                   }
               }
           }
       }
   }

Configuring the Service Set


Step-by-Step Procedure

To configure the service set for the NAT service on Router R2, you must associate the previously configured rule (nat64) and service interface (sp-5/0/0) with the service set. You also include a system log configuration. To configure these settings at the [edit services service-set service-set-name] hierarchy level:

1. Configure the system log.

   [edit services service-set set_0]
   syslog {
       host local {
           services any;
           log-prefix XXXSVC-SETYYY;
       }
   }


2. Associate the NAT rule and the service interface with the service set at the [edit services service-set service-set-name] hierarchy level.

   [edit services]
   service-set set_0 {
       nat-rules nat64;
       interface-service {
           service-interface sp-5/0/0;
       }
   }

3. On Router R2, commit the configuration.

   user@R2# commit check
   configuration check succeeds
   user@R2# commit

Verifying NAT64 Operation


You can use the following features to verify your NAT64 configuration:

CLI commands on the router
Logging

You can also use a test tool that can generate IPv6 flows directed to the MX Series router, using the well-known prefix (64:FF9B::/96) as the destination. NAT64-related commands leverage the existing commands for NAPT44. Among others, you can use the following CLI commands to verify your NAT64 configuration:

show services stateful-firewall flows
show services stateful-firewall conversations
show services nat pool detail
show services stateful-firewall statistics extensive

In this example:

In the input direction, the IPv4 destination address is extracted from the IPv6 destination address whose prefix matches the configured destination-prefix; the bits that follow the configured prefix length are the IPv4 address. In the reverse (output) direction, the IPv4 address is appended to the destination-prefix at the specified prefix length.
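The /96 mapping described above, as an added example that is not part of the original guide: a Python check that applies the destination-prefix (64:FF9B::/96) and source pool (203.0.113.0/24) from this configuration to flow lines in the format of show services stateful-firewall flows, and reports any flow whose NAT addresses do not agree with the prefix or whose translated source is outside the pool. The flow lines are constructed (the third is deliberately wrong), and the function and variable names are assumptions.

```python
import ipaddress
import re

# Values taken from the example configuration: the destination-prefix of
# rule nat64 and the address of pool src-pool-nat64.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
SOURCE_POOL = ipaddress.IPv4Network("203.0.113.0/24")


def ipv4_from_nat64(addr, prefix=NAT64_PREFIX):
    """Input direction: the IPv4 destination is the 32 bits that follow the
    /96 destination-prefix. Returns None when the address is outside the
    prefix (traffic the NAT64 rule would not match) or is not IPv6."""
    try:
        v6 = ipaddress.IPv6Address(addr)
    except ipaddress.AddressValueError:
        return None
    if prefix.prefixlen != 96 or v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def nat64_from_ipv4(addr, prefix=NAT64_PREFIX):
    """Output direction: the IPv4 address is appended to the /96 prefix."""
    v4 = ipaddress.IPv4Address(addr)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def split_endpoint(token):
    """Split an 'address:port' token as printed by the flows command; the
    port is always the text after the last colon, for IPv4 and IPv6 alike."""
    addr, port = token.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


# Flow line: "<proto> <src> -> <dst> <state> <dir>"; NAT detail lines follow it.
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s+([IO])$")
NAT_RE = re.compile(r"^NAT (source|dest)\s+(\S+)\s*->\s*(\S+)$")


def parse_flows(text):
    """Group each flow line with its NAT source and NAT dest lines."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            proto, src, dst, state, direction = m.groups()
            flows.append({"proto": proto, "src": src, "dst": dst,
                          "state": state, "dir": direction, "nat": {}})
            continue
        m = NAT_RE.match(line)
        if m and flows:
            kind, before, after = m.groups()
            flows[-1]["nat"][kind] = (split_endpoint(before), split_endpoint(after))
    return flows


def check_flows(text, prefix=NAT64_PREFIX, pool=SOURCE_POOL):
    """Return a list of problems; an empty list means every flow's NAT
    addresses agree with the /96 mapping and translated sources come from the pool."""
    problems = []
    for f in parse_flows(text):
        label = f"{f['proto']} {f['src']} -> {f['dst']} ({f['dir']})"
        src_map, dst_map = f["nat"].get("source"), f["nat"].get("dest")
        if src_map is None or dst_map is None:
            problems.append(f"{label}: incomplete NAT detail")
            continue
        if f["dir"] == "I":
            # IPv6 client -> IPv4 server: the IPv6 destination must embed the
            # IPv4 destination, and the new source must come from the pool.
            (v6_dst, _), (v4_dst, _) = dst_map
            if ipv4_from_nat64(v6_dst, prefix) != v4_dst:
                problems.append(f"{label}: {v6_dst} does not embed {v4_dst}")
            v4_src = src_map[1][0]
            if v4_src not in pool:
                problems.append(f"{label}: translated source {v4_src} not in pool")
        else:
            # IPv4 server -> IPv6 client: the server address must be re-embedded
            # under the prefix on the way back.
            (v4_src, _), (v6_src, _) = src_map
            if nat64_from_ipv4(v4_src, prefix) != v6_src:
                problems.append(f"{label}: {v4_src} not embedded as {v6_src}")
    return problems


# Constructed sample in the format of show services stateful-firewall flows;
# the third flow is deliberately inconsistent so that the check flags it.
SAMPLE_FLOWS = """\
TCP 2001:db8::4:1160 ->64:ff9b::c000:201:80 Forward I
    NAT source 2001:db8::4:1160 -> 203.0.113.1:1420
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1413 Forward O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21286
    NAT dest 203.0.113.1:1413 -> 2001:db8::4:1167
TCP 2001:db8::3:1123 ->64:ff9b::c000:201:80 Forward I
    NAT source 2001:db8::3:1123 -> 203.0.113.1:1385
    NAT dest 64:ff9b::c000:201:80 -> 198.51.100.7:80
"""

if __name__ == "__main__":
    for problem in check_flows(SAMPLE_FLOWS):
        print(problem)
```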

To confirm the NAT64 configuration, perform these tasks:

Display NAT64 Flows on page 235
Display NAT64 Conversations on page 236
Display Global NAT Pool-Related Statistics on page 237
Check System Logs on page 237
Verify That NAT64 Conversations Take Place on page 238

Display NAT64 Flows


Purpose

Display and verify that the NAT64 flows are created and contain correct network address translation. To display the NAT64 flows on Router R2, use the show services stateful-firewall flows command.

Action

user@R2> show services stateful-firewall flows
Interface: sp-5/0/0, Service set: set_0
Flow                                            State    Dir  Frm count
TCP 2001:db8::4:1160 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::4:1160 -> 203.0.113.1:
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 2001:db8::2:1166 -> 64:ff9b::c000:201:80    Forward
    NAT source 2001:db8::2:1166 -> 203.0.113.1:1420
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1413            Forward
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21286
    NAT dest 203.0.113.1:1413 -> 2001:db8::4:1167
TCP 2001:db8::3:1123 -> 64:ff9b::c000:201:80    Forward
    NAT source 2001:db8::3:1123 -> 203.0.113.1:1385
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1376            Forward
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1376 -> 2001:db8::3:1120
TCP 2001:db8::3:1136 -> 64:ff9b::c000:201:80    Forward
    NAT source 2001:db8::3:1136 -> 203.0.113.1:1424
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 2001:db8::4:1146 -> 64:ff9b::c000:201:80    Forward
    NAT source 2001:db8::4:1146 -> 203.0.113.1:1350
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 2001:db8::3:1110 -> 64:ff9b::c000:201:80    Forward
    NAT source 2001:db8::3:1110 -> 203.0.113.1:1346
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1428            Forward
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1428 -> 2001:db8::4:1172
TCP 192.0.2.1:80 -> 203.0.113.1:1393            Forward
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
    NAT dest 203.0.113.1:1393 -> 2001:db8::2:1157
TCP 192.0.2.1:80 -> 203.0.113.1:1346            Forward
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1346 -> 2001:db8::3:1110
TCP 2001:db8::2:1148 -> 64:ff9b::c000:201:80    Forward
    NAT source 2001:db8::2:1148 -> 203.0.113.1:1366
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1363            Forward

Meaning

In the sample output, the NAT source and NAT destination addresses of the Input (I) and Output (O) directions are displayed. The NAT64 flows listed in this output are in no specific order.


Display NAT64 Conversations


Purpose

Display and verify that the NAT64 conversations (collections of related flows) are correct. To display NAT64 conversations on Router R2, use the show services stateful-firewall conversations command. In contrast to the flows command, which reports all flows in no specific order, the output of the conversations command groups the flows that belong to a conversation, for easy troubleshooting of communication between a specific pair of hosts.

Action

user@R2> show services stateful-firewall conversations
Interface: sp-5/0/0, Service set: set_0
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::3:1188 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::3:1188 -> 203.0.113.1:1580
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1580            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21303
    NAT dest 203.0.113.1:1580 -> 2001:db8::3:1188
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::4:1213 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::4:1213 -> 203.0.113.1:1551
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1551            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1551 -> 2001:db8::4:1213
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::3:1169 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::3:1169 -> 203.0.113.1:1523
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1523            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
    NAT dest 203.0.113.1:1523 -> 2001:db8::3:1169
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::2:1233 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::2:1233 -> 203.0.113.1:1621
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1621            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1621 -> 2001:db8::2:1233
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::2:1218 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::2:1218 -> 203.0.113.1:1575
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1575            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1575 -> 2001:db8::2:1218
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::4:1220 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::4:1220 -> 203.0.113.1:1572
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1572            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
    NAT dest 203.0.113.1:1572 -> 2001:db8::4:1220
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                            State    Dir  Frm count
TCP 2001:db8::2:1211 -> 64:ff9b::c000:201:80    Forward  I    5
    NAT source 2001:db8::2:1211 -> 203.0.113.1:1554
    NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1554            Forward  O
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21286
    NAT dest 203.0.113.1:1554 -> 2001:db8::2:1211

Meaning

The sample output displays the NAT64 conversations between specific pairs of hosts.

Display Global NAT Pool-Related Statistics


Purpose

Display and verify global NAT statistics related to pool usage. To display global NAT pool-related statistics on Router R2, use the show services nat pool detail command. You normally use this command in conjunction with the show services stateful-firewall flows command used in Display NAT64 Flows on page 235, which displays the source and output of the translation.

Action

user@R2> show services nat pool detail
Interface: sp-5/0/0, Service set: set_0
  NAT pool: src-pool-nat64, Translation type: dynamic
    Address range: 203.0.113.1-203.0.113.254
    Port range: 512-65535, Ports in use: 102, Out of port errors: 0, Max ports used: 192
  NAT pool: _jpool_nat64_t1_, Translation type: static
    Address range: 0.100.255.155-0.100.255.154

Meaning

The sample output displays relevant statistics and information about the NAT64 pools.

Check System Logs


Purpose

Check the system logs, because the system creates detailed logs as sessions are created and deleted.


Action

When a session is created based on the example setup, two logs are provided. The first log indicates the rule and term that the packet matched. The second log indicates the flow creation.

user@R2> show log messages
Oct 21 22:14:14 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: any, ge-1/3/5.0:2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, creating forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1

When the sessions end, the system creates a log indicating the NAT pool address and port release in addition to the delete flow log, as follows:

Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]:ASP_NAT_POOL_RELEASE: natpool release 203.0.113.1:1593[1]
Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_DELETE_FLOW: proto 6 (TCP) application: any, (null)(null)2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, deleting forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1

Meaning

The sample output displays the log messages that can be seen when a session is created and when a session ends.
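Pairing the ASP_SFW_CREATE_ACCEPT_FLOW and ASP_NAT_POOL_RELEASE messages shown above, as an added example (Python; not part of the original guide): it records which IPv6 client held each translated address:port and for how long, which is what an operator needs when a pool address is later reported for abuse, because the pool hands the same port to another client after release. The log lines are constructed in the example's format (the last one is added to show port reuse), and the function names are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the format of the example's syslog output (service set
# set_0, log-prefix XXXSVC-SETYYY); the last line is added to show the same
# translated port being handed to a second client after the first release.
SAMPLE_LOG = """\
Oct 21 22:14:14 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: any, ge-1/3/5.0:2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, creating forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1
Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]:ASP_NAT_POOL_RELEASE: natpool release 203.0.113.1:1593[1]
Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_DELETE_FLOW: proto 6 (TCP) application: any, (null)(null)2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, deleting forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1
Oct 21 22:15:02 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: any, ge-1/3/5.0:2001:db8:0:0:0:0:0:2:1030 -> 64:ff9b:0:0:0:0:c000:201:80, creating forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# Flow creation: interface:client:port -> dest:port, then the translated tuple.
CREATE_RE = re.compile(
    TS + r".*ASP_SFW_CREATE_ACCEPT_FLOW: proto (?P<proto>\d+) \((?P<pname>\w+)\)"
    r" application: \S+, (?P<ifl>[^:\s]+):(?P<src>\S+) -> (?P<dst>\S+),"
    r".*source address and port translate to (?P<xlated>\S+)"
    r" ; destination address translates to (?P<v4dst>\S+)")
# Pool release of a translated address:port (trailing "[n]" is dropped).
RELEASE_RE = re.compile(
    TS + r".*ASP_NAT_POOL_RELEASE: natpool release (?P<xlated>[^\[\s]+)")


def parse_ts(text):
    """Syslog timestamps carry no year; strptime's default year keeps the
    ordering within a single capture."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def build_mappings(log_text):
    """Pair each flow-creation message with the later pool release of the
    same translated address:port. Each record says which IPv6 client (and
    client port) held the tuple from start until end (None while open)."""
    open_by_xlated = {}
    records = []
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            client, client_port = m["src"].rsplit(":", 1)
            rec = {
                "translated": m["xlated"],
                # normalised to compressed form, e.g. 2001:db8::1
                "client": str(ipaddress.IPv6Address(client)),
                "client_port": int(client_port),
                "server": m["v4dst"],
                "start": parse_ts(m["ts"]),
                "end": None,
            }
            open_by_xlated[m["xlated"]] = rec
            records.append(rec)
            continue
        m = RELEASE_RE.search(line)
        if m and m["xlated"] in open_by_xlated:
            open_by_xlated.pop(m["xlated"])["end"] = parse_ts(m["ts"])
    return records


def who_used(records, translated, at):
    """Return (client, client_port) that held `translated` at time `at`, or
    None. The time bound matters: after ASP_NAT_POOL_RELEASE the pool can
    hand the same address:port to a different client."""
    for rec in records:
        if rec["translated"] != translated:
            continue
        if rec["start"] <= at and (rec["end"] is None or at < rec["end"]):
            return rec["client"], rec["client_port"]
    return None


if __name__ == "__main__":
    for rec in build_mappings(SAMPLE_LOG):
        end = rec["end"].time() if rec["end"] else "open"
        print(rec["translated"], "->", rec["client"], rec["client_port"],
              rec["start"].time(), end)
```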

Verify That NAT64 Conversations Take Place


Purpose

Verify that the NAT64 conversations are taking place. Current support for application-layer gateway (ALG) is limited to ICMP and traceroute. To verify that the NAT64 conversations are occurring on Router R2, use the show services stateful-firewall conversations command. The following is sample output for an ICMP echo test (ping).

Action

user@R2> show services stateful-firewall conversations
Interface: sp-5/0/0, Service set: set_0
Conversation: ALG protocol: icmpv6
  Number of initiators: 1, Number of responders: 1
Flow                                       State   Dir  Frm count
ICMPV6 2001:db8::2 -> 64:ff9b::c000:201    Watch   I    21
    NAT source 2001:db8::2 -> 203.0.113.1
    NAT dest 64:ff9b::c000:201 -> 192.0.2.1
ICMP 192.0.2.1 -> 203.0.113.1              Watch        21
    NAT source 192.0.2.1 -> 64:ff9b::c000:201
    NAT dest 203.0.113.1 -> 2001:db8::2

Meaning

The sample output displays the results of the ICMP echo test.

Related Documentation

Stateful NAT64 Overview
Example: Configuring Dual-Stack Lite for IPv6 Access


CHAPTER 11

Summary of Carrier-Grade NAT Configuration Statements


The following sections explain each of the Network Address Translation (NAT) statements. The statements are organized alphabetically.

address

Syntax
    address ip-prefix</prefix-length>;

Hierarchy Level
    [edit services nat pool nat-pool-name]

Release Information
    Statement introduced before Junos OS Release 7.4. prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the NAT pool prefix value.

Options
    prefix: Specify an IPv4 or IPv6 prefix value.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Addresses and Ports for Use in NAT Rules on page 151


address-allocation

Syntax
    address-allocation round-robin;

Hierarchy Level
    [edit services nat pool pool-name]

Release Information
    Statement introduced in Junos OS Release 11.2.

Description
    When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Addresses and Ports for Use in NAT Rules on page 151

address-pooling

Syntax
    address-pooling paired;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in JUNOS Release 10.1.

Description
    Specify the NAT address pooling behavior.

Options
    paired: Currently, the only valid setting; specifies paired address pooling behavior.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159


address-range

Syntax
    address-range low minimum-value high maximum-value;

Hierarchy Level
    [edit services nat pool nat-pool-name]

Release Information
    Statement introduced before Junos OS Release 7.4. minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the NAT pool address range.

Options
    minimum-value: Lower boundary for the IPv4 or IPv6 address range.
    maximum-value: Upper boundary for the IPv4 or IPv6 address range.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Addresses and Ports for Use in NAT Rules on page 151

application-sets

Syntax
    application-sets set-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more target application sets.

Options
    set-name: Name of the target application set.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in NAT Rules on page 158


applications

Syntax
    applications [ application-names ];

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more application protocols to which the NAT services apply.

Options
    application-name: Name of the target application.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in NAT Rules on page 158

destination-address

Syntax
    destination-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.6. address option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address for rule matching.

Options
    address: Destination IPv4 or IPv6 address or prefix value.
    any-unicast: Any unicast packet.
    except: (Optional) Prevent the specified address, prefix, or unicast packets from being translated.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in NAT Rules on page 158


destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address range for rule matching.

Options
    minimum-value: Lower boundary for the IPv4 or IPv6 address range.
    maximum-value: Upper boundary for the IPv4 or IPv6 address range.
    except: (Optional) Prevent the specified address range from being translated.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in NAT Rules on page 158

destination-pool

Syntax
    destination-pool nat-pool-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the destination address pool for translated traffic.

Options
    nat-pool-name: Destination pool name.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159


destination-port range

Syntax
    destination-port range high | low;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the destination port range for rule matching.

Options
    high: Upper limit of port range for matching.
    low: Lower limit of port range for matching.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Port Forwarding for Static Destination Address Translation on page 179

destination-prefix

Syntax
    destination-prefix destination-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 7.6. destination-prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination prefix for translated traffic.

Options
    destination-prefix: IPv4 or IPv6 destination prefix value.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159


destination-prefix-list

Syntax
    destination-prefix-list list-name <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name: Destination prefix list.
    except: (Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in NAT Rules on page 158
    Junos OS Routing Policy Configuration Guide

destined-port

Syntax
    destined-port port id;

Hierarchy Level
    [edit services nat port-forwarding map-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the port from which traffic is to be forwarded.

Options
    port id: The destination port number from which traffic is forwarded.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    port-forwarding on page 255
    translated-port on page 266


dns-alg-pool

Syntax
    dns-alg-pool dns-alg-pool;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 10.4.

Description
    Specify the Network Address Translation (NAT) pool for destination translation.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

dns-alg-prefix

Syntax
    dns-alg-prefix dns-alg-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 10.4.

Description
    Set the Domain Name System (DNS) application-level gateway (ALG) 96-bit prefix for mapping IPv4 addresses to IPv6 addresses.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

filtering-type

Syntax
    filtering-type endpoint-independent;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in JUNOS Release 10.1.

Description
    Specify the NAT filtering behavior for sessions initiated from outside to inside.

Options
    endpoint-independent: Currently, the only valid setting; specifies endpoint-independent filtering behavior.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159


from

Syntax
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
    }

Hierarchy Level
    [edit services nat rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify input conditions for the NAT term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring NAT Rules on page 156


hint

Syntax
    hint [ hint-strings ];

Hierarchy Level
    [edit services nat pool nat-pool-name pgcp]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure a hint that enables the border gateway function (BGF) to choose a NAT pool by direction rather than by virtual interface. The BGF matches the configured hint with a termination hint located in the Direction field of a nonstandard termination ID.

Default
    When no hint is configured, the BGF can choose any NAT pool associated with the virtual interface.

Options
    hint-string: Alphanumeric string of up to three characters that the BGF uses to match with a termination hint located in the Direction field of a nonstandard termination ID. You can also include underscores (_) and hyphens (-) within the string. To specify a list of hints, use the format [ hint xx hint yy ].

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Border Control Solutions Guide Using BGF and IMSG


ipv6-multicast-interfaces

Syntax
    ipv6-multicast-interfaces (all | interface-name) {
        disable;
    }

Hierarchy Level
    [edit services nat],
    [edit services softwire]

Release Information
    Statement introduced in Junos OS Release 9.1.

Description
    Enable multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery.

Options
    all: Enable filters on all interfaces.
    disable: Disable filters on the specified interfaces.
    interface-name: Enable filters on a specific interface only.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring IPv6 Multicast Filters on page 151
    Configuring IPv6 Multicast Interfaces on page 868

mapping-type

Syntax
    mapping-type endpoint-independent;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in JUNOS Release 10.1.

Description
    Specify the source NAT mapping type.

Options
    endpoint-independent: Currently, the only valid setting; specifies endpoint-independent mapping behavior.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159


match-direction

Syntax
    match-direction (input | output);

Hierarchy Level
    [edit services nat rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the direction in which the rule match is applied.

Options
    input: Apply the rule match on input.
    output: Apply the rule match on output.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring NAT Rules on page 156

no-translation

Syntax
    no-translation;

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 7.6.

Description
    Specify that traffic is not to be translated.

Options
    none

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159


overload-pool

Syntax
    overload-pool overload-pool-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 7.6.

Description
    Specify an address pool that can be used if the source pool becomes exhausted.

Options
    overload-pool-name: Name of the overload pool.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Actions in NAT Rules on page 159

overload-prefix

Syntax
overload-prefix overload-prefix;

Hierarchy Level
[edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced in Junos OS Release 7.6.

Description
Specify the prefix that can be used if the source pool becomes exhausted.

Options
overload-prefix: Prefix value.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Actions in NAT Rules on page 159

pgcp

Syntax
pgcp {
    hint [ hint-strings ];
    ports-per-session ports;
    remotely-controlled;
    transport [ transport-protocols ];
}

Hierarchy Level
[edit services nat pool nat-pool-name]

Release Information
Statement introduced in Junos OS Release 8.4. remotely-controlled and ports-per-session statements added in Junos OS Release 8.5. hint statement added in Junos OS Release 9.0.

Description
Specify that the NAT pool is used exclusively by the BGF.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

pool

Syntax
pool nat-pool-name {
    address ip-prefix</prefix-length>;
    address-allocation round-robin;
    address-range low minimum-value high maximum-value;
    mapping-timeout seconds;
    pgcp {
        hint [ hint-strings ];
        ports-per-session ports;
        remotely-controlled;
        transport [ transport-protocols ];
    }
    port (automatic | range low minimum-value high maximum-value) {
        preserve-parity;
        preserve-range;
        secured-port-block-allocation {
            active-block-timeout timeout-seconds;
            block-size block-size;
            max-blocks-per-user max-blocks;
        }
    }
}

Hierarchy Level
[edit services nat]

Release Information
Statement introduced before Junos OS Release 7.4. pgcp statement added in Junos OS Release 8.4. remotely-controlled and ports-per-session statements added in Junos OS Release 8.5. hint statement added in Junos OS Release 9.0. address-allocation statement added in Junos OS Release 11.2.

Description
Specify the NAT pool name and properties.

Options
nat-pool-name: Identifier for the NAT address pool.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Addresses and Ports for Use in NAT Rules on page 151

port

Syntax
port (automatic | range low minimum-value high maximum-value) {
    preserve-parity;
    preserve-range;
    secured-port-block-allocation {
        active-block-timeout timeout-seconds;
        block-size block-size;
        max-blocks-per-user max-blocks;
    }
}

Hierarchy Level
[edit services nat pool nat-pool-name]

Release Information
port statement introduced before Junos OS Release 7.4. random-allocation statement introduced in Junos OS Release 9.3.

Description
Specify the NAT pool port or port range. You can configure an automatically assigned port or specify a range with minimum and maximum values.

Options
automatic: Router-assigned port.
minimum-value: Lower boundary for the port range.
maximum-value: Upper boundary for the port range.
preserve-parity: Allocate ports with the same parity as the original port.
preserve-range: Preserve the privileged port range after translation.

Other options are described separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Addresses and Ports for Use in NAT Rules on page 151

port-forwarding

Syntax
port-forwarding map-name {
    destined-port;
    translated-port;
}

Hierarchy Level
[edit services nat]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Specify the mapping for port forwarding.

Options
map-name: Identifier for the port forwarding map.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

port-forwarding-mappings

Syntax
port-forwarding-mappings map-name;

Hierarchy Level
[edit services nat rule rule-name term term-name then]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Specify the name of the port forwarding mapping used in a Network Address Translation configuration.

Options
map-name: Identifier for the port forwarding mapping.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

ports-per-session

Syntax
ports-per-session ports;

Hierarchy Level
[edit services nat pool nat-pool-name pgcp]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Configure the number of ports required to support Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP), Real-Time Streaming Protocol (RTSP), and forward error correction (FEC) for voice and video flows on the Multiservices PIC.

Options
number-of-ports: Number of ports to enable: 2, or 4 for combined voice and video services.
Default: 2

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

remotely-controlled

Syntax
remotely-controlled;

Hierarchy Level
[edit services nat pool nat-pool-name pgcp]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Configure the addresses and ports in a NAT pool to be remotely controlled by the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

rule

Syntax
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
        }
        then {
            no-translation;
            translated {
                address-pooling paired;
                destination-pool nat-pool-name;
                destination-prefix destination-prefix;
                dns-alg-pool dns-alg-pool;
                dns-alg-prefix dns-alg-prefix;
                filtering-type endpoint-independent;
                mapping-type endpoint-independent;
                overload-pool overload-pool;
                overload-prefix overload-prefix;
                source-pool nat-pool-name;
                source-prefix source-prefix;
                translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
            }
            syslog;
        }
    }
}

Hierarchy Level
[edit services nat],
[edit services nat rule-set rule-set-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the rule the router uses when applying this service.

Options
rule-name: Identifier for the collection of terms that make up this rule.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring NAT Rules on page 156

rule-set

Syntax
rule-set rule-set-name {
    [ rule rule-names ];
}

Hierarchy Level
[edit services nat]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the rule set the router uses when applying this service.

Options
rule-set-name: Identifier for the collection of rules that constitute this rule set.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring NAT Rule Sets on page 161

secured-port-block-allocation

Syntax
secured-port-block-allocation {
    active-block-timeout timeout-seconds;
    block-size block-size;
    max-blocks-per-user max-blocks;
}

Hierarchy Level
[edit services nat pool pool-name port]

Release Information
Statement introduced in Junos OS Release 11.2.

Description
When you use block allocation, one or more blocks of ports in a NAT pool address range are available for assignment to a subscriber.

Options
block-size: Number of ports included in a block.
    Default: 128
    Range: 64 to 64,512
max-blocks: Maximum number of blocks that can be allocated to a user.
    Default: 8
    Range: 1 to 2,048
timeout-seconds: Interval, in seconds, during which a block is active. After the timeout, a new block is allocated even if ports are still available in the active block.
    Default: 0 (infinite). In this case, the active block transitions to inactive only when it runs out of ports and a new block is allocated. Any inactive block with no ports in use is freed to the NAT pool.
    Range: Any value greater than or equal to 120

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Addresses and Ports for Use in NAT Rules on page 151
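The block allocation behavior described above, modelled as an added Python example (this is not Juniper code and not part of the guide): it carries the statement's three knobs with the documented defaults and ranges, and shows why one log record per block, rather than one per session, is enough to trace a public address and port back to a subscriber. Class and function names are the example's own, and all addresses are constructed.

```python
"""Model of secured port-block allocation for one CGN pool address.

Added example, not Juniper code: it simulates what the secured-port-block-allocation
statement describes, with the same knobs (block-size, max-blocks-per-user,
active-block-timeout) and the documented defaults and ranges, so the effect on log
volume and on tracing a public ip:port back to a subscriber can be seen offline.
All names are the example's own; addresses are constructed.
"""


class PortBlockPool:
    """One public address whose port space is carved into fixed-size blocks."""

    def __init__(self, public_ip, block_size=128, max_blocks_per_user=8,
                 active_block_timeout=0, port_low=1024, port_high=65535):
        # Documented ranges: 64..64,512; 1..2,048; 0 (infinite) or >= 120 seconds.
        if not 64 <= block_size <= 64512:
            raise ValueError("block-size out of range")
        if not 1 <= max_blocks_per_user <= 2048:
            raise ValueError("max-blocks-per-user out of range")
        if active_block_timeout != 0 and active_block_timeout < 120:
            raise ValueError("active-block-timeout must be 0 or >= 120")
        self.public_ip = public_ip
        self.max_blocks_per_user = max_blocks_per_user
        self.active_block_timeout = active_block_timeout
        self.free_blocks = [(p, p + block_size - 1)
                            for p in range(port_low, port_high - block_size + 2, block_size)]
        self.user_blocks = {}   # private ip -> [(low, high, allocated_at), ...]
        self.used_ports = {}    # private ip -> set of public ports in use
        self.log = []           # one record per block allocation, not per session

    def _active_block(self, user, now):
        blocks = self.user_blocks.get(user)
        if not blocks:
            return None
        low, high, t0 = blocks[-1]
        # A non-zero timeout retires the block even while it still has free ports;
        # with the default 0 it is retired only once every port in it is in use.
        if self.active_block_timeout and now - t0 >= self.active_block_timeout:
            return None
        in_use = sum(1 for p in self.used_ports[user] if low <= p <= high)
        return None if in_use == high - low + 1 else blocks[-1]

    def allocate_port(self, user, now=0):
        """Public (ip, port) for a new session of `user`, or None when the session is refused."""
        blk = self._active_block(user, now)
        if blk is None:
            blocks = self.user_blocks.setdefault(user, [])
            if len(blocks) >= self.max_blocks_per_user or not self.free_blocks:
                return None      # per-user quota or pool exhausted
            low, high = self.free_blocks.pop(0)
            blk = (low, high, now)
            blocks.append(blk)
            self.used_ports.setdefault(user, set())
            self.log.append((now, user, self.public_ip, low, high))
        low, high, _ = blk
        for port in range(low, high + 1):
            if port not in self.used_ports[user]:
                self.used_ports[user].add(port)
                return (self.public_ip, port)
        return None

    def attribute(self, public_ip, port):
        """Trace a public ip:port (for example from an abuse report) to the subscriber
        using only the per-block log, which is what makes block logging sufficient."""
        for _, user, ip, low, high in self.log:
            if ip == public_ip and low <= port <= high:
                return user
        return None


def demo():
    pool = PortBlockPool("203.0.113.10")                 # constructed pool address
    # Subscriber 10.0.0.5 opens 200 sessions: 128 fill the first block, 72 spill into a second.
    ports = [pool.allocate_port("10.0.0.5") for _ in range(200)]
    for _ in range(3):                                   # subscriber 10.0.0.6 opens three sessions
        pool.allocate_port("10.0.0.6")
    return {
        "sessions": sum(p is not None for p in ports),
        "log_records": len(pool.log),                    # 3 block records instead of 203 session records
        "owner_of_1100": pool.attribute("203.0.113.10", 1100),
        "owner_of_1300": pool.attribute("203.0.113.10", 1300),
    }
```

With active-block-timeout left at its default of 0, a subscriber receives a new block only when the current one is full, so the log grows with blocks rather than sessions; setting a timeout of 120 seconds or more makes the model hand out a fresh block after that interval even when ports remain, exactly the trade-off the option description states.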

services

Syntax
services nat { ... }

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the service rules to be applied to traffic.

Options
nat: Identifies the set of NAT rule statements.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Network Address Translation

source-address

Syntax
source-address (address | any-unicast) <except>;

Hierarchy Level
[edit services nat rule rule-name term term-name from]

Release Information
Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.6. address option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
Specify the source address for rule matching.

Options
address: Source IPv4 or IPv6 address or prefix value.
any-unicast: Any unicast packet.
except: (Optional) Prevent the specified address or unicast packets from being translated.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Match Conditions in NAT Rules on page 158

source-address-range

Syntax
source-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
[edit services nat rule rule-name term term-name from]

Release Information
Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
Specify the source address range for rule matching.

Options
minimum-value: Lower boundary for the IPv4 or IPv6 address range.
maximum-value: Upper boundary for the IPv4 or IPv6 address range.
except: (Optional) Prevent the specified address range from being translated.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Match Conditions in NAT Rules on page 158

source-pool

Syntax
source-pool nat-pool-name;

Hierarchy Level
[edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the source address pool for translated traffic.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Actions in NAT Rules on page 159

source-prefix

Syntax
source-prefix source-prefix;

Hierarchy Level
[edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced in Junos OS Release 7.6. source-prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
Specify the source prefix for translated traffic.

Options
source-prefix: IPv4 or IPv6 source prefix value.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Actions in NAT Rules on page 159

source-prefix-list

Syntax
source-prefix-list list-name <except>;

Hierarchy Level
[edit services nat rule rule-name term term-name from]

Release Information
Statement introduced in Junos OS Release 8.2.

Description
Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
list-name: Source prefix list.
except: (Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Match Conditions in NAT Rules on page 158
Junos OS Routing Policy Configuration Guide

syslog

Syntax
syslog;

Hierarchy Level
[edit services nat rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Enable system logging. The system log information from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Actions in NAT Rules on page 159

term

Syntax
term term-name {
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
    }
    then {
        no-translation;
        translated {
            address-pooling paired;
            destination-pool nat-pool-name;
            destination-prefix destination-prefix;
            dns-alg-pool dns-alg-pool;
            dns-alg-prefix dns-alg-prefix;
            filtering-type endpoint-independent;
            mapping-type endpoint-independent;
            source-pool nat-pool-name;
            source-prefix source-prefix;
            translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
        }
        syslog;
    }
}

Hierarchy Level
[edit services nat rule rule-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the NAT term properties.

Options
term-name: Identifier for the term.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring NAT Rules on page 156

then

Syntax
then {
    no-translation;
    translated {
        address-pooling paired;
        destination-pool nat-pool-name;
        destination-prefix destination-prefix;
        dns-alg-pool dns-alg-pool;
        dns-alg-prefix dns-alg-prefix;
        filtering-type endpoint-independent;
        mapping-type endpoint-independent;
        source-pool nat-pool-name;
        source-prefix source-prefix;
        translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
    }
    syslog;
}

Hierarchy Level
[edit services nat rule rule-name term term-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the NAT term actions. The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring NAT Rules on page 156

translated-port

Syntax
translated-port port id;

Hierarchy Level
[edit services nat port-forwarding map-name]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Specify the port to which all traffic will be translated.

Options
port id: The port number to which traffic will be translated.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
port-forwarding on page 255
destined-port on page 245

translated

Syntax
translated {
    address-pooling paired;
    destination-pool nat-pool-name;
    dns-alg-pool dns-alg-pool;
    dns-alg-prefix dns-alg-prefix;
    filtering-type endpoint-independent;
    mapping-type endpoint-independent;
    source-pool nat-pool-name;
    translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
}

Hierarchy Level
[edit services nat rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define properties for translated traffic. The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Actions in NAT Rules on page 159

translation-type

Syntax
translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);

Hierarchy Level
[edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced before Junos OS Release 7.4. The following options were introduced in Junos OS Release 11.2, replacing all previous options: basic-nat44, basic-nat66, basic-nat-pt, dnat-44, dynamic-nat44, napt-44, napt-66, napt-pt, stateful-nat64. The twice-basic-nat-44, twice-dynamic-nat-44, and twice-napt-44 options were introduced in Junos OS Release 11.4.

Description
Specify the NAT translation type.

Options
basic-nat44: Translate the source address statically (IPv4 to IPv4).
basic-nat66: Translate the source address statically (IPv6 to IPv6).
basic-nat-pt: Translate the addresses of IPv6 hosts as they originate sessions to IPv4 hosts in the external domain. The basic-nat-pt option is always implemented with DNS ALG.
dnat-44: Translate the destination address statically (IPv4 to IPv4).
dynamic-nat44: Translate only the source address, dynamically choosing the NAT address from the source address pool.
napt-44: Translate the transport identifier of the IPv4 private network to a single IPv4 external address.
napt-66: Translate the transport identifier of the IPv6 private network to a single IPv6 external address.
napt-pt: Bind addresses in an IPv6 network with addresses in an IPv4 network and vice versa to provide transparent routing for datagrams traversing between the address realms.
stateful-nat64: Implement dynamic address and port translation for source IP addresses (IPv6 to IPv4) and prefix-removal translation for destination IP addresses (IPv6 to IPv4).
twice-basic-nat-44: Translate the source and destination addresses statically (IPv4 to IPv4).
twice-dynamic-nat-44: Translate the source address by dynamically choosing the NAT address from the source address pool; translate the destination address statically.
twice-napt-44: Translate the transport identifier of the IPv4 private network to a single IPv4 external address; translate the destination address statically.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Actions in NAT Rules on page 159
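An added Python model (not Juniper code and not part of this guide) of how the terms of a NAT rule select a translation and what the basic-nat44, dynamic-nat44 and napt-44 types do to a packet, bringing together the except match option, the overload-pool fallback and the endpoint-independent mapping-type from the entries earlier in this chapter. It assumes first-match term evaluation and the per-type behaviors stated in its docstring; all addresses, pool names and term names are constructed.

```python
"""Model of a CGN rule: ordered terms, source-address matching with `except`,
and what translation-type, mapping-type and overload-pool do to a packet.
Added example, not Juniper code. It assumes first-match term evaluation,
basic-nat44 as nth-host-to-nth-pool-address, dynamic-nat44 as one leased
address per private host, napt-44 with endpoint-independent mapping keyed on
(src, sport) only, and overload-pool fallback with port translation when the
dynamic pool is exhausted. All addresses and names are constructed.
"""
import ipaddress


class Pool:
    """NAT pool: address leases for dynamic-nat44, port mappings for napt-44."""
    def __init__(self, name, addresses, port_low=1024, port_high=65535):
        self.name, self.addresses, self.free = name, list(addresses), list(addresses)
        self.leases, self.mappings = {}, {}   # private ip -> public ip; (private ip, port) -> (public ip, port)
        self.port_high, self.next_port = port_high, {a: port_low for a in addresses}

    def lease_address(self, src):
        """dynamic-nat44: one whole public address per private host; None when exhausted."""
        if src not in self.leases:
            if not self.free:
                return None
            self.leases[src] = self.free.pop(0)
        return self.leases[src]

    def map_port(self, src, sport):
        """napt-44, mapping-type endpoint-independent: the key is (src, sport) only."""
        key = (src, sport)
        if key not in self.mappings:
            for pub in self.addresses:        # fill one address before moving to the next
                if self.next_port[pub] <= self.port_high:
                    self.mappings[key] = (pub, self.next_port[pub])
                    self.next_port[pub] += 1
                    break
            else:
                return None                   # every port on every address is in use
        return self.mappings[key]


class Term:
    """One term: `from` source prefixes (with optional except) and the `then` action."""
    def __init__(self, name, source_addresses=(), except_addresses=(), translation_type=None,
                 source_pool=None, overload_pool=None, no_translation=False):
        self.name, self.translation_type, self.no_translation = name, translation_type, no_translation
        self.prefixes = [ipaddress.ip_network(a) for a in source_addresses]
        self.excluded = [ipaddress.ip_network(a) for a in except_addresses]
        self.source_pool, self.overload_pool = source_pool, overload_pool

    def matches(self, src):
        ip = ipaddress.ip_address(src)
        if any(ip in n for n in self.excluded):   # `except` removes the prefix from the match
            return False
        return not self.prefixes or any(ip in n for n in self.prefixes)


def apply_rule(terms, src, sport, dst):
    """Return (term name, (public ip, public port)); the tuple is None when the session is
    refused. `dst` is carried but never enters a mapping key: that is endpoint-independent."""
    for term in terms:
        if not term.matches(src):
            continue
        if term.no_translation:
            return term.name, (src, sport)
        if term.translation_type == "basic-nat44":
            offset = int(ipaddress.ip_address(src)) - int(term.prefixes[0].network_address)
            if offset >= len(term.source_pool.addresses):   # pool smaller than the matched prefix
                return term.name, None
            return term.name, (term.source_pool.addresses[offset], sport)
        if term.translation_type == "dynamic-nat44":
            pub = term.source_pool.lease_address(src)
            if pub is not None:
                return term.name, (pub, sport)
            ovl = term.overload_pool                  # source pool exhausted: overload pool or refuse
            return term.name, (ovl.map_port(src, sport) if ovl is not None else None)
        if term.translation_type == "napt-44":
            return term.name, term.source_pool.map_port(src, sport)
        raise ValueError(f"translation-type {term.translation_type} not modelled here")
    return None, (src, sport)                         # no term matched: forwarded untranslated


def demo():
    rule = [
        Term("t-static", ["10.1.1.0/31"], translation_type="basic-nat44",
             source_pool=Pool("p-static", ["203.0.113.80", "203.0.113.81"])),
        Term("t-dynamic", ["10.2.0.0/16"], except_addresses=["10.2.99.0/24"],
             translation_type="dynamic-nat44", source_pool=Pool("p-dyn", ["203.0.113.90"]),
             overload_pool=Pool("p-ovl", ["203.0.113.99"])),
        Term("t-napt", ["10.0.0.0/8"], translation_type="napt-44",
             source_pool=Pool("p-napt", ["203.0.113.100"])),
        Term("t-untouched", no_translation=True),          # catch-all `no-translation`
    ]
    peer = "198.51.100.1"
    return {"static": apply_rule(rule, "10.1.1.1", 40000, peer),
            "dynamic": apply_rule(rule, "10.2.5.5", 40000, peer),
            "overload": apply_rule(rule, "10.2.5.6", 40000, peer),        # p-dyn already leased out
            "excepted": apply_rule(rule, "10.2.99.7", 40000, peer),       # skips t-dynamic
            "eim_a": apply_rule(rule, "10.3.3.3", 5000, peer),
            "eim_b": apply_rule(rule, "10.3.3.3", 5000, "198.51.100.2"),  # same mapping, new peer
            "other": apply_rule(rule, "192.168.1.1", 40000, peer)}
```

The two eim_ results are the point of the mapping-type entry: the same internal address and port gets the same external address and port for every peer, so the operator only has to log one mapping per internal ip:port. The overload result shows the one-address dynamic pool running out and the term falling back to port translation on the overload pool instead of refusing the session.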

transport

Syntax
transport [ transport-protocols ];

Hierarchy Level
[edit services nat pool nat-pool-name pgcp]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Configure the BGF to select a NAT pool based on transport protocol type.

Options
[ transport-protocol ]: One or more transport protocols.
    Values: rtp-avp, tcp, udp
    Syntax: One or more protocols. If you specify more than one protocol, you must enclose all protocols in brackets.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

use-dns-map-for-destination-translation

Syntax
use-dns-map-for-destination-translation;

Hierarchy Level
[edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced in Junos OS Release 10.4.

Description
Enable the Domain Name System (DNS) application-level gateway (ALG) address map for destination translation.

NOTE: This statement is deprecated and might be removed completely in a future release.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

CHAPTER 12

Load Balancing Configuration Guidelines

Currently, most router services are provisioned using service sets in Junos OS. Each service set directs traffic to a single preconfigured services PIC, which leads to inefficient use of networking resources within a system. Load balancing resolves this situation by distributing ingress and egress traffic across multiple services PICs. Load balancing works by hashing each packet and then redirecting the packet to the appropriate services PIC. Load balancing can be accomplished only on MX Series 3D Universal Edge routers, because services PICs require symmetric hashing to ensure that ingress and egress traffic are directed properly.

Configuring Load Balancing on AMS Infrastructure on page 271
Example: Configuring Static Source Translation on AMS Infrastructure on page 273

Configuring Load Balancing on AMS Infrastructure

Configuring load balancing requires an aggregated Multiservices (AMS) system. AMS groups several Multiservices PICs together. An AMS configuration eliminates the need for separate routers within a system. The primary benefit of an AMS configuration is the ability to load balance traffic across multiple services PICs. Starting with Junos OS 11.4, high availability (HA) is supported on AMS infrastructure on all MX Series 3D Universal Edge routers. AMS has several benefits:

Support for configuring behavior if a Multiservices PIC that is part of the AMS configuration fails
Support for specifying hash keys for each service set in either direction
Support for adding routes to individual PICs within the AMS system

Configuring AMS Infrastructure

AMS supports load balancing across multiple service sets. All ingress or egress traffic for a service set can be load balanced across different services PICs. To enable load balancing, you configure an aggregated interface made up of existing services interfaces. To configure failure behavior in AMS, include the member-failure-options statement:

[edit interfaces ams1]
load-balancing-options {
    member-failure-options {
        drop-member-traffic {
            rejoin-timeout rejoin-timeout;
        }
        redistribute-all-traffic {
            enable-rejoin;
        }
    }
}

If a PIC fails, the traffic to the failed PIC can be redistributed by using the redistribute-all-traffic statement at the [edit interfaces interface-name load-balancing-options member-failure-options] hierarchy level. If the drop-member-traffic statement is used, all traffic to the failed PIC is dropped. The two options are mutually exclusive.

NOTE: If member-failure-options is not explicitly configured, the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

Only mams- interfaces (services interfaces that are part of AMS) can be aggregated. After an AMS interface has been configured, the constituent mams- interfaces cannot be configured individually. A mams- interface cannot be used as an rms interface. AMS supports only IPv4; the inet6 family is not supported. Addresses cannot be configured on an AMS interface. Network Address Translation (NAT) is the only application that runs on AMS infrastructure at this time.

NOTE: Unit 0 on an AMS interface cannot be configured.

To support multiple applications and different types of translation, AMS infrastructure supports configuring hashing for each service set. The hash keys can be configured separately for ingress and egress. The default configuration uses the source IP address, destination IP address, and protocol for hashing; incoming-interface for ingress and outgoing-interface for egress are also available.

Configuring High Availability

In an AMS system configured with high availability, a designated Multiservices PIC acts as a backup for the other active PICs that are part of the AMS system. Presently, only N:1 backup for high availability is supported; one PIC is available as the backup for all other active PICs. High availability for load balancing is configured by adding the high-availability-options statement at the [edit interfaces interface-name load-balancing-options] hierarchy level. To configure high availability, include the high-availability-options statement:

[edit interfaces ams1]
load-balancing-options {
    high-availability-options {
        many-to-one {
            preferred-backup preferred-backup;
        }
    }
}

Load Balancing Network Address Translation Flows

Starting with Junos OS Release 11.4, Network Address Translation (NAT) is implemented as a plug-in and is a function of load balancing and high availability. The plug-in runs on AMS infrastructure. All flows for translation are automatically distributed to the different services PICs that are part of the AMS infrastructure. If an active Multiservices PIC fails, the configured backup Multiservices PIC will take over the NAT pool resources of the failed PIC. The hashing method selected depends on the type of NAT. Using NAT on AMS infrastructure has a few limitations:

NAT flows to failed PICs cannot be restored.
There is no support for IPv6 flows.
Twice NAT is not supported for load balancing.

See Example: Configuring Static Source Translation on AMS Infrastructure on page 273 for more details on configuring NAT flows for load balancing.

Example: Configuring Static Source Translation on AMS Infrastructure

This example shows a static source translation configured on an AMS interface. With this configuration, the flows are load balanced across the member interfaces. Configure the AMS interface ams0 with load balancing options.

[edit interfaces ams0]
load-balancing-options {
    member-interface mams-5/0/0;
    member-interface mams-5/1/0;
}
unit 1 {
    family inet;
}
unit 2 {
    family inet;
}

Configure hashing for the service set for both ingress and egress traffic.

[edit services service-set ss1]
interface-service {
    service-interface ams0.1;
    load-balancing-options {
        hash-keys {
            ingress-key destination-ip;
            egress-key source-ip;
        }
    }
}

NOTE: Hashing is determined based on whether the service set is applied on the ingress or egress interface.

Configure two NAT pools, because you have configured two member interfaces for the AMS interface.

[edit services]
nat {
    pool p1 {
        address-range low 20.1.1.80 high 20.1.1.80;
    }
    pool p2 {
        address 20.1.1.81/32;
    }
}

Configure the NAT rule and translation.

[edit services]
nat {
    rule r1 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    20.1.1.2/32;
                }
            }
            then {
                translated {
                    source-pool p1;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
        term t2 {
            from {
                source-address {
                    40.1.1.2/32;
                }
            }
            then {
                translated {
                    source-pool p2;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}

NOTE: A similar configuration can be applied for the translation types dynamic-nat44 and napt-44. Twice NAT cannot run on AMS infrastructure at this time.
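Why the example's service set hashes on destination-ip for ingress and on source-ip for egress, as an added Python model that is not part of this guide or of Juniper's software: it hashes each direction of a flow onto the two member interfaces from the example and compares that key choice with a non-symmetric one, then shows what drop-member-traffic and redistribute-all-traffic do when a member fails. The hash function, the peer addresses and the failure-policy model are assumptions of the example.

```python
"""Model of how a service set's hash keys spread NAT flows over AMS members,
and why the ingress and egress keys in the example above are different fields.

Added example, not Juniper code. It assumes that each direction of a flow is
hashed onto a member PIC by one key field (the ingress-key / egress-key of the
service set), that a static source NAT rewrites the source address on the way
out so the reply comes back addressed to the pool address, and that a failed
member's traffic is handled by whichever member-failure-options policy is set.
The hash function, the peer addresses and the names are constructed.
"""
import zlib

MEMBERS = ["mams-5/0/0", "mams-5/1/0"]          # the member interfaces of ams0 in the example
FIELD = {"source-ip": "src", "destination-ip": "dst"}


def pick_member(key_value, members):
    """Deterministic hash of the selected key field onto the given members."""
    return members[zlib.crc32(key_value.encode()) % len(members)]


def member_for(packet, direction, hash_keys, members=MEMBERS):
    """Member for one packet; hash_keys maps 'ingress'/'egress' to the key field used."""
    return pick_member(packet[FIELD[hash_keys[direction]]], members)


def flow_pair(private_ip, pool_ip, peer_ip):
    """Forward packet entering the service set and the reply returning to it. Static
    source NAT has replaced private_ip with pool_ip, so the reply carries pool_ip as dst;
    the peer address is the one field that is the same in both directions."""
    return {"src": private_ip, "dst": peer_ip}, {"src": peer_ip, "dst": pool_ip}


def symmetric_fraction(hash_keys, n_flows=64):
    """Fraction of flows whose forward and reply packets land on the same member.
    With ingress-key destination-ip and egress-key source-ip both hash the peer: 1.0."""
    same = 0
    for i in range(n_flows):
        fwd, rep = flow_pair("20.1.1.2", "20.1.1.80", f"198.51.100.{i + 1}")   # constructed peers
        same += member_for(fwd, "ingress", hash_keys) == member_for(rep, "egress", hash_keys)
    return same / n_flows


def dispatch(packet, direction, hash_keys, failed, policy):
    """Apply member-failure-options. redistribute-all-traffic rehashes over the surviving
    members; drop-member-traffic keeps the original hash and drops what lands on a failed
    PIC. In both cases the NAT state the failed PIC held is lost (flows are not restored)."""
    if policy == "redistribute-all-traffic":
        active = [m for m in MEMBERS if m not in failed]
        return member_for(packet, direction, hash_keys, active) if active else None
    if policy == "drop-member-traffic":
        member = member_for(packet, direction, hash_keys)
        return None if member in failed else member
    raise ValueError(f"unknown member-failure-options policy {policy}")


SYMMETRIC = {"ingress": "destination-ip", "egress": "source-ip"}    # the example's service set
ASYMMETRIC = {"ingress": "source-ip", "egress": "source-ip"}        # a mistaken choice, for contrast
```

With the example's key pair every flow's two directions reach the same member, because the only field a source NAT leaves unchanged in both directions is the peer address, and the pair selects exactly that field on each side; hashing source-ip in both directions sends roughly half of the replies to the PIC that holds no state for them. In this model a translation that rewrites both addresses would leave no field that is the same in both directions, which is consistent with the chapter's note that twice NAT is not load balanced.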

Related Documentation

Configuring Load Balancing on AMS Infrastructure on page 271


CHAPTER 13

Summary of Load Balancing Configuration Statements


The following sections explain each of the load balancing and aggregated Multiservices (AMS) statements. The statements are organized alphabetically.

drop-member-traffic (Aggregated Multiservices)


Syntax
drop-member-traffic { rejoin-timeout rejoin-timeout; } [edit interfaces interface-name load-balancing-options member-failure-options]

Hierarchy Level Release Information Description

Statement introduced in Junos OS Release 11.4. Specify whether the broadband gateway should drop traffic to a Multiservices PIC when it fails. For many-to-one (N:1) high availability (HA) for service applications like Network Address Translation (NAT), this configuration is valid only when two or more Multiservices PICs have failed. The remaining statement is explained separately.

Default

If this statement is not configured, then the default behavior is to drop member traffic with a rejoin timeout of 120 seconds. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.

Required Privilege Level Related Documentation

member-failure-options (Aggregated Multiservices) on page 283


enable-rejoin (Aggregated Multiservices)

Syntax
    enable-rejoin;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options redistribute-all-traffic]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Enable the failed member to rejoin the aggregated Multiservices (AMS) interface after the member comes back online. For many-to-one (N:1) high availability (HA) for service applications like Network Address Translation (NAT), this configuration allows the failed members to rejoin the pool of active members automatically.

Default
    If you do not configure this option, then the failed members do not automatically rejoin the ams interface even after coming back online.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    redistribute-all-traffic (Aggregated Multiservices) on page 286

family (Aggregated Multiservices)

Syntax
    family family;

Hierarchy Level
    [edit interfaces interface-name unit interface-unit-number]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure protocol family information for the logical interface.

Options
    family: Protocol family. Currently, only one option, inet (IP version 4 suite), is supported.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    unit (Aggregated Multiservices) on page 287


high-availability-options (Aggregated Multiservices)

Syntax
    high-availability-options {
        many-to-one {
            preferred-backup preferred-backup;
        }
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the high availability options for the aggregated Multiservices (AMS) interface. For service applications, if only the load-balancing feature is being used, then this configuration is optional. For many-to-one (N:1) high availability support for service applications like Network Address Translation (NAT), the preferred backup Multiservices PIC, in hot standby mode, backs up one or more (N) active Multiservices PICs.

    NOTE: In both cases, if one of the active Multiservices PICs goes down, then the backup replaces it as the active Multiservices PIC. When the failed PIC comes back up, it becomes the new backup. This is called floating backup.

    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    load-balancing-options on page 281


interfaces (Aggregated Multiservices)

Syntax
    interfaces interface-name {
        load-balancing-options {
            high-availability-options {
                many-to-one {
                    preferred-backup preferred-backup;
                }
            }
            member-failure-options {
                drop-member-traffic {
                    rejoin-timeout rejoin-timeout;
                }
                redistribute-all-traffic {
                    enable-rejoin;
                }
            }
            member-interface interface-name;
        }
        unit interface-unit-number {
            family family;
        }
    }

Hierarchy Level
    [edit]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the aggregated Multiservices (AMS) interface. The AMS interface provides the infrastructure for load balancing and high availability (HA).

    NOTE: The interfaces must be valid aggregated Multiservices interfaces (ams), for example, ams0 or ams1, and so on. The ams infrastructure is supported only in chassis with Trio-based modules and Multiservices Dense Port Concentrators (MS-DPCs).

    The remaining statements are explained separately.

Options
    interface-name: Name of the aggregated Multiservices interface (ams), for example, ams0 or ams1, and so on.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Load Balancing on AMS Infrastructure on page 271


load-balancing-options (Aggregated Multiservices)

Syntax
    load-balancing-options {
        high-availability-options {
            many-to-one {
                preferred-backup preferred-backup;
            }
        }
        member-failure-options {
            drop-member-traffic {
                rejoin-timeout rejoin-timeout;
            }
            redistribute-all-traffic {
                enable-rejoin;
            }
        }
        member-interface interface-name;
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the high availability (HA) options for the aggregated Multiservices (AMS) interface. Many-to-one (N:1) high availability mode for service applications like Network Address Translation (NAT) is supported. In this case, one Multiservices PIC is the backup (in hot standby mode) for one or more (N) active Multiservices PICs. If one of the active Multiservices PICs goes down, then the backup replaces it as the active Multiservices PIC. When the failed PIC comes back online, it becomes the new backup. This is called floating backup mode. The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    interfaces on page 280


many-to-one (Aggregated Multiservices)

Syntax
    many-to-one {
        preferred-backup preferred-backup;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options high-availability-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the initial preferred backup for the aggregated Multiservices (AMS) interface.

    NOTE: The preferred backup must be one of the member interfaces (mams) that have already been configured at the [edit interfaces interface-name load-balancing-options] hierarchy level. Even in the case of mobile control plane redundancy, which is one-to-one (1:1), the initial preferred backup is configured at this hierarchy level.

    The remaining statements are explained separately.

Options
    preferred-backup preferred-backup: Name of the preferred backup member interface. The member interface format is mams-a/b/0, where a is the Flexible PIC Concentrator (FPC) slot number and b is the PIC slot number.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    high-availability-options (Aggregated Multiservices) on page 279


member-failure-options (Aggregated Multiservices)

Syntax
    member-failure-options {
        drop-member-traffic {
            rejoin-timeout rejoin-timeout;
        }
        redistribute-all-traffic {
            enable-rejoin;
        }
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the possible behavior for the aggregated Multiservices (AMS) interface in case of failure of more than one active member.

    NOTE: The drop-member-traffic configuration and the redistribute-all-traffic configuration are mutually exclusive.

    Table 11 on page 283 displays the behavior of the member interface after the failure of the first Multiservices PIC. Table 12 on page 284 displays the behavior of the member interface after the failure of two Multiservices PICs.

    NOTE: The AMS infrastructure has been designed to handle one failure automatically. However, in the unlikely event that more than one Multiservices PIC fails, the AMS infrastructure provides configuration options to minimize the impact on existing traffic flows.

    Table 11: Behavior of Member Interface After One Multiservices PIC Fails

        High Availability Mode: Many-to-one (N:1) high availability support for service applications
        Member Interface Behavior: Automatically handled by the AMS infrastructure

    Table 12: Behavior of Member Interface After Two Multiservices PICs Fail

        High Availability Mode: Many-to-one (N:1) high availability support for service applications
        Configuration: drop-member-traffic
        rejoin-timeout: Configured
        Behavior when member rejoins before rejoin-timeout expires: The existing traffic for the second failed member will not be redistributed to the other members. The first member to rejoin becomes an active member. The second member to rejoin becomes the backup. This behavior is handled automatically by the AMS infrastructure.
        Behavior when member rejoins after rejoin-timeout expires: The existing traffic for the second failed member will not be redistributed to the other members. The first member will rejoin the AMS automatically. However, the other members who are rejoining will be moved to the discard state.

        High Availability Mode: Many-to-one (N:1) high availability support for service applications
        Configuration: redistribute-all-traffic
        rejoin-timeout: Not applicable
        Behavior (before and after rejoin): Before rejoin, the traffic is redistributed to existing active members. After a failed member rejoins, the traffic is load-balanced afresh. This may impact existing traffic flows.

    The remaining statements are explained separately.

Default
    If member-failure-options are not configured, then the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    load-balancing-options (Aggregated Multiservices) on page 281
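The following Python model is an added illustration of the Table 12 behaviors, not Juniper code: it walks a hypothetical 3:1 bundle (members mams-1/0/0 through mams-4/0/0, with mams-4/0/0 as the preferred backup, and a constructed flow-to-member hash) through two failures under each member-failure-options setting and reports how many flows stayed put, moved to another member, or were dropped. Where the table leaves a detail open (how the first member back after a double failure reclaims the dropped flows, and that a member returning after rejoin-timeout is measured from the second failure), the model's choice is marked as an assumption in the comments.

```python
"""Toy model of AMS many-to-one (N:1) member failure handling.
Constructed illustration of the member-failure-options behaviors in Table 12;
not Juniper code, and it does not reproduce the PIC's real hashing or timers."""


class AmsModel:
    """An ams bundle: N active members, one hot-standby backup, and pinned flows."""

    def __init__(self, members, preferred_backup, mode, rejoin_timeout=120,
                 enable_rejoin=False, flows=60):
        if mode not in ("drop-member-traffic", "redistribute-all-traffic"):
            raise ValueError("mode must be one of the two member-failure-options")
        self.mode = mode
        self.rejoin_timeout = rejoin_timeout   # seconds; used by drop-member-traffic
        self.enable_rejoin = enable_rejoin     # used by redistribute-all-traffic
        self.size = len(members)               # N active members plus one backup
        self.active = [m for m in members if m != preferred_backup]
        self.backup = preferred_backup         # the floating backup
        self.failed_at = {}                    # member -> time it failed
        self.discard = set()                   # members moved to the discard state
        self.drop_started = None               # when a second failure began dropping traffic
        self.flows = list(range(flows))
        self.owner = self._hash(self.active)   # flow -> member it is pinned to
        self.initial = dict(self.owner)
        self.log = []

    def _hash(self, members):
        # Constructed stand-in for the PIC's load-balancing hash (assumption).
        return {f: members[f % len(members)] for f in self.flows}

    def fail(self, member, t):
        self.active.remove(member)
        self.failed_at[member] = t
        if self.backup is not None:
            # First failure: the hot standby replaces the failed PIC and inherits its flows.
            self.active.append(self.backup)
            self.owner = {f: self.backup if m == member else m for f, m in self.owner.items()}
            self.log.append(f"t={t}: {member} failed; {self.backup} is now active")
            self.backup = None
        elif self.mode == "redistribute-all-traffic":
            # Second failure: all flows are spread over the remaining active members.
            self.owner = self._hash(self.active)
            self.log.append(f"t={t}: {member} failed; its flows were redistributed")
        else:
            # Second failure under drop-member-traffic: its flows stay pinned and are dropped.
            self.drop_started = t
            self.log.append(f"t={t}: {member} failed; its flows are being dropped")

    def rejoin(self, member, t):
        if self.mode == "redistribute-all-traffic" and not self.enable_rejoin:
            self.log.append(f"t={t}: {member} is back but does not rejoin (no enable-rejoin)")
            return                              # without enable-rejoin it stays out
        del self.failed_at[member]
        if len(self.active) == self.size - 2:
            # First member back after a double failure rejoins as active in both modes.
            self.active.append(member)
            if self.mode == "redistribute-all-traffic":
                self.owner = self._hash(self.active)   # load-balanced afresh
            else:
                # Assumption: the returning member picks up the flows that were being dropped.
                self.owner = {f: member if m not in self.active else m
                              for f, m in self.owner.items()}
            self.log.append(f"t={t}: {member} rejoined as an active member")
        elif (self.mode == "drop-member-traffic" and self.drop_started is not None
              and t - self.drop_started > self.rejoin_timeout):
            # A later member back after rejoin-timeout expired goes to the discard state.
            self.discard.add(member)
            self.log.append(f"t={t}: {member} rejoined late; moved to discard state")
        else:
            # The bundle already has N actives: the returning member becomes the backup.
            self.backup = member
            self.log.append(f"t={t}: {member} rejoined as the floating backup")

    def impact(self):
        """Flows still on their original member, moved to another active member, or dropped."""
        dropped = sum(1 for m in self.owner.values() if m not in self.active)
        moved = sum(1 for f, m in self.owner.items()
                    if m in self.active and m != self.initial[f])
        return {"intact": len(self.flows) - dropped - moved, "moved": moved, "dropped": dropped}


def run_scenario(mode, rejoins, rejoin_timeout=120, enable_rejoin=False):
    """3:1 bundle: mams-1/0/0 fails at t=0, mams-2/0/0 at t=10, then members rejoin."""
    ams = AmsModel(["mams-1/0/0", "mams-2/0/0", "mams-3/0/0", "mams-4/0/0"],
                   preferred_backup="mams-4/0/0", mode=mode,
                   rejoin_timeout=rejoin_timeout, enable_rejoin=enable_rejoin)
    ams.fail("mams-1/0/0", 0)
    ams.fail("mams-2/0/0", 10)
    after_double_failure = ams.impact()
    for member, t in rejoins:
        ams.rejoin(member, t)
    return after_double_failure, ams.impact(), ams


if __name__ == "__main__":
    for mode, rejoins in (("drop-member-traffic", [("mams-2/0/0", 30), ("mams-1/0/0", 40)]),
                          ("drop-member-traffic", [("mams-1/0/0", 200), ("mams-2/0/0", 210)])):
        before, after, ams = run_scenario(mode, rejoins)
        print(mode, before, "->", after, *ams.log, sep="\n  ")
```

Running the redistribute-all-traffic scenario with enable_rejoin=True shows the "load-balanced afresh" cost: no flow is dropped, but every flow ends up on a different member than it started on.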


member-interface (Aggregated Multiservices)

Syntax
    member-interface interface-name;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the member interfaces for the aggregated Multiservices (AMS) interface. You can configure multiple interfaces by specifying each interface in a separate statement. For high availability service applications like Network Address Translation (NAT) that support many-to-one (N:1) redundancy, you can specify two or more interfaces.

    NOTE: The member interfaces that you specify must be members of aggregated Multiservices interfaces (mams-).

    The remaining statements are explained separately.

Options
    interface-name: Name of the member interface. The member interface format is mams-a/b/0, where a is the Flexible PIC Concentrator (FPC) slot number and b is the PIC slot number.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    load-balancing-options (Aggregated Multiservices) on page 281


redistribute-all-traffic (Aggregated Multiservices)

Syntax
    redistribute-all-traffic {
        enable-rejoin;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Enable the option to redistribute traffic of a failed active member to the other active members. For many-to-one (N:1) high availability support for Network Address Translation (NAT), the traffic for the failed member is automatically redistributed to the other active members. The remaining statement is explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    member-failure-options (Aggregated Multiservices) on page 283

rejoin-timeout (Aggregated Multiservices)

Syntax
    rejoin-timeout rejoin-timeout;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options drop-member-traffic]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the time by which a failed member should rejoin the aggregated Multiservices (AMS) interface automatically. If the failed member does not rejoin by the configured time, then the member is moved to the inactive state and the traffic meant for this member is dropped. If you do not configure a value, the default value of 120 seconds is used.

Options
    rejoin-timeout: Time, in seconds, by which a failed member must rejoin.

Default
    120 seconds

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    drop-member-traffic (Aggregated Multiservices) on page 277


unit (Aggregated Multiservices)

Syntax
    unit interface-unit-number {
        family family;
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the logical interface on the physical device. You must configure a logical interface to be able to use the physical device. The remaining statements are explained separately.

Options
    interface-unit-number: Number of the logical unit.
    Range: 1 through 16,384

    NOTE: Unit 0 is reserved and cannot be configured under the aggregated Multiservices interface (ams).

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    interfaces on page 280


CHAPTER 14

Intrusion Detection Service Configuration Guidelines


The Adaptive Services (AS) or Multiservices PIC supports a limited set of intrusion detection services (IDS) to perform attack detection. You can use IDS to perform the following tasks:

- Detect various types of denial-of-service (DoS) and directed denial-of-service (DDoS) attacks.
- Detect attempts at network scanning and probing.
- Detect anomalies in traffic patterns, such as sudden bursts or a decline in bandwidth.
- Prevent some types of attacks.
- Redirect attack traffic to a collector for analysis.
- Specify thresholds for limiting the number of flows, the packet rate, and the session rate.

IDS enables you to focus attack detection and remedial actions on specific hosts or networks that you specify in the IDS terms. Signature detection is not supported. To configure IDS, include the ids statement at the [edit services] hierarchy level:

[edit services]
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}

NOTE: The Junos OS uses stateful firewall settings as a basis for performing IDS. You must commit a stateful firewall configuration in the same service set for IDS to function properly.

This chapter contains the following sections:

- Configuring IDS Rules on page 291
- Configuring IDS Rule Sets on page 297
- Examples: Configuring IDS Rules on page 297


Configuring IDS Rules


IDS rules identify traffic for which you want the router software to count events. Because IDS is based on stateful firewall properties, you must configure at least one stateful firewall rule and include it in the service set with the IDS rules; for more information, see Configuring Stateful Firewall Rules on page 114. To configure an IDS rule, include the rule rule-name statement at the [edit services ids] hierarchy level:

[edit services ids]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            aggregation {
                destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value | source-prefix-ipv6 prefix-value;
            }
            (force-entry | ignore-entry);
            logging {
                syslog;
                threshold rate;
            }
            session-limit {
                by-destination {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-pair {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-source {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
            }
            syn-cookie {
                mss value;
                threshold rate;
            }
        }
    }
}

Each IDS rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

- from statement: Specifies the match conditions and applications that are included and excluded.
- then statement: Specifies the actions and action modifiers to be performed by the router software.

The following sections describe IDS rule content in more detail:

- Configuring Match Direction for IDS Rules on page 292
- Configuring Match Conditions in IDS Rules on page 293
- Configuring Actions in IDS Rules on page 294

Configuring Match Direction for IDS Rules


Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | input-output | output) statement at the [edit services ids rule rule-name] hierarchy level:

[edit services ids rule rule-name]
match-direction (input | output | input-output);

If you configure match-direction input-output, bidirectional rule creation is allowed.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it. With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.


Configuring Match Conditions in IDS Rules


To configure IDS match conditions, include the from statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

If you omit the from statement, the software accepts all events and places them in the IDS cache for processing. The source address and destination address can be either IPv4 or IPv6. You can use the destination address, a range of destination addresses, a source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos OS Routing Policy Configuration Guide. Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the IDS rule. For an example, see Examples: Configuring Stateful Firewall Rules on page 118. You can also include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Protocol Properties on page 72.

To apply one or more specific application protocol definitions, include the applications statement at the [edit services ids rule rule-name term term-name from] hierarchy level. To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services ids rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

If a match occurs on an application, the application protocol is displayed separately in the show services ids command output. For more information, see the Junos OS System Basics and Services Command Reference.


Configuring Actions in IDS Rules


To configure IDS actions, include the then statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
then {
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }
    (force-entry | ignore-entry);
    logging {
        syslog;
        threshold rate;
    }
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }
    syn-cookie {
        mss value;
        threshold rate;
    }
}

You can configure the following possible actions:

aggregation: The router aggregates traffic labeled with the specified source or destination prefixes before passing the events to IDS processing. This is helpful if you want to examine all the traffic connected with a particular source or destination host. To collect traffic with some other marker, such as a particular application or port, configure that value in the match conditions. To configure aggregation prefixes, include the aggregation statement at the [edit services ids rule rule-name term term-name then] hierarchy level and specify values for source-prefix, destination-prefix, source-prefix-ipv6, or destination-prefix-ipv6:

[edit services ids rule rule-name term term-name then]
aggregation {
    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
}

The value of source-prefix and destination-prefix must be an integer between 1 and 32. The value of source-prefix-ipv6 and destination-prefix-ipv6 must be an integer between 1 and 128.

(force-entry | ignore-entry): force-entry provides a permanent spot in IDS caches for subsequent events after one event is registered. By default, the IDS software does not record information about good packets that do not exhibit suspicious behavior. You can use the force-entry statement to record all traffic from a suspect host, even traffic that would not otherwise be counted.

ignore-entry ensures that all IDS events are ignored. You can use this statement to disregard all traffic from a host you trust, including any temporary anomalies that IDS would otherwise count as events. To configure an entry behavior different from the default, include the force-entry or ignore-entry statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
(force-entry | ignore-entry);

logging: The event is logged in the system log file. To configure logging, include the logging statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
logging {
    syslog;
    threshold rate;
}

You can optionally include a threshold rate to trigger the generation of system log messages. The threshold rate is specified in events per second. IDS logs are generated once every 60 seconds for each anomaly that is reported. The logs are generated as long as the events continue.

session-limit: The router limits open sessions when the specified threshold is reached. To configure a threshold, include the session-limit statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
session-limit {
    by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
    by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
    by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
}

You configure the thresholds for flow limitation based on traffic direction:

- To limit the number of outgoing sessions from one internal host or subnet, configure the by-source statement.
- To limit the number of sessions between a pair of IP addresses, subnets, or applications, configure the by-pair statement.
- To limit the number of incoming sessions to one external public IP address or subnet, configure the by-destination statement.

For each direction, you can configure the following threshold values:

- hold-time seconds: When the rate or packets measurement reaches the threshold value, stop all new flows for the specified number of seconds. Once hold-time is in effect, the traffic is blocked for the specified time even if the rate subsides below the specified limit. By default, hold-time has a value of 0; the range is 0 through 60 seconds.
- maximum number: Maximum number of open sessions per IP address or subnet per application. The range is 1 through 32,767.
- packets number: Maximum number of packets per second (pps) per IP address or subnet per application. The range is 4 through 2,147,483,647.
- rate number: Maximum number of sessions per second per IP address or subnet per application. The range is 4 through 32,767.

If you include more than one source address in the match conditions configured at the [edit services ids rule rule-name term term-name from] hierarchy level, limits are applied for each source address independently. For example, the following configuration allows 20 connections from each source address (10.1.1.1 and 10.1.1.2), not 20 connections total. The same logic applies to the applications and destination-address match conditions.

[edit services ids rule rule-name term term-name]
from {
    source-address 10.1.1.1;
    source-address 10.1.1.2;
}
then {
    session-limit {
        by-source {
            maximum 20;
        }
    }
}


NOTE: IDS limits are applied to packets that are accepted by stateful firewall rules. They are not applied to packets discarded or rejected by stateful firewall rules. For example, if the stateful firewall accepts 75 percent of the incoming traffic and the remaining 25 percent is rejected or discarded, the IDS limit applies only to 75 percent of the traffic.
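As an added example, not from the Junos documentation, the Python model below applies the session-limit semantics described above (maximum, rate, packets, hold-time, independent counters per source, pair and destination, and counting only packets the stateful firewall accepted) to constructed traffic. The addresses, the appl-ftp application name reused from this chapter's examples, and the threshold values are illustrative, and the one-second counting windows are the model's simplification.

```python
"""Model of the IDS session-limit thresholds (by-source, by-pair, by-destination).
Constructed illustration of how maximum, rate, packets and hold-time interact;
not Juniper code. Only packets the stateful firewall accepted are counted."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Thresholds:
    """One direction's session-limit statement; None means not configured."""
    maximum: Optional[int] = None   # open sessions per address/subnet per application
    rate: Optional[int] = None      # new sessions per second per address per application
    packets: Optional[int] = None   # packets per second per address per application
    hold_time: int = 0              # seconds new flows stay blocked once rate/packets trips


class SessionLimiter:
    def __init__(self, by_source=None, by_pair=None, by_destination=None):
        self.directions = {"by-source": by_source, "by-pair": by_pair,
                           "by-destination": by_destination}
        self.open = defaultdict(int)          # key -> currently open sessions
        self.new_per_sec = defaultdict(int)   # (key, second) -> sessions opened
        self.pkts_per_sec = defaultdict(int)  # (key, second) -> packets counted
        self.held_until = {}                  # key -> time at which hold-time expires

    def _keys(self, src, dst, app):
        # Each configured direction keeps its own counters, so limits per source
        # (or per pair, or per destination) are applied independently of one another.
        by = {"by-source": (src, app), "by-pair": (src, dst, app), "by-destination": (dst, app)}
        return [((name,) + by[name], thr) for name, thr in self.directions.items() if thr]

    def _trip(self, key, t, thr):
        if thr.hold_time:
            self.held_until[key] = t + thr.hold_time

    def packet(self, t, src, dst, app, new_session=False, fw_accepted=True):
        """Classify one packet: 'fw-dropped', 'held', 'limited' or 'accepted'."""
        if not fw_accepted:
            return "fw-dropped"        # rejected by the stateful firewall: never reaches IDS
        sec, verdict = int(t), "accepted"
        for key, thr in self._keys(src, dst, app):
            if t < self.held_until.get(key, 0):
                verdict = "held"       # hold-time blocks new flows even after the rate subsides
                continue
            self.pkts_per_sec[(key, sec)] += 1
            if thr.packets is not None and self.pkts_per_sec[(key, sec)] > thr.packets:
                self._trip(key, t, thr)
                verdict = "limited"
            if new_session:
                if thr.maximum is not None and self.open[key] >= thr.maximum:
                    verdict = "limited"
                    continue
                self.new_per_sec[(key, sec)] += 1
                if thr.rate is not None and self.new_per_sec[(key, sec)] > thr.rate:
                    self._trip(key, t, thr)
                    verdict = "limited"
        if verdict == "accepted" and new_session:
            for key, _ in self._keys(src, dst, app):
                self.open[key] += 1
        return verdict

    def close(self, src, dst, app):
        """A session ended; free its slot against the maximum counters."""
        for key, _ in self._keys(src, dst, app):
            self.open[key] = max(0, self.open[key] - 1)


def per_source_maximum_demo():
    """The page's case: maximum 20 by-source admits 20 sessions from each source, not 20 total."""
    lim = SessionLimiter(by_source=Thresholds(maximum=20))
    return {src: sum(lim.packet(t, src, "192.0.2.10", "appl-ftp", new_session=True) == "accepted"
                     for t in range(25))              # 25 attempts, one per second
            for src in ("10.1.1.1", "10.1.1.2")}


def hold_time_demo():
    """rate 4 / hold-time 5: the fifth session in one second trips the limit, new flows
    from that source stay held for 5 s, and an unrelated source is unaffected."""
    lim = SessionLimiter(by_source=Thresholds(rate=4, hold_time=5))
    src, dst, app = "198.51.100.7", "192.0.2.10", "appl-ftp"
    burst = [lim.packet(0.1 * i, src, dst, app, new_session=True) for i in range(5)]
    quiet = lim.packet(3.0, src, dst, app, new_session=True)       # still inside hold-time
    later = lim.packet(6.0, src, dst, app, new_session=True)       # hold-time has expired
    other = lim.packet(3.0, "198.51.100.8", dst, app, new_session=True)
    return burst, quiet, later, other


def firewall_gating_demo():
    """Only firewall-accepted packets count: every fourth packet is rejected by the
    stateful firewall and does not advance the by-destination packets counter."""
    lim = SessionLimiter(by_destination=Thresholds(packets=3))
    return [lim.packet(0, f"203.0.113.{i}", "192.0.2.10", "appl-ftp", fw_accepted=i % 4 != 0)
            for i in range(8)]
```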

syn-cookie: The router activates SYN-cookie defensive mechanisms. To configure SYN-cookie values, include the syn-cookie statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
syn-cookie {
    mss value;
    threshold rate;
}

If you enable SYN-cookie defenses, you must include both a threshold rate to trigger SYN-cookie activity and a Transmission Control Protocol (TCP) maximum segment size (MSS) value for TCP delayed binding. The threshold rate is specified in SYN attacks per second. By default, the TCP MSS value is 1500; the range is from 128 through 8192.

Configuring IDS Rule Sets


The rule-set statement defines a collection of IDS rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services ids] hierarchy level with a rule statement for each rule:
[edit services ids]
rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.
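The following Python model, added here and not part of the Junos documentation, shows the processing order just described: direction gating by match-direction, the first matching term deciding, fallthrough to the next rule when no term matches, and the default drop. The simple_ids term is taken from the examples in this chapter; the catch_all rule, its address range and the sample packets are constructed, and the scope given to any-unicast is an assumption.

```python
"""Model of IDS rule-set evaluation: match-direction gating, from conditions
(including except and any-unicast), first matching term, default drop.
Constructed illustration; not Juniper code and not the PIC's matching engine."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    application: str   # application name the stateful firewall classified
    direction: str     # "input" or "output", as determined by the service set


def _addr_matches(addr, prefixes, addr_range):
    """No address condition means any address. An except entry excludes the
    address even when another entry includes it; any-unicast is modelled as
    any non-multicast address (assumption about its exact scope)."""
    if not prefixes and addr_range is None:
        return True
    ip = ipaddress.ip_address(addr)
    included = False
    for prefix, excluded in prefixes:
        if prefix == "any-unicast":
            hit = not ip.is_multicast
        else:
            hit = ip in ipaddress.ip_network(prefix, strict=False)
        if hit and excluded:
            return False
        included = included or hit
    if addr_range is not None:
        low, high = (ipaddress.ip_address(a) for a in addr_range)
        included = included or low <= ip <= high
    return included


@dataclass
class Term:
    name: str
    then: dict                                   # the term's actions, as a plain dict
    source_address: List[Tuple[str, bool]] = field(default_factory=list)       # (prefix, except)
    destination_address: List[Tuple[str, bool]] = field(default_factory=list)  # (prefix, except)
    source_address_range: Optional[Tuple[str, str]] = None                     # (low, high)
    applications: List[str] = field(default_factory=list)

    def matches(self, pkt):
        return (_addr_matches(pkt.src, self.source_address, self.source_address_range)
                and _addr_matches(pkt.dst, self.destination_address, None)
                and (not self.applications or pkt.application in self.applications))


@dataclass
class Rule:
    name: str
    match_direction: str                          # input | output | input-output
    terms: List[Term]

    def applies_to(self, pkt):
        return self.match_direction in (pkt.direction, "input-output")


def evaluate(rule_set, pkt):
    """Rules are tried in rule-set order; the first matching term decides and
    processing stops. A rule whose match-direction does not cover the packet's
    direction is skipped. With no match anywhere, the packet is dropped by default."""
    for rule in rule_set:
        if not rule.applies_to(pkt):
            continue
        for term in rule.terms:
            if term.matches(pkt):
                return rule.name, term.name, term.then
    return None, None, {"discard": True}


def example_rule_set():
    """simple_ids term 1 is the chapter's example; catch_all is constructed."""
    simple_ids = Rule("simple_ids", "input", [
        Term("1",
             then={"force-entry": True, "logging": {"threshold": 5, "syslog": True},
                   "syn-cookie": {"threshold": 10}},
             source_address=[("10.30.20.2/32", False)],
             destination_address=[("10.30.10.2/32", False), ("10.30.1.2/32", True)],
             applications=["appl-ftp"]),
    ])
    catch_all = Rule("catch_all", "input-output", [
        Term("default", then={"aggregation": {"source-prefix": 24}},
             source_address_range=("10.30.0.0", "10.30.255.255")),
    ])
    return [simple_ids, catch_all]


if __name__ == "__main__":
    rs = example_rule_set()
    for pkt in (Packet("10.30.20.2", "10.30.10.2", "appl-ftp", "input"),   # term 1
                Packet("10.30.20.2", "10.30.1.2", "appl-ftp", "input"),    # except -> catch_all
                Packet("10.30.20.2", "10.30.10.2", "appl-ftp", "output"),  # wrong direction
                Packet("192.0.2.5", "10.30.10.2", "appl-ftp", "input")):   # no match -> drop
        print(pkt, "->", evaluate(rs, pkt)[:2])
```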

Examples: Configuring IDS Rules


The following configuration adds a permanent entry to the IDS anomaly table when it encounters a flow with the destination address 10.410.6.2:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            destination-address 10.410.6.2/32;
        }
        then {
            force-entry;
            logging {
                threshold 1;
                syslog;
            }
        }
    }
    term default {
        then {
            aggregation {
                source-prefix 24;
            }
        }
    }
    match-direction input;
}

The IDS configuration works in conjunction with the stateful firewall mechanism and relies heavily on the anomalies reported by the stateful firewall. The following configuration example shows this relationship:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            source-address 10.30.20.2/32;
            destination-address {
                10.30.10.2/32;
                10.30.1.2/32 except;
            }
            applications appl-ftp;
        }
        then {
            force-entry;
            logging {
                threshold 5;
                syslog;
            }
            syn-cookie {
                threshold 10;
            }
        }
    }
    match-direction input;
}

The following example shows configuration of flow limits:


    [edit services ids]
    rule ids-all {
        match-direction input;
        term t1 {
            from {
                application-sets alg-set;
            }
            then {
                aggregation {
                    destination-prefix 30; /* IDS action aggregation */
                }
                logging {
                    threshold 10;
                }
                session-limit {
                    by-destination {
                        hold-time 0;
                        maximum 10;
                        packets 200;
                        rate 100;
                    }
                    by-pair {
                        hold-time 0;
                        maximum 10;
                        packets 200;
                        rate 100;
                    }
                    by-source {
                        hold-time 5;
                        maximum 10;
                        packets 200;
                        rate 100;
                    }
                }
            }
        }
    }
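The session-limit thresholds used above, replayed as an added simulation that is not code from this guide: a limiter keyed on the source address applies maximum open sessions, new sessions per second, and the hold-time during which all new flows from that source are refused once a threshold is exceeded. The packets threshold is omitted, and the source address and event timeline are constructed.

```python
from collections import defaultdict, deque

class SessionLimiter:
    """Model of one session-limit clause (by-source, by-destination or by-pair).

    Added example, not Juniper code. For a key such as a source address it applies
    'maximum' open sessions, 'rate' new sessions per second, and 'hold-time' seconds
    during which every new flow for that key is refused once a threshold is
    exceeded. 'packets' is left out: this model sees session events, not packets.
    """

    def __init__(self, maximum, rate, hold_time):
        self.maximum = maximum
        self.rate = rate
        self.hold_time = hold_time
        self.open_sessions = defaultdict(int)   # key -> currently open sessions
        self.recent_opens = defaultdict(deque)  # key -> open timestamps in last 1 s
        self.hold_until = {}                    # key -> time at which the hold expires

    def open_session(self, key, now):
        """Return True if a new session for key is admitted at time now (seconds)."""
        if self.hold_until.get(key, 0.0) > now:
            return False                        # still inside hold-time: refuse
        window = self.recent_opens[key]
        while window and now - window[0] >= 1.0:
            window.popleft()                    # keep only the last second
        if self.open_sessions[key] >= self.maximum or len(window) >= self.rate:
            if self.hold_time > 0:
                self.hold_until[key] = now + self.hold_time
            return False
        window.append(now)
        self.open_sessions[key] += 1
        return True

    def close_session(self, key):
        if self.open_sessions[key] > 0:
            self.open_sessions[key] -= 1


def by_source_demo():
    """Replay a constructed burst against the by-source values in the example
    above (maximum 10, rate 100, hold-time 5) and return the admit decisions."""
    limiter = SessionLimiter(maximum=10, rate=100, hold_time=5)
    src = "10.30.20.2"  # constructed source address
    # 10 sessions admitted at t=0; the 11th trips 'maximum' and starts the hold.
    decisions = [limiter.open_session(src, 0.0) for _ in range(11)]
    limiter.close_session(src)
    decisions.append(limiter.open_session(src, 2.0))  # refused: held until t=5
    decisions.append(limiter.open_session(src, 5.5))  # admitted: hold expired, 9 open
    return decisions
```

With hold-time 0, as in the by-destination and by-pair clauses above, only the offending flow is refused and the next flow under the thresholds is admitted again.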


CHAPTER 15

Summary of Intrusion Detection Service Configuration Statements


The following sections explain each of the intrusion detection service (IDS) statements. The statements are organized alphabetically.

aggregation

Syntax
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the type of data to be aggregated.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring IDS Rules on page 291.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


application-sets

Syntax
    application-sets set-name;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define one or more target application sets.
Options
    set-name: Name of the target application set.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

applications

Syntax
    applications [ application-names ];
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define one or more applications to which IDS applies.
Options
    application-name: Name of the target application.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


by-destination

Syntax
    by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Apply limit to sessions based on numbers generated from the configured destination (IP or subnet) or application.
Options
    hold-time seconds: Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number: Maximum number of open sessions per application or IP address.
    packets number: Maximum peak packets per second per application or IP address.
    rate number: Maximum number of sessions per second per application or IP address.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


by-pair

Syntax
    by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Apply limit to paired stateful firewall and NAT flows (forward and reverse).
Options
    hold-time seconds: Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number: Maximum number of open sessions per application or IP address.
    packets number: Maximum peak packets per second per application or IP address.
    rate number: Maximum number of sessions per second per application or IP address.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


by-source

Syntax
    by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Apply limit to sessions based on numbers generated from the configured source (IP or subnet) or application.
Options
    hold-time seconds: Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number: Maximum number of open sessions per application or IP address.
    packets number: Maximum peak packets per second per application or IP address.
    rate number: Maximum number of sessions per second per application or IP address.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination-address

Syntax
    destination-address (address | any-unicast) <except>;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced before Junos OS Release 7.4. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.
Description
    Specify the destination address for rule matching.
Options
    address: Destination IPv4 or IPv6 address or prefix value.
    any-unicast: Any unicast packet.
    except: (Optional) Exempt the specified address, prefix, or unicast packets from rule matching.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value <except>;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.
Description
    Specify the destination address range for rule matching.
Options
    minimum-value: Lower boundary for the IPv4 or IPv6 address range.
    maximum-value: Upper boundary for the IPv4 or IPv6 address range.
    except: (Optional) Exempt the specified address range from rule matching.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination-prefix

Syntax
    destination-prefix prefix-value;
Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the prefix value for destination IPv4 address aggregation.
Options
    prefix-value: Integer value.
    Range: 1 through 32
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

destination-prefix-ipv6

Syntax
    destination-prefix-ipv6 prefix-value;
Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]
Release Information
    Statement introduced in Junos OS Release 8.5.
Description
    Specify the prefix value for destination IPv6 address aggregation.
Options
    prefix-value: Integer value.
    Range: 1 through 128
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination-prefix-list

Syntax
    destination-prefix-list list-name <except>;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced in Junos OS Release 8.2.
Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options
    list-name: Destination prefix list.
    except: (Optional) Exclude the specified prefix list from rule matching.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation
    Junos OS Routing Policy Configuration Guide

force-entry

Syntax
    (force-entry | ignore-entry);
Hierarchy Level
    [edit services ids rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify handling of entries in the IDS events cache:
    force-entry: Ensure that the entry has a permanent place in the IDS cache after one event is registered.
    ignore-entry: Ensure that all IDS events are ignored.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


from

Syntax
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify input conditions for the IDS term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

ignore-entry
See force-entry

logging

Syntax
    logging {
        syslog;
        threshold rate;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Set logging values for this IDS term.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


match-direction

Syntax
    match-direction (input | output | input-output);
Hierarchy Level
    [edit services ids rule rule-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the direction in which the rule match is applied.
Options
    input: Apply the rule match on input.
    output: Apply the rule match on output.
    input-output: Apply the rule match bidirectionally.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

mss

Syntax
    mss value;
Hierarchy Level
    [edit services ids rule rule-name term term-name then syn-cookie]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the maximum segment size (MSS) value used in Transmission Control Protocol (TCP) delayed binding.
Options
    value: MSS value.
    Default: 1500
    Range: 128 through 8192
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


rule

Syntax
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
Hierarchy Level
    [edit services ids],
    [edit services ids rule-set rule-set-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the rule the router uses when applying this service.
Options
    rule-name: Identifier for the collection of terms that constitute this rule.
Usage Guidelines
    See Configuring IDS Rules on page 291.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

rule-set

Syntax
    rule-set rule-set-name {
        [ rule rule-names ];
    }
Hierarchy Level
    [edit services ids]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the rule set the router uses when applying this service.
Options
    rule-set-name: Identifier for the collection of rules that constitute this rule set.
Usage Guidelines
    See Configuring IDS Rule Sets on page 297.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

services

Syntax
    services ids { ... }
Hierarchy Level
    [edit]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the service rules to be applied to traffic.
Options
    ids: Identifies the IDS set of rules statements.
Usage Guidelines
    See Configuring IDS Rules on page 291.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


session-limit

Syntax
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Enable flow limitation by configuring thresholds on source, destination, or stateful firewall and network address translation (NAT) paired traffic flows.
Options
    The remaining statements are described separately.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


source-address

Syntax
    source-address (address | any-unicast) <except>;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced before Junos OS Release 7.4. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.
Description
    Specify the source address for rule matching.
Options
    address: Source IPv4 or IPv6 address or prefix value.
    any-unicast: Any unicast packet.
    except: (Optional) Exempt the specified address, prefix, or unicast packets from rule matching.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

source-address-range

Syntax
    source-address-range low minimum-value high maximum-value <except>;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.
Description
    Specify the source address range for rule matching.
Options
    minimum-value: Lower boundary for the IPv4 or IPv6 address range.
    maximum-value: Upper boundary for the IPv4 or IPv6 address range.
    except: (Optional) Exempt the specified address range from rule matching.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


source-prefix

Syntax
    source-prefix prefix-value;
Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the prefix value for source IPv4 address aggregation.
Options
    prefix-value: Integer value.
    Range: 1 through 32
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

source-prefix-ipv6

Syntax
    source-prefix-ipv6 prefix-value;
Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]
Release Information
    Statement introduced in Junos OS Release 8.5.
Description
    Specify the prefix value for source IPv6 address aggregation.
Options
    prefix-value: Integer value.
    Range: 1 through 128
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


source-prefix-list

Syntax
    source-prefix-list list-name <except>;
Hierarchy Level
    [edit services ids rule rule-name term term-name from]
Release Information
    Statement introduced in Junos OS Release 8.2.
Description
    Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options
    list-name: Source prefix list.
    except: (Optional) Exclude the specified prefix list from rule matching.
Usage Guidelines
    See Configuring Match Conditions in IDS Rules on page 293.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation
    Junos OS Routing Policy Configuration Guide

syn-cookie

Syntax
    syn-cookie {
        mss value;
        threshold rate;
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Enable SYN-cookie defenses against SYN attacks. By default, SYN-cookie techniques are not applied.
Options
    The remaining statements are described separately.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


syslog

Syntax
    syslog;
Hierarchy Level
    [edit services ids rule rule-name term term-name then logging]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Enable system logging. The system log information from the Adaptive Services or Multiservices Physical Interface Card (PIC) is passed to the kernel for logging in the /var/log directory.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
        }
        then {
            aggregation {
                destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value | source-prefix-ipv6 prefix-value;
            }
            (force-entry | ignore-entry);
            logging {
                syslog;
                threshold rate;
            }
            session-limit {
                by-destination {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-pair {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-source {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
            }
            syn-cookie {
                mss value;
                threshold rate;
            }
        }
    }
Hierarchy Level
    [edit services ids rule rule-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the IDS term properties.
Options
    term-name: Identifier for the term.
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring IDS Rules on page 291.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


then

Syntax
    then {
        aggregation {
            destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
            source-prefix prefix-value | source-prefix-ipv6 prefix-value;
        }
        (force-entry | ignore-entry);
        logging {
            syslog;
            threshold rate;
        }
        session-limit {
            by-destination {
                hold-time seconds;
                maximum number;
                packets number;
                rate number;
            }
            by-pair {
                hold-time seconds;
                maximum number;
                packets number;
                rate number;
            }
            by-source {
                hold-time seconds;
                maximum number;
                packets number;
                rate number;
            }
        }
        syn-cookie {
            mss value;
            threshold rate;
        }
    }
Hierarchy Level
    [edit services ids rule rule-name term term-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the IDS term actions.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring IDS Rules on page 291.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


threshold

Syntax
    threshold rate;
Hierarchy Level
    [edit services ids rule rule-name term term-name then logging],
    [edit services ids rule rule-name term term-name then syn-cookie]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the threshold for logging or applying SYN-cookie defenses.
Options
    rate: Logging threshold number of events per second.
    rate: SYN-cookie defense number of SYN attacks per second.
Usage Guidelines
    See Configuring Actions in IDS Rules on page 294.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


CHAPTER 16

IPsec Services Configuration Guidelines


To configure IP Security (IPsec) services, include the following statements at the [edit services ipsec-vpn] hierarchy level:
    [edit services ipsec-vpn]
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            description description;
            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            version (1 | 2);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                any-remote-id;
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposals [ proposal-names ];
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
    no-ipsec-tunnel-in-traceroute;
    traceoptions {
        file {
            files number;
            size bytes;
        }
        flag flag;
        level level;
    }


This chapter includes the following sections:


Minimum Security Association Configurations on page 325
Configuring Security Associations on page 326
Configuring IKE Proposals on page 332
Configuring IKE Policies on page 335
Configuring IPsec Proposals on page 341
Configuring IPsec Policies on page 343
IPsec Policy for Dynamic Endpoints on page 346
Configuring IPsec Rules on page 346
Configuring IPsec Rule Sets on page 353
Configuring Dynamic Endpoints for IPsec Tunnels on page 353
Tracing IPsec Operations on page 358
Configuring IPSec on the Services SDK on page 360
Examples: Configuring IPsec Services on page 361

Minimum Security Association Configurations


The following sections show the minimum configurations necessary to set up security associations (SAs) for IPsec services:

Minimum Manual SA Configuration on page 325
Minimum Dynamic SA Configuration on page 325

Minimum Manual SA Configuration


To define a manual SA configuration, you must include at least the following statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:
    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction (inbound | outbound | bidirectional) {
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
        protocol (ah | esp | bundle);
        spi spi-value;
    }

Minimum Dynamic SA Configuration


To define a dynamic SA configuration, you must include at least the following statements at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method pre-shared-keys;
            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
        }
        policy policy-name {
            proposals [ ike-proposal-names ];
            pre-shared-key (ascii-text key | hexadecimal key);
            version (1 | 2);
            mode (aggressive | main);
        }
    }
    ipsec {
        policy policy-name {
            proposals [ ipsec-proposal-names ];
        }
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            encryption-algorithm algorithm;
            protocol (ah | esp | bundle);
        }
    }

NOTE: Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. The version statement under the [edit services ipsec-vpn ike policy name] hierarchy allows you to configure the specific IKE version to be supported. The mode statement under the [edit services ipsec-vpn ike policy name] hierarchy is required only if the version option is set to 1.

You must also include the ipsec-policy statement at the [edit services ipsec-vpn rule rule-name term term-name then dynamic] hierarchy level.

Configuring Security Associations


To use IPsec services, you create an SA between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. You can configure two types of SAs:

Manual: Requires no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. For information about how to configure a manual SA, see Configuring Manual Security Associations on page 327.

Dynamic: Specifies proposals to be negotiated with the tunnel peer. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. The dynamic SA includes one or more proposal statements, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer. For information about how to configure a dynamic SA, see Configuring Dynamic Security Associations on page 331.

This section includes the following topics:

Configuring Manual Security Associations on page 327
Configuring Dynamic Security Associations on page 331
Clearing Security Associations on page 332

NOTE: Both OSPFv2 and OSPFv3 support IPsec authentication. However, dynamic or tunnel mode IPsec SAs are not supported for OSPFv3. If you add SAs into OSPFv3 by including the ipsec-sa statement at the [edit protocols ospf3 area area-number interface interface-name] hierarchy level, your configuration fails to commit. For more information about OSPF authentication and other OSPF properties, see the Junos OS Routing Protocols Configuration Guide.

Configuring Manual Security Associations


Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. To configure a manual IPsec security association, include statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual]
direction (inbound | outbound | bidirectional) {
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }
    auxiliary-spi auxiliary-spi-value;
    encryption {
        algorithm algorithm;
        key (ascii-text key | hexadecimal key);
    }
    protocol (ah | esp | bundle);
    spi spi-value;
}

To configure manual SA statements, do the following:


Configuring the Direction for IPsec Processing on page 328
Configuring the Protocol for a Manual IPsec SA on page 329
Configuring the Security Parameter Index on page 329
Configuring the Auxiliary Security Parameter Index on page 329
Configuring Authentication for a Manual IPsec SA on page 329
Configuring Encryption for a Manual IPsec SA on page 330

Configuring the Direction for IPsec Processing


The direction statement specifies inbound or outbound IPsec processing. If you want to define different algorithms, keys, or security parameter index (SPI) values for each direction, you configure the inbound and outbound options. If you want the same attributes in both directions, use the bidirectional option. To configure the direction of IPsec processing, include the direction statement at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual]
direction (inbound | outbound | bidirectional) {
    ...
}

Example: Using Different Configuration for the Inbound and Outbound Directions

Define different algorithms, keys, and security parameter index values for each direction (with the 3des-cbc algorithm, each ASCII key must be 24 characters long):
[edit services ipsec-vpn rule rule-name term term-name then manual]
direction inbound {
    protocol esp;
    spi 16384;
    encryption {
        algorithm 3des-cbc;
        key ascii-text 234567890123456789012345;
    }
}
direction outbound {
    protocol esp;
    spi 24576;
    encryption {
        algorithm 3des-cbc;
        key ascii-text 12345678901234567890abcd;
    }
}

Example: Using the Same Configuration for the Inbound and Outbound Directions

Define one set of algorithms, keys, and security parameter index values that is valid in both directions:
[edit services ipsec-vpn rule rule-name term term-name then manual]
direction bidirectional {
    protocol ah;
    spi 20001;
    authentication {
        algorithm hmac-md5-96;
        key ascii-text 123456789012abcd;
    }
}


Chapter 16: IPsec Services Configuration Guidelines

Configuring the Protocol for a Manual IPsec SA


IPsec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and authentication header (AH). The AH protocol is used for strong authentication. A third option, bundle, uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets. To configure the IPsec protocol, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
protocol (ah | bundle | esp);

Configuring the Security Parameter Index


An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets.

NOTE: Each manual SA must have a unique SPI and protocol combination. Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

To configure the SPI, include the spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
spi spi-value;

Configuring the Auxiliary Security Parameter Index


Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

NOTE: Each manual SA must have a unique SPI and protocol combination.

To configure the auxiliary SPI, include the auxiliary-spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
auxiliary-spi auxiliary-spi-value;

Configuring Authentication for a Manual IPsec SA


To configure an authentication algorithm, include the authentication statement and specify an authentication algorithm and a key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
authentication {
    algorithm (hmac-md5-96 | hmac-sha1-96);
    key (ascii-text key | hexadecimal key);
}

The algorithm can be one of the following:

hmac-md5-96: Hash algorithm that authenticates packet data. It produces a 128-bit authenticator value and a 96-bit digest.

hmac-sha1-96: Hash algorithm that authenticates packet data. It produces a 160-bit authenticator value and a 96-bit digest.

The key can be one of the following:

ascii-text: ASCII text key. With the hmac-md5-96 option, the key contains 16 ASCII characters. With the hmac-sha1-96 option, the key contains 20 ASCII characters.

hexadecimal: Hexadecimal key. With the hmac-md5-96 option, the key contains 32 hexadecimal characters. With the hmac-sha1-96 option, the key contains 40 hexadecimal characters.

Configuring Encryption for a Manual IPsec SA


To configure IPsec encryption, include the encryption statement and specify an algorithm and key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
encryption {
    algorithm algorithm;
    key (ascii-text key | hexadecimal key);
}

The algorithm can be one of the following:

des-cbc: Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.

3des-cbc: Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.

aes-128-cbc: Advanced Encryption Standard (AES) 128-bit encryption algorithm.

aes-192-cbc: Advanced Encryption Standard (AES) 192-bit encryption algorithm.

aes-256-cbc: Advanced Encryption Standard (AES) 256-bit encryption algorithm.


NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option. For reference information on AES encryption, see RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec. For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

The key can be one of the following:

ascii-text: ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.

hexadecimal: Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

NOTE: You cannot configure encryption when you use the AH protocol.
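The constraints spelled out across the manual SA sections above (SPI range, auxiliary SPI with bundle, no encryption under AH, key length per algorithm, unique SPI and protocol combination) are the kind of thing a configuration review should catch before commit. The Python below is an added example, not Juniper code or a Junos tool; the term dictionaries, SPI values and keys it checks are constructed for this example.

```python
"""Pre-commit checks for Junos manual IPsec SA terms (added example, not Juniper code).

Encodes the rules this chapter states for [edit services ipsec-vpn rule ... then manual]:
SPI range, auxiliary SPI with bundle, no encryption under AH, key length per algorithm,
and a unique SPI/protocol combination. The sample terms at the bottom are constructed.
"""
import re

SPI_RANGE = range(256, 16640)  # spi and auxiliary-spi: 256 through 16,639
# Required key length per algorithm as (ascii-text chars, hexadecimal chars); the
# chapter states no length rule for the AES algorithms, so they are not checked.
AUTH_KEY_LEN = {"hmac-md5-96": (16, 32), "hmac-sha1-96": (20, 40)}
ENC_KEY_LEN = {"des-cbc": (8, 16), "3des-cbc": (24, 48)}


def check_key(kind, algorithm, key, table, loc):
    """Check one authentication or encryption key against the algorithm's length rule."""
    fmt, value = key["format"], key["value"]
    if fmt not in ("ascii-text", "hexadecimal"):
        return [f"{loc}: {kind} key format must be ascii-text or hexadecimal"]
    if fmt == "hexadecimal" and not re.fullmatch(r"[0-9a-fA-F]+", value):
        return [f"{loc}: {kind} key is not valid hexadecimal"]
    if algorithm not in table:
        return []
    want = table[algorithm][0 if fmt == "ascii-text" else 1]
    if len(value) != want:
        return [f"{loc}: {algorithm} {fmt} key must be {want} characters, got {len(value)}"]
    return []


def check_manual_term(term, where="term"):
    """Check every direction stanza of one `then manual` term; return findings."""
    findings = []
    for direction, sa in term.items():
        loc = f"{where} direction {direction}"
        proto = sa.get("protocol")
        if proto not in ("ah", "esp", "bundle"):
            findings.append(f"{loc}: protocol must be ah, esp or bundle")
        if sa.get("spi") not in SPI_RANGE:
            findings.append(f"{loc}: spi must be 256 through 16639")
        # bundle is AH authentication plus ESP encryption and needs a second SPI.
        if proto == "bundle" and sa.get("auxiliary-spi") not in SPI_RANGE:
            findings.append(f"{loc}: protocol bundle requires auxiliary-spi 256 through 16639")
        # AH authenticates only; the chapter states encryption cannot be configured with it.
        if proto == "ah" and "encryption" in sa:
            findings.append(f"{loc}: encryption cannot be configured with protocol ah")
        if "authentication" in sa:
            auth = sa["authentication"]
            if auth["algorithm"] not in AUTH_KEY_LEN:
                findings.append(f"{loc}: authentication algorithm must be hmac-md5-96 or hmac-sha1-96")
            else:
                findings += check_key("authentication", auth["algorithm"], auth["key"], AUTH_KEY_LEN, loc)
        if "encryption" in sa:
            enc = sa["encryption"]
            findings += check_key("encryption", enc["algorithm"], enc["key"], ENC_KEY_LEN, loc)
    return findings


def check_unique_spi(terms):
    """Each manual SA must use a unique (spi, protocol) combination across all terms."""
    seen, findings = {}, []
    for where, term in terms.items():
        for direction, sa in term.items():
            combo, owner = (sa.get("spi"), sa.get("protocol")), f"{where} direction {direction}"
            if combo in seen:
                findings.append(f"{owner}: spi {combo[0]}/{combo[1]} already used by {seen[combo]}")
            else:
                seen[combo] = owner
    return findings


def check_all(terms):
    findings = [f for where, term in terms.items() for f in check_manual_term(term, where)]
    return findings + check_unique_spi(terms)


def _k(fmt, value):
    return {"format": fmt, "value": value}


# Constructed sample: one correct two-way ESP term and three terms that each break a
# rule (23-char 3des key, encryption under AH, missing auxiliary-spi plus a malformed
# hexadecimal key, and a reused SPI/protocol pair).
SAMPLE_TERMS = {
    "rule vpn term esp-2way": {
        "inbound": {"protocol": "esp", "spi": 1000,
                    "encryption": {"algorithm": "3des-cbc", "key": _k("ascii-text", "abcdefghijklmnopqrstuvwx")}},
        "outbound": {"protocol": "esp", "spi": 2000,
                     "encryption": {"algorithm": "3des-cbc", "key": _k("ascii-text", "abcdefghijklmnopqrstuvw")}},
    },
    "rule vpn term ah-bidir": {
        "bidirectional": {"protocol": "ah", "spi": 3000,
                          "authentication": {"algorithm": "hmac-md5-96", "key": _k("ascii-text", "0123456789abcdef")},
                          "encryption": {"algorithm": "des-cbc", "key": _k("ascii-text", "12345678")}},
    },
    "rule vpn term bundle": {
        "bidirectional": {"protocol": "bundle", "spi": 4000,
                          "authentication": {"algorithm": "hmac-md5-96", "key": _k("hexadecimal", "00112233445566778899aabbccddeeff")},
                          "encryption": {"algorithm": "des-cbc", "key": _k("hexadecimal", "0123456789abcdeg")}},
    },
    "rule vpn term dup": {
        "bidirectional": {"protocol": "esp", "spi": 1000,
                          "encryption": {"algorithm": "des-cbc", "key": _k("ascii-text", "12345678")}},
    },
}
```

Running check_all(SAMPLE_TERMS) yields five findings, one per deliberate defect; a term that passes returns an empty list.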

Configuring Dynamic Security Associations


You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. The dynamic SA includes one or more proposals, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer. To enable a dynamic SA, follow these steps:
1. Configure Internet Key Exchange (IKE) proposals and IKE policies associated with these proposals.

2. Configure IPsec proposals and an IPsec policy associated with these proposals.

3. Associate an SA with an IPsec policy by configuring the dynamic statement.

For more information about IKE policies and proposals, see Configuring IKE Policies on page 335 and Configuring IKE Proposals on page 332. For more information about IPsec policies and proposals, see Configuring IPsec Policies on page 343.


To configure a dynamic SA, include the dynamic statement and specify an IPsec policy name at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. The ike-policy statement is optional unless you use the preshared key authentication method.
[edit services ipsec-vpn rule rule-name term term-name then]
dynamic {
    ike-policy policy-name;
    ipsec-policy policy-name;
}

NOTE: If you want to establish a dynamic SA, the attributes in at least one configured IPsec and IKE proposal must match those of its peer.

Clearing Security Associations


You can set up the router software to clear IKE or IPsec SAs automatically when the corresponding services PIC restarts or is taken offline. To configure this property, include the clear-ike-sas-on-pic-restart or clear-ipsec-sas-on-pic-restart statement at the [edit services ipsec-vpn] hierarchy level:
[edit services ipsec-vpn]
clear-ike-sas-on-pic-restart;
clear-ipsec-sas-on-pic-restart;

After you add this statement to the configuration, all the IKE or IPsec SAs corresponding to the tunnels in the PIC will be cleared when the PIC restarts or goes offline.

Configuring IKE Proposals


Dynamic security associations (SAs) require IKE configuration. With dynamic SAs, you configure IKE first, and then the SA. IKE creates the dynamic SAs and negotiates them for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer. To configure an IKE proposal, include the proposal statement and specify a name at the [edit services ipsec-vpn ike] hierarchy level:
[edit services ipsec-vpn ike]
proposal proposal-name {
    authentication-algorithm (md5 | sha1 | sha-256);
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
    dh-group (group1 | group2 | group5 | group14);
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
}


This section includes the following topics:


Configuring the Authentication Algorithm for an IKE Proposal on page 333
Configuring the Authentication Method for an IKE Proposal on page 333
Configuring the Diffie-Hellman Group for an IKE Proposal on page 334
Configuring the Encryption Algorithm for an IKE Proposal on page 334
Configuring the Lifetime for an IKE SA on page 335
Example: Configuring an IKE Proposal on page 335

Configuring the Authentication Algorithm for an IKE Proposal


To configure the authentication algorithm for an IKE proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
authentication-algorithm (md5 | sha1 | sha-256);

The authentication algorithm can be one of the following:


md5: Produces a 128-bit digest.

sha1: Produces a 160-bit digest.

sha-256: Produces a 256-bit digest.

NOTE: For reference information on Secure Hash Algorithms (SHAs), see Internet draft draft-eastlake-sha2-02.txt, Secure Hash Algorithms (SHA and HMAC-SHA) (expires July 2006).

Configuring the Authentication Method for an IKE Proposal


To configure the authentication method for an IKE proposal, include the authentication-method statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);

The authentication method can be one of the following:


dsa-signatures: Digital Signature Algorithm

pre-shared-keys: A key derived from an out-of-band mechanism; the key authenticates the exchanges

rsa-signatures: Public key algorithm (supports encryption and digital signatures)


Configuring the Diffie-Hellman Group for an IKE Proposal


Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys. To configure the Diffie-Hellman group for an IKE proposal, include the dh-group statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
dh-group (group1 | group2 | group5 | group14);

The group can be one of the following:

group1: Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2: Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group5: Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group14: Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Using a Diffie-Hellman group based on a greater number of bits results in a more secure IKE tunnel than using a group based on fewer bits. However, this additional security entails additional processing time.

Configuring the Encryption Algorithm for an IKE Proposal


To configure the encryption algorithm for an IKE proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
encryption-algorithm algorithm;

The encryption algorithm can be one of the following:

3des-cbc: Cipher block chaining encryption algorithm with a key size of 24 bytes; its key size is 192 bits long.

des-cbc: Cipher block chaining encryption algorithm with a key size of 8 bytes; its key size is 56 bits long.

aes-128-cbc: Advanced Encryption Standard (AES) 128-bit encryption algorithm.

aes-192-cbc: Advanced Encryption Standard (AES) 192-bit encryption algorithm.

aes-256-cbc: Advanced Encryption Standard (AES) 256-bit encryption algorithm.


NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option. For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

Configuring the Lifetime for an IKE SA


The lifetime-seconds statement sets the lifetime of an IKE SA. When the IKE SA expires, it is replaced by a new SA (and SPI) or the IPsec connection is terminated. To configure the lifetime for an IKE SA, include the lifetime-seconds statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
lifetime-seconds seconds;

By default, the IKE SA lifetime is 3600 seconds. The range is from 180 through 86,400 seconds.

NOTE: For IKE proposals, there is only one SA lifetime value, specified by the Junos OS. IPsec proposals use a different mechanism; for more information, see Configuring the Lifetime for an IPsec SA on page 342.

Example: Configuring an IKE Proposal


Configure an IKE proposal:
[edit services ipsec-vpn ike]
proposal ike-proposal {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}

Configuring IKE Policies


An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared key for the given peer or the local certificate.

During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match its peer.

Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. You can configure the specific IKE phase to be supported for the negotiation. However, if only IKEv1 is supported, the Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported, the Junos OS rejects all IKEv1 negotiations. The key management process (kmd) daemon determines which version of IKE is used in a negotiation. If kmd is the IKE initiator, it uses IKEv1 by default and retains the configured version for negotiations. If kmd is the IKE responder, it accepts connections from both IKEv1 and IKEv2.

You can create multiple, prioritized proposals at each peer to ensure that at least one proposal matches a remote peer's proposal. First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize the list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last. To configure an IKE policy, include the policy statement and specify a policy name at the [edit services ipsec-vpn ike] hierarchy level:
[edit services ipsec-vpn ike]
policy policy-name {
    description description;
    local-certificate identifier;
    local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
    version (1 | 2);
    mode (aggressive | main);
    pre-shared-key (ascii-text key | hexadecimal key);
    proposals [ proposal-names ];
    remote-id {
        any-remote-id;
        ipv4_addr [ values ];
        ipv6_addr [ values ];
        key_id [ values ];
    }
}
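The matching rules just described (a proposal matches only when its configured attributes are identical on both peers, the shorter lifetime wins, the preshared key must match, and a policy pinned to one IKE version rejects the other) can be modeled to see which proposal a given pair of policies would agree on; this also illustrates the note under Configuring Dynamic Security Associations that at least one proposal must match. The Python below is an added example, not Juniper's kmd; the proposal attributes are taken from the IKE policy example on page 340, while the peer policies and the version and key mismatches are constructed.

```python
"""Model of IKE proposal selection between two peers (added example, not Juniper's kmd).

Encodes the rules this chapter describes: the initiator offers its policy's proposals
in priority order, a proposal matches when its configured attributes are identical on
both sides, the shorter of the two lifetimes is used, the preshared key must match, and
a policy pinned to one IKE version rejects the other. Proposal attributes are taken
from the IKE policy example on page 340; the peer policies are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional

MATCH_ATTRS = ("authentication_method", "dh_group", "authentication_algorithm", "encryption_algorithm")


@dataclass(frozen=True)
class IkeProposal:
    name: str
    authentication_method: str
    dh_group: str
    authentication_algorithm: str
    encryption_algorithm: str
    lifetime_seconds: int = 3600  # default IKE SA lifetime per this chapter

    def attrs(self):
        return tuple(getattr(self, a) for a in MATCH_ATTRS)


@dataclass
class IkePolicy:
    proposals: List[IkeProposal]           # in priority order, first to last
    pre_shared_key: Optional[bytes] = None
    version: Optional[int] = None          # None: responder accepts IKEv1 and IKEv2


def negotiate(initiator: IkePolicy, responder: IkePolicy) -> dict:
    """Return the outcome of one IKE negotiation as a dict with an 'ok' flag."""
    # kmd as initiator uses IKEv1 unless a version is configured; a responder
    # pinned to one version rejects the other, an unpinned one accepts both.
    version = initiator.version or 1
    if responder.version not in (None, version):
        return {"ok": False, "reason": f"responder accepts only IKEv{responder.version}"}
    by_attrs = {p.attrs(): p for p in responder.proposals}
    for offered in initiator.proposals:  # initiator's priority order
        accepted = by_attrs.get(offered.attrs())
        if accepted is None:
            continue
        if offered.authentication_method == "pre-shared-keys" and \
                initiator.pre_shared_key != responder.pre_shared_key:
            return {"ok": False, "reason": "preshared key mismatch"}
        return {"ok": True, "version": version, "proposal": accepted.name,
                "attributes": dict(zip(MATCH_ATTRS, offered.attrs())),
                # the shorter lifetime between the two policies is used
                "lifetime_seconds": min(offered.lifetime_seconds, accepted.lifetime_seconds)}
    return {"ok": False, "reason": "no proposal with matching attributes"}


# Proposal attribute values from the chapter's IKE policy example (page 340).
PROPOSAL_1 = IkeProposal("proposal-1", "pre-shared-keys", "group1", "sha1", "3des-cbc", 1000)
PROPOSAL_2 = IkeProposal("proposal-2", "pre-shared-keys", "group2", "md5", "des-cbc", 10000)
PROPOSAL_3 = IkeProposal("proposal-3", "rsa-signatures", "group2", "md5", "des-cbc", 10000)
# Constructed: same attributes as proposal-2 but a shorter lifetime on the remote peer.
REMOTE_PROPOSAL_2 = IkeProposal("proposal-2", "pre-shared-keys", "group2", "md5", "des-cbc", 5000)

PSK = b"example-pre-shared-key"  # the example's key; must be identical on both peers
LOCAL = IkePolicy([PROPOSAL_1, PROPOSAL_2], pre_shared_key=PSK)
REMOTE = IkePolicy([REMOTE_PROPOSAL_2, PROPOSAL_3], pre_shared_key=PSK)


def demo() -> dict:
    """The four cases a reviewer wants to see: match, version pin, bad PSK, no overlap."""
    return {
        "match": negotiate(LOCAL, REMOTE),
        "v2_vs_v1_only": negotiate(IkePolicy([PROPOSAL_2], PSK, version=2),
                                   IkePolicy([PROPOSAL_2], PSK, version=1)),
        "bad_psk": negotiate(LOCAL, IkePolicy([PROPOSAL_2], b"other-key")),
        "no_overlap": negotiate(IkePolicy([PROPOSAL_1], PSK), REMOTE),
    }
```

In the "match" case proposal-1 is offered first but has no counterpart on the remote peer, so proposal-2 is selected with the remote side's shorter 5000-second lifetime.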

This section includes the following topics:


Configuring the IKE Phase on page 337
Configuring the Mode for an IKE Policy on page 337
Configuring the Proposals in an IKE Policy on page 337
Configuring the Preshared Key for an IKE Policy on page 338
Configuring the Local Certificate for an IKE Policy on page 338
Configuring the Description for an IKE Policy on page 339
Configuring Local and Remote IDs for IKE Phase 1 Negotiation on page 339
Example: Configuring an IKE Policy on page 340

For an example of an IKE policy configuration, see Example: Configuring an IKE Policy on page 340.

Configuring the IKE Phase


Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. You can configure the specific IKE phase to be supported for the negotiation. However, if only IKEv1 is supported, the Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported, the Junos OS rejects all IKEv1 negotiations. To configure the IKE phase used, include the version statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
version (1 | 2);

Configuring the Mode for an IKE Policy


IKE policy has two modes: aggressive and main. By default, main mode is enabled. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity. Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, has less negotiation power, and does not provide identity protection. The peer can use the aggressive or main mode to start IKE negotiation; the remote peer accepts the mode sent by the peer.

NOTE: The mode configuration is required only if the version option is set to 1.

To configure the mode for an IKE policy, include the mode statement and specify aggressive or main at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
mode (aggressive | main);

Configuring the Proposals in an IKE Policy


The IKE policy includes a list of one or more proposals associated with an IKE policy. To configure the proposals in an IKE policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
proposals [ proposal-names ];

Configuring the Preshared Key for an IKE Policy


When you include the authentication-method pre-shared-keys statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, IKE policy preshared keys authenticate peers; for more information, see Configuring the Authentication Method for an IKE Proposal on page 333. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key. To configure the preshared key in an IKE policy, include the pre-shared-key statement and a key at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
pre-shared-key (ascii-text key | hexadecimal key);

The key can be one of the following:

ascii-text: ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.

hexadecimal: Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

Configuring the Local Certificate for an IKE Policy


When you include the authentication-method rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, public key infrastructure (PKI) digital certificates authenticate peers; for more information, see Configuring the Authentication Method for an IKE Proposal on page 333. You must identify a local certificate that is sent to the peer during the IKE authentication phase. To configure the local certificate for an IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
local-certificate identifier;

The local-certificate statement specifies the identifier used to obtain the end entity's certificate from the certification authority. Configuring it in an IKE policy allows you the flexibility of using a separate certificate with each remote peer if that is needed. You must also specify the identity of the certification authority by configuring the ca-profile statement at the [edit security pki] hierarchy level; for more information, see the Junos OS System Basics Configuration Guide. For complete examples of digital certificate configuration, see the Junos OS Feature Guides.

You can use the configured profiles to establish a set of trusted certification authorities for use with a particular service set. This enables you to configure separate service sets for individual clients to whom you are providing IP services; the distinct service sets provide logical separation of one set of IKE sessions from another, using different local gateway addresses, or virtualization. To configure the set of trusted certification authorities, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:
[edit services service-set service-set-name ipsec-vpn-options]
trusted-ca ca-profile;

For more information, see Configuring IPsec Service Sets on page 573.

Configuring a Certificate Revocation List


A certificate revocation list (CRL) contains a list of digital certificates that have been cancelled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL.

NOTE: By default, certificate revocation list verification is enabled. You can disable CRL verification by including the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. By default, if the router either cannot access the Lightweight Directory Access Protocol (LDAP) URL or retrieve a valid certificate revocation list, certificate verification fails and the IPsec tunnel is not established. To override this behavior and permit the authentication of the IPsec peer when the CRL is not downloaded, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level.

To use the CA certificate revocation list, you include statements at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. For details, see the Junos OS System Basics Configuration Guide.

Configuring the Description for an IKE Policy


To specify an optional text description for an IKE policy, include the description statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
description description;

Configuring Local and Remote IDs for IKE Phase 1 Negotiation


You can optionally specify local identifiers for use in IKE phase 1 negotiation. If the local-id statement is omitted, the local gateway address is used. To specify one or more local IDs, include the local-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);

You can also specify remote gateway identifiers for which the IKE policy is used. The remote gateway address in which this policy is defined is added by default.


To specify one or more remote IDs, include the remote-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
[edit services ipsec-vpn ike policy policy-name]
remote-id {
    any-remote-id;
    ipv4_addr [ values ];
    ipv6_addr [ values ];
    key_id [ values ];
}

The any-remote-id option allows any remote address to connect. This option is supported only in dynamic endpoints configurations and cannot be configured along with specific values. For more information about dynamic endpoint configurations, see Configuring Dynamic Endpoints for IPsec Tunnels on page 353.

Example: Configuring an IKE Policy


Define two IKE policies: policy 10.1.1.2 and policy 10.1.1.1. Each policy is associated with proposal-1 and proposal-2. The following configuration uses only IKEv1 for negotiation.
[edit services ipsec-vpn]
ike {
    proposal proposal-1 {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 1000;
    }
    proposal proposal-2 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 10000;
    }
    proposal proposal-3 {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 10000;
    }
    policy 10.1.1.2 {
        mode main;
        proposals [ proposal-1 proposal-2 ];
        pre-shared-key ascii-text example-pre-shared-key;
    }
    policy 10.1.1.1 {
        local-certificate certificate-file-name;
        local-key-pair private-public-key-file;
        mode aggressive;
        proposals [ proposal-2 proposal-3 ];
        pre-shared-key hexadecimal 0102030abbcd;
    }
}


NOTE: Updates to the current IKE proposal and policy configuration are not applied to the current IKE SA; updates are applied to new IKE SAs. If you want the new updates to take immediate effect, you must clear the existing IKE security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IKE security association, see the Junos OS System Basics and Services Command Reference.

Configuring IPsec Proposals


An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer. To configure an IPsec proposal, include the proposal statement and specify an IPsec proposal name at the [edit services ipsec-vpn ipsec] hierarchy level:
[edit services ipsec-vpn ipsec]
proposal proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    description description;
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
    protocol (ah | esp | bundle);
}

This section discusses the following topics:


Configuring the Authentication Algorithm for an IPsec Proposal on page 341
Configuring the Description for an IPsec Proposal on page 342
Configuring the Encryption Algorithm for an IPsec Proposal on page 342
Configuring the Lifetime for an IPsec SA on page 342
Configuring the Protocol for a Dynamic SA on page 343

Configuring the Authentication Algorithm for an IPsec Proposal


To configure the authentication algorithm for an IPsec proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);

The authentication algorithm can be one of the following:

hmac-md5-96: Hash algorithm that authenticates packet data. It produces a 128-bit digest. Only 96 bits are used for authentication.


hmac-sha1-96: Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.

Configuring the Description for an IPsec Proposal


To specify an optional text description for an IPsec proposal, include the description statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
description description;

Configuring the Encryption Algorithm for an IPsec Proposal


To configure the encryption algorithm for an IPsec proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
encryption-algorithm algorithm;

The encryption algorithm can be one of the following:

3des-cbc: Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.

des-cbc: Encryption algorithm that has a block size of 8 bytes; its key size is 48 bits long.

aes-128-cbc: Advanced Encryption Standard (AES) 128-bit encryption algorithm.

aes-192-cbc: Advanced Encryption Standard (AES) 192-bit encryption algorithm.

aes-256-cbc: Advanced Encryption Standard (AES) 256-bit encryption algorithm.

NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option. For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

Configuring the Lifetime for an IPsec SA


When a dynamic IPsec SA is created, two types of lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPsec key management system that the SA is about to expire. This allows the key management system to negotiate a new SA before the hard lifetime expires. To configure the hard lifetime value, include the lifetime-seconds statement and specify the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
lifetime-seconds seconds;

The default lifetime is 28,800 seconds. The range is from 180 through 86,400 seconds. The soft lifetime values are as follows:

Initiator: Soft lifetime = Hard lifetime - 135 seconds.

Responder: Soft lifetime = Hard lifetime - 90 seconds.

Configuring the Protocol for a Dynamic SA


The protocol statement sets the protocol for a dynamic SA. IPsec uses two protocols to protect IP traffic: ESP and AH. The ESP protocol can support authentication, encryption, or both. The AH protocol is used for strong authentication. AH also authenticates the IP packet. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets. To configure the protocol for a dynamic SA, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
protocol (ah | esp | bundle);

Configuring IPsec Policies


An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPsec negotiation, IPsec looks for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. You can create multiple, prioritized IPsec proposals at each peer to ensure that at least one proposal matches a remote peer's proposal. First, you configure one or more IPsec proposals; then you associate these proposals with an IPsec policy. You can prioritize a list of proposals used by IPsec in the policy statement by listing the proposals you want to use, from first to last.


To configure an IPsec policy, include the policy statement, and specify the policy name and one or more proposals to associate with the policy, at the [edit services ipsec-vpn ipsec] hierarchy level:
[edit services ipsec-vpn ipsec]
policy policy-name {
    description description;
    perfect-forward-secrecy {
        keys (group1 | group2 | group5 | group14);
    }
    proposals [ proposal-names ];
}

This section includes the following topics related to configuring an IPsec policy:

Configuring the Description for an IPsec Policy on page 344

Configuring Perfect Forward Secrecy on page 344

Configuring the Proposals in an IPsec Policy on page 345

Example: Configuring an IPsec Policy on page 345

Configuring the Description for an IPsec Policy


To specify an optional text description for an IPsec policy, include the description statement at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
[edit services ipsec-vpn ipsec policy policy-name]
description description;

Configuring Perfect Forward Secrecy


PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. This statement is optional. To configure PFS, include the perfect-forward-secrecy statement and specify a Diffie-Hellman group at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
[edit services ipsec-vpn ipsec policy policy-name]
perfect-forward-secrecy {
    keys (group1 | group2 | group5 | group14);
}

The key can be one of the following:

group1: Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2: Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.


group5: Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group14: Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

The higher numbered groups provide more security than the lower numbered groups, but require more processing time.

Configuring the Proposals in an IPsec Policy


An IPsec policy includes a list of one or more proposals. To configure the proposals in an IPsec policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
[edit services ipsec-vpn ipsec policy policy-name]
proposals [ proposal-names ];

Example: Configuring an IPsec Policy


Define an IPsec policy, dynamic-policy-1, that is associated with two proposals (dynamic-1 and dynamic-2):
[edit services ipsec-vpn ipsec]
proposal dynamic-1 {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 6000;
}
proposal dynamic-2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 6000;
}
policy dynamic-policy-1 {
    perfect-forward-secrecy {
        keys group1;
    }
    proposals [ dynamic-1 dynamic-2 ];
}

NOTE: Updates to the current IPsec proposal and policy configuration are not applied to the current IPsec SA; updates are applied to new IPsec SAs. If you want the new updates to take immediate effect, you must clear the existing IPsec security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IPsec security association, see the Junos OS System Basics and Services Command Reference.


IPsec Policy for Dynamic Endpoints


An IPsec policy for dynamic endpoints defines a combination of security parameters (IPsec proposals) used during IPsec negotiation between dynamic peer security gateways, in which the remote ends of tunnels do not have a statically assigned IP address. During the IPsec negotiation, the IPsec policy looks for an IPsec proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when the policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. If no policy is set, any policy proposed by the dynamic peer is accepted. For more information about configuring IPsec policy, see Configuring IPsec Policies on page 343.

Related Documentation

Configuring IPsec Policies on page 343
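How the proposal matching described in Configuring IPsec Policies and in the dynamic-endpoint section plays out, as an added example that is not from this guide: a Python model in which the responder walks the initiator's prioritized proposals, accepts the first one whose configured attributes it also has, reconciles the lifetime to the shorter value and derives the soft lifetimes from Configuring the Lifetime for an IPsec SA, and, with no policy set (the dynamic-endpoint case), accepts the peer's first proposal. Treating the PFS group as an attribute that must agree is an assumption of the model, and the peer policies are constructed.

```python
"""Added example, not Juniper code: a model of IPsec policy matching as the
chapter describes it, run against constructed proposals and policies."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LIFETIME = 28800                            # default lifetime-seconds
LIFETIME_RANGE = (180, 86400)                       # configurable range
SOFT_MARGIN = {"initiator": 135, "responder": 90}   # soft = hard - margin


@dataclass(frozen=True)
class Proposal:
    """One [edit services ipsec-vpn ipsec proposal] entry."""
    name: str
    protocol: str                          # ah | esp | bundle
    authentication_algorithm: str          # hmac-md5-96 | hmac-sha1-96
    encryption_algorithm: Optional[str]    # None models NULL encryption
    lifetime_seconds: int = DEFAULT_LIFETIME

    def __post_init__(self) -> None:
        lo, hi = LIFETIME_RANGE
        if not lo <= self.lifetime_seconds <= hi:
            raise ValueError(f"{self.name}: lifetime-seconds must be {lo}..{hi}")

    def attributes(self) -> Tuple[str, str, Optional[str]]:
        # The configured attributes that must be identical on both peers.
        # Lifetime is reconciled separately, so it is not part of the key.
        return (self.protocol, self.authentication_algorithm, self.encryption_algorithm)


@dataclass
class Policy:
    """One [edit services ipsec-vpn ipsec policy] entry; proposals are listed
    in priority order, first to last."""
    name: str
    proposals: List[Proposal]
    pfs_group: Optional[str] = None       # perfect-forward-secrecy keys group


def soft_lifetime(hard: int, role: str) -> int:
    """Soft lifetime as the guide defines it: initiator hard-135, responder hard-90."""
    return hard - SOFT_MARGIN[role]


def _agreed(offered: Proposal, local: Optional[Proposal], pfs: Optional[str]) -> dict:
    hard = offered.lifetime_seconds if local is None else min(
        offered.lifetime_seconds, local.lifetime_seconds)
    return {
        "initiator_proposal": offered.name,
        "responder_proposal": None if local is None else local.name,
        "protocol": offered.protocol,
        "authentication_algorithm": offered.authentication_algorithm,
        "encryption_algorithm": offered.encryption_algorithm,
        "pfs_group": pfs,
        "lifetime_seconds": hard,
        "soft_lifetime_initiator": soft_lifetime(hard, "initiator"),
        "soft_lifetime_responder": soft_lifetime(hard, "responder"),
    }


def negotiate(initiator: Policy, responder: Optional[Policy]) -> Optional[dict]:
    """Responder-side matching. Returns the agreed parameters, or None.

    responder=None models the dynamic-endpoint case in which no IPsec policy
    is set, so whatever the dynamic peer proposes first is accepted.
    """
    if responder is None:
        return _agreed(initiator.proposals[0], None, initiator.pfs_group)
    # Assumption of this model: the PFS group has to agree as well; the guide
    # only says that PFS is defined by the policy.
    if initiator.pfs_group != responder.pfs_group:
        return None
    # The initiator's list is walked in its priority order; the first
    # proposal the responder also has wins.
    for offered in initiator.proposals:
        for local in responder.proposals:
            if offered.attributes() == local.attributes():
                return _agreed(offered, local, responder.pfs_group)
    return None


if __name__ == "__main__":
    # Constructed peers; the local side mirrors the dynamic-policy-1 example.
    local = Policy("dynamic-policy-1", [
        Proposal("dynamic-1", "esp", "hmac-md5-96", "3des-cbc", 6000),
        Proposal("dynamic-2", "esp", "hmac-sha1-96", "3des-cbc", 6000)], "group1")
    peer = Policy("peer-policy", [
        Proposal("p-a", "esp", "hmac-sha1-96", "3des-cbc", 3600),
        Proposal("p-b", "esp", "hmac-md5-96", "3des-cbc")], "group1")
    print(negotiate(peer, local))
```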

Configuring IPsec Rules


To configure an IPsec rule, include the rule statement and specify a rule name at the [edit services ipsec-vpn] hierarchy level:
[edit services ipsec-vpn]
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            anti-replay-window-size bits;
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}

Each IPsec rule consists of a set of terms, similar to a firewall filter. A term consists of the following:

from statement: Specifies the match conditions and applications that are included and excluded.

then statement: Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of IPsec rules:

Configuring Match Direction for IPsec Rules on page 347

Configuring Match Conditions in IPsec Rules on page 348

Configuring Actions in IPsec Rules on page 349

Configuring Match Direction for IPsec Rules


Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:
[edit services ipsec-vpn rule rule-name]
match-direction (input | output);

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it. With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

Configuring Match Conditions in IPsec Rules


To configure the match conditions in an IPsec rule, include the from statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name]
from {
    destination-address address;
    ipsec-inside-interface interface-name;
    source-address address;
}

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos OS Routing Policy Configuration Guide. IPsec services support both IPv4 and IPv6 address formats. If you do not specifically configure either the source address or destination address, the default value 0.0.0.0/0 (IPv4 ANY) is used. To use IPv6 ANY (0::0/128) as either source or destination address, you must configure it explicitly.

For next-hop-style service sets only, the ipsec-inside-interface statement allows you to assign a logical interface to the tunnels established as a result of this match condition. The inside-service-interface statement that you can configure at the [edit services service-set name next-hop-service] hierarchy level allows you to specify .1 and .2 as inside and outside interfaces. However, you can configure multiple adaptive services logical interfaces with the service-domain inside statement and use one of them to configure the ipsec-inside-interface statement. For more information, see Configuring Service Sets to be Applied to Services Interfaces on page 568 and Interface Properties.

The Junos OS evaluates the criteria you configure in the from statement. If multiple link-type tunnels are configured within the same next-hop-style service set, the ipsec-inside-interface value enables the rule lookup module to distinguish a particular tunnel from other tunnels in case the source and destination addresses for all of them are 0.0.0.0/0 (ANY-ANY).

NOTE: When you configure the ipsec-inside-interface statement, interface-style service sets are not supported.

A special situation is provided by a term containing an any-any match condition (usually because the from statement is omitted). If there is an any-any match in a tunnel, a flow is not needed, because all flows within this tunnel use the same security association (SA) and packet selectors do not play a significant role. As a result, these tunnels will use packet-based IPsec. This strategy saves some flow resources on the PIC, which can be used for other tunnels that need a flow-based service.


The following configuration example shows an any-any tunnel configuration with no from statement in term-1. Missing selectors in the from clause result in a packet-based IPsec service.
services {
    ipsec-vpn {
        rule rule-1 {
            term term-1 {
                then {
                    remote-gateway 10.1.0.1;
                    dynamic {
                        ike-policy ike_policy;
                        ipsec-policy ipsec_policy;
                    }
                }
            }
            match-direction input;
        }
        .....
    }
}

Flowless IPsec service is provided to link-type tunnels with an any-any matching, as well as to dynamic tunnels with any-any matching in both dedicated and shared mode. For link-type tunnels, a mixture of flowless and flow-based IPsec is supported within a service set. If a service set includes some terms with any-any matching and some terms with selectors in the from clause, packet-based service is provided for the any-any tunnels and flow-based service is provided for the other tunnels with selectors. For non-link-type tunnels, if a service set contains both any-any terms and selector-based terms, flow-based service is provided to all the tunnels.

Configuring Actions in IPsec Rules


To configure actions in an IPsec rule, include the then statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name]
then {
    anti-replay-window-size bits;
    backup-remote-gateway address;
    clear-dont-fragment-bit;
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
    initiate-dead-peer-detection;
    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            auxiliary-spi spi-value;
            encryption {
                algorithm algorithm;
                key (ascii-text key | hexadecimal key);
            }
            protocol (ah | bundle | esp);
            spi spi-value;
        }
    }
    no-anti-replay;
    remote-gateway address;
    syslog;
    tunnel-mtu bytes;
}

The principal IPsec actions are to configure a dynamic or manual SA:

You configure a dynamic SA by including the dynamic statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level and referencing policies you have configured at the [edit services ipsec-vpn ipsec] and [edit services ipsec-vpn ike] hierarchy levels; for more information, see Configuring Dynamic Security Associations on page 331.

You configure a manual SA by including the manual statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level; for more information, see Configuring Manual Security Associations on page 327.

You can configure the following additional properties:


Enabling IPsec Packet Fragmentation on page 350

Configuring Destination Addresses for Dead Peer Detection on page 350

Configuring or Disabling IPsec Anti-Replay on page 352

Enabling System Log Messages on page 352

Specifying the MTU for IPsec Tunnels on page 352

Enabling IPsec Packet Fragmentation


To enable fragmentation of IP version 4 (IPv4) packets in IPsec tunnels, include the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
clear-dont-fragment-bit;

Setting the clear-dont-fragment-bit statement clears the Don't Fragment (DF) bit in the packet header, regardless of the packet size. If the packet size exceeds the tunnel maximum transmission unit (MTU) value, the packet is fragmented before encapsulation. For IPsec tunnels, the default MTU value is 1500 regardless of the interface MTU setting.

Configuring Destination Addresses for Dead Peer Detection


To specify the remote address to which the IPsec traffic is directed, include the remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
remote-gateway address;

To specify a backup remote address, include the backup-remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
backup-remote-gateway address;

These two statements support both IPv4 and IPv6 address formats. Configuring the backup-remote-gateway statement enables the dead peer detection (DPD) protocol, which monitors the tunnel state and remote peer availability. When the primary tunnel defined by the remote-gateway statement is active, the backup tunnel is in standby mode. If the DPD protocol determines that the primary remote gateway address is no longer reachable, a new tunnel is established to the backup address. If there is no incoming traffic from a peer during a defined interval of 10 seconds, the router detects a tunnel as inactive. A global timer polls all tunnels every 10 seconds and the Adaptive Services (AS) or Multiservices Physical Interface Card (PIC) sends a message listing any inactive tunnels. If a tunnel becomes inactive, the router takes the following steps to fail over to the backup address:

1. The adaptive services message triggers the DPD protocol to send a hello message to the peer.

2. If no acknowledgment is received, two retries are sent at 2-second intervals, and then the tunnel is declared dead.

3. Failover takes place if the tunnel is declared dead or there is an IPsec Phase 1 negotiation timeout. The primary tunnel is put in standby mode and the backup becomes active.

4. If the negotiation to the backup tunnel times out, the router switches back to the primary tunnel. If both peers are down, it tries the failover six times. It then stops failing over and reverts to the original configuration, with the primary tunnel active and the backup in standby mode.

You can also enable triggering of DPD Hello messages without configuring a backup remote gateway by including the initiate-dead-peer-detection statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
initiate-dead-peer-detection;

The monitoring behavior is the same as described for the backup-remote-gateway statement. This configuration enables the router to initiate DPD Hellos when a backup IPsec gateway does not exist and clean up the IKE and IPsec SAs in case the IKE peer is not reachable. If the DPD protocol determines that the primary remote gateway address is no longer reachable, a new tunnel is established to the backup address. However, when you configure initiate-dead-peer-detection without a backup remote gateway address and the DPD protocol determines that the primary remote gateway address is no longer reachable, the tunnel is declared dead and IKE and IPsec SAs are cleaned up.


For more information on the DPD protocol, see RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers.
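The inactivity poll, hello retries and failover steps described above, as an added example that is not from this guide: a Python model that replays the sequence (10-second inactivity poll, one DPD hello plus two retries at 2-second intervals, failover to backup-remote-gateway, switch back, six attempts, revert) against constructed peers whose reachability is declared up front. Counting "six times" as six alternating failover attempts, and the timestamps, are assumptions of the model.

```python
"""Added example, not Juniper code: a model of the dead peer detection (DPD)
failover steps this section describes, run against constructed peers."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = 10   # seconds without incoming traffic -> tunnel inactive
DPD_RETRIES = 2         # retries after the first hello goes unanswered
RETRY_INTERVAL = 2      # seconds between retries
MAX_FAILOVERS = 6       # failover attempts when both peers are down


@dataclass
class Peer:
    """Constructed remote gateway: does it ack DPD hellos, and does an IKE
    Phase 1 negotiation with it complete? (Real peers are observed, not declared.)"""
    address: str
    acks_dpd: bool
    negotiates: bool


@dataclass
class Term:
    """The then-clause statements that drive DPD."""
    remote_gateway: Peer
    backup_remote_gateway: Optional[Peer] = None
    initiate_dead_peer_detection: bool = False

    @property
    def dpd_enabled(self) -> bool:
        # Either statement enables DPD; with neither, nothing is probed.
        return (self.backup_remote_gateway is not None
                or self.initiate_dead_peer_detection)


def inactive_tunnels(last_rx: Dict[str, int], now: int) -> List[str]:
    """The global poll: tunnels with no incoming traffic for 10 s are reported."""
    return [name for name, t in last_rx.items() if now - t >= INACTIVITY_LIMIT]


def probe(peer: Peer, t: int, log: List[str]) -> Tuple[bool, int]:
    """Steps 1 and 2: one hello, then two retries 2 s apart; returns (alive, t)."""
    for attempt in range(1 + DPD_RETRIES):
        log.append(f"t={t}s hello #{attempt + 1} -> {peer.address}")
        if peer.acks_dpd:
            log.append(f"t={t}s ack from {peer.address}")
            return True, t
        t += RETRY_INTERVAL
    log.append(f"t={t}s {peer.address} declared dead")
    return False, t


def handle_inactive(term: Term, t: int = 0) -> Tuple[str, Optional[str], List[str]]:
    """Steps 1 to 4 for one inactive tunnel: (state, active gateway, log)."""
    log: List[str] = []
    if not term.dpd_enabled:
        return "no-dpd", term.remote_gateway.address, log
    alive, t = probe(term.remote_gateway, t, log)
    if alive:
        return "alive", term.remote_gateway.address, log
    backup = term.backup_remote_gateway
    if backup is None:
        # initiate-dead-peer-detection with no backup: the SAs are cleaned up.
        log.append(f"t={t}s IKE and IPsec SAs for {term.remote_gateway.address} cleared")
        return "sa-cleared", None, log
    # Steps 3 and 4: a dead primary or a Phase 1 timeout moves the active role
    # to the other gateway. Assumption of this model: "six times" counts these
    # alternating failover attempts.
    standby, candidate = term.remote_gateway, backup
    for attempt in range(1, MAX_FAILOVERS + 1):
        log.append(f"failover #{attempt}: {standby.address} standby, "
                   f"{candidate.address} active")
        if candidate.negotiates:
            return "active", candidate.address, log
        log.append(f"Phase 1 to {candidate.address} timed out, switching back")
        standby, candidate = candidate, standby
    log.append(f"both peers down after {MAX_FAILOVERS} failovers; reverting to "
               f"{term.remote_gateway.address} active, {backup.address} standby")
    return "reverted", term.remote_gateway.address, log


if __name__ == "__main__":
    # Constructed scenario: the primary stops answering, the backup is healthy.
    primary = Peer("192.0.2.1", acks_dpd=False, negotiates=False)
    backup = Peer("198.51.100.1", acks_dpd=True, negotiates=True)
    for name in inactive_tunnels({"tunnel-1": 0, "tunnel-2": 25}, now=30):
        state, gateway, log = handle_inactive(Term(primary, backup))
        print(name, state, gateway, *log, sep="\n  ")
```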

Configuring or Disabling IPsec Anti-Replay


To configure the size of the IPsec antireplay window, include the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
anti-replay-window-size bits;

anti-replay-window-size can take values in the range from 64 through 4096 bits. The default value is 64 bits for AS PICs and 128 bits for Multiservices PICs and DPCs. AS PICs can support a maximum replay window size of 1024 bits, whereas Multiservices PICs and DPCs can support a maximum replay window size of 4096 bits. When the software is committing an IPsec configuration, the key management process (kmd) is unable to differentiate between the service interface types. As a result, if the maximum antireplay window size exceeds 1024 for AS PICs, the commit succeeds and no error message is produced. However, the software internally sets the antireplay window size for AS PICs to 1024 bits even if the configured value of the anti-replay-window-size is larger. To disable the IPsec antireplay feature, include the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
no-anti-replay;

By default, antireplay service is enabled. Occasionally this can cause interoperability issues with other vendors' equipment.

Enabling System Log Messages


To record an alert in the system logging facility, include the syslog statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
syslog;

Specifying the MTU for IPsec Tunnels


To configure a specific maximum transmission unit (MTU) value for IPsec tunnels, include the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then]
tunnel-mtu bytes;

NOTE: The tunnel-mtu setting is the only place you need to configure an MTU value for IPsec tunnels. Inclusion of an mtu setting at the [edit interfaces sp-fpc/pic/port unit logical-unit-number family inet] hierarchy level is not supported.


Configuring IPsec Rule Sets


The rule-set statement defines a collection of IPsec rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services ipsec-vpn] hierarchy level with a rule statement for each rule:
[edit services ipsec-vpn]
rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

Configuring Dynamic Endpoints for IPsec Tunnels


IPsec tunnels can also be established using dynamic peer security gateways, in which the remote ends of tunnels do not have a statically assigned IP address. Since the remote address is not known and might be pulled from an address pool each time the remote host reboots, establishment of the tunnel relies on using IKE main mode with either preshared global keys or digital certificates that accept any remote identification value. For more information on IKE policy modes, see Configuring the Mode for an IKE Policy on page 337. Both policy-based and link-type tunnels are supported:

Policy-based tunnels use shared mode.

Link-type or routed tunnels use dedicated mode. Each tunnel allocates a service interface from a pool of interfaces configured for the dynamic peers. Routing protocols can be configured to run on these service interfaces to learn routes over the IPsec tunnel that is used as a link in this scenario.

This section includes the following topics:


Authentication Process on page 354

Implicit Dynamic Rules on page 354

Reverse Route Insertion on page 355

Configuring an IKE Access Profile on page 355

Referencing the IKE Access Profile in a Service Set on page 357

Configuring the Interface Identifier on page 357

Default IKE and IPsec Proposals on page 358


Authentication Process


The remote (dynamic peer) initiates the negotiations with the local (Juniper Networks) router. The local router uses the default IKE and IPsec policies to match the proposals sent by the remote peer to negotiate the security association (SA) values. Implicit proposals contain a list of all the supported transforms that the local router expects from all the dynamic peers.

If preshared key authentication is used, the preshared key is global for a service set. When seeking the preshared key for the peer, the local router matches the peer's source address against any explicitly configured preshared keys in that service set. If a match is not found, the local router uses the global preshared key for authentication. This key is the one configured in the IKE access profile referenced by the service set.

Phase 2 of the authentication matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic. You can configure proxy identities by including the allowed-proxy-pair statement in the IKE access profile. If no entry matches, the negotiation is rejected. If you do not configure the allowed-proxy-pair statement, the default value ANY(0.0.0.0/0)-ANY is applied, and the local router accepts any proxy identities sent by the peer. Both IPv4 and IPv6 addresses are accepted, but you must configure all IPv6 addresses manually.

Once the phase 2 negotiation completes successfully, the router builds the dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.

Implicit Dynamic Rules


After successful negotiation with the dynamic peer, the key management process (kmd) creates a dynamic rule for the accepted phase 2 proxy and applies it on the local AS or Multiservices PIC. The source and destination addresses are specified by the accepted proxy. This rule is used to encrypt traffic directed to one of the end hosts in the phase 2 proxy identity. The dynamic rule includes an ipsec-inside-interface value, which is the interface name assigned to the dynamic tunnel. The source-address and destination-address values are accepted from the proxy ID. The match-direction value is input for next-hop-style service sets.

NOTE: You do not configure this rule; it is created by the key management process (kmd).

Rule lookup for static tunnels is unaffected by the presence of a dynamic rule; it is performed in the order configured. When a packet is received for a service set, static rules are always matched first. Dynamic rules are matched after the rule match for static rules has failed.
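The lookup order just described, together with the match-direction filtering, the from-clause defaults and the rule-set processing from Configuring IPsec Rules and Configuring IPsec Rule Sets, as an added example that is not from this guide: a Python model of rule lookup over constructed rules and packets. That an omitted selector (0.0.0.0/0) matches only IPv4 packets, and the shape of the kmd-created dynamic rule, are assumptions of the model; the then actions are kept as labels only.

```python
"""Added example, not Juniper code: a model of IPsec rule lookup as this
chapter describes it, run against constructed rules and packets."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPV4_ANY = ipaddress.ip_network("0.0.0.0/0")   # default for an omitted selector


def _selector(prefix: Optional[str]):
    # An omitted source-address/destination-address means 0.0.0.0/0 (IPv4 ANY).
    return ipaddress.ip_network(prefix, strict=False) if prefix else IPV4_ANY


def _covers(net, addr) -> bool:
    # Assumption of this model: a selector only matches its own address family,
    # which is why the guide says IPv6 ANY has to be configured explicitly.
    return addr.version == net.version and addr in net


@dataclass
class Term:
    """One term: the from selectors, and the then action kept as a label."""
    name: str
    then: str
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    ipsec_inside_interface: Optional[str] = None   # next-hop-style sets only

    def matches(self, src, dst, inside_interface: Optional[str]) -> bool:
        if self.ipsec_inside_interface and self.ipsec_inside_interface != inside_interface:
            return False
        return (_covers(_selector(self.source_address), src)
                and _covers(_selector(self.destination_address), dst))


@dataclass
class Rule:
    name: str
    match_direction: str          # input | output
    terms: List[Term] = field(default_factory=list)


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                # carried with the packet to the PIC
    inside_interface: Optional[str] = None


def lookup(rule_set: List[Rule], dynamic_rules: List[Rule], pkt: Packet) -> str:
    """First matching term wins: static rules in configured order, then the
    kmd-created dynamic rules; when nothing matches the packet is dropped."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in list(rule_set) + list(dynamic_rules):
        if rule.match_direction != pkt.direction:
            continue          # only rules whose direction matches are considered
        for term in rule.terms:
            if term.matches(src, dst, pkt.inside_interface):
                return f"{rule.name}/{term.name}: {term.then}"
    return "drop"


if __name__ == "__main__":
    # Constructed rule set: a selector term, an any-any output term, a
    # link-type term keyed on ipsec-inside-interface, and an IPv6 term.
    static = [
        Rule("rule-1", "input", [Term("term-1", "dynamic", "10.1.1.0/24", "10.2.2.0/24")]),
        Rule("rule-2", "output", [Term("term-1", "manual bidirectional")]),
        Rule("rule-3", "input", [
            Term("term-1", "dynamic link-type", ipsec_inside_interface="sp-1/2/0.10"),
            Term("term-6", "dynamic v6", "2001:db8::/32", "2001:db8:1::/48")]),
    ]
    # Constructed stand-in for a rule kmd built from an accepted proxy pair.
    dynamic = [Rule("kmd-dynamic-1", "input",
                    [Term("proxy", "dynamic peer", "10.1.1.0/24", "10.2.2.0/24")])]
    for pkt in (Packet("10.1.1.5", "10.2.2.9", "input"),
                Packet("10.1.1.5", "10.2.2.9", "output"),
                Packet("192.0.2.1", "198.51.100.1", "input")):
        print(pkt, "->", lookup(static, dynamic, pkt))
```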


Response to dead peer detection (DPD) hello messages takes place the same way with dynamic peers as with static peers. Initiating DPD hello messages from dynamic peers is not supported. For more information on DPD, see Configuring Destination Addresses for Dead Peer Detection on page 350.

Reverse Route Insertion


Static routes are automatically inserted into the route table for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities. Each route is created based on the remote proxy network and mask sent by the peer and is inserted in the relevant route table after successful phase 1 and phase 2 negotiations. The route preference for each static reverse route is 1. This value is necessary to avoid conflict with similar routes that might be added by the routing protocol process (rpd). No routes are added if the accepted remote proxy address is the default (0.0.0.0/0). In this case you can run routing protocols over the IPsec tunnel to learn routes and add static routes for the traffic you want to be protected over this tunnel. For next-hop-style service sets, the reverse routes include next hops pointing to the locations specified by the inside-service-interface statement. The route table in which to insert these routes depends on where the inside-service-interface location is listed. If these interfaces are present in a VPN routing and forwarding (VRF) instance, then routes are added to the corresponding VRF table; otherwise, the routes are added to inet.0.

NOTE: Reverse route insertion takes place only for tunnels to dynamic peers. These routes are added only for next-hop-style service sets.

Configuring an IKE Access Profile


You can configure only one tunnel profile per service set for all dynamic peers. The preshared key configured in the profile is used for IKE authentication of all dynamic peers terminating in that service set. Alternatively, you can include the ike-policy statement to reference an IKE policy you define with either specific identification values or a wildcard (the any-remote-id option). You configure the IKE policy at the [edit services ipsec-vpn ike] hierarchy level; for more information, see Configuring IKE Policies on page 335.

The IKE tunnel profile specifies all the information needed to complete the IKE negotiation. Each protocol has its own statement hierarchy within the client statement to configure protocol-specific attribute value pairs, but only one client configuration is allowed for each profile. The following is the configuration at the [edit access] hierarchy level; for more information on access profiles, see the Junos OS System Basics Configuration Guide.

[edit access]
profile profile-name {
    client * {
        ike {
            allowed-proxy-pair {
                remote remote-proxy-address local local-proxy-address;
            }
            pre-shared-key (ascii-text key-string | hexadecimal key-string);
            ike-policy policy-name;
            interface-id <string-value>;
            ipsec-policy ipsec-policy;
        }
    }
}

NOTE: For dynamic peers, the Junos OS supports the IKE main mode with either the preshared key method of authentication or an IKE access profile that uses a local digital certificate.

In preshared key mode, the IP address is used to identify a tunnel peer to get the preshared key information. The client value * (wildcard) means that configuration within this profile is valid for all dynamic peers terminating within the service set accessing this profile. In digital certificate mode, the IKE policy defines which remote identification values are allowed; for more information, see Configuring IKE Policies on page 335.

The following statements make up the IKE profile:

allowed-proxy-pair: During phase 2 IKE negotiation, the remote peer supplies its own network address (remote) and the network address on this router's side (local). Because multiple dynamic tunnels are authenticated through the same mechanism, this statement must list every combination you are willing to accept. If the dynamic peer does not present an allowed combination, the phase 2 IKE negotiation fails. If no values are configured, remote 0.0.0.0/0 local 0.0.0.0/0 is used by default. Both IPv4 and IPv6 address formats are supported, but there is no IPv6 default: an IPv6 pair must be configured explicitly, even if it is only 0::0/0.

pre-shared-key: Key used to authenticate the dynamic peer during IKE phase 1 negotiation. The key must be known to both ends and distributed through an out-of-band secure mechanism. You can configure the value in either hexadecimal or ascii-text format. It is a mandatory value.

ike-policy: Policy that defines the remote identification values corresponding to the allowed dynamic peers; it can contain the wildcard value any-remote-id, which is for use in dynamic endpoint configurations only.

interface-id: Interface identifier, a mandatory attribute used to derive the logical service interface information for the session.

ipsec-policy: Name of the IPsec policy that defines the IPsec policy information for the session. You define the IPsec policy at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level. If no policy is set, any policy proposed by the dynamic peer is accepted.
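The following Python program is an added example, not Juniper code. It models two of the behaviours described above: the allowed-proxy-pair check made during phase 2 (including the IPv4-only default) and the reverse-route insertion described under Reverse Route Insertion. The data structures, the assumption that a configured pair covers any presented pair that falls inside it, and the inet6.0 table name used for IPv6 proxies are this example's own; confirm the exact matching behaviour against your release before relying on it.

```python
# Added example, not Juniper code: models (1) the allowed-proxy-pair check a dynamic
# peer's phase 2 proxy identities are subjected to and (2) the reverse routes inserted
# for the accepted remote proxy. Data structures are this example's assumptions.
# Assumption: a configured pair covers any presented pair that falls inside it (this is
# what makes the implicit 0.0.0.0/0 pair accept everything).
import ipaddress
from dataclasses import dataclass, field

# Implicit pair used when allowed-proxy-pair is not configured; IPv4 only, no IPv6 default.
DEFAULT_V4_PAIR = ("0.0.0.0/0", "0.0.0.0/0")


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=False)


@dataclass
class IkeProfile:
    # list of (remote, local) pairs as configured under allowed-proxy-pair
    allowed_proxy_pairs: list = field(default_factory=list)


def proxy_pair_allowed(profile: IkeProfile, remote_proxy: str, local_proxy: str) -> bool:
    """Return True if phase 2 may proceed for the (remote, local) pair the peer presents."""
    remote, local = _net(remote_proxy), _net(local_proxy)
    pairs = profile.allowed_proxy_pairs or [DEFAULT_V4_PAIR]
    for r, l in pairs:
        r_net, l_net = _net(r), _net(l)
        if r_net.version != remote.version or l_net.version != local.version:
            continue          # an IPv4 pair never covers IPv6 proxies, and vice versa
        if remote.subnet_of(r_net) and local.subnet_of(l_net):
            return True
    return False


def reverse_routes(remote_proxies: list, inside_interface: str, interface_vrf: dict) -> list:
    """Static routes kmd would insert after phase 1 and 2 succeed, one per remote proxy:
    preference 1, next hop the inside-service-interface, placed in the VRF table when
    that interface belongs to a VRF and in inet.0 otherwise. A default proxy inserts
    nothing. The inet6.0 name for IPv6 proxies is this example's assumption."""
    vrf = interface_vrf.get(inside_interface)   # None: interface is in the master instance
    routes = []
    for prefix in remote_proxies:
        net = _net(prefix)
        if net.prefixlen == 0:
            continue                             # 0.0.0.0/0 or ::/0: run a routing protocol instead
        family = "inet6.0" if net.version == 6 else "inet.0"
        table = f"{vrf}.{family}" if vrf else family
        routes.append({"table": table, "prefix": str(net), "preference": 1,
                       "next_hop": inside_interface})
    return routes


if __name__ == "__main__":
    # Constructed data matching the dynamic endpoint example: N-2 and N-3 behind SG-2/SG-3.
    profile = IkeProfile([("172.16.2.0/24", "172.16.1.0/24"),
                          ("172.16.3.0/24", "172.16.1.0/24")])
    print(proxy_pair_allowed(profile, "172.16.3.0/24", "172.16.1.0/24"))   # accepted
    print(proxy_pair_allowed(profile, "172.16.4.0/24", "172.16.1.0/24"))   # phase 2 fails
    print(reverse_routes(["172.16.2.0/24"], "sp-0/0/0.3", {"sp-0/0/0.3": "demo-vrf"}))
```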


Referencing the IKE Access Profile in a Service Set


To complete the configuration, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set name ipsec-vpn-options] hierarchy level:

[edit services service-set name]
ipsec-vpn-options {
    local-gateway address;
    ike-access-profile profile-name;
}
next-hop-service {
    inside-service-interface interface-name;
    outside-service-interface interface-name;
}

The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPsec security associations with dynamic peers only.

NOTE: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address. Also, you must configure a separate service set for each VRF instance. All interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF instance.
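The constraints in the note above are easy to break when several service sets are edited in one commit. The following Python check is an added example, not Juniper code; the dictionary layout for service sets and the interface-to-VRF map are assumptions made for the illustration, and the function returns every violation it finds rather than stopping at the first:

```python
# Added example, not Juniper code: a pre-commit check for the constraints stated in the
# note above. The dict layout for service sets and the interface-to-VRF map are this
# example's assumptions; they are not read from the router.
from collections import defaultdict


def check_service_sets(service_sets: list, interface_vrf: dict) -> list:
    """Each service set is a dict: name, local_gateway, ike_access_profile (None if
    absent) and inside_interfaces (every interface its rules name in
    ipsec-inside-interface). interface_vrf maps interface -> VRF name; an interface
    that is absent is taken to be in the master instance (inet.0). Returns the list
    of violations; an empty list means the configuration satisfies the note."""
    problems = []

    # 1. A local-gateway address used by a set with an ike-access-profile must not be
    #    shared with any other service set.
    by_gateway = defaultdict(list)
    for ss in service_sets:
        by_gateway[ss["local_gateway"]].append(ss)
    for gateway, sets in by_gateway.items():
        if len(sets) > 1 and any(s["ike_access_profile"] for s in sets):
            names = ", ".join(s["name"] for s in sets)
            problems.append(f"local-gateway {gateway} is shared by {names}; "
                            "a service set with an ike-access-profile must own it exclusively")

    # 2. All ipsec-inside-interface interfaces of one set must sit in one VRF, i.e. one
    #    service set per VRF instance.
    for ss in service_sets:
        instances = {interface_vrf.get(i, "inet.0") for i in ss["inside_interfaces"]}
        if len(instances) > 1:
            problems.append(f"service-set {ss['name']} spans instances {sorted(instances)}; "
                            "configure a separate service set for each VRF")
    return problems


# Constructed sample configuration: one clean set and two that break the rules.
SAMPLE_SETS = [
    {"name": "demo-service-set", "local_gateway": "10.1.1.1",
     "ike_access_profile": "demo-access-profile", "inside_interfaces": ["sp-0/0/0.3"]},
    {"name": "static-only", "local_gateway": "10.1.1.1",
     "ike_access_profile": None, "inside_interfaces": ["sp-0/0/0.5"]},
    {"name": "mixed-vrf", "local_gateway": "10.1.1.2",
     "ike_access_profile": "demo-access-profile",
     "inside_interfaces": ["sp-0/0/0.6", "sp-0/0/0.7"]},
]
SAMPLE_VRFS = {"sp-0/0/0.3": "demo-vrf", "sp-0/0/0.5": "demo-vrf", "sp-0/0/0.6": "demo-vrf"}

if __name__ == "__main__":
    for problem in check_service_sets(SAMPLE_SETS, SAMPLE_VRFS):
        print("violation:", problem)
```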

Configuring the Interface Identifier


You can configure an interface identifier for a group of dynamic peers, which specifies which adaptive services logical interfaces take part in the dynamic IPsec negotiation. By assigning the same interface identifier to multiple logical interfaces, you can create a pool of interfaces for this purpose. To configure an interface identifier, include the ipsec-interface-id statement and the dedicated or shared statement at the [edit interfaces interface-name unit logical-unit-number dial-options] hierarchy level:

[edit interfaces interface-name unit logical-unit-number dial-options]
ipsec-interface-id identifier;
(dedicated | shared);

Specifying the interface identifier in the dial-options statement makes this logical interface part of the pool identified by the ipsec-interface-id statement.

NOTE: Only one interface identifier can be specified at a time. You can include the ipsec-interface-id statement or the l2tp-interface-id statement, but not both.


The shared statement lets one logical interface be shared across multiple tunnels. The dedicated statement specifies that the logical interface is used in dedicated mode, which is necessary when you are configuring an IPsec link-type tunnel. When you specify an ipsec-interface-id value you must also include one of the two: dedicated for link-type tunnels, or shared when several policy-based tunnels are to terminate on the same logical interface.

Default IKE and IPsec Proposals


The software includes implicit default IKE and IPsec proposals to match the proposals sent by the dynamic peers. The values are shown in Table 13 on page 358; where more than one value is listed, the first value is the default. For more information on IKE proposals, see Configuring IKE Proposals on page 332; for more information on IPsec proposals, see Configuring IPsec Proposals on page 341.

NOTE: RSA certificates are not supported with dynamic endpoint configuration.

Table 13: Default IKE and IPsec Proposals for Dynamic Negotiations

Implicit IKE proposal

    Statement name              Values
    authentication-method       pre-shared-keys
    dh-group                    group1, group2, group5, group14
    authentication-algorithm    sha1, md5, sha-256
    encryption-algorithm        3des-cbc, des-cbc, aes-128, aes-192, aes-256
    lifetime-seconds            3600 seconds

Implicit IPsec proposal

    Statement name              Values
    protocol                    esp, ah, bundle
    authentication-algorithm    hmac-sha1-96, hmac-md5-96
    encryption-algorithm        3des-cbc, des-cbc, aes-128, aes-192, aes-256
    lifetime-seconds            28,800 seconds (8 hours)

Because the implicit lists include des-cbc, md5, hmac-md5-96 and group1, a dynamic peer that offers only those algorithms is still accepted. If that is not acceptable in your deployment, reference an IKE policy and an IPsec policy from the access profile so that only the proposals you configured are negotiated (see Configuring an IKE Access Profile on page 355).

Tracing IPsec Operations


Trace operations track IPsec events and record them in a log file in the /var/log directory. By default, this file is named /var/log/kmd. To trace IPsec operations, include the traceoptions statement at the [edit services ipsec-vpn] hierarchy level:


[edit services ipsec-vpn]
traceoptions {
    file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
    flag flag;
    level level;
    no-remote-trace;
}

You can specify the following IPsec tracing flags:

all: Trace everything.
certificates: Trace certificate events.
database: Trace security association database events.
general: Trace general events.
ike: Trace IKE module processing.
parse: Trace configuration processing.
policy-manager: Trace policy manager processing.
routing-socket: Trace routing socket messages.
snmp: Trace SNMP operations.
timer: Trace internal timer events.

The level statement sets the key management process (kmd) tracing level. The following values are supported:

all: Match all levels.
error: Match error conditions.
info: Match informational messages.
notice: Match conditions that should be handled specially.
verbose: Match verbose messages.
warning: Match warning messages.

Disabling IPsec Tunnel Endpoint in Traceroute


If you include the no-ipsec-tunnel-in-traceroute statement at the [edit services ipsec-vpn] hierarchy level, the IPsec tunnel is not treated as a next hop and TTL is not decremented. Also, if the TTL reaches zero, an ICMP time exceeded message is not generated.
[edit services ipsec-vpn]
no-ipsec-tunnel-in-traceroute;


NOTE: This functionality is also provided by the passive-mode-tunneling statement described in Configuring IPsec Service Sets on page 573. You can use the no-ipsec-tunnel-in-traceroute statement in specific scenarios in which the IPsec tunnel should not be treated as a next hop and passive mode is not desired.

Tracing IPsec PKI Operations


Trace operations track IPsec PKI events and record them in a log file in the /var/log directory. By default, this file is named /var/log/pkid. To trace IPsec PKI operations, include the traceoptions statement at the [edit security pki] hierarchy level:

[edit security pki]
traceoptions {
    file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    flag (all | certificate-verification | enrollment | online-crl-check);
}

You can specify the following PKI tracing flags:

all: Trace everything.
certificate-verification: Trace certificate verification events.
enrollment: Trace certificate enrollment events.
online-crl-check: Trace online CRL check events.

Configuring IPSec on the Services SDK


Starting with Junos OS Release 11.4, IPSec is supported by the Services SDK. IPSec on the Services SDK is supported on all M Series, T Series and MX Series routers with Multiservices 100, Multiservices 400 PICs, and Multiservices DPCs. IPSec on the Services SDK has the following limitations:

IPSec on the Services SDK supports only policies negotiated between dynamic peer security gateways in which the remote ends of tunnels do not have a statically assigned IP address (Dynamic Endpoints).


Encapsulating Security Payload (ESP) is the only protocol that is supported for protecting IP traffic. IPSec on the Services SDK does not support IPv6.

To enable IPSec for the Services SDK on the adaptive services interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the IPSec plugin on the Services SDK, package-name in the package package-name statement is jservices-ipsec. For more information about the Services SDK, see the SDK Applications Configuration Guide and Command Reference. The following example shows how to enable IPSec for the Services SDK on the adaptive services interface:
chassis {
    fpc 1 {
        pic 2 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 1280;
                        policy-db-size 64;
                        package jservices-crypto-base;
                        package jservices-ipsec;
                    }
                }
            }
        }
    }
}

Configure the inside and outside interfaces for next-hop-style service sets:
service-set abc {
    next-hop-service {
        inside-service-interface ms-0/2/0.1;    # Name and logical unit of the service interface on the inside of the network
        outside-service-interface ms-0/2/0.2;   # Name and logical unit of the service interface on the outside of the network
    }
}

Examples: Configuring IPsec Services


See the following sections:

Example: Configuring Statically Assigned Tunnels on page 362
Example: Configuring Dynamically Assigned Tunnels on page 364
Multitask Example: Configuring IPsec Services on page 369


Example: Configuring Statically Assigned Tunnels


Following is the configuration of the provider edge (PE) router, demonstrating the use of next-hop service sets and dynamic SA configuration:

[edit interfaces]
so-0/0/0 {
    no-keepalives;
    encapsulation cisco-hdlc;
    unit 0 {
        family inet {
            address 10.6.6.6/32;
        }
    }
}
so-2/2/0 {
    description "teller so-0/2/0";
    no-keepalives;
    encapsulation cisco-hdlc;
    unit 0 {
        family inet {
            address 10.21.1.1/16;
        }
    }
}
sp-3/1/0 {
    unit 0 {
        family inet {
            address 10.7.7.7/32;
        }
    }
    unit 1 {
        family inet;
        service-domain inside;
    }
    unit 2 {
        family inet;
        service-domain outside;
    }
}
[edit policy-options]
policy-statement vpn-export {
    then {
        community add vpn-comm;
        accept;
    }
}
policy-statement vpn-import {
    term a {
        from community vpn-comm;
        then accept;
    }
}
community vpn-comm members target:100:20;
[edit routing-instances]
vrf {
    instance-type vrf;
    interface sp-3/1/0.1;    # Inside sp interface
    interface so-0/0/0.0;
    route-distinguisher 192.168.0.1:1;
    vrf-import vpn-import;
    vrf-export vpn-export;
    routing-options {
        static {
            route 10.0.0.0/0 next-hop so-0/0/0.0;
            route 10.11.11.1/32 next-hop so-0/0/0.0;
            route 10.8.8.1/32 next-hop sp-3/1/0.1;
        }
    }
}
[edit services]
ipsec-vpn {
    rule rule-1 {
        term term-1 {
            then {
                remote-gateway 10.21.2.1;
                dynamic {
                    ike-policy ike-policy;
                }
            }
        }
        match-direction input;
    }
    ike {
        policy ike-policy {
            pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";
        }
    }
}
service-set service-set-1 {
    ipsec-vpn-options {
        local-gateway 10.21.1.1;
    }
    ipsec-vpn-rules rule-1;
    next-hop-service {
        inside-service-interface sp-3/1/0.1;
        outside-service-interface sp-3/1/0.2;
    }
}

Following is an example of configuring multiple link-type tunnels to static peers using a single next-hop style service set:

[edit services]
ipsec-vpn {
    rule demo-rule {
        term term-0 {
            from {
                ipsec-inside-interface sp-0/0/0.1;
            }
            then {
                remote-gateway 10.2.2.2;
                dynamic {
                    ike-policy demo-ike-policy;
                }
            }
        }
        term term-1 {
            from {
                ipsec-inside-interface sp-0/0/0.3;
            }
            then {
                remote-gateway 10.3.3.3;
                dynamic {
                    ike-policy demo-ike-policy;
                }
            }
        }
        match-direction input;
    }
}
service-set demo-service-set {
    next-hop-service {
        inside-service-interface sp-0/0/0.1;
        outside-service-interface sp-0/0/0.2;
    }
    ipsec-vpn-options {
        local-gateway 10.1.1.1;
    }
    ipsec-vpn-rules demo-rule;
}
[edit interfaces]
sp-0/0/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        service-domain inside;
    }
    unit 2 {
        family inet;
        service-domain outside;
    }
    unit 3 {
        family inet;
        service-domain inside;
    }
    unit 4 {
        family inet;
        service-domain inside;
    }
}

Example: Configuring Dynamically Assigned Tunnels


The following examples are based on this network configuration (see Figure 9 on page 365):


A local network N-1 behind security gateway SG-1, a Juniper Networks router terminating static as well as dynamic peer endpoints. The tunnel termination address on SG-1 is 10.1.1.1 and the local network address is 172.16.1.0/24.

Two remote peer routers that obtain addresses from an ISP pool and run RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and resides behind security gateway SG-2 with tunnel termination address 10.2.2.2. Remote network N-3 has address 172.16.3.0/24 and resides behind security gateway SG-3 with tunnel termination address 10.3.3.3.

Figure 9: IPsec Dynamic Endpoint Tunneling Topology

The examples in this section show the following configurations:


Configuring a Next-Hop Style Service Set with Link-Type Tunnels on page 365
Configuring a Next-Hop Style Service Set with Policy-Based Tunnels on page 367

NOTE: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections.

Configuring a Next-Hop Style Service Set with Link-Type Tunnels

access {
    profile demo-access-profile {
        client * {
            ike {
                allowed-proxy-pair {
                    remote 0.0.0.0/0 local 0.0.0.0/0;    # ANY to ANY
                }
                pre-shared-key ascii-text keyfordynamicpeers;
                interface-id demo-ipsec-interface-id;
            }
        }
    }
}
services {
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.1.1;
            ike-access-profile demo-access-profile;    # must match the profile name under [edit access]
        }
    }
}

NOTE: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
        unit 3 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                dedicated;
            }
        }
        unit 4 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                dedicated;
            }
        }
    }
}

The following results are obtained:

Reverse routes inserted after successful negotiation: none (the accepted remote proxy is the default 0.0.0.0/0, for which no reverse route is added)

Routes learned by routing protocol: 172.16.2.0/24 and 172.16.3.0/24

Dynamic implicit rules created after successful negotiation:

rule: junos-dynamic-rule-0
    term: term-0
        local-gateway-address:  10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.2.2.2      # Tunnel termination address on SG-2
        source-address:         0.0.0.0/0
        destination-address:    0.0.0.0/0
        ipsec-inside-interface: sp-0/0/0.3
    term: term-1
        local-gateway-address:  10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.3.3.3      # Tunnel termination address on SG-3
        source-address:         0.0.0.0/0
        destination-address:    0.0.0.0/0
        ipsec-inside-interface: sp-0/0/0.4
    match-direction: input

Configuring a Next-Hop Style Service Set with Policy-Based Tunnels

access {
    profile demo-access-profile {
        client * {
            ike {
                allowed-proxy-pair {
                    remote 172.16.2.0/24 local 172.16.1.0/24;    # N-2 <==> N-1
                    remote 172.16.3.0/24 local 172.16.1.0/24;    # N-3 <==> N-1
                }
                pre-shared-key ascii-text keyfordynamicpeers;
                interface-id demo-ipsec-interface-id;
            }
        }
    }
}
services {
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.1.1;
            ike-access-profile demo-access-profile;    # must match the profile name under [edit access]
        }
    }
}

NOTE: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
        unit 3 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                shared;    # one logical interface serves both policy-based tunnels
            }
        }
    }
}
# VRF configuration, if not inet.0
routing-instances {
    demo-vrf {
        instance-type vrf;
        interface sp-0/0/0.1;
        interface sp-0/0/0.3;
        .....
    }
}

The following results are obtained:

Reverse routes injected after successful negotiation (one per accepted remote proxy, preference 1, in the table of the VRF that holds the inside interface):

demo-vrf.inet.0:    # Routing instance table
172.16.2.0/24    *[Static/1] ...
                  > via sp-0/0/0.3
172.16.3.0/24    *[Static/1] ...
                  > via sp-0/0/0.3

Dynamic implicit rules created after successful negotiation:

rule: junos-dynamic-rule-0
    term: term-0
        local-gateway-address:  10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.2.2.2      # Tunnel termination address on SG-2
        source-address:         172.16.1.0/24
        destination-address:    172.16.2.0/24
        ipsec-inside-interface: sp-0/0/0.3
    term: term-1
        local-gateway-address:  10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.3.3.3      # Tunnel termination address on SG-3
        source-address:         172.16.1.0/24
        destination-address:    172.16.3.0/24
        ipsec-inside-interface: sp-0/0/0.3
    match-direction: input


Multitask Example: Configuring IPsec Services


The following example-based instructions show how to configure IPsec services. The configuration involves defining an IKE proposal and policy, an IPsec proposal and policy, an IPsec rule, trace options, an access profile, and a service set. This topic includes the following tasks:

1. Configuring the IKE Proposal on page 369
2. Configuring the IKE Policy (and Referencing the IKE Proposal) on page 370
3. Configuring the IPsec Proposal on page 370
4. Configuring the IPsec Policy (and Referencing the IPsec Proposal) on page 371
5. Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies) on page 372
6. Configuring IPsec Trace Options on page 373
7. Configuring the Access Profile (and Referencing the IKE and IPsec Policies) on page 373
8. Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule) on page 374

Configuring the IKE Proposal


The IKE proposal configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. For more information about IKE proposals, see Configuring IKE Proposals on page 332. To define the IKE proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the authentication method, which is pre-shared-keys in this example:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal authentication-method pre-shared-keys

3. Configure the Diffie-Hellman group, for example, group1:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal dh-group group1

4. Configure the authentication algorithm, which is sha1 in this example:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal authentication-algorithm sha1

5. Configure the encryption algorithm, which is aes-256-cbc in this example:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IKE proposal:

[edit services ipsec-vpn]
user@host# show ike proposal test-IKE-proposal
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

Configuring the IKE Policy (and Referencing the IKE Proposal)


The IKE policy configuration defines the proposal, mode, addresses, and other security parameters used during IKE negotiation. For more information about IKE policies, see Configuring IKE Policies on page 335. To define the IKE policy and reference the IKE proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the IKE phase 1 mode, for example, main:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy mode main

3. Configure the proposal, which is test-IKE-proposal in this example:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy proposals test-IKE-proposal

4. Configure the local identification with an IPv4 address, for example, 192.168.255.2:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy local-id ipv4_addr 192.168.255.2

5. Configure the preshared key in ASCII text format, which is TEST in this example:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy pre-shared-key ascii-text TEST

   TEST is a placeholder; use a long, random key in production. In the committed configuration the key is displayed in the obfuscated $9$ form shown in the static tunnel example earlier in this chapter.

The following sample output shows the configuration of the IKE policy:

[edit services ipsec-vpn]
user@host# show ike policy test-IKE-policy
mode main;
proposals test-IKE-proposal;
local-id ipv4_addr 192.168.255.2;
pre-shared-key ascii-text TEST;

Configuring the IPsec Proposal


The IPsec proposal configuration defines the protocols and algorithms (security services) that are required to negotiate with the remote IPsec peer. For more information about IPsec proposals, see Configuring IPsec Proposals on page 341. To define the IPsec proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the IPsec protocol for the proposal, for example, esp:

   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal protocol esp

3. Configure the authentication algorithm for the proposal, which is hmac-sha1-96 in this example:

   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal authentication-algorithm hmac-sha1-96

4. Configure the encryption algorithm for the proposal, which is aes-256-cbc in this example:

   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IPsec proposal:

[edit services ipsec-vpn]
user@host# show ipsec proposal test-IPsec-proposal
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;

Configuring the IPsec Policy (and Referencing the IPsec Proposal)


The IPsec policy configuration defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines perfect forward secrecy (PFS) and the proposals needed for the connection. For more information about IPsec policies, see Configuring IPsec Policies on page 343. To define the IPsec policy and reference the IPsec proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the keys for perfect forward secrecy in the IPsec policy, for example, group1:

   [edit services ipsec-vpn]
   user@host# set ipsec policy test-IPsec-policy perfect-forward-secrecy keys group1

3. Configure the set of IPsec proposals in the IPsec policy, for example, test-IPsec-proposal:

   [edit services ipsec-vpn]
   user@host# set ipsec policy test-IPsec-policy proposals test-IPsec-proposal

The following sample output shows the configuration of the IPsec policy:

[edit services ipsec-vpn]
user@host# show ipsec policy test-IPsec-policy
perfect-forward-secrecy {
    keys group1;
}
proposals test-IPsec-proposal;

Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies)
The IPsec rule configuration defines the match direction, which specifies whether the match is applied on the input or output side of the interface. The configuration also consists of a set of terms that specify the match conditions and the actions and action modifiers the router software performs on matching traffic. For more information about IPsec rules, see Configuring IPsec Rules on page 346. To define the IPsec rule and reference the IKE and IPsec policies:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the destination address match for term 10 of the IPsec rule, for example, 192.168.255.2/32:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 from destination-address 192.168.255.2/32

3. Configure the remote gateway address for the term, for example, 0.0.0.0:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then remote-gateway 0.0.0.0

4. Configure a dynamic security association that references the IKE policy, which is test-IKE-policy in this example:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then dynamic ike-policy test-IKE-policy

5. Configure the dynamic security association to reference the IPsec policy, which is test-IPsec-policy in this example:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then dynamic ipsec-policy test-IPsec-policy

6. Configure the direction in which the rule match is applied, for example, input:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule match-direction input

The following sample output shows the configuration of the IPsec rule:

[edit services ipsec-vpn]
user@host# show rule test-IPsec-rule
term 10 {
    from {
        destination-address {
            192.168.255.2/32;
        }
    }
    then {
        remote-gateway 0.0.0.0;
        dynamic {
            ike-policy test-IKE-policy;
            ipsec-policy test-IPsec-policy;
        }
    }
}
match-direction input;

Configuring IPsec Trace Options


The IPsec trace options configuration tracks IPsec events and records them in a log file in the /var/log directory. By default, this file is named /var/log/kmd. For more information about trace options, see Tracing IPsec Operations on page 358. To define the IPsec trace options:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the trace file, which is ipsec.log in this example:

   [edit services ipsec-vpn]
   user@host# set traceoptions file ipsec.log

3. Configure the tracing flag, which is all in this example:

   [edit services ipsec-vpn]
   user@host# set traceoptions flag all

   The all flag is useful while troubleshooting a negotiation. Once the problem is found, narrow tracing to the flags you need (for example, ike) and consider the size and files options of the file statement so that the log does not grow without bound.

The following sample output shows the configuration of the IPsec trace options:

[edit services ipsec-vpn]
user@host# show traceoptions
file ipsec.log;
flag all;

Configuring the Access Profile (and Referencing the IKE and IPsec Policies)
The access profile configuration defines the access profile and references the IKE and IPsec policies. For more information about access profiles, see Configuring an IKE Access Profile on page 355. To define the access profile and reference the IKE and IPsec policies:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit access

2. Configure the list of local and remote proxy identity pairs with the allowed-proxy-pair option. In this example, 10.0.0.0/24 is the local proxy identity and 10.0.1.0/24 is the remote proxy identity:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24

3. Configure the IKE policy, for example, test-IKE-policy:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike ike-policy test-IKE-policy

4. Configure the IPsec policy, for example, test-IPsec-policy:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike ipsec-policy test-IPsec-policy

5. Configure the identifier of the logical service interface pool, which is TEST-intf in this example:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike interface-id TEST-intf

The following sample output shows the configuration of the access profile:

[edit access]
user@host# show profile IKE-profile-TEST
client * {
    ike {
        allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24;
        ike-policy test-IKE-policy;
        ipsec-policy test-IPsec-policy;
        interface-id TEST-intf;
    }
}

Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule)

The service set configuration defines the IPsec service set, which requires additional specifications, and references the IKE profile and the IPsec rule. For more information about IPsec service sets, see Configuring IPsec Service Sets on page 573. To define the service set with next-hop service interfaces and IPsec VPN options:

1. In configuration mode, go to the following hierarchy level:

[edit]
user@host# edit services

2. Configure the service set with the next-hop service interface for the inside network, for example sp-1/2/0.1:

[edit services]
user@host# set service-set TEST next-hop-service inside-service-interface sp-1/2/0.1

3. Configure the service set with the next-hop service interface for the outside network, for example sp-1/2/0.2:

[edit services]
user@host# set service-set TEST next-hop-service outside-service-interface sp-1/2/0.2
4. Configure the IPsec VPN options with the address (and, if needed, the routing instance) of the local gateway, for example 192.168.255.2:

[edit services]
user@host# set service-set TEST ipsec-vpn-options local-gateway 192.168.255.2


Chapter 16: IPsec Services Configuration Guidelines

5. Configure the IPsec VPN options with the IKE access profile for dynamic peers, which is IKE-profile-TEST in this example:

[edit services]
user@host# set service-set TEST ipsec-vpn-options ike-access-profile IKE-profile-TEST

6. Configure the service set with the IPsec VPN rule, which is test-IPsec-rule in this example:

[edit services]
user@host# set service-set TEST ipsec-vpn-rules test-IPsec-rule

The following sample output shows the service set configuration referencing the IKE profile and the IPsec rule:

[edit services]
user@host# show
service-set TEST {
    next-hop-service {
        inside-service-interface sp-1/2/0.1;
        outside-service-interface sp-1/2/0.2;
    }
    ipsec-vpn-options {
        local-gateway 192.168.255.2;
        ike-access-profile IKE-profile-TEST;
    }
    ipsec-vpn-rules test-IPsec-rule;
}
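The procedures in this chapter build the dynamic-endpoint configuration one hierarchy at a time. The following set commands are an added example, not part of the original guide, that collect the trace options, access profile and service set from the procedures above into one pasteable whole, together with the objects they reference. The names (TEST, IKE-profile-TEST, test-IKE-policy, test-IPsec-policy, test-IPsec-rule, TEST-intf, sp-1/2/0.1, sp-1/2/0.2, 192.168.255.2) are the ones used in the procedures. Everything else is an assumption: the service PIC unit configuration including the dial-options binding of the interface-id, the contents of the IKE and IPsec proposals and policies (chosen from the strongest options in the statement summary that follows), the body of the rule for dynamic peers, where the pre-shared key is placed, and the placeholder key value. The guide's earlier sections define these objects and yours may differ; check each statement against the summary before committing.

```junos
# Added example, not from the original guide. Assumed parts are marked.

# Service PIC logical units for the next-hop service set (assumed: the
# procedures reference sp-1/2/0.1 and sp-1/2/0.2 but do not show them).
set interfaces sp-1/2/0 unit 1 family inet
set interfaces sp-1/2/0 unit 1 service-domain inside
set interfaces sp-1/2/0 unit 2 family inet
set interfaces sp-1/2/0 unit 2 service-domain outside

# Pool of logical interfaces that dynamic peers are bound to, keyed by the
# interface-id TEST-intf named in the access profile (assumed: the
# dial-options statement belongs to the guide's dynamic endpoint section,
# which is not on this page).
set interfaces sp-1/2/0 unit 10 dial-options ipsec-interface-id TEST-intf
set interfaces sp-1/2/0 unit 10 dial-options shared
set interfaces sp-1/2/0 unit 10 family inet
set interfaces sp-1/2/0 unit 10 service-domain inside

# IKE proposal and policy (assumed contents). sha-256, aes-256-cbc and
# group14 are the strongest options the statement summary lists. Main mode
# is assumed acceptable to the peers; aggressive mode with a pre-shared key
# sends the identity and the authenticating hash before encryption starts.
set services ipsec-vpn ike proposal test-IKE-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal test-IKE-proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal test-IKE-proposal encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal test-IKE-proposal dh-group group14
set services ipsec-vpn ike proposal test-IKE-proposal lifetime-seconds 3600
set services ipsec-vpn ike policy test-IKE-policy mode main
set services ipsec-vpn ike policy test-IKE-policy proposals test-IKE-proposal
# Placeholder secret (assumed location, per the pre-shared-key statement):
# replace with a long random value before committing.
set services ipsec-vpn ike policy test-IKE-policy pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# IPsec proposal and policy (assumed contents). PFS with group14 means a
# later compromise of the IKE SA keys does not expose earlier IPsec SAs.
set services ipsec-vpn ipsec proposal test-IPsec-proposal protocol esp
set services ipsec-vpn ipsec proposal test-IPsec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal test-IPsec-proposal encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal test-IPsec-proposal lifetime-seconds 28800
set services ipsec-vpn ipsec policy test-IPsec-policy perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy test-IPsec-policy proposals test-IPsec-proposal

# IPsec rule for dynamic peers (assumed body): no remote-gateway, because
# the peer address is learned from the IKE exchange, and no
# ipsec-inside-interface, because it is generated for dynamic endpoints;
# the term applies a dynamic SA with the two policies.
set services ipsec-vpn rule test-IPsec-rule match-direction input
set services ipsec-vpn rule test-IPsec-rule term 1 then dynamic ike-policy test-IKE-policy
set services ipsec-vpn rule test-IPsec-rule term 1 then dynamic ipsec-policy test-IPsec-policy

# Drop IKE and IPsec SAs when the PIC restarts so stale state is not reused.
set services ipsec-vpn clear-ike-sas-on-pic-restart
set services ipsec-vpn clear-ipsec-sas-on-pic-restart

# Trace options from the procedure above. flag all is verbose; narrow it
# once the tunnel comes up.
set services ipsec-vpn traceoptions file ipsec.log
set services ipsec-vpn traceoptions flag all

# Access profile from the procedure above. client * accepts any IKE client
# identity, so allowed-proxy-pair is the only limit on the selectors a
# peer may negotiate; keep it to the prefixes actually served.
set access profile IKE-profile-TEST client * ike allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24
set access profile IKE-profile-TEST client * ike ike-policy test-IKE-policy
set access profile IKE-profile-TEST client * ike ipsec-policy test-IPsec-policy
set access profile IKE-profile-TEST client * ike interface-id TEST-intf

# Service set from the procedure above.
set services service-set TEST next-hop-service inside-service-interface sp-1/2/0.1
set services service-set TEST next-hop-service outside-service-interface sp-1/2/0.2
set services service-set TEST ipsec-vpn-options local-gateway 192.168.255.2
set services service-set TEST ipsec-vpn-options ike-access-profile IKE-profile-TEST
set services service-set TEST ipsec-vpn-rules test-IPsec-rule
```

After committing, show services ipsec-vpn ike security-associations and show services ipsec-vpn ipsec security-associations confirm that a peer negotiated the expected algorithms and proxy identities; anything weaker than the proposal above means the peer offered less and the local proposal list should be reviewed rather than widened.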


CHAPTER 17

Summary of IPsec Services Configuration Statements


The following sections explain each of the IP Security (IPsec) services statements. The statements are organized alphabetically.

anti-replay-window-size

Syntax:
    anti-replay-window-size bits;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced in Junos OS Release 10.0.
Description:
    Specify the size of the IPsec antireplay window.
Options:
    bits: Size of the antireplay window, in bits.
    Default: 64 bits (AS PICs), 128 bits (Multiservices PICs and DPCs)
    Range: 64 through 4096 bits
Usage Guidelines:
    See Configuring or Disabling IPsec Anti-Replay on page 352.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


authentication

Syntax:
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure IPsec authentication parameters for a manual security association (SA).
Options:
    algorithm: Hash algorithm that authenticates packet data. The algorithm can be one of the following:
        hmac-md5-96: Produces a 128-bit digest, truncated to 96 bits in the packet.
        hmac-sha1-96: Produces a 160-bit digest, truncated to 96 bits in the packet.
    key: Type of authentication key. The key can be one of the following:
        ascii-text key: ASCII text key. For hmac-md5-96, the key is 16 ASCII characters; for hmac-sha1-96, the key is 20 ASCII characters.
        hexadecimal key: Hexadecimal key. For hmac-md5-96, the key is 32 hexadecimal characters; for hmac-sha1-96, the key is 40 hexadecimal characters.
    Both forms supply the full 128-bit or 160-bit key. A hexadecimal key can be filled from random bytes directly, whereas an ASCII key of the same length carries less entropy because each character is drawn from a smaller alphabet, so prefer the hexadecimal form for manual SAs.
Usage Guidelines:
    See Configuring Authentication for a Manual IPsec SA on page 329.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


authentication-algorithm

See the following sections:

    authentication-algorithm (IKE) on page 379
    authentication-algorithm (IPsec) on page 379

authentication-algorithm (IKE)

Syntax:
    authentication-algorithm (md5 | sha1 | sha-256);
Hierarchy Level:
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4. sha-256 option added in Junos OS Release 7.6.
Description:
    Configure the Internet Key Exchange (IKE) hash algorithm that authenticates packet data.
Options:
    md5: Produces a 128-bit digest.
    sha1: Produces a 160-bit digest.
    sha-256: Produces a 256-bit digest.
Usage Guidelines:
    See Configuring the Authentication Algorithm for an IKE Proposal on page 333.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

authentication-algorithm (IPsec)

Syntax:
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
Hierarchy Level:
    [edit services ipsec-vpn ipsec proposal ipsec-proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure the IPsec hash algorithm that authenticates packet data.
Options:
    hmac-md5-96: Produces a 128-bit digest.
    hmac-sha1-96: Produces a 160-bit digest.
Usage Guidelines:
    See Configuring the Authentication Algorithm for an IPsec Proposal on page 341.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


authentication-method

Syntax:
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
Hierarchy Level:
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure an IKE authentication method.
Options:
    dsa-signatures: Digital Signature Algorithm (DSA).
    rsa-signatures: Public key algorithm (supports encryption and digital signatures).
    pre-shared-keys: A key derived from an out-of-band mechanism; the key authenticates the exchange.
Usage Guidelines:
    See Configuring the Authentication Method for an IKE Proposal on page 333.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

auxiliary-spi

Syntax:
    auxiliary-spi spi-value;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure an auxiliary Security Parameter Index (SPI) for a manual SA. Use the auxiliary SPI when you configure the protocol statement to use the bundle option.
Options:
    spi-value: An arbitrary value that uniquely identifies which SA to use at the receiving host (the destination address in the packet).
    Range: 256 through 16,639
Usage Guidelines:
    See Configuring the Auxiliary Security Parameter Index on page 329. For information about SPI, see Configuring the Security Parameter Index on page 329 and spi.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


backup-remote-gateway

Syntax:
    backup-remote-gateway address;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define the backup remote address to which the IPsec traffic is directed when the primary remote gateway is down. Configuring this statement also enables the dead peer detection (DPD) protocol.
Options:
    address: Backup remote IPv4 or IPv6 address.
Usage Guidelines:
    See Configuring Destination Addresses for Dead Peer Detection on page 350.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

clear-dont-fragment-bit

Syntax:
    clear-dont-fragment-bit;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Clear the Don't Fragment (DF) bit on all IP version 4 (IPv4) packets entering the IPsec tunnel. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation. A sender sets DF to rely on path MTU discovery; with this statement the router fragments such packets instead of returning an ICMP fragmentation-needed message, so use it only where the endpoints cannot lower their MTU themselves.
Usage Guidelines:
    See Configuring Actions in IPsec Rules on page 349.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


clear-ike-sas-on-pic-restart

Syntax:
    clear-ike-sas-on-pic-restart;
Hierarchy Level:
    [edit services ipsec-vpn]
Release Information:
    Statement introduced in Junos OS Release 8.5.
Description:
    Clear IKE security associations (SAs) when the corresponding PIC restarts or is taken offline.
Usage Guidelines:
    See Clearing Security Associations on page 332.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

clear-ipsec-sas-on-pic-restart

Syntax:
    clear-ipsec-sas-on-pic-restart;
Hierarchy Level:
    [edit services ipsec-vpn]
Release Information:
    Statement introduced in Junos OS Release 9.2.
Description:
    Clear IPsec security associations (SAs) when the corresponding PIC restarts or is taken offline.
Usage Guidelines:
    See Clearing Security Associations on page 332.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


description

Syntax:
    description description;
Hierarchy Level:
    [edit services ipsec-vpn ike policy policy-name],
    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec policy policy-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Specify the text description for an IKE or IPsec policy or proposal.
Usage Guidelines:
    See Configuring the Description for an IKE Policy on page 339, Configuring the Description for an IPsec Proposal on page 342, and Configuring the Description for an IPsec Policy on page 344.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

destination-address

Syntax:
    destination-address address;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name from]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Specify the destination address for rule matching.
Options:
    address: Destination IP address.
Usage Guidelines:
    See Configuring Match Conditions in IPsec Rules on page 348.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


dh-group

Syntax:
    dh-group (group1 | group2 | group5 | group14);
Hierarchy Level:
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure the IKE Diffie-Hellman prime modulus group to use for performing the new Diffie-Hellman exchange.
Options:
    group1: 768-bit.
    group2: 1024-bit.
    group5: 1536-bit.
    group14: 2048-bit.
    The 768-bit and 1024-bit groups fall below current minimum-strength guidance for Diffie-Hellman; choose group14 unless a peer cannot support it, and treat group1 as a last resort for legacy interoperability only.
Usage Guidelines:
    See Configuring the Diffie-Hellman Group for an IKE Proposal on page 334.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


direction

Syntax:
    direction (inbound | outbound | bidirectional) {
        protocol (ah | bundle | esp);
        spi spi-value;
        auxiliary-spi spi-value;
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
    }
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then manual]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Specify the direction in which manual SAs are applied.
Options:
    bidirectional: Apply the SA in both directions.
    inbound: Apply the SA on inbound traffic.
    outbound: Apply the SA on outbound traffic.
    The remaining statements are explained separately.
Usage Guidelines:
    See Configuring Match Direction for IPsec Rules on page 347.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


dynamic

Syntax:
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define a dynamic IPsec SA.
Options:
    ike-policy policy-name: Name of the IKE policy. This statement is required when the IKE proposal uses pre-shared-keys, because the policy carries the key. For digital signature-based authentication (rsa-signatures or dsa-signatures), this statement is optional and the default policy is used if none is supplied.
    ipsec-policy policy-name: Name of the IPsec policy. This statement is optional and the default policy is used if none is supplied.
Usage Guidelines:
    See Configuring Dynamic Security Associations on page 331.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


encryption

Syntax:
    encryption {
        algorithm algorithm;
        key (ascii-text key | hexadecimal key);
    }
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information:
    Statement introduced before Junos OS Release 7.4. aes-128-cbc, aes-192-cbc, and aes-256-cbc options added in Junos OS Release 7.6.
Description:
    Configure an encryption algorithm and key for a manual SA.
Options:
    algorithm: Type of encryption algorithm. The algorithm can be one of the following:
        des-cbc: Has a block size of 8 bytes (64 bits); the key is 64 bits long (56 effective key bits plus 8 parity bits).
        3des-cbc: Has a block size of 8 bytes (64 bits); the key is 192 bits long (three 64-bit DES subkeys).
        aes-128-cbc: Advanced Encryption Standard (AES) 128-bit encryption algorithm.
        aes-192-cbc: Advanced Encryption Standard (AES) 192-bit encryption algorithm.
        aes-256-cbc: Advanced Encryption Standard (AES) 256-bit encryption algorithm.

    NOTE: For 3des-cbc, the three 8-byte subkeys (K1, K2, K3) must all differ. In the encrypt-decrypt-encrypt construction the middle decryption cancels the adjacent encryption whenever their keys match, so a key whose second 8 bytes equal its third, or whose first 8 bytes equal its second, is equivalent to single DES under the remaining subkey. des-cbc and 3des-cbc are listed for interoperability; prefer an AES option for new SAs.

    key: Type of encryption key. The key can be one of the following:
        ascii-text: ASCII text key. Following are the key lengths, in ASCII characters, for the different encryption options:
            des-cbc option, 8 ASCII characters
            3des-cbc option, 24 ASCII characters
            aes-128-cbc option, 16 ASCII characters
            aes-192-cbc option, 24 ASCII characters
            aes-256-cbc option, 32 ASCII characters
        hexadecimal: Hexadecimal key. Following are the key lengths, in hexadecimal characters, for the different encryption options:
            des-cbc option, 16 hexadecimal characters
            3des-cbc option, 48 hexadecimal characters
            aes-128-cbc option, 32 hexadecimal characters
            aes-192-cbc option, 48 hexadecimal characters
            aes-256-cbc option, 64 hexadecimal characters
Usage Guidelines:
    See Configuring Encryption for a Manual IPsec SA on page 330.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.

encryption-algorithm

Syntax:
    encryption-algorithm algorithm;
Hierarchy Level:
    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4. aes-128-cbc, aes-192-cbc, and aes-256-cbc options added in Junos OS Release 7.6.
Description:
    Configure an IKE or IPsec encryption algorithm.
Options:
    3des-cbc: Has a block size of 8 bytes (64 bits); the key is 192 bits long.
    des-cbc: Has a block size of 8 bytes (64 bits); the key is 64 bits long (56 effective key bits).
    aes-128-cbc: Advanced Encryption Standard (AES) 128-bit encryption algorithm.
    aes-192-cbc: Advanced Encryption Standard (AES) 192-bit encryption algorithm.
    aes-256-cbc: Advanced Encryption Standard (AES) 256-bit encryption algorithm.
Usage Guidelines:
    See Configuring the Encryption Algorithm for an IKE Proposal on page 334 and Configuring the Encryption Algorithm for an IPsec Proposal on page 342.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


from

Syntax:
    from {
        destination-address address;
        ipsec-inside-interface interface-name;
        source-address address;
    }
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Specify input conditions for the IPsec term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.
Options:
    The remaining statements are explained separately.
Usage Guidelines:
    See Configuring Match Direction for IPsec Rules on page 347.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


ike

Syntax:
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            description description;
            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            version (1 | 2);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                any-remote-id;
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
        }
    }
Hierarchy Level:
    [edit services ipsec-vpn]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure IKE. The statements are explained separately.
Usage Guidelines:
    See Configuring IKE Proposals on page 332 and Configuring IKE Policies on page 335.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.


initiate-dead-peer-detection

Syntax:
    initiate-dead-peer-detection;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced in Junos OS Release 9.2.
Description:
    Enable triggering of dead peer detection (DPD) Hello messages to the remote peer for the specified tunnel.
Usage Guidelines:
    See Configuring Destination Addresses for Dead Peer Detection on page 350.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.
Related Documentation:
    backup-remote-gateway on page 381

ipsec

Syntax:
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2 | group5 | group14);
            }
            proposals [ proposal-names ];
        }
    }
Hierarchy Level:
    [edit services ipsec-vpn]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure IPsec. The statements are explained separately. The keys options listed here match those documented under perfect-forward-secrecy.
Usage Guidelines:
    See Configuring Security Associations on page 326.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.


ipsec-inside-interface

Syntax:
    ipsec-inside-interface interface-name;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name from]
Release Information:
    Statement introduced in Junos OS Release 7.4.
Description:
    Specify the interface name for next-hop-style service sets. This value is also implicitly generated in dynamic endpoint tunneling.
Options:
    interface-name: Service interface for the internal network.
Usage Guidelines:
    See Configuring Match Conditions in IPsec Rules on page 348 or Configuring Dynamic Endpoints for IPsec Tunnels on page 353.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

lifetime-seconds

Syntax:
    lifetime-seconds seconds;
Hierarchy Level:
    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Configure the lifetime of an IKE or IPsec SA. This statement is optional.
Options:
    seconds: Lifetime, in seconds.
    Default: 3600 seconds (IKE); 28,800 seconds (IPsec)
    Range: 180 through 86,400
Usage Guidelines:
    See Configuring the Lifetime for an IKE SA on page 335 and Configuring the Lifetime for an IPsec SA on page 342.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.


local-certificate

Syntax:
    local-certificate identifier;
Hierarchy Level:
    [edit services ipsec-vpn ike policy policy-name]
Release Information:
    Statement introduced in Junos OS Release 7.5.
Description:
    Name of the certificate that needs to be sent to the peer during the IKE authentication phase.
Options:
    identifier: Name of the certificate.
Usage Guidelines:
    See Configuring the Local Certificate for an IKE Policy on page 338.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.

local-id

Syntax:
    local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
Hierarchy Level:
    [edit services ipsec-vpn ike policy policy-name]
Release Information:
    Statement introduced before Junos OS Release 7.4. ipv6_addr option added in Junos OS Release 7.6.
Description:
    Specify local identifiers for IKE Phase 1 negotiation. This statement is optional.
Options:
    ipv4_addr ipv4-address: IPv4 address identification value.
    ipv6_addr ipv6-address: IPv6 address identification value.
    key_id identifier: Key identification value.
Usage Guidelines:
    See Configuring Local and Remote IDs for IKE Phase 1 Negotiation on page 339.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.


manual

Syntax:
    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            auxiliary-spi spi-value;
            encryption {
                algorithm algorithm;
                key (ascii-text key | hexadecimal key);
            }
            spi spi-value;
            protocol (ah | esp | bundle);
        }
    }
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define a manual IPsec SA. The remaining statements are explained separately.
Usage Guidelines:
    See Configuring Manual Security Associations on page 327.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

match-direction

Syntax:
    match-direction (input | output);
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Specify the direction in which the rule match is applied.
Options:
    input: Apply the rule match on input.
    output: Apply the rule match on output.
Usage Guidelines:
    See Configuring Match Direction for IPsec Rules on page 347.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
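The manual, direction, authentication, encryption, spi and protocol statements above compose into a single rule term. The following set commands are an added example, not from the guide, showing a bidirectional ESP manual SA with keys of exactly the lengths the authentication and encryption entries require, followed by a commented-out 3des-cbc key that the encryption NOTE warns against. The rule and term names, addresses, SPI value and key strings are constructed placeholders; the two hexadecimal keys in particular must be replaced by freshly generated random bytes, and the rule still has to be referenced from a service set as in the procedure earlier in this guide.

```junos
# Added example, not from the original guide; all names, addresses and
# key values are constructed placeholders.

set services ipsec-vpn rule manual-rule match-direction input
set services ipsec-vpn rule manual-rule term site-b from source-address 10.0.0.0/24
set services ipsec-vpn rule manual-rule term site-b from destination-address 10.0.1.0/24
set services ipsec-vpn rule manual-rule term site-b then remote-gateway 192.168.255.9

# One SA for both directions: the peer must configure the same SPI,
# algorithms and keys. The SPI is chosen inside the documented range.
set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional protocol esp
set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional spi 1024

# hmac-sha1-96 takes a 160-bit key: 40 hexadecimal characters.
set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional authentication algorithm hmac-sha1-96
set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional authentication key hexadecimal 0123456789abcdef0123456789abcdef01234567

# aes-256-cbc takes a 256-bit key: 64 hexadecimal characters.
set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional encryption algorithm aes-256-cbc
set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional encryption key hexadecimal 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Shown for contrast, not to be used: a 3des-cbc key (48 hexadecimal
# characters) whose second and third 8-byte subkeys are identical.
# E(K1, D(K2, E(K2, P))) = E(K1, P), which is single DES under K1.
# set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional encryption algorithm 3des-cbc
# set services ipsec-vpn rule manual-rule term site-b then manual direction bidirectional encryption key hexadecimal 00112233445566778899aabbccddeeff8899aabbccddeeff
```

If separate inbound and outbound directions are configured instead of bidirectional, each direction is its own SA and needs its own spi and key pair; the inbound SPI and keys on this router are the peer's outbound ones. Manual SAs never rekey, so the lifetime-seconds and perfect-forward-secrecy statements do not apply to them and the keys must be rotated by configuration change.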


mode

Syntax:
    mode (aggressive | main);
Hierarchy Level:
    [edit services ipsec-vpn ike policy policy-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define an IKE policy mode.
Default:
    main
Options:
    aggressive: Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection. With pre-shared-keys, the authenticating hash is also exchanged before the session is encrypted, so it can be captured and attacked offline; use main mode unless a peer requires aggressive mode.
    main: Uses six messages, in three peer-to-peer exchanges, to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.
Usage Guidelines:
    See Configuring the Mode for an IKE Policy on page 337.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.

no-anti-replay

Syntax:
    no-anti-replay;
Hierarchy Level:
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Disable the IPsec antireplay service, which occasionally causes interoperability issues for security associations. With antireplay disabled, the receiver accepts any captured ESP or AH packet that an attacker retransmits, so use this statement only for the specific peer that needs it; if the symptom is packets arriving out of order rather than a peer that cannot handle the window, raise anti-replay-window-size instead.
Usage Guidelines:
    See Configuring or Disabling IPsec Anti-Replay on page 352.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


no-ipsec-tunnel-in-traceroute

Syntax:
    no-ipsec-tunnel-in-traceroute;
Hierarchy Level:
    [edit services ipsec-vpn]
Release Information:
    Statement introduced in Junos OS Release 10.0.
Description:
    Disables displaying the IPsec tunnel endpoint in the traceroute output. The IPsec tunnel is not treated as a next hop and the TTL is not decremented. If the TTL becomes zero, the ICMP time exceeded message is not generated.
Usage Guidelines:
    See Configuring or Disabling IPsec Anti-Replay on page 352.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

perfect-forward-secrecy

Syntax:
    perfect-forward-secrecy {
        keys (group1 | group2 | group5 | group14);
    }
Hierarchy Level:
    [edit services ipsec-vpn ipsec policy policy-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define Perfect Forward Secrecy (PFS). Creates single-use keys. This statement is optional.
Options:
    keys: Type of Diffie-Hellman prime modulus group that IKE uses when performing the new Diffie-Hellman exchange. The key can be one of the following:
        group1: 768-bit.
        group2: 1024-bit.
        group5: 1536-bit.
        group14: 2048-bit.
Usage Guidelines:
    See Configuring Perfect Forward Secrecy on page 344.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


policy

See the following sections:

    policy (IKE) on page 397
    policy (IPsec) on page 398

policy (IKE)

Syntax:
    policy policy-name {
        description description;
        local-certificate identifier;
        local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
        version (1 | 2);
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
    }
Hierarchy Level:
    [edit services ipsec-vpn ike]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define an IKE policy.
Options:
    policy-name: IKE policy name.
    The remaining statements are explained separately.
Usage Guidelines:
    See Configuring IKE Policies on page 335.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


policy (IPsec)

Syntax:
    policy policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2 | group5 | group14);
        }
        proposals [ proposal-names ];
    }
Hierarchy Level:
    [edit services ipsec-vpn ipsec]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define an IPsec policy.
Options:
    policy-name: IPsec policy name.
    The remaining statements are explained separately. The keys options are those documented under perfect-forward-secrecy.
Usage Guidelines:
    See Configuring IPsec Policies on page 343.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

pre-shared-key

Syntax:
    pre-shared-key (ascii-text key | hexadecimal key);
Hierarchy Level:
    [edit services ipsec-vpn ike policy policy-name]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define a preshared key for an IKE policy. The key is the only secret that authenticates the peers when the proposal uses pre-shared-keys, so generate it from a random source, make it long, and do not reuse it across unrelated peers.
Options:
    key: Value of the preshared key. The key can be one of the following:
        ascii-text: ASCII text key.
        hexadecimal: Hexadecimal key.
Usage Guidelines:
    See Configuring IKE Policies on page 335.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


proposal

See the following sections:

    proposal (IKE) on page 399
    proposal (IPsec) on page 400

proposal (IKE)

Syntax:
    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group2 | group5 | group14);
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
    }
Hierarchy Level:
    [edit services ipsec-vpn ike]
Release Information:
    Statement introduced before Junos OS Release 7.4.
Description:
    Define an IKE proposal for a dynamic SA.
Options:
    proposal-name: IKE proposal name.
    The remaining statements are explained separately.
Usage Guidelines:
    See Configuring IKE Proposals on page 332.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


proposal (IPsec)

Syntax:
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
Hierarchy Level: [edit services ipsec-vpn ipsec]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define an IPsec proposal for a dynamic SA.
Options:
    proposal-name: IPsec proposal name.
    The remaining statements are explained separately.
Usage Guidelines: See Configuring IPsec Proposals on page 341.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

proposals

Syntax: proposals [ proposal-names ];
Hierarchy Level:
    [edit services ipsec-vpn ike policy policy-name],
    [edit services ipsec-vpn ipsec policy policy-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define a list of proposals to include in the IKE or IPsec policy.
Options:
    proposal-names: List of IKE or IPsec proposal names.
Usage Guidelines: See Configuring the Proposals in an IKE Policy on page 337 and Configuring the Proposals in an IPsec Policy on page 345.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


protocol

Syntax: protocol (ah | esp | bundle);
Hierarchy Level:
    [edit services ipsec-vpn ipsec proposal proposal-name],
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define an IPsec protocol for a dynamic or manual SA.
Options:
    ah: Authentication Header protocol.
    esp: Encapsulating Security Payload protocol.
    bundle: AH and ESP protocol.
Usage Guidelines: See Configuring the Protocol for a Manual IPsec SA on page 329.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

remote-gateway

Syntax: remote-gateway address;
Hierarchy Level: [edit services ipsec-vpn rule rule-name term term-name then]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the remote address to which the IPsec traffic is directed.
Options:
    address: Remote IPv4 or IPv6 address.
Usage Guidelines: See Configuring Actions in IPsec Rules on page 349.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


remote-id

Syntax:
    remote-id {
        any-remote-id;
        ipv4_addr [ values ];
        ipv6_addr [ values ];
        key_id [ values ];
    }
Hierarchy Level: [edit services ipsec-vpn ike policy policy-name]
Release Information: Statement introduced before Junos OS Release 7.4. ipv6_addr option added in Junos OS Release 7.6. any-remote-id option added in Junos OS Release 8.2.
Description: Define the remote identification values to which the IKE policy applies.
Options:
    any-remote-id: Allow any remote address to connect. This option is supported only in dynamic endpoints configurations and cannot be configured along with specific values.
    ipv4_addr [ values ]: Define one or more IPv4 address identification values.
    ipv6_addr [ values ]: Define one or more IPv6 address identification values.
    key_id [ values ]: Define one or more key identification values.
Usage Guidelines: See Configuring Local and Remote IDs for IKE Phase 1 Negotiation on page 339.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


rule

Syntax:
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
Hierarchy Level:
    [edit services ipsec-vpn],
    [edit services ipsec-vpn rule-set rule-set-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule the router uses when applying this service.
Options:
    rule-name: Identifier for the collection of terms that comprise this rule.
    The remaining statements are explained separately.


Usage Guidelines: See Configuring Match Direction for IPsec Rules on page 347.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

rule-set

Syntax:
    rule-set rule-set-name {
        [ rule rule-names ];
    }
Hierarchy Level: [edit services ipsec-vpn]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule set the router uses when applying this service.
Options:
    rule-set-name: Identifier for the collection of rules that constitute this rule set.
Usage Guidelines: See Configuring IPsec Rule Sets on page 353.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

services

Syntax:
    services ipsec-vpn { ... }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the service rules to be applied to traffic.
Options:
    ipsec-vpn: IPsec set of rules statements.
Usage Guidelines: See IPsec Properties.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


source-address

Syntax: source-address address;
Hierarchy Level: [edit services ipsec-vpn rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the source address for rule matching.
Options:
    address: Source IP address.
Usage Guidelines: See Configuring Match Conditions in IPsec Rules on page 348.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

spi

Syntax: spi spi-value;
Hierarchy Level: [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the SPI for an SA.
Options:
    spi-value: An arbitrary value that uniquely identifies which SA to use at the receiving host (the destination address in the packet).
    Range: 256 through 16,639

NOTE: Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

Usage Guidelines: See Configuring the Security Parameter Index on page 329.
Required Privilege Level:
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.


syslog

Syntax: syslog;
Hierarchy Level: [edit services ipsec-vpn rule rule-name term term-name then]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Enable system logging. The system log information for the Adaptive Services or Multiservices Physical Interface Card (PIC) is passed to the kernel for logging in the /var/log directory.
Usage Guidelines: See Configuring Actions in IPsec Rules on page 349.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


term

Syntax:
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            anti-replay-window-size bits;
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
Hierarchy Level: [edit services ipsec-vpn rule rule-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the IPsec term properties.
Options:
    term-name: Identifier for the term.
    The remaining statements are explained separately.
Usage Guidelines: See Configuring Match Direction for IPsec Rules on page 347.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


then

Syntax:
    then {
        anti-replay-window-size bits;
        backup-remote-gateway address;
        clear-dont-fragment-bit;
        dynamic {
            ike-policy policy-name;
            ipsec-policy policy-name;
        }
        initiate-dead-peer-detection;
        manual {
            direction (inbound | outbound | bidirectional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                auxiliary-spi spi-value;
                encryption {
                    algorithm algorithm;
                    key (ascii-text key | hexadecimal key);
                }
                protocol (ah | bundle | esp);
                spi spi-value;
            }
        }
        no-anti-replay;
        remote-gateway address;
        syslog;
        tunnel-mtu bytes;
    }
Hierarchy Level: [edit services ipsec-vpn rule rule-name term term-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the IPsec term actions.
Options: The remaining statements are explained separately.
Usage Guidelines: See Configuring Match Direction for IPsec Rules on page 347.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


traceoptions

Syntax:
    traceoptions {
        file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
        flag flag;
        level level;
        no-remote-trace;
    }
Hierarchy Level: [edit services ipsec-vpn]
Release Information: Statement introduced in Junos OS Release 7.5. level option added in Junos OS Release 10.0.
Description: Configure IPsec tracing operations. By default, messages are written to /var/log/kmd.
Options:
    files number: Maximum number of trace data files.
    Range: 2 through 1000
    flag flag: Tracing operation to perform:
        all: Trace everything.
        certificates: Trace certificates that apply to the IPsec service set.
        database: Trace security associations database events.
        general: Trace general events.
        ike: Trace IKE module processing.
        parse: Trace configuration processing.
        policy-manager: Trace policy manager processing.
        routing-socket: Trace routing socket messages.
        snmp: Trace SNMP operations.
        timer: Trace internal timer events.
    level level: Key management process (kmd) tracing level. The following values are supported:
        all: Match all levels.
        error: Match error conditions.
        info: Match informational messages.
        notice: Match conditions that should be handled specially.
        verbose: Match verbose messages.
        warning: Match warning messages.


    size bytes: Maximum trace file size.
Usage Guidelines: See Tracing IPsec Operations on page 358.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


traceoptions (PKI)

Syntax:
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag;
    }
Hierarchy Level: [edit security pki]
Description: Configure security public key infrastructure (PKI) trace options. To specify more than one trace option, include multiple flag statements. Trace option output is recorded in the /var/log/pkid file.
Options:
    file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. To include the file statement, you must specify a filename.
    files number: (Optional) Maximum number of trace files. When a trace file (for example, pkid) reaches its maximum size, it is renamed pkid.0, then pkid.1, and so on, until the maximum number of trace files is reached. When the maximum number is reached, the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option.
    Range: 2 through 1000 files
    Default: 2 files
    flag: Trace operation to perform. To specify more than one trace operation, include multiple flag statements:
        all: Trace with all flags enabled.
        certificate-verification: Trace PKI certificate verification events.
        online-crl-check: Trace PKI online certificate revocation list (CRL) events.
        enrollment: PKI certificate enrollment tracing.
    match regular-expression: (Optional) Refine the output to include lines that contain the regular expression.
    size maximum-file-size: (Optional) Maximum size of each trace file, in kilobytes (KB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files number option.
    Default: 1024 KB
    world-readable | no-world-readable: (Optional) By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.


Required Privilege Level:
    trace: To view this statement in the configuration.
    trace-control: To add this statement to the configuration.

tunnel-mtu

Syntax: tunnel-mtu bytes;
Hierarchy Level: [edit services ipsec-vpn rule rule-name term term-name then]
Release Information: Statement introduced in Junos OS Release 7.5.
Description: Maximum transmission unit (MTU) size for IPsec tunnels.
Options:
    bytes: MTU size.
    Default: 1500 bytes
    Range: 256 through 9192 bytes
Usage Guidelines: See Specifying the MTU for IPsec Tunnels on page 352.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation: mtu on page 1287

version (IKE)

Syntax: version (1 | 2);
Hierarchy Level: [edit services ipsec-vpn ike policy policy-name]
Release Information: Statement introduced in Junos OS Release 11.4.
Description: Configure the Internet Key Exchange (IKE) version that is used to negotiate dynamic SAs for IPsec.
Options:
    1: Uses IKEv1.
    2: Uses IKEv2.
Usage Guidelines: See Configuring IKE Policies on page 335.
Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.
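The statements summarized in this chapter combine into one dynamic-SA configuration under [edit services ipsec-vpn] as shown below. This is an added example, not configuration from the guide: the proposal, policy, rule and rule-set names, the addresses (documentation and private ranges), the lifetimes and the aes-256-cbc value for encryption-algorithm (the guide shows only the placeholder algorithm) are assumed, and the preshared key is a placeholder to be replaced. Where the syntax offers a choice, it takes the stronger option listed in the statement summaries (sha-256, group14, IKEv2, esp with hmac-sha1-96) and uses a dynamic rather than a manual SA, so no static keys or SPIs are stored in the configuration.

```junos
[edit services ipsec-vpn]
ike {
    proposal ike-prop-strong {
        # Assumed values throughout this block; only the statement names come from the guide.
        authentication-method pre-shared-keys;
        authentication-algorithm sha-256;
        dh-group group14;
        encryption-algorithm aes-256-cbc;   # assumed value; guide lists only "algorithm"
        lifetime-seconds 28800;
    }
    policy ike-pol-branch {
        version 2;                          # IKEv2, available from Junos OS Release 11.4
        proposals [ ike-prop-strong ];
        pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET";  # placeholder
        remote-id {
            ipv4_addr 203.0.113.1;          # assumed peer identity, pinned to one address
        }
    }
}
ipsec {
    proposal esp-prop-strong {
        protocol esp;                       # esp rather than ah, so the payload is encrypted
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;   # assumed value
        lifetime-seconds 3600;
    }
    policy ipsec-pol-branch {
        proposals [ esp-prop-strong ];
    }
}
rule branch-to-hq {
    match-direction input;
    term encrypt-branch {
        from {
            source-address 10.1.1.0/24;         # assumed protected subnets
            destination-address 10.2.2.0/24;
        }
        then {
            remote-gateway 203.0.113.1;
            dynamic {
                ike-policy ike-pol-branch;
                ipsec-policy ipsec-pol-branch;
            }
            initiate-dead-peer-detection;
            syslog;
            tunnel-mtu 1400;                    # inside the documented 256 through 9192 range
        }
    }
}
rule-set branch-vpn {
    rule branch-to-hq;
}
```

The rule set still has to be applied through a service set and an interface configuration, which this chapter does not cover. Pinning remote-id to a single address rather than any-remote-id keeps the policy from accepting arbitrary peers, and the initiate-dead-peer-detection and syslog actions leave a system log record of peer loss and SA events that can be monitored.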


CHAPTER 18

Layer 2 Tunneling Protocol Services Configuration Guidelines


The Layer 2 Tunneling Protocol (L2TP) enables you to set up client services for establishing Point-to-Point Protocol (PPP) tunnels across a network and negotiating Multilink PPP if it is implemented. Multiple L2TP PPP sessions can share the same remote peer IP address, which enables you to set up redundant sessions between the same links.

If you configure Multilink PPP, the same remote IP address can be shared across multiple bundles, because the IP address negotiation takes place on the bundle rather than on each session. If Multilink PPP is not configured, multiple sessions can share the same remote IP address.

The last session or bundle to come up accomplishes the traffic transfer. When this session or bundle goes down, the traffic switches to the next-to-last session or bundle to come up. For example, if four sessions or bundles labeled A, B, C, and D share the same remote IP address and come up in alphabetical order, D initially handles the data transfer. If D goes down, traffic switches over to C, and so forth. If another session or bundle E subsequently comes up and has the same address, the traffic switches over to it. To configure L2TP services, include the l2tp statement at the [edit services] hierarchy level:
[edit services]
l2tp {
    tunnel-group group-name {
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name;
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                log-prefix prefix-value;
            }
        }
        tunnel-timeout seconds;
    }
    traceoptions {
        debug-level level;
        filter {
            protocol name;
        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
    }
}

NOTE: L2TP configurations on Adaptive Services and Multiservices PICs are supported only on M7i, M10i, and M120 routers. For information about L2TP LAC and LNS configurations on MX Series routers for subscriber access, see L2TP for Subscriber Access Overview in the Junos Subscriber Access Configuration Guide.

You configure other components of this feature at the [edit access] and [edit interfaces] hierarchy levels. Those configurations are summarized in this chapter; for more information, see the Junos OS System Basics Configuration Guide or the Junos OS Network Interfaces Configuration Guide. This chapter contains the following sections:

    L2TP Services Configuration Overview on page 415
    L2TP Minimum Configuration on page 416
    Configuring L2TP Tunnel Groups on page 418
    Configuring the Identifier for Logical Interfaces that Provide L2TP Services on page 422
    AS PIC Redundancy for L2TP Services on page 424
    Tracing L2TP Operations on page 424
    Examples: Configuring L2TP Services on page 426


L2TP Services Configuration Overview


The statements for configuring L2TP services are found at the following hierarchy levels:

[edit services l2tp tunnel-group group-name]

The L2TP tunnel-group statement identifies an L2TP instance or L2TP server. Associated statements specify the local gateway address on which incoming tunnels and sessions are accepted, the Adaptive Services (AS) Physical Interface Card (PIC) that processes data for the sessions in this tunnel group, references to L2TP and PPP access profiles, and other attributes for configuring window sizes and timer values.

[edit interfaces sp-fpc/pic/port unit logical-unit-number dial-options]

The dial-options statement includes configuration for the l2tp-interface-id statement and the shared/dedicated flag. The interface identifier associates a user session with a logical interface. Sessions can use either shared or dedicated logical interfaces. To run routing protocols, a session must use a dedicated logical interface.

[edit access profile profile-name client name l2tp]

Tunnel profiles are defined at the [edit access] hierarchy level. Tunnel clients are defined with authentication, multilink negotiation and fragmentation, and other L2TP attributes in these profiles.

[edit access profile profile-name client name ppp]

User profiles are defined at the [edit access] hierarchy level. User clients are defined with authentication and other PPP attributes in these profiles. These client profiles are used when local authentication is specified.

[edit access radius-server address]

When you configure authentication-order radius at the [edit access profile profile-name] hierarchy level, you must configure a RADIUS service at the [edit access radius-server] hierarchy level.

NOTE: For more information about configuring properties at the [edit access] hierarchy level, see the Junos OS System Basics Configuration Guide. For information about L2TP LAC and LNS configurations on MX Series routers for subscriber access, see L2TP for Subscriber Access Overview in the Junos Subscriber Access Configuration Guide.


L2TP Minimum Configuration


To configure L2TP services, you must perform at least the following tasks:

Define a tunnel group at the [edit services l2tp] hierarchy level with the following attributes:

    l2tp-access-profile: Profile name for the L2TP tunnel.
    ppp-access-profile: Profile name for the L2TP user.
    local-gateway: Address for the L2TP tunnel.
    service-interface: AS PIC interface for the L2TP service.

Optionally, you can configure traceoptions for debugging purposes.

The following example shows a minimum configuration for a tunnel group with trace options:
[edit services l2tp]
tunnel-group finance-lns-server {
    l2tp-access-profile westcoast_bldg_1_tunnel;
    ppp-access-profile westcoast_bldg_1;
    local-gateway {
        address 10.21.255.129;
    }
    service-interface sp-1/3/0;
}
traceoptions {
    flag all;
    filter {
        protocol udp;
        protocol l2tp;
        protocol ppp;
        protocol radius;
    }
}

At the [edit interfaces] hierarchy level:

    Identify the physical interface at which L2TP tunnel packets enter the router, for example ge-0/3/0.
    Configure the AS PIC interface with unit 0 family inet defined for IP service, and configure another logical interface with family inet and the dial-options statement.

The following example shows a minimum interfaces configuration for L2TP:


[edit interfaces]
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.255.129/28;
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        dial-options {
            l2tp-interface-id test;
            shared;
        }
        family inet;
    }
}

At the [edit access] hierarchy level:

    Configure a tunnel profile. Each client specifies a unique L2TP Access Concentrator (LAC) name with an interface-id value that matches the one configured on the AS PIC interface unit; shared-secret is authentication between the LAC and the L2TP Network Server (LNS).
    Configure a user profile. If RADIUS is used as the authentication method, it needs to be defined.
    Define the RADIUS server with an IP address, port, and authentication data shared between the router and the RADIUS server.

NOTE: When the L2TP Network Server (LNS) is configured with RADIUS authentication, the default behavior is to accept the preferred RADIUS-assigned IP address. Previously, the default behavior was to accept and install the nonzero peer IP address that came into the IP-Address option of the IPCP Configuration Request packet.

Optionally, you can define a group profile for common attributes, for example keepalive 0 to turn off keepalive messages.

The following example shows a minimum profiles configuration for L2TP:


[edit access]
group-profile westcoast_users {
    ppp {
        keepalive 0;
    }
}
profile westcoast_bldg_1_tunnel {
    client production {
        l2tp {
            interface-id test;
            shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA
        }
        user-group-profile westcoast_users;
    }
}
profile westcoast_bldg_1 {
    authentication-order radius;
}
radius-server {
    192.168.65.63 {
        port 1812;
        secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA
    }
}

Configuring L2TP Tunnel Groups


To establish L2TP service on a router, you need to identify an L2TP tunnel group and specify a number of values that define which access profiles, interface addresses, and other properties to use in creating a tunnel. To identify the tunnel group, include the tunnel-group statement at the [edit services l2tp] hierarchy level:
tunnel-group group-name {
    hello-interval seconds;
    hide-avps;
    l2tp-access-profile profile-name;
    local-gateway address address;
    maximum-send-window packets;
    ppp-access-profile profile-name;
    receive-window packets;
    retransmit-interval seconds;
    service-interface interface-name;
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }
    tunnel-timeout seconds;
}

NOTE: If you delete a tunnel group or mark it inactive, all L2TP sessions in that tunnel group are terminated. If you change the value of the local-gateway address or the service-interface statement, all L2TP sessions using those settings are terminated. If you change or delete other statements at the [edit services l2tp tunnel-group group-name] hierarchy level, new tunnels you establish will use the updated values but existing tunnels and sessions are not affected.

The following sections explain how to configure L2TP tunnel groups:

    Configuring Access Profiles for L2TP Tunnel Groups on page 419
    Configuring the Local Gateway Address and PIC on page 419
    Configuring Window Size for L2TP Tunnels on page 420
    Configuring Timers for L2TP Tunnels on page 420
    Hiding Attribute-Value Pairs for L2TP Tunnels on page 420
    Configuring System Logging of L2TP Tunnel Activity on page 421

Configuring Access Profiles for L2TP Tunnel Groups


To validate L2TP connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You need to configure two types of profiles:

    L2TP tunnel access profile, which validates all L2TP connection requests to the specified local gateway address
    PPP access profile, which validates all PPP session requests through L2TP tunnels established to the local gateway address

For more information on configuring the profiles, see the Junos OS System Basics Configuration Guide. A profile example is included in Examples: Configuring L2TP Services on page 426. To associate the profiles with a tunnel group, include the l2tp-access-profile and ppp-access-profile statements at the [edit services l2tp tunnel-group group-name] hierarchy level:
l2tp-access-profile profile-name; ppp-access-profile profile-name;

Configuring the Local Gateway Address and PIC


When you configure an L2TP group, you must also define a local address for the L2TP tunnel connections and the AS PIC that processes the requests:

To configure the local gateway IP address, include the local-gateway statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
local-gateway address address;

To configure the AS PIC, include the service-interface statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
service-interface sp-fpc/pic/port;

You can optionally specify the logical unit number along with the service interface. If specified, the unit is used as a logical interface representing PPP sessions negotiated using this profile.

NOTE: If you change the local gateway address or the service interface configuration, all L2TP sessions using those settings are terminated.

Dynamic class-of-service (CoS) functionality is supported on L2TP LNS sessions or L2TP sessions with ATM VCs, as long as the L2TP session is configured to use an IQ2 PIC on the egress interface. For more information, see the Junos OS Class of Service Configuration Guide.

Configuring Window Size for L2TP Tunnels


You can configure the maximum window size for packet processing at each end of the L2TP tunnel:

The receive window size limits the number of concurrent packets the server processes. By default, the maximum is 16 packets. To change the window size, include the receive-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
receive-window packets;

The maximum-send window size limits the other end's receive window size. The information is transmitted in the receive window size attribute-value pair. By default, the maximum is 32 packets. To change the window size, include the maximum-send-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
maximum-send-window packets;

Configuring Timers for L2TP Tunnels


You can configure the following timer values that regulate L2TP tunnel processing:

Hello interval: If the server does not receive any messages within a specified time interval, the router software sends a hello message to the tunnel's remote peer. By default, the interval length is 60 seconds. If you configure a value of 0, no hello messages are sent. To configure a different value, include the hello-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
hello-interval seconds;

Retransmit interval: By default, the retransmit interval length is 30 seconds. To configure a different value, include the retransmit-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
retransmit-interval seconds;

Tunnel timeout: If the server cannot send any data through the tunnel within a specified time interval, it assumes that the connection with the remote peer has been lost and deletes the tunnel. By default, the interval length is 120 seconds. To configure a different value, include the tunnel-timeout statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
tunnel-timeout seconds;

Hiding Attribute-Value Pairs for L2TP Tunnels


Once an L2TP tunnel has been established and the connection authenticated, information is encoded by means of attribute-value pairs. By default, this information is not hidden. To hide the attribute-value pairs once the shared secret is known, include the hide-avps statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
hide-avps;

Configuring System Logging of L2TP Tunnel Activity


You can specify properties that control how system log messages are generated for L2TP services. To configure interface-wide default system logging values, include the syslog statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
syslog {
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
    }
}

Configure the host statement with a hostname or IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname. Table 14 on page 421 lists the severity levels that you can specify in configuration statements at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.

Table 14: System Log Message Severity Levels

Severity Level    Description
any               Includes all severity levels
emergency         System panic or other condition that causes the router to stop functioning
alert             Conditions that require immediate correction, such as a corrupted system database
critical          Critical conditions, such as hard drive errors
error             Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
warning           Conditions that warrant monitoring
notice            Conditions that are not errors but might warrant special handling
info              Events or nonerror conditions of interest

We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific service set. To debug a configuration or log Network Address Translation (NAT) events, set the level to info. For more information about system log messages, see the Junos OS System Log Messages Reference.

To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:
facility-override facility-name;

The supported facilities include: authorization, daemon, ftp, kernel, user, and local0 through local7.

To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:
log-prefix prefix-text;

Configuring the Identifier for Logical Interfaces that Provide L2TP Services
You can configure L2TP services on adaptive services interfaces on M7i, M10i, and M120 routers only. You must configure the logical interface to be dedicated or shared. If a logical interface is dedicated, it can represent only one session at a time. A shared logical interface can have multiple sessions. To configure the logical interface, include the l2tp-interface-id statement at the [edit interfaces interface-name unit logical-unit-number dial-options] hierarchy level:
l2tp-interface-id name;
(dedicated | shared);

The l2tp-interface-id name configured on the logical interface must be replicated at the [edit access profile name] hierarchy level:

- For a user-specific identifier, include the l2tp-interface-id statement at the [edit access profile name ppp] hierarchy level.
- For a group identifier, include the l2tp-interface-id statement at the [edit access profile name l2tp] hierarchy level.

You can configure multiple logical interfaces with the same interface identifier, to be used as a pool for several users. For more information on configuring access profiles, see the Junos OS System Basics Configuration Guide.

NOTE: If you delete the dial-options statement settings configured on a logical interface, all L2TP sessions running on that interface are terminated.

Example: Configuring Multilink PPP on a Shared Logical Interface


Multilink PPP is supported on either shared or dedicated logical interfaces. The following example can be used to configure many multilink bundles on a single shared interface:
interfaces {
    sp-1/3/0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            family inet;
        }
        unit 20 {
            dial-options {
                l2tp-interface-id test;
                shared;
            }
            family inet;
        }
    }
}
access {
    profile t {
        client test {
            l2tp {
                interface-id test;
                multilink;
                shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA
            }
        }
    }
    profile u {
        authentication-order radius;
    }
    radius-server {
        192.168.65.63 {
            port 1812;
            secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA
        }
    }
}
services {
    l2tp {
        tunnel-group 1 {
            l2tp-access-profile t;
            ppp-access-profile u;
            local-gateway {
                address 10.70.1.1;
            }
            service-interface sp-1/3/0;
        }
        traceoptions {
            flag all;
            debug-level packet-dump;
            filter {
                protocol l2tp;
                protocol ppp;
                protocol radius;
            }
        }
    }
}

AS PIC Redundancy for L2TP Services


L2TP services support AS PIC redundancy. To configure redundancy, you specify a redundancy services PIC (rsp) interface in which the primary AS PIC is active and a secondary AS PIC is on standby. If the primary AS PIC fails, the secondary PIC becomes active, and all service processing is transferred to it. If the primary AS PIC is restored, it remains in standby and does not preempt the secondary AS PIC; you need to manually restore the services to the primary PIC. To determine which PIC is currently active, issue the show interfaces redundancy command.

NOTE: On L2TP, the only service option supported is warm standby, in which one backup PIC supports multiple working PICs. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected. The tunnels and sessions are torn down upon switchover and need to be restarted by the LAC and PPP client, respectively. However, configuration is preserved and available on the new active PIC, although the protocol state needs to be reestablished. As with the other AS PIC services that support warm standby, you can issue the request interfaces (revert | switchover) command to manually switch between primary and secondary L2TP interfaces.

For more information, see Configuring AS or Multiservices PIC Redundancy on page 620. For an example configuration, see Examples: Configuring L2TP Services on page 426. For information on operational mode commands, see the Junos OS Interfaces Command Reference.

Tracing L2TP Operations


Tracing operations track all AS PIC operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/l2tpd.

NOTE: This topic refers to tracing L2TP LNS operations on M Series routers. To trace L2TP LAC operations on MX Series routers, see Tracing L2TP Operations for Subscriber Access.

To trace L2TP operations, include the traceoptions statement at the [edit services l2tp] hierarchy level:


traceoptions {
    debug-level level;
    file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    filter {
        protocol name;
        user-name username;
    }
    flag flag;
    interfaces interface-name {
        debug-level severity;
        flag flag;
    }
    level (all | error | info | notice | verbose | warning);
    no-remote-trace;
}

You can specify the following L2TP tracing flags:


- all - Trace everything.
- configuration - Trace configuration events.
- protocol - Trace routing protocol events.
- routing-socket - Trace routing socket events.
- rpd - Trace routing protocol process events.

You can specify a trace level for PPP, L2TP, RADIUS, and User Datagram Protocol (UDP) tracing. To configure a trace level, include the debug-level statement at the [edit services l2tp traceoptions] hierarchy level and specify one of the following values:

- detail - Detailed debug information
- error - Errors only
- packet-dump - Packet decoding information

You can filter by protocol. To configure filters, include the filter protocol statement at the [edit services l2tp traceoptions] hierarchy level and specify one or more of the following protocol values:

- ppp
- l2tp
- radius
- udp

To implement filtering by protocol name, you must also configure either flag protocol or flag all. You can also configure traceoptions for L2TP on a specific adaptive services interface. To configure per-interface tracing, include the interfaces statement at the [edit services l2tp traceoptions] hierarchy level:


interfaces interface-name {
    debug-level level;
    flag flag;
}

NOTE: Implementing traceoptions consumes CPU resources and affects the packet processing performance.

You can specify the debug-level and flag statements for the interface, but the options are slightly different from the general L2TP traceoptions. You specify the debug level as detail, error, or extensive, which provides complete PIC debug information. The following flags are available:

- all - Trace everything.
- ipc - Trace L2TP Inter-Process Communication (IPC) messages between the PIC and the Routing Engine.
- packet-dump - Dump each packet's content based on debug level.
- protocol - Trace L2TP, PPP, and multilink handling.
- system - Trace packet processing on the PIC.

Examples: Configuring L2TP Services


Configure L2TP with multiple group and user profiles and a pool of logical interfaces for concurrent tunnel sessions:
[edit access]
address-pool customer_a {
    address 10.1.1.1/32;
}
address-pool customer_b {
    address-range low 10.2.2.1 high 10.2.3.2;
}
group-profile sunnyvale_users {
    ppp {
        framed-pool customer_a;
        idle-timeout 15;
        primary-dns 192.168.65.1;
        secondary-dns 192.168.65.2;
        primary-wins 192.168.65.3;
        secondary-wins 192.168.65.4;
        interface-id west;
    }
}
group-profile eastcoast_users {
    ppp {
        framed-pool customer_b;
        idle-timeout 20;
        primary-dns 192.168.65.5;
        secondary-dns 192.168.65.6;
        primary-wins 192.168.65.7;
        secondary-wins 192.168.65.8;
        interface-id east;
    }
}
group-profile sunnyvale_tunnel {
    l2tp {
        maximum-sessions-per-tunnel 100;
        interface-id west_shared;
    }
}
group-profile east_tunnel {
    l2tp {
        maximum-sessions-per-tunnel 125;
        interface-id east_shared;
    }
}
profile sunnyvale_bldg_1 {
    client white {
        chap-secret "$9$3s2690IeK8X7VKM7VwgaJn/Ctu1hclv87Ct87"; # SECRET-DATA
        ppp {
            idle-timeout 22;
            primary-dns 192.168.65.1;
            framed-ip-address 10.12.12.12/32;
            interface-id east;
        }
        group-profile sunnyvale_users;
    }
    client blue {
        chap-secret "$9$eq1KWxbwgZUHNdjqmTF3uO1Rhr-dsoJDNd"; # SECRET-DATA
        group-profile sunnyvale_users;
    }
    authentication-order password;
}
profile sunnyvale_bldg_1_tunnel {
    client test {
        l2tp {
            shared-secret "$9$r3HKvLg4ZUDkX7JGjif5p0BIRS8LN"; # SECRET-DATA
            maximum-sessions-per-tunnel 75;
            interface-id west_shared;
            ppp-authentication chap;
        }
        group-profile sunnyvale_tunnel;
    }
    client production {
        l2tp {
            shared-secret "$9$R2QErv8X-goGylVwg4jiTz36/t0BEleWFnRhrlXxbs2aJDHqf3nCP5";
            ppp-authentication chap;
        }
        group-profile sunnyvale_tunnel;
    }
}
[edit services]
l2tp {
    tunnel-group finance-lns-server {
        l2tp-access-profile sunnyvale_bldg_1_tunnel;
        ppp-access-profile sunnyvale_bldg_1;
        local-gateway {
            address 10.1.117.3;
        }
        service-interface sp-1/3/0;
        receive-window 1500;
        maximum-send-window 1200;
        retransmit-interval 5;
        hello-interval 15;
        tunnel-timeout 55;
    }
    traceoptions {
        flag all;
    }
}
[edit interfaces sp-1/3/0]
unit 0 {
    family inet;
}
unit 10 {
    dial-options {
        l2tp-interface-id foo-user;
        dedicated;
    }
    family inet;
}
unit 11 {
    dial-options {
        l2tp-interface-id east;
        dedicated;
    }
    family inet;
}
unit 12 {
    dial-options {
        l2tp-interface-id east;
        dedicated;
    }
    family inet;
}
unit 21 {
    dial-options {
        l2tp-interface-id west;
        dedicated;
    }
    family inet;
}
unit 30 {
    dial-options {
        l2tp-interface-id west_shared;
        shared;
    }
    family inet;
}
unit 40 {
    dial-options {
        l2tp-interface-id east_shared;
        shared;
    }
    family inet;
}

Configure L2TP redundancy:


interfaces {
    rsp0 {
        redundancy-options {
            primary sp-0/0/0;
            secondary sp-1/3/0;
        }
        unit 0 {
            family inet;
        }
        unit 11 {
            dial-options {
                l2tp-interface-id east_shared;
                shared;
            }
            family inet;
        }
    }
}
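As an added example (my own Python, not Juniper code or a Junos tool), the script below parses a Junos-style configuration fragment and reports the inconsistencies this chapter warns about: an l2tp-interface-id on a logical interface that no access profile replicates, a tunnel group that leaves hide-avps off, and a trace file configured world-readable. The sample configuration and every name in it (lns-a, lns-b, orphan, tunnel_profile) are constructed for the example.

```python
"""Added example (not Juniper code): audit a Junos-style L2TP LNS fragment for
three points this chapter makes: every l2tp-interface-id set under dial-options
must be replicated as interface-id in an access profile, hide-avps is off unless
configured, and a world-readable trace file exposes tunnel and PPP details."""
import re

# Tokens: a quoted string, one of the structural characters { } ;, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

# Constructed sample with hypothetical names; unit 31 and lns-b carry planted defects.
SAMPLE_CONFIG = """
interfaces {
    sp-1/3/0 {
        unit 30 {
            dial-options {
                l2tp-interface-id west_shared;
                shared;
            }
        }
        unit 31 {
            dial-options {
                l2tp-interface-id orphan;   # no access profile declares this id
                dedicated;
            }
        }
    }
}
access {
    profile tunnel_profile {
        client test {
            l2tp {
                shared-secret "$9$PLACEHOLDER"; # SECRET-DATA
                interface-id west_shared;
            }
        }
    }
}
services {
    l2tp {
        tunnel-group lns-a {
            l2tp-access-profile tunnel_profile;
            hide-avps;
        }
        tunnel-group lns-b {
            l2tp-access-profile tunnel_profile;
        }
        traceoptions {
            file l2tpd size 1m files 5 world-readable;
        }
    }
}
"""

def parse(text):
    # Leaf statement -> its words mapped to None; block -> header words mapped to a
    # child dict. '#' comments and [edit ...] banners are dropped before tokenizing.
    kept = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    tokens = TOKEN_RE.findall(" ".join(ln for ln in kept if ln and not ln.startswith("[edit")))
    root, stack, words = {}, [], []
    cur = root
    for tok in tokens:
        if tok == "{":
            cur[" ".join(words)] = child = {}
            stack.append(cur)
            cur, words = child, []
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":
            cur[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root

def profile_interface_ids(cfg):
    # Every interface-id declared anywhere under [edit access], in ppp or l2tp blocks.
    ids, todo = set(), [cfg.get("access", {})]
    while todo:
        for key, child in todo.pop().items():
            if key.startswith("interface-id "):
                ids.add(key.split()[1])
            if isinstance(child, dict):
                todo.append(child)
    return ids

def audit(text):
    # Returns finding strings; an empty list means the fragment passed all three checks.
    cfg, findings = parse(text), []
    declared = profile_interface_ids(cfg)
    for ifname, body in cfg.get("interfaces", {}).items():
        for unit, ubody in (body or {}).items():
            for key in (ubody or {}).get("dial-options") or {}:
                if key.startswith("l2tp-interface-id ") and key.split()[1] not in declared:
                    findings.append(f"{ifname} {unit}: {key} is not replicated in any access profile")
    l2tp = cfg.get("services", {}).get("l2tp") or {}
    for key, body in l2tp.items():
        if key.startswith("tunnel-group ") and "hide-avps" not in (body or {}):
            findings.append(f"{key}: hide-avps not set, attribute-value pairs are sent exposed")
    for key in l2tp.get("traceoptions") or {}:
        if key.startswith("file ") and "world-readable" in key.split():
            findings.append(f"traceoptions: {key} leaves the trace file world-readable")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the orphan interface id on unit 31, the missing hide-avps on lns-b, and the world-readable trace file; a fragment that passes all three checks returns an empty list.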


CHAPTER 19

Summary of Layer 2 Tunneling Protocol Configuration Statements


The following sections explain each of the Layer 2 Tunneling Protocol (L2TP) statements. The statements are organized alphabetically.

facility-override
Syntax: facility-override facility-name;
Hierarchy Level: [edit services l2tp tunnel-group group-name syslog host hostname]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Override the default facility for system log reporting.
Options: facility-name - Name of the facility that overrides the default assignment. Valid entries include:
    authorization, daemon, ftp, kernel, local0 through local7, user
Usage Guidelines: See Configuring System Logging of L2TP Tunnel Activity on page 421.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


hello-interval
Syntax: hello-interval seconds;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4. Not all subordinate statements are supported for L2TP LNS on MX Series routers.
Description: Specify the keepalive timer for L2TP tunnels.
Options: seconds - Interval, in seconds, after which the server sends a hello message if no messages are received. A value of 0 means that no hello messages are sent.
    Default: 60 seconds
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation:
    (M Series routers) Configuring Timers for L2TP Tunnels on page 420
    (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

hide-avps
Syntax: hide-avps;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Hide L2TP attribute-value pairs if the secret shared between the two ends of the tunnel is known.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Default: Attribute-value pairs that can be hidden are exposed, even if the secret information is known.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Hiding Attribute-Value Pairs for L2TP Tunnels on page 420


host
Syntax:
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
    }
Hierarchy Level: [edit services l2tp tunnel-group group-name syslog]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the hostname for the system logging utility.
Options: hostname - Name of the system logging utility host machine. This can be the local Routing Engine or an external server address. The remaining statements are explained separately.
Usage Guidelines: See Configuring System Logging of L2TP Tunnel Activity on page 421.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.

l2tp-access-profile
Syntax: l2tp-access-profile profile-name;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.
Description: Specify the profile used to validate all L2TP connection requests to the local gateway address.
Options: profile-name - Identifier for the L2TP connection profile.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation:
    (M Series routers) Configuring Access Profiles for L2TP Tunnel Groups on page 419
    (MX Series routers) Configuring an L2TP Access Profile on the LNS


local-gateway address
Syntax: local-gateway address address;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.
Description: Specify the local (LNS) IP address for the L2TP tunnel.
Options: address - Local IP address; corresponds to the IP address that is used by LACs to identify the LNS. When the LAC is an MX Series router, this address matches the remote gateway address configured in the LAC tunnel profile.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation:
    (M7i, M10i, M120 routers) Configuring the Local Gateway Address and PIC on page 419
    (M Series routers) Configuring L2TP Tunnel Groups on page 418
    (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

log-prefix
Syntax: log-prefix prefix-value;
Hierarchy Level: [edit services l2tp tunnel-group group-name syslog host hostname]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Set the system logging prefix value.
Options: prefix-value - System logging prefix value.
Usage Guidelines: See Configuring System Logging of L2TP Tunnel Activity on page 421.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


maximum-send-window
Syntax: maximum-send-window packets;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the size of the send window for L2TP tunnels, which limits the remote end's receive window size.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options: packets - Maximum number of packets the send window can hold at one time.
    Default: 32
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Configuring Window Size for L2TP Tunnels on page 420

ppp-access-profile
Syntax: ppp-access-profile profile-name;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the profile used to validate all Point-to-Point Protocol (PPP) session requests through L2TP tunnels established to the local gateway address.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options: profile-name - Identifier for the PPP profile.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Configuring Access Profiles for L2TP Tunnel Groups on page 419


receive-window
Syntax: receive-window packets;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the size of the receive window for L2TP tunnels, which limits the number of packets the server processes concurrently.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options: packets - Maximum number of packets the receive window can hold at one time.
    Default: 16
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Configuring Window Size for L2TP Tunnels on page 420

retransmit-interval
Syntax: retransmit-interval seconds;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the maximum retransmit interval for L2TP tunnels.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options: seconds - Interval, in seconds, after which the server retransmits data if no acknowledgment is received.
    Default: 30 seconds
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Configuring Timers for L2TP Tunnels on page 420


service-interface
Syntax: service-interface interface-name;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4. Option si-fpc/pic/port introduced in Junos OS Release 11.4.
Description: Specify the service interface responsible for handling L2TP processing.

NOTE: On MX Series routers, the service interface configuration is required for static LNS sessions. Either the service interface configuration or the service device pool configuration can be used for dynamic LNS sessions.

Options: interface-name - Name of the service interface. The interface type depends on the line card as follows:
    sp-fpc/pic/port - On AS or Multiservices PICs on M7i, M10i, and M120 routers.
    si-fpc/pic/port - On MPCs on MX Series routers.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation:
    (M7i, M10i, and M120 routers) Configuring the Local Gateway Address and PIC on page 419
    (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces


services
See the following sections:

services (Hierarchy) on page 438
services (L2TP System Logging) on page 439

services (Hierarchy)
Syntax: services l2tp { ... }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the service properties to be applied to traffic.
Options: l2tp - Identifies the L2TP set of services statements.
Usage Guidelines: See L2TP Services Configuration Overview on page 415.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.


services (L2TP System Logging)


Syntax: services severity-level;
Hierarchy Level: [edit services l2tp tunnel-group group-name syslog host hostname]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the system logging severity level.
Options: severity-level - Assigns a severity level to the facility. Valid entries include:
    alert - Conditions that should be corrected immediately.
    any - Matches any level.
    critical - Critical conditions.
    emergency - Panic conditions.
    error - Error conditions.
    info - Informational messages.
    notice - Conditions that require special handling.
    warning - Warning messages.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Configuring System Logging of L2TP Tunnel Activity on page 421


syslog
Syntax:
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }
Hierarchy Level: [edit services l2tp tunnel-group group-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the generation of system log messages for L2TP services. System log information is passed to the kernel for logging in the /var/log/l2tpd directory.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options: The remaining statements are described separately.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation: Configuring System Logging of L2TP Tunnel Activity on page 421


traceoptions (L2TP)
Syntax:
    traceoptions {
        debug-level level;
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        filter {
            protocol name;
            user-name username;
        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
Hierarchy Level: [edit services l2tp]
Release Information: Statement introduced before Junos OS Release 7.4. Support for L2TP LAC on MX Series routers introduced in Junos OS Release 10.4. Support for L2TP LNS on MX Series routers introduced in Junos OS Release 11.4.
Description: Define tracing operations for L2TP processes.
Options:
    debug-level level - Trace level for PPP, L2TP, RADIUS, and UDP; this option does not apply to L2TP on MX Series routers:
        detail - Trace detailed debug information.
        error - Trace error information.
        packet-dump - Trace packet decoding information.
    file filename - Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
    files number - (Optional) Maximum number of trace files to create before overwriting the oldest one. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
        Range: 2 through 1000
        Default: 3 files
    filter protocol name - Additional filter for the specified protocol; this option does not apply to L2TP on MX Series routers:
        l2tp
        ppp
        radius
        udp
    filter user-name username - Additional filter for the specified username; this option does not apply to L2TP on MX Series routers.
    flag flag - Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
        all - Trace all operations.
        configuration - Trace configuration events.
        events - Trace interface events.
        general - Trace general events.
        gres - Trace GRES events.
        init - Trace daemon initialization.
        ipc-rx - Trace IPC receive events.
        ipc-tx - Trace IPC transmit events.
        memory - Trace memory management code.
        message - Trace message processing code.
        packet-error - Trace packet error events.
        parse - Trace parsing events.
        protocol - Trace L2TP events.
        receive-packets - Trace received L2TP packets.
        routing-process - Trace routing process interactions.
        routing-socket - Trace routing socket events.
        session-db - Trace session database interactions.
        states - Trace state machine events.
        timer - Trace timer events.
        transmit-packets - Trace transmitted L2TP packets.
        tunnel - Trace tunnel events.
    interfaces interface-name - Apply L2TP traceoptions to a specific services interface. This option does not apply to L2TP on MX Series routers.
        debug-level level - Trace level for the interface; this option does not apply to L2TP on MX Series routers:
            detail - Trace detailed debug information.
            error - Trace error information.
            extensive - Trace all PIC debug information.
        flag flag - Tracing operation to perform for the interface. This option does not apply to L2TP on MX Series routers. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
            all - Trace everything.
            ipc - Trace L2TP Inter-Process Communication (IPC) messages between the PIC and the Routing Engine.
            packet-dump - Dump each packet's content based on debug level.
            protocol - Trace L2TP, PPP, and multilink handling.
            system - Trace packet processing on the PIC.
    level - Specify the level of tracing to perform. You can specify any of the following levels:
        all - Match all levels.
        error - Match error conditions.
        info - Match informational messages.
        notice - Match notice messages about conditions requiring special handling.
        verbose - Match verbose messages.
        warning - Match warning messages.
    match regular-expression - (Optional) Refine the output to include lines that contain the regular expression.
    no-remote-trace - Disable remote tracing.
    no-world-readable - (Optional) Disable unrestricted file access.
    size maximum-file-size - (Optional) Maximum size of each trace file. By default, the number entered is treated as bytes. Alternatively, you can include a suffix to the number to indicate kilobytes (KB), megabytes (MB), or gigabytes (GB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
        Syntax: sizek to specify KB, sizem to specify MB, or sizeg to specify GB
        Range: 10240 through 1073741824
    world-readable - (Optional) Enable unrestricted file access.
Required Privilege Level:
    trace - To view this statement in the configuration.
    trace-control - To add this statement to the configuration.
Related Documentation:
    For information about L2TP tracing on MX Series routers, see Tracing L2TP Operations for Subscriber Access.
    For information about L2TP tracing on M Series routers, see Tracing L2TP Operations on page 424.


tunnel-group
Syntax:
    tunnel-group group-name {
        aaa-access-profile profile-name;
        dynamic-profile profile-name;
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-device-pool pool-name;
        service-interface interface-name;
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                log-prefix prefix-value;
            }
        }
        tos-reflect;
        tunnel-timeout seconds;
    }
Hierarchy Level: [edit services l2tp]
Release Information: Statement introduced before Junos OS Release 7.4. Support for MX Series routers and the aaa-access-profile, dynamic-profile, service-device-pool, and tos-reflect statements introduced in Junos OS Release 11.4.
Description: Specify the L2TP tunnel properties.

NOTE: Subordinate statement support depends on the platform. See individual statement topics for more detailed support information.

Options: group-name - Identifier for the tunnel group. The remaining statements are explained separately.
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation:
    (M7i, M10i, and M120 routers) Configuring L2TP Tunnel Groups on page 418
    (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces


tunnel-timeout
Syntax: tunnel-timeout seconds;
Hierarchy Level: [edit services l2tp tunnel-group name]
Release Information: Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.
Description: Specify the maximum downtime for an L2TP tunnel, after which the tunnel is terminated because the connection is presumed to have been lost.
Options: seconds - Interval after which the tunnel is terminated if no data can be sent.
    Default: 120 seconds
Required Privilege Level:
    interface - To view this statement in the configuration.
    interface-control - To add this statement to the configuration.
Related Documentation:
    (M Series routers) Configuring Timers for L2TP Tunnels on page 420
    (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces


CHAPTER 20

Link Services IQ Interfaces Configuration Guidelines


You can configure link services intelligent queuing (IQ) (LSQ or lsq-) interfaces on the Adaptive Services (AS) PIC, the internal Adaptive Services Module in the M7i platform, the Link Services II PIC, and the Multiservices PIC. LSQ interfaces are similar to link services interfaces, which are described in Multilink and Link Services Logical Interface Configuration Overview on page 1237. The important difference is that LSQ interfaces fully support Junos class of service (CoS) components. The AS or Multiservices PIC has a limit of 1023 logical interfaces. Each logical interface is a Multilink Point-to-Point Protocol (MLPPP) bundle, an FRF.15 bundle, or an FRF.16 DLCI. This chapter describes the Layer 2 service package and the CoS and failure recovery capabilities of LSQ interfaces. For detailed information about Layer 3 services, see other chapters in this manual and the Junos OS Feature Guides.

NOTE: The Link Services II PIC offers the same functionality as the Layer 2 service package on AS or Multiservices PICs.

This chapter contains the following sections:


• Layer 2 Service Package Capabilities and Interfaces on page 448
• Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS on page 450
• Configuring LSQ Interface Redundancy in a Single Router Using SONET APS on page 452
• Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453
• Configuring CoS Scheduling Queues on Logical LSQ Interfaces on page 461
• Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465
• Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces on page 466
• Configuring Multiclass MLPPP on LSQ Interfaces on page 467
• Oversubscribing Interface Bandwidth on LSQ Interfaces on page 468
• Configuring Guaranteed Minimum Rate on LSQ Interfaces on page 473
• Configuring Link Services and CoS on Services PICs on page 477
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on page 480
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 on page 485
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI on page 490
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 on page 502
• Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP on page 503
• Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 on page 504
• Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP on page 506

Layer 2 Service Package Capabilities and Interfaces


As described in Enabling Service Packages on page 39, you can configure the AS or Multiservices PIC and the internal ASM in the M7i platform to use either the Layer 2 or the Layer 3 service package. When you enable the Layer 2 service package, the AS or Multiservices PIC supports link services. On the AS or Multiservices PIC and the ASM, link services include the following:

• Junos CoS components: Configuring CoS Scheduling Queues on Logical LSQ Interfaces on page 461 describes how the Junos CoS components work on link services IQ (lsq) interfaces. For detailed information about Junos CoS components, see the Junos OS Class of Service Configuration Guide.
• Data compression using the compressed Real-Time Transport Protocol (CRTP) for use in voice over IP (VoIP) transmission.

NOTE: On LSQ interfaces, all multilink traffic for a single bundle is sent to a single processor. If CRTP is enabled on the bundle, it adds overhead to the CPU. Because T3 network interfaces support only one link per bundle, make sure you configure a fragmentation map for compressed traffic on these interfaces and specify the no-fragmentation option. For more information, see Configuring Delay-Sensitive Packet Interleaving on page 524 and Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.

• Link fragment interleaving (LFI) on Frame Relay links using FRF.12 end-to-end fragmentation: The standard for FRF.12 is defined in the specification FRF.12, Frame Relay Fragmentation Implementation Agreement.
• LFI on Multilink Point-to-Point Protocol (MLPPP) links.
• Multilink Frame Relay (MLFR) end-to-end (FRF.15): The standard for FRF.15 is defined in the specification FRF.15, End-to-End Multilink Frame Relay Implementation Agreement.
• Multilink Frame Relay (MLFR) UNI NNI (FRF.16): The standard for FRF.16 is defined in the specification FRF.16.1, Multilink Frame Relay UNI/NNI Implementation Agreement.
• MLPPP: The standard for MLPPP is defined in the specification RFC 1990, The PPP Multilink Protocol (MP).
• Multiclass extension to MLPPP: The standard is defined in the specification RFC 2686, The Multi-Class Extension to Multi-Link PPP.

For the LSQ interface on the AS or Multiservices PIC, the configuration syntax is almost the same as for Multilink and Link Services PICs. The primary difference is the use of the interface-type descriptor lsq instead of ml or ls. When you enable the Layer 2 service package on the AS or Multiservices PIC, the following interfaces are automatically created:
    gr-fpc/pic/port
    ip-fpc/pic/port
    lsq-fpc/pic/port
    lsq-fpc/pic/port:0
    ...
    lsq-fpc/pic/port:N
    mt-fpc/pic/port
    pd-fpc/pic/port
    pe-fpc/pic/port
    sp-fpc/pic/port
    vt-fpc/pic/port

Interface types gr, ip, mt, pd, pe, and vt are standard tunnel interfaces that are available on the AS or Multiservices PIC whether you enable the Layer 2 or the Layer 3 service package. These tunnel interfaces function the same way for both service packages, except that the Layer 2 service package does not support some tunnel functions, as shown in Table 5 on page 24. For more information about tunnel interfaces, see Tunnel Properties.

NOTE: Interface type sp is created because it is needed by the Junos OS. For the Layer 2 service package, the sp interface is not configurable, but you should not disable it.

Interface type lsq-fpc/pic/port is the physical link services IQ interface (lsq). Interface types lsq-fpc/pic/port:0 through lsq-fpc/pic/port:N represent FRF.16 bundles. These interface types are created when you include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level. For more information, see Configuring CoS Scheduling Queues on Logical LSQ Interfaces on page 461.


NOTE: On DS0, E1, or T1 interfaces in LSQ bundles, you can configure the bandwidth statement, but the router does not use the bandwidth value if the interfaces are included in an MLPPP or MLFR bundle. The bandwidth is calculated internally according to the time slots, framing, and byte-encoding of the interface. For more information about these properties, see the Junos OS Network Interfaces Configuration Guide.

Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS
Link services IQ (lsq-) interfaces that are paired with SONET PICs can use the Automatic Protection Switching (APS) configuration already available on SONET networks to provide failure recovery. SONET APS provides stateless failure recovery, if it is configured on SONET interfaces in separate chassis and each SONET PIC is paired with an AS or Multiservices PIC in the same chassis. If one of the following conditions for APS failure is met, the associated SONET PIC triggers recovery to the backup circuit and its associated AS or Multiservices PIC. The failure conditions are:

• Failure of Link Services IQ PIC
• Failure of FPC that hosts the Link Services IQ PIC
• Failure of Packet Forwarding Engine
• Failure of chassis

The guidelines for configuring SONET APS are described in the Junos OS Network Interfaces Configuration Guide. The following sections describe how to configure failover properties:

• Configuring the Association between LSQ and SONET Interfaces on page 450
• Configuring SONET APS Interoperability with Cisco Systems FRF.16 on page 451
• Restrictions on APS Redundancy for LSQ Interfaces on page 452

Configuring the Association between LSQ and SONET Interfaces


To configure the association between AS or Multiservices PICs hosting link services IQ interfaces and the SONET interfaces, include the lsq-failure-options statement at the [edit interfaces] hierarchy level:
    lsq-fpc/pic/port {
        lsq-failure-options {
            no-termination-request;
            [ trigger-link-failure interface-name ];
        }
    }

For example, consider the following network scenario:


• Primary router includes interfaces oc3-0/2/0 and lsq-1/1/0.
• Backup router includes interfaces oc3-2/2/0 and lsq-3/2/0.


Configure SONET APS, with oc3-0/2/0 as the working circuit and oc3-2/2/0 as the protect circuit. Include the trigger-link-failure statement to extend failure to the LSQ PICs:
    interfaces lsq-1/1/0 {
        lsq-failure-options {
            trigger-link-failure oc3-0/2/0;
        }
    }

NOTE: You must configure the lsq-failure-options statement on the primary router only. The configuration is not supported on the backup router.

To inhibit the router from sending PPP termination-request messages to the remote host if the Link Services IQ PIC fails, include the no-termination-request statement at the [edit interfaces lsq-fpc/pic/port lsq-failure-options] hierarchy level:
    [edit interfaces lsq-fpc/pic/port lsq-failure-options]
    no-termination-request;

This functionality is supported on link PICs as well. To inhibit the router from sending PPP termination-request messages to the remote host if a link PIC fails, include the no-termination-request statement at the [edit interfaces interface-name ppp-options] hierarchy level.
    [edit interfaces interface-name ppp-options]
    no-termination-request;

The no-termination-request statement is supported only with MLPPP and SONET APS configurations and works with PPP, PPP over Frame Relay, and MLPPP interfaces only, on the following PICs:

• Channelized OC3 IQ PICs
• Channelized OC12 IQ PICs
• Channelized STM1 IQ PICs
• Channelized STM4 IQ PICs

Configuring SONET APS Interoperability with Cisco Systems FRF.16


Juniper Networks routers configured with APS might not interoperate correctly with Cisco FRF.16. To enable interoperation, include the cisco-interoperability statement at the [edit interfaces lsq-fpc/pic/port mlfr-uni-nni-bundle-options] hierarchy level:
    [edit interfaces lsq-fpc/pic/port mlfr-uni-nni-bundle-options]
    cisco-interoperability send-lip-remove-link-for-link-reject;

The send-lip-remove-link-for-link-reject option prompts the router to send a Link Integrity Protocol remove link when it receives an add-link rejection message.


Restrictions on APS Redundancy for LSQ Interfaces


The following restrictions apply to LSQ failure recovery:

• It applies only to Link Services IQ PICs installed in M Series routers, except for M320 routers.
• You must configure the failure-options statement on physical LSQ interfaces, not on MLFR channelized units.
• The Link Services IQ PICs must be associated with SONET link PICs.
• The paired PICs can be installed on different routers or in the same router; in other words, both interchassis and intrachassis recovery are supported.
• Failure recovery is stateless; as a result, route flapping and loss of link state is expected in interchassis recovery, requiring PPP renegotiation. In intrachassis recovery, no impact on traffic is anticipated with Routing Engine failover, but PIC failover results in PPP renegotiation.
• The switchover is not revertive: when the original hardware is restored to service, traffic does not automatically revert back to it.
• Normal APS switchover and PIC-triggered APS switchover can be distinguished only by checking the system log messages.

NOTE: When an AS PIC experiences persistent back pressure as a result of high traffic volume for 3 seconds, the condition triggers an automatic core dump and reboot of the PIC to help clear the blockage. A system log message at level LOG_ERR is generated. This mechanism applies to both Layer 2 and Layer 3 service packages.

Configuring LSQ Interface Redundancy in a Single Router Using SONET APS


Stateless switchover from one Link Services IQ PIC to another within the same router can be configured by using the SONET APS mechanism described in Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS on page 450. Each Link Services IQ PIC must be associated with a specified SONET link PIC within the same router.

NOTE: For complete intrachassis recovery, including recovery from Routing Engine failover, graceful Routing Engine switchover (GRES) must be enabled on the router. For more information, see the Junos OS System Basics Configuration Guide.


Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces


You can configure failure recovery on M Series, MX Series, and T Series routers that have multiple AS or Multiservices PICs and DPCs with lsq- interfaces by specifying a virtual LSQ redundancy (rlsq) interface in which the primary Link Services IQ PIC is active and a secondary PIC is on standby. If the primary PIC fails, the secondary PIC becomes active, and all LSQ processing is transferred to it. To determine which PIC is currently active, issue the show interfaces redundancy command.

NOTE: This configuration does not require the use of SONET APS for failover. Network interfaces that do not support SONET can be used, such as T1 or E1 interfaces.

The following sections provide more information:


• Configuring Redundant Paired LSQ Interfaces on page 453
• Restrictions on Redundant LSQ Interfaces on page 454
• Configuring Link State Replication for Redundant Link PICs on page 455
• Examples: Configuring Redundant LSQ Interfaces for Failure Recovery on page 457

Configuring Redundant Paired LSQ Interfaces


The physical interface type rlsq specifies the pairings between primary and secondary lsq interfaces to enable redundancy. To configure a backup lsq interface, include the redundancy-options statement at the [edit interfaces rlsqnumber] hierarchy level:
    [edit interfaces rlsqnumber]
    redundancy-options {
        (hot-standby | warm-standby);
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }

For the rlsq interface, number can be from 0 through 1023. If the primary lsq interface fails, traffic processing switches to the secondary interface. The secondary interface remains active even after the primary interface recovers. If the secondary interface fails and the primary interface is active, processing switches to the primary interface.

The hot-standby option is used with one-to-one redundancy configurations, in which one working PIC is supported by one backup PIC. It is supported with MLPPP, CRTP, FRF.15, and FRF.16 configurations for the LSQ interface to achieve an uninterrupted LSQ service. It sets the requirement for the failure detection and recovery time to be less than 5 seconds. The behavior is revertive, but you can manually switch between the primary and secondary PICs by issuing the request interfaces (revert | switchover) rlsqnumber operational mode command. It also provides a switchover time of 5 seconds or less for FRF.15 and a maximum of 10 seconds for FRF.16.


The warm-standby option is used with redundancy configurations in which one backup PIC supports multiple working PICs. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected. Certain combinations of hot-standby and warm-standby configuration are not permitted and result in a configuration error. The following examples are permitted:

• Interface rlsq0 configured with primary lsq-0/0/0 and warm-standby, in combination with interface rlsq0:0 configured with primary lsq-0/0/0:0
• Interface rlsq0:0 configured with primary lsq-0/0/0:0, in combination with interface rlsq0:1 configured with primary lsq-0/0/0:1

The following example combinations are not permitted:

• Interface rlsq0 configured with primary lsq-0/0/0 and hot-standby, in combination with interface rlsq0:0 configured with primary lsq-0/0/0:0
• Interface rlsq0:0 configured with primary lsq-0/0/0:0, in combination with interface rlsq1:0 configured with primary lsq-0/0/0:0
• Interface rlsq0:0 configured with primary lsq-0/0/0:1, in combination with interface rlsq1:1 configured with primary lsq-0/0/0:1
• Interface rlsq0 configured with primary lsq-0/0/0, in combination with interface rlsq1 configured with primary lsq-0/0/0

In addition, the same physical interface cannot be reused as the primary interface for more than one rlsq interface, nor can any of the associated logical interfaces. For example, primary interface lsq-0/0/0 cannot be reused in another rlsq interface as lsq-0/0/0:0.

Restrictions on Redundant LSQ Interfaces


Link Services IQ PIC failure occurs under the following conditions:

• The primary PIC fails to boot. In this case, the rlsq interface does not come up and manual intervention is necessary to reboot or replace the PIC, or to rename the primary PIC to the secondary one in the rlsq configuration.
• The primary PIC becomes active and then fails. The secondary PIC automatically takes over processing.
• A failover to the secondary PIC takes place. The secondary PIC then fails. If the primary PIC has been restored to active state, processing switches to it.
• The FPC that contains the Link Services IQ PIC fails.

The following constraints apply to redundant LSQ configurations:

• We recommend that primary and secondary PICs be configured in two different FPCs (in chassis other than M10i routers).
• You cannot configure a Link Services IQ PIC with explicit bundle configurations and as a constituent of an rlsq interface.
• Redundant LSQ configurations provide full GRES support. (You must configure GRES at the [edit chassis] hierarchy level; see the Junos OS System Basics Configuration Guide.)
• If you configure the redundancy-options statement with the hot-standby option, the configuration must include one primary interface value and one secondary interface value.
• Since the same interface name is used for hot-standby and warm-standby, if you modify the configuration to change this attribute, it is recommended that you first deactivate the interface, commit the new configuration, and then reactivate the interface.
• You cannot make changes to an active redundancy-options configuration. You must deactivate the rlsqnumber interface configuration, change it, and reactivate it.
• The rlsqnumber configuration becomes active only if the primary interface is active. When the configuration is first activated, the primary interface must be active; if not, the rlsq interface waits until the primary interface comes up.
• You cannot modify the configuration of lsq interfaces after they have been included in an active rlsq interface.
• All the operational mode commands that apply to rsp interfaces also apply to rlsq interfaces. You can issue show commands for the rlsq interface or the primary and secondary lsq interfaces. However, statistics on the link interfaces are not carried over following a Routing Engine switchover.
• The rlsq interfaces also support the lsq-failure-options configuration, discussed in Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS on page 450. If the primary and secondary Link Services IQ PICs fail and the lsq-failure-options statement is configured, the configuration triggers a SONET APS switchover.
• Redundant LSQ configurations that require MLPPP Multilink Frame Relay (FRF.15 and FRF.16) are supported only with the warm-standby option.
• Redundant LSQ support is extended to ATM network interfaces.
• Channelized interfaces are used with FRF.16 bundles, for example rlsq0:0. The rlsq number and its constituents, the primary and secondary interfaces, must match for the configuration to be valid: either all must be channelized, or none. For an example of an FRF.16 configuration, see Configuring LSQ Interface Redundancy for an FRF.16 Bundle on page 461.

NOTE: Adaptive Services and Multiservices PICs in layer-2 mode (running Layer 2 services) are not rebooted when a MAC flow-control situation is detected.
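The pairing rules from Configuring Redundant Paired LSQ Interfaces and the channelization rule from the restrictions above, encoded as a pre-commit check. This is an added Python example, not Juniper code; how the guide's sentences combine into checks is an interpretation, and the secondary interface names are constructed for illustration.

```python
"""Validator for rlsq primary/secondary pairing rules (added example).

Encodes: the 0 through 1023 range, the permitted and not-permitted
combinations listed in the guide, the rule that a physical lsq interface
or any of its channels may be the primary of only one rlsq number, and
the rule that an rlsq and its constituents are all channelized or none.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RLSQ_RE = re.compile(r"^rlsq(\d+)(?::(\d+))?$")
LSQ_RE = re.compile(r"^lsq-(\d+/\d+/\d+)(?::(\d+))?$")


@dataclass(frozen=True)
class Rlsq:
    name: str       # "rlsq0" (physical) or "rlsq0:0" (FRF.16 channel)
    primary: str    # "lsq-0/0/0" or "lsq-0/0/0:0"
    secondary: str
    mode: str       # "hot-standby" or "warm-standby"


def parse_rlsq(name: str) -> Tuple[int, Optional[int]]:
    """Return (rlsq number, channel or None)."""
    m = RLSQ_RE.match(name)
    if not m:
        raise ValueError(f"not an rlsq interface name: {name}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) is not None else None)


def parse_lsq(name: str) -> Tuple[str, Optional[int]]:
    """Return (fpc/pic/port, channel or None)."""
    m = LSQ_RE.match(name)
    if not m:
        raise ValueError(f"not an lsq interface name: {name}")
    return m.group(1), (int(m.group(2)) if m.group(2) is not None else None)


def validate(rlsqs: List[Rlsq]) -> List[str]:
    """Return a list of configuration errors; an empty list means valid."""
    errors: List[str] = []
    primary_owner: Dict[str, str] = {}                 # primary -> rlsq name
    numbers_by_phys: Dict[str, Set[int]] = defaultdict(set)
    hot_physical: Dict[int, str] = {}                  # rlsq number -> phys

    for r in rlsqs:
        number, rchan = parse_rlsq(r.name)
        p_phys, p_chan = parse_lsq(r.primary)
        _, s_chan = parse_lsq(r.secondary)
        if not 0 <= number <= 1023:
            errors.append(f"{r.name}: rlsq number must be 0 through 1023")
        if r.mode not in ("hot-standby", "warm-standby"):
            errors.append(f"{r.name}: mode must be hot-standby or warm-standby")
        # Either all of rlsq, primary and secondary are channelized, or none.
        if not ((rchan is None) == (p_chan is None) == (s_chan is None)):
            errors.append(f"{r.name}: rlsq, primary and secondary must all be "
                          "channelized or none")
        # The same primary may not serve more than one rlsq interface.
        if r.primary in primary_owner:
            errors.append(f"{r.name}: primary {r.primary} already used by "
                          f"{primary_owner[r.primary]}")
        primary_owner.setdefault(r.primary, r.name)
        numbers_by_phys[p_phys].add(number)
        if rchan is None and r.mode == "hot-standby":
            hot_physical[number] = p_phys

    # A physical lsq and its channels are primaries under one rlsq number only.
    for phys, numbers in numbers_by_phys.items():
        if len(numbers) > 1:
            errors.append(f"lsq-{phys}: primary under rlsq numbers {sorted(numbers)}")

    # Channel pairings combine only with a warm-standby physical rlsq.
    for r in rlsqs:
        number, rchan = parse_rlsq(r.name)
        if rchan is not None and hot_physical.get(number) == parse_lsq(r.primary)[0]:
            errors.append(f"{r.name}: rlsq{number} is hot-standby; channel "
                          "pairings are permitted only with warm-standby")
    return errors


# The guide's combinations; secondary names are constructed.
PERMITTED = [
    [Rlsq("rlsq0", "lsq-0/0/0", "lsq-1/0/0", "warm-standby"),
     Rlsq("rlsq0:0", "lsq-0/0/0:0", "lsq-1/0/0:0", "warm-standby")],
    [Rlsq("rlsq0:0", "lsq-0/0/0:0", "lsq-1/0/0:0", "warm-standby"),
     Rlsq("rlsq0:1", "lsq-0/0/0:1", "lsq-1/0/0:1", "warm-standby")],
]
NOT_PERMITTED = [
    [Rlsq("rlsq0", "lsq-0/0/0", "lsq-1/0/0", "hot-standby"),
     Rlsq("rlsq0:0", "lsq-0/0/0:0", "lsq-1/0/0:0", "warm-standby")],
    [Rlsq("rlsq0:0", "lsq-0/0/0:0", "lsq-1/0/0:0", "warm-standby"),
     Rlsq("rlsq1:0", "lsq-0/0/0:0", "lsq-1/0/0:0", "warm-standby")],
    [Rlsq("rlsq0:0", "lsq-0/0/0:1", "lsq-1/0/0:1", "warm-standby"),
     Rlsq("rlsq1:1", "lsq-0/0/0:1", "lsq-1/0/0:1", "warm-standby")],
    [Rlsq("rlsq0", "lsq-0/0/0", "lsq-1/0/0", "warm-standby"),
     Rlsq("rlsq1", "lsq-0/0/0", "lsq-1/0/0", "warm-standby")],
    [Rlsq("rlsq0", "lsq-0/0/0", "lsq-1/0/0", "warm-standby"),
     Rlsq("rlsq1:0", "lsq-0/0/0:0", "lsq-1/0/0:0", "warm-standby")],
]

if __name__ == "__main__":
    for combo in PERMITTED + NOT_PERMITTED:
        print([r.name for r in combo], validate(combo) or "ok")
```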

Configuring Link State Replication for Redundant Link PICs


Link state replication, also called interface preservation, is an addition to the SONET Automatic Protection Switching (APS) functionality that helps promote redundancy of the link PICs used in LSQ configurations.


Link state replication provides the ability to add two sets of links, one from the active (working) SONET PIC and the other from the backup (protect) SONET PIC to the same bundle. If the active SONET PIC fails, links from the standby PIC are used without causing a link renegotiation. All the negotiated state is replicated from the active links to the standby links to prevent link renegotiation. For more information about SONET APS configurations, see the Junos OS Network Interfaces Configuration Guide. To configure link state replication, include the preserve-interface statement at the [edit interfaces interface-name sonet-options aps] hierarchy level on both network interfaces:
    [edit interfaces interface-name sonet-options aps]
    preserve-interface;

The following constraints apply to link PIC redundancy:

• APS functionality must be available on the SONET PICs and the interface configurations must be identical on both ends of the link. Any configuration mismatch causes the commit operation to fail.
• This feature is supported only with LSQ and SONET APS-enabled link PICs, including Channelized OC3, Channelized OC12, and Channelized STM1 intelligent queuing (IQ) PICs.
• Link state replication supports MLPPP and PPP over Frame Relay (frame-relay-ppp) encapsulation, and fully supports GRES.
• Enabling the interface or protocol traceoptions with a large number of MLPPP links can trigger Link Control Protocol (LCP) renegotiation during the link switchover time.

NOTE: This renegotiation is more likely to take place for configurations with back-to-back Juniper Networks routers than in networks in which a Juniper Networks router is connected to an add/drop multiplexer (ADM).

In general, networks that connect a Juniper Networks router to an ADM allow faster MLPPP link switchover than those with back-to-back Juniper Networks routers. The MLPPP link switchover time difference may be significant, especially for networks with a large number of MLPPP links. An aggressive LCP keepalive timeout configuration can lead to LCP renegotiation during the MLPPP link switchover. By default, the LCP keepalive timer interval is 10 seconds and the consecutive link down count is 3. The MLPPP links start LCP negotiation only after a timeout of 30 seconds. Lowering these configuration values may trigger one or more of the MLPPP links to renegotiate during the switchover time.

NOTE: LCP renegotiation is more likely to take place for configurations with back-to-back Juniper Networks routers than in networks in which a Juniper Networks router is connected to an ADM.

As an example, the following configuration shows the link state replication configuration between the ports coc3-1/0/0 and coc3-2/0/0.


    interfaces {
        coc3-1/0/0 {
            sonet-options {
                aps {
                    preserve-interface;
                    working-circuit aps-group-1;
                }
            }
        }
        coc3-2/0/0 {
            sonet-options {
                aps {
                    preserve-interface;
                    protect-circuit aps-group-1;
                }
            }
        }
    }

Examples: Configuring Redundant LSQ Interfaces for Failure Recovery


Configuring LSQ Interface Redundancy for MLPPP

The following configuration shows that lsq-1/1/0 and lsq-1/3/0 work as a pair and the redundancy type is hot-standby, which sets the requirement for the failure detection and recovery time to be less than 5 seconds:

    interfaces rlsq0 {
        redundancy-options {
            primary lsq-1/1/0;
            secondary lsq-1/3/0;
            hot-standby; # either hot-standby or warm-standby is supported
        }
    }

The following example shows a related MLPPP configuration:

NOTE: MLPPP protocol configuration is required for this configuration.

    interfaces {
        t1-1/2/0 {
            unit 0 {
                family mlppp {
                    bundle rlsq0.0;
                }
            }
        }
        rlsq0 {
            unit 0 {
                family inet {
                    address 30.1.1.2/24;
                }
            }
        }
    }

The following example shows a related CoS configuration:


    class-of-service {
        interfaces {
            rlsq0 {
                unit * {
                    fragmentation-maps fr-map1;
                }
            }
        }
    }

The following example shows a complete link state replication configuration for MLPPP. This example uses two bundles, each with four T1 links. The first four T1 links (t1-*:1 through t1-*:4) form the first bundle and the last four T1 links (t1-*:5 through t1-*:8) form the second bundle. To minimize the duplication in the configuration, this example uses the [edit groups] statement; for more information, see the Junos OS System Basics Configuration Guide. This type of configuration is not required; it simplifies the task and minimizes duplication.
    groups {
        ml-partition-group {
            interfaces {
                <coc3-*> {
                    partition 1 oc-slice 1 interface-type coc1;
                }
                <coc1-*> {
                    partition 1-8 interface-type t1;
                }
            }
        }
        ml-bundle-group-1 {
            interfaces {
                <t1-*:"[1-4]"> {
                    encapsulation ppp;
                    unit 0 {
                        family mlppp {
                            bundle lsq-0/1/0.0;
                        }
                    }
                }
            }
        }
        ml-bundle-group-2 {
            interfaces {
                <t1-*:"[5-8]"> {
                    encapsulation ppp;
                    unit 0 {
                        family mlppp {
                            bundle lsq-0/1/0.1;
                        }
                    }
                }
            }
        }
    }
    interfaces {
        lsq-0/1/0 {
            unit 0 {
                encapsulation multilink-ppp;
                family inet {
                    address 1.1.1.1/32 {
                        destination 1.1.1.2;
                    }
                }
            }
            unit 1 {
                encapsulation multilink-ppp;
                family inet {
                    address 1.1.2.1/32 {
                        destination 1.1.2.2;
                    }
                }
            }
        }
        coc3-1/0/0 {
            apply-groups ml-partition-group;
            sonet-options {
                aps {
                    preserve-interface;
                    working-circuit aps-group-1;
                }
            }
        }
        coc1-1/0/0:1 {
            apply-groups ml-partition-group;
        }
        t1-1/0/0:1:1 {
            apply-groups ml-bundle-group-1;
        }
        t1-1/0/0:1:2 {
            apply-groups ml-bundle-group-1;
        }
        t1-1/0/0:1:3 {
            apply-groups ml-bundle-group-1;
        }
        t1-1/0/0:1:4 {
            apply-groups ml-bundle-group-1;
        }
        t1-1/0/0:1:5 {
            apply-groups ml-bundle-group-2;
        }
        t1-1/0/0:1:6 {
            apply-groups ml-bundle-group-2;
        }
        t1-1/0/0:1:7 {
            apply-groups ml-bundle-group-2;
        }
        t1-1/0/0:1:8 {
            apply-groups ml-bundle-group-2;
        }
        coc3-2/0/0 {
            apply-groups ml-partition-group;
            sonet-options {
                aps {
                    preserve-interface;
                    protect-circuit aps-group-1;
                }
            }
        }
        coc1-2/0/0:1 {
            apply-groups ml-partition-group;
        }
        t1-2/0/0:1:1 {
            apply-groups ml-bundle-group-1;
        }
        t1-2/0/0:1:2 {
            apply-groups ml-bundle-group-1;
        }
        t1-2/0/0:1:3 {
            apply-groups ml-bundle-group-1;
        }
        t1-2/0/0:1:4 {
            apply-groups ml-bundle-group-1;
        }
        t1-2/0/0:1:5 {
            apply-groups ml-bundle-group-2;
        }
        t1-2/0/0:1:6 {
            apply-groups ml-bundle-group-2;
        }
        t1-2/0/0:1:7 {
            apply-groups ml-bundle-group-2;
        }
        t1-2/0/0:1:8 {
            apply-groups ml-bundle-group-2;
        }
    }

Configuring LSQ Interface Redundancy for an FRF.15 Bundle

The following example shows a configuration for an FRF.15 bundle:

    interfaces rlsq0 {
        redundancy-options {
            primary lsq-1/2/0;
            secondary lsq-1/3/0;
            warm-standby; # either hot-standby or warm-standby is supported
        }
        unit 0 {
            encapsulation multilink-frame-relay-end-to-end;
            family inet {
                address 30.1.1.1/24;
            }
        }
    }

Configuring LSQ Interface Redundancy for an FRF.16 Bundle

The following example shows a configuration for an FRF.16 bundle:

    interfaces rlsq0:0 {
        dce;
        encapsulation multilink-frame-relay-uni-nni;
        redundancy-options {
            primary lsq-1/2/0:0;
            secondary lsq-1/3/0:0;
            warm-standby; # either hot-standby or warm-standby is supported
        }
        unit 0 {
            dlci 1000;
            family inet {
                address 50.1.1.1/24;
            }
        }
    }

Configuring CoS Scheduling Queues on Logical LSQ Interfaces


For link services IQ (lsq-) interfaces, you can specify a scheduler map for each logical unit. A logical unit represents either an MLPPP bundle or a DLCI configured on a FRF.16 bundle. The scheduler is applied to the traffic sent to an AS or Multiservices PIC running the Layer 2 link services package. If you configure a scheduler map on a bundle, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port] hierarchy level. If you configure a scheduler map on an FRF.16 DLCI, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level. For more information, see the Junos OS Class of Service Configuration Guide.

If you need latency guarantees for multiclass or LFI traffic, you must use channelized IQ PICs for the constituent links. With non-IQ PICs, because queueing is not done at the channelized interface level on the constituent links, latency-sensitive traffic might not receive the type of service that it should. Constituent links from the following PICs support latency guarantees:

• Channelized E1 IQ PIC
• Channelized OC3 IQ PIC
• Channelized OC12 IQ PIC
• Channelized STM1 IQ PIC
• Channelized T3 IQ PIC


For scheduling queues on a logical interface, you can configure the following scheduler map properties at the [edit class-of-service schedulers] hierarchy level:

• buffer-size: The queue size; for more information, see Configuring Scheduler Buffer Size on page 462.
• priority: The transmit priority (low, high, strict-high); for more information, see Configuring Scheduler Priority on page 463.
• shaping-rate: The subscribed transmit rate; for more information, see Configuring Scheduler Shaping Rate on page 463.
• drop-profile-map: The random early detection (RED) drop profile; for more information, see Configuring Drop Profiles on page 463.

When you configure MLPPP and FRF.12 on M Series and T Series routers, you should configure a single scheduler with non-zero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ interface (lsq) and to each constituent link.

When you configure FRF.16 on M Series and T Series routers, you can assign a single scheduler map to the link services IQ interface (lsq) and to each link services IQ DLCI, or you can assign different scheduler maps to the various DLCIs of the bundle, as shown in Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16 on page 488. For the constituent links of an FRF.16 bundle, you do not need to configure a custom scheduler. Because LFI and multiclass are not supported for FRF.16, the traffic from each constituent link is transmitted from queue 0. This means you should allow most of the bandwidth to be used by queue 0. The default scheduler transmission rate and buffer size percentages for queues 0 through 3 are 95, 0, 0, and 5 percent, respectively. This default scheduler sends all user traffic to queue 0 and all network-control traffic to queue 3, and therefore it is well suited to the behavior of FRF.16. You can configure a custom scheduler that explicitly replicates the 95, 0, 0, and 5 percent queuing behaviors, and apply it to the constituent links.

NOTE: On T Series and M320 routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

For link services IQ interfaces (lsq), these scheduling properties work as they do in other PICs, except as noted in the following sections.

NOTE: On T Series and M320 routers, lsq interfaces do not support DiffServ code point (DSCP) and DSCP-IPv6 rewrite markers.

Configuring Scheduler Buffer Size


You can configure the scheduler buffer size in three ways: as a temporal value, as a percentage, and as a remainder. On a single logical interface (MLPPP or a FRF.16 DLCI), each queue can have a different buffer size.


If you specify a temporal value, the queuing algorithm starts dropping packets when it queues more than a computed number of bytes. This number is computed by multiplying logical interface speed by the temporal value. For MLPPP bundles, logical interface speed is equal to the bundle bandwidth, which is the sum of constituent link speeds minus link-layer overhead. For MLFR FRF.16 DLCIs, logical interface speed is equal to bundle bandwidth multiplied by the DLCI shaping rate. In all cases, the maximum temporal value is limited to 200 milliseconds.

Buffer size percentages are implicitly converted into temporal values by multiplying the percentage by 200 milliseconds. For example, buffer size specified as buffer-size percent 20 is the same as a 40-millisecond temporal delay. The link services IQ implementation guarantees 200 milliseconds of buffer delay for all interfaces with T1 and higher speeds. For slower interfaces, it guarantees one second of buffer delay.

The queueing algorithm evenly distributes leftover bandwidth among all queues that are configured with the buffer-size remainder statement. The queuing algorithm guarantees enough space in the transmit buffer for two MTU-sized packets.

Configuring Scheduler Priority


The transmit priority of each queue is determined by the scheduler and the forwarding class. Each queue receives a guaranteed amount of bandwidth specified with the scheduler transmit-rate statement.

Configuring Scheduler Shaping Rate


You use the shaping rate to set the percentage of total bundle bandwidth that is dedicated to a DLCI. For link services IQ DLCIs, only percentages are accepted, which allows adjustments in response to dynamic changes in bundle bandwidth, for example, when a link goes up or down. This means that absolute shaping rates are not supported on FRF.16 bundles. Absolute shaping rates are allowed for MLPPP and MLFR bundles only.

For scheduling between DLCIs in an MLFR FRF.16 bundle, you can configure a shaping rate for each DLCI. A shaping rate is expressed as a percentage of the aggregate bundle bandwidth. Shaping rate percentages for all DLCIs within a bundle can add up to 100 percent or less. Leftover bandwidth is distributed equally to DLCIs that do not have the shaping-rate statement included at the [edit class-of-service interfaces lsq-fpc/pic/port:channel unit logical-unit-number] hierarchy level. If none of the DLCIs in an MLFR FRF.16 bundle specify a DLCI scheduler, the total bandwidth is evenly divided across all DLCIs.

NOTE: For FRF.16 bundles on link services IQ interfaces, only shaping rates based on percentage are supported.
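The following Python model is added here as a worked example; it is not taken from the guide or from Junos OS. It walks through the rules of the two sections above: bundle bandwidth after the link-layer-overhead reservation (4 percent by default, 0 through 50 allowed), per-DLCI bandwidth from FRF.16 shaping-rate percentages with leftover bandwidth shared equally among unshaped DLCIs, and the byte count at which a queue starts dropping for a temporal or percentage buffer size (percent times 200 ms, capped at 200 ms, never less than two MTU-sized packets). The function names, the T1 line rate used as the "T1 and higher" threshold, and the sample link speeds are assumptions, not Junos names or values.

```python
"""Scheduler buffer sizing on an LSQ bundle (added example, not Junos code).

Rates are in bit/s. The rules follow the guide: bundle bandwidth is the sum
of the link speeds minus link-layer overhead; an FRF.16 DLCI runs at bundle
bandwidth times its shaping-rate percentage; a temporal buffer drops once
speed x time bytes are queued, capped at 200 ms; a percentage is 200 ms
times the percentage.
"""

DEFAULT_LINK_LAYER_OVERHEAD_PCT = 4   # guide default
MAX_TEMPORAL_MS = 200                 # guide: maximum temporal value
T1_BPS = 1_544_000                    # assumed threshold for "T1 and higher speeds"


def bundle_bandwidth_bps(link_speeds_bps, overhead_pct=DEFAULT_LINK_LAYER_OVERHEAD_PCT):
    """Sum of constituent link speeds minus the link-layer-overhead reservation."""
    if not 0 <= overhead_pct <= 50:
        raise ValueError("link-layer-overhead must be 0 through 50 percent")
    return sum(link_speeds_bps) * (100 - overhead_pct) / 100


def dlci_rates_bps(bundle_bps, shaping_pct_by_dlci):
    """Per-DLCI bandwidth for an FRF.16 bundle.

    shaping_pct_by_dlci maps DLCI -> shaping-rate percent, or None when the
    DLCI has no shaping-rate statement. Configured percentages may add up to
    100 or less; leftover bandwidth is split equally among unshaped DLCIs,
    so with no shaping rates at all the bundle is divided evenly.
    """
    shaped = {d: p for d, p in shaping_pct_by_dlci.items() if p is not None}
    total_pct = sum(shaped.values())
    if total_pct > 100:
        raise ValueError("DLCI shaping-rate percentages add up to more than 100")
    rates = {d: bundle_bps * p / 100 for d, p in shaped.items()}
    unshaped = [d for d, p in shaping_pct_by_dlci.items() if p is None]
    if unshaped:
        share = bundle_bps * (100 - total_pct) / 100 / len(unshaped)
        for d in unshaped:
            rates[d] = share
    return rates


def drop_threshold_bytes(interface_bps, mtu, temporal_ms=None, percent=None):
    """Bytes a queue may hold before the scheduler starts dropping.

    Exactly one of temporal_ms or percent is given. Percentages convert to
    temporal values (percent x 200 ms), temporal values are capped at 200 ms,
    and the transmit buffer always has room for two MTU-sized packets.
    """
    if (temporal_ms is None) == (percent is None):
        raise ValueError("give exactly one of temporal_ms or percent")
    if percent is not None:
        temporal_ms = MAX_TEMPORAL_MS * percent / 100
    temporal_ms = min(temporal_ms, MAX_TEMPORAL_MS)
    computed = int(interface_bps * temporal_ms / 1000 / 8)
    return max(computed, 2 * mtu)


def guaranteed_buffer_delay_ms(interface_bps):
    """Buffer delay the LSQ implementation guarantees: 200 ms at T1 and above, 1 s below."""
    return 200 if interface_bps >= T1_BPS else 1000


if __name__ == "__main__":
    # Constructed sample: 4 x T1 MLFR FRF.16 bundle, DLCI 100 shaped to 60 percent,
    # DLCIs 200 and 300 unshaped, best-effort queue with buffer-size percent 20.
    bw = bundle_bandwidth_bps([T1_BPS] * 4)
    rates = dlci_rates_bps(bw, {100: 60, 200: None, 300: None})
    for dlci, rate in rates.items():
        print(dlci, int(rate), "bit/s,",
              drop_threshold_bytes(rate, 1500, percent=20), "bytes before drop")
```

The 200 ms cap is why a slow DLCI ends up with the two-MTU floor rather than the computed value: at 64 Kbps, 200 ms is only 1600 bytes, so the floor of 3000 bytes applies.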

Configuring Drop Profiles


You can configure random early detection (RED) on LSQ interfaces as in other CoS scenarios. To configure RED, include one or more drop profiles and attach them to a scheduler for a particular forwarding class. For more information about RED profiles, see the Junos OS Class of Service Configuration Guide.

Junos 11.4 Services Interfaces Configuration Guide

The LSQ implementation performs tail RED. It supports a maximum of 256 drop profiles per PIC. Drop profiles are configurable on a per-queue, per-loss-priority, and per-TCP-bit basis. You can attach scheduler maps with configured RED drop profiles to any LSQ logical interface: an MLPPP bundle, an FRF.15 bundle, or an FRF.16 DLCI. Different queues (forwarding classes) on the same logical interface can have different associated drop profiles. The following example shows how to configure a RED profile on an LSQ interface:
    [edit]
    class-of-service {
        drop-profiles {
            drop-low {
                # Configure suitable drop profile for low loss priority
                ...
            }
            drop-high {
                # Configure suitable drop profile for high loss priority
                ...
            }
        }
        scheduler-maps {
            schedmap {
                # Best-effort queue will use be-scheduler
                # Other queues may use different schedulers
                forwarding-class be scheduler be-scheduler;
                ...
            }
        }
        schedulers {
            be-scheduler {
                # Configure two drop profiles for low and high loss priority
                drop-profile-map loss-priority low protocol any drop-profile drop-low;
                drop-profile-map loss-priority high protocol any drop-profile drop-high;
                # Other scheduler parameters (buffer-size, priority,
                # and transmit-rate) are already supported.
                ...
            }
        }
        interfaces {
            lsq-1/3/0.0 {
                # Attach a scheduler map (that includes RED drop profiles)
                # to a LSQ logical interface.
                scheduler-map schedmap;
            }
        }
    }

NOTE: The RED profiles should be applied only on the LSQ bundles and not on the egress links that constitute the bundle.

Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces


For link services IQ (lsq-) interfaces, you can specify fragmentation properties for specific forwarding classes. Traffic on each forwarding class can be either multilink encapsulated (fragmented and sequenced) or nonencapsulated (hashed with no fragmentation). By default, traffic in all forwarding classes is multilink encapsulated.

When you do not configure fragmentation properties for the queues on MLPPP interfaces, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number fragment-threshold] hierarchy level is the fragmentation threshold for all forwarding classes within the MLPPP interface. For MLFR FRF.16 interfaces, the fragmentation threshold you set at the [edit interfaces interface-name mlfr-uni-nni-bundle-options fragment-threshold] hierarchy level is the fragmentation threshold for all forwarding classes within the MLFR FRF.16 interface. If you do not set a maximum fragment size anywhere in the configuration, packets are still fragmented if they exceed the smallest maximum transmission unit (MTU) or maximum received reconstructed unit (MRRU) of all the links in the bundle.

A nonencapsulated flow uses only one link. If the flow exceeds a single link, then the forwarding class must be multilink encapsulated, unless the packet size exceeds the MTU/MRRU.

Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the MRRU by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level. The MRRU is similar to the MTU, but is specific to link services interfaces. By default the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.
To configure fragmentation properties on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:
    [edit class-of-service]
    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                (fragment-threshold bytes | no-fragmentation);
                multilink-class number;
            }
        }
    }

To set a per-forwarding class fragmentation threshold, include the fragment-threshold statement in the fragmentation map. This statement sets the maximum size of each multilink fragment. To set traffic on a queue to be nonencapsulated rather than multilink encapsulated, include the no-fragmentation statement in the fragmentation map. This statement specifies that an extra fragmentation header is not prepended to the packets received on this queue and that static link load balancing is used to ensure in-order packet delivery.

For a given forwarding class, you can include either the fragment-threshold or no-fragmentation statement; they are mutually exclusive. You use the multilink-class statement to map a forwarding class into a multiclass MLPPP (MCML). For a given forwarding class, you can include either the multilink-class or no-fragmentation statement; they are mutually exclusive. For more information about MCML, see Configuring Multiclass MLPPP on LSQ Interfaces on page 467. To associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI, include the fragmentation-map statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:
    [edit class-of-service interfaces]
    lsq-fpc/pic/port {
        unit logical-unit-number { # Multilink PPP
            fragmentation-map map-name;
        }
    }
    lsq-fpc/pic/port:channel { # MLFR FRF.16
        unit logical-unit-number {
            fragmentation-map map-name;
        }
    }

For configuration examples, see the following topics:


Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on page 480
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 on page 485
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI on page 490
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 on page 502
Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP on page 503
Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 on page 504
Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP on page 506

For Link Services PIC link services (ls-) interfaces, fragmentation maps are not supported. Instead, you enable LFI by including the interleave-fragments statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. For more information, see Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces on page 1245.

Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces


Link-layer overhead can cause packet drops on constituent links because of bit stuffing on serial links. Bit stuffing is used to prevent data from being interpreted as control information.

By default, 4 percent of the total bundle bandwidth is set aside for link-layer overhead. In most network environments, the average link-layer overhead is 1.6 percent. Therefore, we recommend 4 percent as a safeguard. For more information, see RFC 4814, Hash and Stuffing: Overlooked Factors in Network Device Benchmarking. For link services IQ (lsq-) interfaces, you can configure the percentage of bundle bandwidth to be set aside for link-layer overhead. To do this, include the link-layer-overhead statement:
link-layer-overhead percent;

You can include this statement at the following hierarchy levels:


    [edit interfaces interface-name mlfr-uni-nni-bundle-options]
    [edit interfaces interface-name unit logical-unit-number]
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

You can configure the value to be from 0 percent through 50 percent.

Configuring Multiclass MLPPP on LSQ Interfaces


For link services IQ (lsq-) interfaces with MLPPP encapsulation, you can configure multiclass MLPPP (MCML). If you do not configure MCML, fragments from different classes cannot be interleaved. All fragments for a single packet must be sent before the fragments from another packet are sent. Nonfragmented packets can be interleaved between fragments of another packet to reduce the latency seen by nonfragmented packets. In effect, latency-sensitive traffic is encapsulated as regular PPP traffic, and bulk traffic is encapsulated as multilink traffic.

This model works as long as there is a single class of latency-sensitive traffic, and there is no high-priority traffic that takes precedence over latency-sensitive traffic. This approach to LFI, used on the Link Services PIC, supports only two levels of traffic priority, which is not sufficient to carry the four to eight forwarding classes that are supported by M Series and T Series routers. For more information about the Link Services PIC support of LFI, see Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces on page 1245.

For link services IQ interfaces only, you can configure MCML, as defined in RFC 2686, The Multi-Class Extension to Multi-Link PPP. MCML makes it possible to have multiple classes of latency-sensitive traffic that are carried over a single multilink bundle with bulk traffic. In effect, MCML allows different classes of traffic to have different latency guarantees. With MCML, you can map each forwarding class into a separate multilink class, thus preserving priority and latency guarantees.

NOTE: Configuring both LFI and MCML on the same bundle is not necessary, nor is it supported, because multiclass MLPPP represents a superset of functionality. When you configure multiclass MLPPP, LFI is automatically enabled. The Junos OS implementation of MCML does not support compression of common header bytes, which is referred to in RFC 2686 as prefix elision.

MCML greatly simplifies packet ordering issues that occur when multiple links are used. Without MCML, all voice traffic belonging to a single flow is hashed to a single link to avoid packet ordering issues. With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. For more information about voice services support on link services IQ interfaces (lsq), see Configuring Services Interfaces for Voice Services on page 522.

To configure MCML on a link services IQ interface, you must specify how many multilink classes should be negotiated when a link joins the bundle, and you must specify the mapping of a forwarding class into an MCML class. To specify how many multilink classes should be negotiated when a link joins the bundle, include the multilink-max-classes statement:
multilink-max-classes number;

You can include this statement at the following hierarchy levels:


    [edit interfaces interface-name unit logical-unit-number]
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The number of multilink classes can be 1 through 8. The number of multilink classes for each forwarding class must not exceed the number of multilink classes to be negotiated. To specify the mapping of a forwarding class into an MCML class, include the multilink-class statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level:
[edit class-of-service fragmentation-maps map-name forwarding-class class-name] multilink-class number;

The multilink class index number can be 0 through 7. The multilink-class and no-fragmentation statements are mutually exclusive. To view the number of multilink classes negotiated, issue the show interfaces lsq-fpc/pic/port.logical-unit-number detail command.
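The following Python model is an added example, not Juniper's code, covering both Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces and the MCML statements above. It checks a fragmentation map against the constraints the guide states (fragment-threshold and no-fragmentation mutually exclusive, multilink-class and no-fragmentation mutually exclusive, class index 0 through 7, multilink-max-classes 1 through 8, per-class index not beyond the number negotiated) and then works out how one packet in a forwarding class is carried: fragmented at the per-class threshold, at the bundle threshold, or only when it exceeds the smallest MTU/MRRU, versus sent whole on one link for a no-fragmentation class. The ClassRule name, the sample map, and the SHA-256 flow hash used to pin a nonencapsulated flow to a link are assumptions; the guide does not describe the actual load-balancing hash.

```python
"""Fragmentation-map and MCML rules for an LSQ bundle (added example, not
Junos code). Validates a map the way the guide says the CLI constrains it
and reports how one packet in a forwarding class is carried.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClassRule:
    """One forwarding-class entry of a fragmentation map."""
    fragment_threshold: Optional[int] = None   # max multilink fragment size, bytes
    no_fragmentation: bool = False             # nonencapsulated: whole packet, one link
    multilink_class: Optional[int] = None      # MCML class index, 0 through 7


def validate_map(fmap, multilink_max_classes=None):
    """Raise ValueError for combinations the guide says are not allowed."""
    if multilink_max_classes is not None and not 1 <= multilink_max_classes <= 8:
        raise ValueError("multilink-max-classes must be 1 through 8")
    for fc, rule in fmap.items():
        if rule.no_fragmentation and rule.fragment_threshold is not None:
            raise ValueError(f"{fc}: fragment-threshold and no-fragmentation are mutually exclusive")
        if rule.no_fragmentation and rule.multilink_class is not None:
            raise ValueError(f"{fc}: multilink-class and no-fragmentation are mutually exclusive")
        if rule.multilink_class is None:
            continue
        if not 0 <= rule.multilink_class <= 7:
            raise ValueError(f"{fc}: multilink-class must be 0 through 7")
        if multilink_max_classes is None:
            raise ValueError(f"{fc}: multilink-class requires multilink-max-classes on the bundle")
        # Assumed: classes are indexed 0 .. multilink-max-classes-1, so the index
        # must stay below the number of classes negotiated.
        if rule.multilink_class >= multilink_max_classes:
            raise ValueError(f"{fc}: multilink-class {rule.multilink_class} exceeds the "
                             f"{multilink_max_classes} classes negotiated")
    return True


def carry_packet(fmap, fc, size, links, bundle_threshold=None, min_mtu=1500, flow_key=b""):
    """Return (encapsulation, fragment_count, link) for one packet.

    Multilink-encapsulated classes fragment at the per-class threshold if set,
    else at the bundle fragment-threshold, else only when the packet exceeds
    the smallest MTU/MRRU in the bundle. A no-fragmentation class is sent
    whole on one link chosen by a static flow hash, unless the packet exceeds
    the smallest MTU/MRRU, in which case it must be multilink encapsulated.
    """
    rule = fmap.get(fc, ClassRule())
    if rule.no_fragmentation and size <= min_mtu:
        digest = hashlib.sha256(flow_key).digest()          # assumed hash, not Junos's
        link = links[int.from_bytes(digest[:4], "big") % len(links)]
        return ("ppp", 1, link)
    threshold = rule.fragment_threshold or bundle_threshold or min_mtu
    fragments = -(-size // threshold)                       # ceiling division
    return ("multilink", fragments, None)


if __name__ == "__main__":
    # Constructed map: voice is nonencapsulated, bulk is fragmented at 256 bytes
    # in MCML class 0, assured forwarding rides in MCML class 1.
    fmap = {
        "expedited-forwarding": ClassRule(no_fragmentation=True),
        "best-effort": ClassRule(fragment_threshold=256, multilink_class=0),
        "assured-forwarding": ClassRule(multilink_class=1),
    }
    validate_map(fmap, multilink_max_classes=2)
    links = ["t1-1/0/0", "t1-1/0/1"]
    print(carry_packet(fmap, "expedited-forwarding", 200, links, flow_key=b"10.0.0.1:5000"))
    print(carry_packet(fmap, "best-effort", 1500, links))
```

Two behaviours worth noticing: a no-fragmentation class that receives a packet larger than the smallest MTU/MRRU is fragmented anyway, and a class with no fragmentation entry at all is only fragmented once it exceeds that MTU/MRRU when no bundle threshold is set.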

Oversubscribing Interface Bandwidth on LSQ Interfaces


The term oversubscribing interface bandwidth means configuring shaping rates (peak information rates [PIRs]) so that their sum exceeds the interface bandwidth.

On Channelized IQ PICs, Gigabit Ethernet IQ PICs, and FRF.16 link services IQ (lsq-) interfaces on AS and Multiservices PICs, you can oversubscribe interface bandwidth. The logical interfaces (and DLCIs within an FRF.16 bundle) can be oversubscribed when there is leftover bandwidth. The oversubscription is limited to the configured PIR. Any unused bandwidth is distributed equally among oversubscribed logical interfaces or DLCIs.

For networks that are not likely to experience congestion, oversubscribing interface bandwidth improves network utilization, thereby allowing more customers to be provisioned on a single interface. If the actual data traffic does not exceed the interface bandwidth, oversubscription allows you to sell more bandwidth than the interface can support.

We recommend avoiding oversubscription in networks that are likely to experience congestion. Be careful not to oversubscribe a service by too much, because this can cause degradation in the performance of the router during congestion. When you configure oversubscription, some output queues can be starved if the actual data traffic exceeds the physical interface bandwidth. You can prevent degradation by using statistical multiplexing to ensure that the actual data traffic does not exceed the interface bandwidth.

NOTE: You cannot oversubscribe interface bandwidth when you configure traffic shaping using the method described in Applying Scheduler Maps and Shaping Rate to DLCIs and VLANs.

When configuring oversubscription for FRF.16 bundle interfaces, you can assign traffic control profiles that apply on a physical interface basis. When you apply traffic control profiles to FRF.16 bundles at the logical interface level, member link interface bandwidth is underutilized when there is a small proportion of traffic or no traffic at all on an individual DLCI. Support for traffic control features on the FRF.16 bundle physical interface level addresses this limitation. To configure oversubscription of an interface, perform the following steps:
1. Include the shaping-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:
    [edit class-of-service traffic-control-profiles profile-name]
    shaping-rate (percent percentage | rate);

NOTE: When configuring oversubscription for FRF.16 bundle interfaces on a physical interface basis, you must specify shaping-rate as a percentage.

On LSQ interfaces, you can configure the shaping rate as a percentage. On IQ and IQ2 interfaces, you can configure the shaping rate as an absolute rate from 1000 through 160,000,000,000 bits per second.

Alternatively, you can configure a shaping rate for a logical interface and oversubscribe the physical interface by including the shaping-rate statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level. However, with this configuration approach, you cannot independently control the delay-buffer rate, as described in Step 2.

NOTE: For channelized and Gigabit Ethernet IQ interfaces, the shaping-rate and guaranteed-rate statements are mutually exclusive. You cannot configure some logical interfaces to use a shaping rate and others to use a guaranteed rate. This means there are no service guarantees when you configure a PIR. For these interfaces, you can configure either a PIR or a committed information rate (CIR), but not both. This restriction does not apply to Gigabit Ethernet IQ2 PICs or link services IQ (LSQ) interfaces on AS or Multiservices PICs. For LSQ and Gigabit Ethernet IQ2 interfaces, you can configure both a PIR and a CIR on an interface. For more information about CIRs, see Configuring Guaranteed Minimum Rate on LSQ Interfaces on page 473.

2. Optionally, you can base the delay buffer calculation on a delay-buffer rate. To do this, include the delay-buffer-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:
    [edit class-of-service traffic-control-profiles profile-name]
    delay-buffer-rate (percent percentage | rate);

NOTE: When configuring oversubscription for FRF.16 bundle interfaces on a physical interface basis, you must specify delay-buffer-rate as a percentage.

The delay-buffer rate overrides the shaping rate as the basis for the delay-buffer calculation. In other words, the shaping rate or scaled shaping rate is used for delay-buffer calculations only when the delay-buffer rate is not configured. For LSQ interfaces, if you do not configure a delay-buffer rate, the guaranteed rate (CIR) is used to assign buffers. If you do not configure a guaranteed rate, the shaping rate (PIR) is used in the undersubscribed case, and the scaled shaping rate is used in the oversubscribed case. On LSQ interfaces, you can configure the delay-buffer rate as a percentage. On IQ and IQ2 interfaces, you can configure the delay-buffer rate as an absolute rate from 1000 through 160,000,000,000 bits per second. The actual delay buffer is based on the calculations described in the Junos OS Class of Service Configuration Guide. For an example showing how the delay-buffer rates are applied, see Examples: Oversubscribing an LSQ Interface on page 472.

Configuring large buffers on relatively low-speed links can cause packet aging. To help prevent this problem, the software requires that the sum of the delay-buffer rates be less than or equal to the port speed. This restriction does not eliminate the possibility of packet aging, so you should be cautious when using the delay-buffer-rate statement. Though some amount of extra buffering might be desirable for burst absorption, delay-buffer rates should not far exceed the service rate of the logical interface.

If you configure delay-buffer rates so that the sum exceeds the port speed, the configured delay-buffer rate is not implemented for the last logical interface that you configure. Instead, that logical interface receives a delay-buffer rate of zero, and a warning message is displayed in the CLI. If bandwidth becomes available (because another logical interface is deleted or deactivated, or the port speed is increased), the configured delay-buffer rate is reevaluated and implemented if possible.

If you do not configure a delay-buffer rate or a guaranteed rate, the logical interface receives a delay-buffer rate in proportion to the shaping rate and the remaining delay-buffer rate available. In other words, the delay-buffer rate for each logical interface with no configured delay-buffer rate is equal to:
    (remaining delay-buffer rate * shaping rate) / (sum of shaping rates)

The remaining delay-buffer rate is equal to:
    (interface speed) - (sum of configured delay-buffer rates)
3. To assign a scheduler map to the logical interface, include the scheduler-map statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:
    [edit class-of-service traffic-control-profiles profile-name]
    scheduler-map map-name;

For information about configuring schedulers and scheduler maps, see the Junos OS Class of Service Configuration Guide.
4. Optionally, you can enable large buffer sizes to be configured. To do this, include the q-pic-large-buffer statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:
    [edit chassis fpc slot-number pic pic-number]
    q-pic-large-buffer;

If you do not include this statement, the delay-buffer size is more restricted. We recommend restricted buffers for delay-sensitive traffic, such as voice traffic. For more information, see the Junos OS Class of Service Configuration Guide.
5. To enable scheduling on logical interfaces, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:
    [edit interfaces interface-name]
    per-unit-scheduler;

When you include this statement, the maximum number of VLANs supported is 768 on a single-port Gigabit Ethernet IQ PIC. On a two-port Gigabit Ethernet IQ PIC, the maximum number is 384.

6. To enable scheduling for FRF.16 bundle physical interfaces, include the no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:
    [edit interfaces interface-name]
    no-per-unit-scheduler;
7. To apply the traffic-scheduling profile to the logical interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:
    [edit class-of-service interfaces interface-name unit logical-unit-number]
    output-traffic-control-profile profile-name;

You cannot include the output-traffic-control-profile statement in the configuration if any of the following statements are included in the logical interface configuration: scheduler-map, shaping-rate, adaptive-shaper, or virtual-channel-group. For a table that shows how the bandwidth and delay buffer are allocated in various configurations, see the Junos OS Class of Service Configuration Guide.

Examples: Oversubscribing an LSQ Interface


Oversubscribing an LSQ Interface with Scheduling Based on the Logical Interface

Apply a traffic-control profile to a logical interface representing a DLCI on an FRF.16 bundle:

    interfaces {
        lsq-1/3/0:0 {
            per-unit-scheduler;
            unit 0 {
                dlci 100;
            }
            unit 1 {
                dlci 200;
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            tc_0 {
                shaping-rate percent 100;
                guaranteed-rate percent 60;
                delay-buffer-rate percent 80;
            }
            tc_1 {
                shaping-rate percent 80;
                guaranteed-rate percent 40;
            }
        }
        interfaces {
            lsq-1/3/0:0 {
                unit 0 {
                    output-traffic-control-profile tc_0;
                }
                unit 1 {
                    output-traffic-control-profile tc_1;
                }
            }
        }
    }

Oversubscribing an LSQ Interface with Scheduling Based on the Physical Interface

Apply a traffic-control profile to the physical interface representing an FRF.16 bundle:


    interfaces {
        lsq-0/2/0:0 {
            no-per-unit-scheduler;
            encapsulation multilink-frame-relay-uni-nni;
            unit 0 {
                dlci 100;
                family inet {
                    address 18.18.18.2/24;
                }
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            rlsq_tc {
                scheduler-map rlsq;
                shaping-rate percent 60;
                delay-buffer-rate percent 10;
            }
        }
        interfaces {
            lsq-0/2/0:0 {
                output-traffic-control-profile rlsq_tc;
            }
        }
        scheduler-maps {
            rlsq {
                forwarding-class best-effort scheduler rlsq_scheduler;
                forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
            }
        }
        schedulers {
            rlsq_scheduler {
                transmit-rate percent 20;
                priority low;
            }
            rlsq_scheduler1 {
                transmit-rate percent 40;
                priority high;
            }
        }
    }

Configuring Guaranteed Minimum Rate on LSQ Interfaces


On Gigabit Ethernet IQ PICs, Channelized IQ PICs, and FRF.16 link services IQ (LSQ) interfaces on AS and Multiservices PICs, you can configure guaranteed bandwidth, also known as a committed information rate (CIR). This allows you to specify a guaranteed rate for each logical interface. The guaranteed rate is a minimum. If excess physical interface bandwidth is available for use, the logical interface receives more than the guaranteed rate provisioned for the interface.

You cannot provision the sum of the guaranteed rates to be more than the physical interface bandwidth, or the bundle bandwidth for LSQ interfaces. If the sum of the guaranteed rates exceeds the interface or bundle bandwidth, the commit operation does not fail, but the software automatically decreases the rates so that the sum of the guaranteed rates is equal to the available bundle bandwidth. To configure a guaranteed minimum rate, perform the following steps:
1. Include the guaranteed-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:
    [edit class-of-service traffic-control-profiles profile-name]
    guaranteed-rate (percent percentage | rate);

On LSQ interfaces, you can configure the guaranteed rate as a percentage. On IQ and IQ2 interfaces, you can configure the guaranteed rate as an absolute rate from 1000 through 160,000,000,000 bits per second.

NOTE: For channelized and Gigabit Ethernet IQ interfaces, the shaping-rate and guaranteed-rate statements are mutually exclusive. You cannot configure some logical interfaces to use a shaping rate and others to use a guaranteed rate. This means there are no service guarantees when you configure a PIR. For these interfaces, you can configure either a PIR or a committed information rate (CIR), but not both. This restriction does not apply to Gigabit Ethernet IQ2 PICs or link services IQ (LSQ) interfaces on AS or Multiservices PICs. For LSQ and Gigabit Ethernet IQ2 interfaces, you can configure both a PIR and a CIR on an interface. For more information about CIRs, see the Junos OS Class of Service Configuration Guide.

2. Optionally, you can base the delay buffer calculation on a delay-buffer rate. To do this, include the delay-buffer-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:
    [edit class-of-service traffic-control-profiles profile-name]
    delay-buffer-rate (percent percentage | rate);

On LSQ interfaces, you can configure the delay-buffer rate as a percentage. On IQ and IQ2 interfaces, you can configure the delay-buffer rate as an absolute rate from 1000 through 160,000,000,000 bits per second. The actual delay buffer is based on the calculations described in tables in the Junos OS Class of Service Configuration Guide. For an example showing how the delay-buffer rates are applied, see Example: Configuring Guaranteed Minimum Rate on page 476.

If you do not include the delay-buffer-rate statement, the delay-buffer calculation is based on the guaranteed rate, the shaping rate if no guaranteed rate is configured, or the scaled shaping rate if the interface is oversubscribed. If you do not specify a shaping rate or a guaranteed rate, the logical interface receives a minimal delay-buffer rate and minimal bandwidth equal to 4 MTU-sized packets.

You can configure a rate for the delay buffer that is higher than the guaranteed rate. This can be useful when the traffic flow might not require much bandwidth in general, but in some cases can be bursty and therefore needs a large buffer.

Configuring large buffers on relatively low-speed links can cause packet aging. To help prevent this problem, the software requires that the sum of the delay-buffer rates be less than or equal to the port speed. This restriction does not eliminate the possibility of packet aging, so you should be cautious when using the delay-buffer-rate statement. Though some amount of extra buffering might be desirable for burst absorption, delay-buffer rates should not far exceed the service rate of the logical interface.

If you configure delay-buffer rates so that the sum exceeds the port speed, the configured delay-buffer rate is not implemented for the last logical interface that you configure. Instead, that logical interface receives a delay-buffer rate of 0, and a warning message is displayed in the CLI. If bandwidth becomes available (because another logical interface is deleted or deactivated, or the port speed is increased), the configured delay-buffer rate is reevaluated and implemented if possible.

If the guaranteed rate of a logical interface cannot be implemented, that logical interface receives a delay-buffer rate of 0, even if the configured delay-buffer rate is within the interface speed. If at a later time the guaranteed rate of the logical interface can be met, the configured delay-buffer rate is reevaluated and, if the delay-buffer rate is within the remaining bandwidth, it is implemented.

If any logical interface has a configured guaranteed rate, all other logical interfaces on that port that do not have a guaranteed rate configured receive a delay-buffer rate of 0. This is because the absence of a guaranteed rate configuration corresponds to a guaranteed rate of 0 and, consequently, a delay-buffer rate of 0.
3. To assign a scheduler map to the logical interface, include the scheduler-map statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:
    [edit class-of-service traffic-control-profiles profile-name]
    scheduler-map map-name;

For information about configuring schedulers and scheduler maps, see the Junos OS Class of Service Configuration Guide.
4. To enable large buffer sizes to be configured, include the q-pic-large-buffer statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:
    [edit chassis fpc slot-number pic pic-number]
    q-pic-large-buffer;

If you do not include this statement, the delay-buffer size is more restricted. For more information, see the Junos OS Class of Service Configuration Guide.

5. To enable scheduling on logical interfaces, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:
    [edit interfaces interface-name]
    per-unit-scheduler;

When you include this statement, the maximum number of VLANs supported is 767 on a single-port Gigabit Ethernet IQ PIC. On a two-port Gigabit Ethernet IQ PIC, the maximum number is 383.
6. To apply the traffic-scheduling profile to the logical interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:
    [edit class-of-service interfaces interface-name unit logical-unit-number]
    output-traffic-control-profile profile-name;

Example: Configuring Guaranteed Minimum Rate


Two logical interface units, 0 and 1, are provisioned with a guaranteed minimum of 750 Kbps and 500 Kbps, respectively. For logical unit 1, the delay buffer is based on the guaranteed rate setting. For logical unit 0, a delay-buffer rate of 500 Kbps is specified. The actual delay buffers allocated to each logical interface are 2 seconds of 500 Kbps. The 2-second value is based on the following rule:
    delay-buffer-rate < (8 x 64 Kbps): 2 seconds of delay-buffer-rate

For more information about this calculation, see the Junos OS Class of Service Configuration Guide.
chassis { fpc 3 { pic 0 { q-pic-large-buffer; } } } interfaces { t1-3/0/1 { per-unit-scheduler; } } class-of-service { traffic-control-profiles { tc-profile3 { guaranteed-rate 750k; scheduler-map sched-map3; delay-buffer-rate 500k; # 500 Kbps is less than 8 x 64 Kbps } tc-profile4 { guaranteed-rate 500k; # 500 Kbps is less than 8 x 64 Kbps scheduler-map sched-map4; } } interface t1-3/0/1 { unit 0 {

476

Copyright 2011, Juniper Networks, Inc.

Chapter 20: Link Services IQ Interfaces Configuration Guidelines

output-traffic-control-profile tc-profile3; } unit 1 { output-traffic-control-profile tc-profile4; } } }

Configuring Link Services and CoS on Services PICs


To configure link services and CoS on an AS or Multiservices PIC, you must perform the following steps:

1. Enable the Layer 2 service package. You enable service packages per PIC, not per port. When you enable the Layer 2 service package, the entire PIC uses the configured package. To enable the Layer 2 service package, include the service-package statement at the [edit chassis fpc slot-number pic pic-number adaptive-services] hierarchy level, and specify layer-2:

    [edit chassis fpc slot-number pic pic-number adaptive-services]
    service-package layer-2;

For more information about AS or Multiservices PIC service packages, see Enabling Service Packages on page 39 and Layer 2 Service Package Capabilities and Interfaces on page 448.

2. Configure a multilink PPP or FRF.16 bundle by combining constituent links into a virtual link, or bundle.

Configuring an MLPPP Bundle


To configure an MLPPP bundle, configure constituent links and bundle properties by including the following statements in the configuration:

    [edit interfaces interface-name unit logical-unit-number]
    encapsulation ppp;
    family mlppp {
        bundle lsq-fpc/pic/port.logical-unit-number;
    }
    [edit interfaces lsq-fpc/pic/port unit logical-unit-number]
    drop-timeout milliseconds;
    encapsulation multilink-ppp;
    fragment-threshold bytes;
    link-layer-overhead percent;
    minimum-links number;
    mrru bytes;
    short-sequence;
    family inet {
        address address;
    }

For more information about these statements, see Link and Multilink Properties.


Configuring an MLFR FRF.16 Bundle


To configure an MLFR FRF.16 bundle, configure constituent links and bundle properties by including the following statements in the configuration:

    [edit chassis fpc slot-number pic slot-number]
    mlfr-uni-nni-bundles number;
    [edit interfaces interface-name]
    encapsulation multilink-frame-relay-uni-nni;
    unit logical-unit-number {
        family mlfr-uni-nni {
            bundle lsq-fpc/pic/port:channel;
        }
    }

For more information about the mlfr-uni-nni-bundles statement, see the Junos OS System Basics Configuration Guide. MLFR FRF.16 uses channels as logical units. For MLFR FRF.16, you must configure one end as data circuit-terminating equipment (DCE) by including the following statements at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

    encapsulation multilink-frame-relay-uni-nni;
    dce;
    mlfr-uni-nni-bundle-options {
        acknowledge-retries number;
        acknowledge-timer milliseconds;
        action-red-differential-delay (disable-tx | remove-link);
        drop-timeout milliseconds;
        fragment-threshold bytes;
        hello-timer milliseconds;
        link-layer-overhead percent;
        lmi-type (ansi | itu);
        minimum-links number;
        mrru bytes;
        n391 number;
        n392 number;
        n393 number;
        red-differential-delay milliseconds;
        t391 number;
        t392 number;
        yellow-differential-delay milliseconds;
    }
    unit logical-unit-number {
        dlci dlci-identifier;
        family inet {
            address address;
        }
    }

For more information about MLFR UNI NNI properties, see Link and Multilink Properties.
3. To configure CoS components for each multilink bundle, enable per-unit scheduling on the interface, configure a scheduler map, apply the scheduler to each queue, configure a fragmentation map, and apply the fragmentation map to each bundle. Include the following statements:

    [edit interfaces]
    lsq-fpc/pic/port {
        per-unit-scheduler; # Enables per-unit scheduling on the bundle
    }
    [edit class-of-service]
    interfaces {
        lsq-fpc/pic/port { # Multilink PPP
            unit logical-unit-number {
                scheduler-map map-name; # Applies scheduler map to each queue
            }
        }
        lsq-fpc/pic/port:channel { # MLFR FRF.16
            unit logical-unit-number {
                # Scheduler map provides scheduling information for
                # the queues within a single DLCI.
                scheduler-map map-name;
                shaping-rate percent percent;
            }
        }
    }
    forwarding-classes {
        queue queue-number class-name priority (high | low);
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder | temporal microseconds);
            priority priority-level;
            transmit-rate (percent percentage | rate | remainder) <exact>;
        }
    }
    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                fragment-threshold bytes;
                no-fragmentation;
            }
        }
    }

Associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI by including the following statements at the [edit class-of-service] hierarchy level:

    interfaces {
        lsq-fpc/pic/port {
            unit logical-unit-number { # Multilink PPP
                fragmentation-map map-name;
            }
        }
        lsq-fpc/pic/port:channel { # MLFR FRF.16
            unit logical-unit-number {
                fragmentation-map map-name;
            }
        }
    }


Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP


To configure an NxT1 bundle using MLPPP, you aggregate N different T1 links into a bundle. The NxT1 bundle is called a logical interface, because it can represent, for example, a routing adjacency. To aggregate T1 links into an MLPPP bundle, include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp] hierarchy level:

    [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp]
    bundle lsq-fpc/pic/port.logical-unit-number;

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:

    [edit interfaces lsq-fpc/pic/port unit logical-unit-number]
    drop-timeout milliseconds;
    encapsulation multilink-ppp;
    fragment-threshold bytes;
    link-layer-overhead percent;
    minimum-links number;
    mrru bytes;
    short-sequence;
    family inet {
        address address;
    }

The logical link services IQ interface represents the MLPPP bundle. For the MLPPP bundle, there are four associated queues on M Series routers and eight associated queues on M320 and T Series routers. A scheduler removes packets from the queues according to a scheduling policy. Typically, you designate one queue to have strict priority, and the remaining queues are serviced in proportion to weights you configure. For MLPPP, assign a single scheduler map to the link services IQ interface (lsq) and to each constituent link. The default schedulers for M Series and T Series routers, which assign 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of queues 0, 1, 2, and 3, are not adequate when you configure LFI or multiclass traffic. Therefore, for MLPPP, you should configure a single scheduler with nonzero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ interface (lsq) and to each constituent link, as shown in Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP on page 483.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.


Chapter 20: Link Services IQ Interfaces Configuration Guidelines

If the bundle has more than one link, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port] hierarchy level:

    [edit interfaces lsq-fpc/pic/port]
    per-unit-scheduler;

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    interfaces {
        t1-fpc/pic/port unit logical-unit-number {
            scheduler-map map-name;
        }
    }
    forwarding-classes {
        queue queue-number class-name;
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder | temporal microseconds);
            priority priority-level;
            transmit-rate (rate | percent percentage | remainder) <exact>;
        }
    }

For link services IQ interfaces, a strict-high-priority queue might starve the other three queues because traffic in a strict-high priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide.

After the scheduler removes a packet from a queue, a certain action is taken. The action depends on whether the packet came from a multilink encapsulated queue (fragmented and sequenced) or a nonencapsulated queue (hashed with no fragmentation). Each queue can be designated as either multilink encapsulated or nonencapsulated, independently of the other. By default, traffic in all forwarding classes is multilink encapsulated.

To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                fragment-threshold bytes;
                multilink-class number;
                no-fragmentation;
            }
        }
    }


For NxT1 bundles using MLPPP, the byte-wise load balancing used in multilink-encapsulated queues is superior to the flow-wise load balancing used in nonencapsulated queues. All other considerations are equal. Therefore, we recommend that you configure all queues to be multilink encapsulated. You do this by including the fragment-threshold statement in the configuration. If you choose to set traffic on a queue to be nonencapsulated rather than multilink encapsulated, include the no-fragmentation statement in the fragmentation map. You use the multilink-class statement to map a forwarding class into a multiclass MLPPP (MCML). For more information about MCML, see Configuring Multiclass MLPPP on LSQ Interfaces on page 467. For more information about fragmentation maps, see Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an MLPPP header. The MLPPP header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on one of the N different T1 links. The link is chosen on a packet-by-packet basis to balance the load across the various T1 links. If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, the software splits the packet into two or more fragments, which are assigned consecutive multilink sequence numbers. The outgoing link for each fragment is selected independently of all other fragments. If you do not include the fragment-threshold statement in the fragmentation map, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] hierarchy level is the default for all forwarding classes.

If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest MTU of all the links in the bundle. Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. The MRRU is similar to the MTU, but is specific to link services interfaces. By default the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.

When a packet is removed from a nonencapsulated queue, it is transmitted with a plain PPP header. Because there is no MLPPP header, there is no sequence number information. Therefore, the software must take special measures to avoid packet reordering. To avoid packet reordering, the software places the packet on one of the N different T1 links. The link is determined by hashing the values in the header. For IP, the software computes the hash based on source address, destination address, and IP protocol. For MPLS, the software computes the hash based on up to five MPLS labels, or four MPLS labels and the IP header. For UDP and TCP the software computes the hash based on the source and destination ports, as well as source and destination IP addresses. This guarantees that all packets belonging to the same TCP/UDP flow always pass through the same T1 link, and therefore cannot be reordered. However, it does not guarantee that the load on the various T1 links is balanced. If there are many flows, the load is usually balanced.

The N different T1 interfaces link to another router, which can be from Juniper Networks or another vendor. The router at the far end gathers packets from all the T1 links. If a packet has an MLPPP header, the sequence number field is used to put the packet back into sequence number order. If the packet has a plain PPP header, the software accepts the packet in the order in which it arrives and makes no attempt to reassemble or reorder the packet.

Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP


    [edit chassis]
    fpc 1 {
        pic 3 {
            adaptive-services {
                service-package layer-2;
            }
        }
    }
    [edit interfaces]
    t1-0/0/0 {
        encapsulation ppp;
        unit 0 {
            family mlppp {
                bundle lsq-1/3/0.1; # This adds t1-0/0/0 to the specified bundle.
            }
        }
    }
    t1-0/0/1 {
        encapsulation ppp;
        unit 0 {
            family mlppp {
                bundle lsq-1/3/0.1;
            }
        }
    }
    lsq-1/3/0 {
        unit 1 { # This is the virtual link that concatenates multiple T1s.
            encapsulation multilink-ppp;
            drop-timeout 1000;
            fragment-threshold 128;
            link-layer-overhead 0.5;
            minimum-links 2;
            mrru 4500;
            short-sequence;
            family inet {
                address 10.2.3.4/24;
            }
        }
    }
    [edit interfaces]
    lsq-1/3/0 {
        per-unit-scheduler;
    }
    [edit class-of-service]
    interfaces {
        lsq-1/3/0 { # multilink PPP bundle (lsq-1/3/0.1)
            unit 1 {
                scheduler-map sched-map1;
            }
        }
        t1-0/0/0 { # multilink PPP constituent link
            unit 0 {
                scheduler-map sched-map1;
            }
        }
        t1-0/0/1 { # multilink PPP constituent link
            unit 0 {
                scheduler-map sched-map1;
            }
        }
    }
    forwarding-classes {
        queue 0 be;
        queue 1 ef;
        queue 2 af;
        queue 3 nc;
    }
    scheduler-maps {
        sched-map1 {
            forwarding-class af scheduler af-scheduler;
            forwarding-class be scheduler be-scheduler;
            forwarding-class ef scheduler ef-scheduler;
            forwarding-class nc scheduler nc-scheduler;
        }
    }
    schedulers {
        af-scheduler {
            transmit-rate percent 30;
            buffer-size percent 30;
            priority low;
        }
        be-scheduler {
            transmit-rate percent 25;
            buffer-size percent 25;
            priority low;
        }
        ef-scheduler {
            transmit-rate percent 40;
            buffer-size percent 40;
            priority strict-high; # voice queue
        }
        nc-scheduler {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority high;
        }
    }
    fragmentation-maps {
        fragmap-1 {
            forwarding-class be {
                fragment-threshold 180;
            }
            forwarding-class ef {
                fragment-threshold 100;
            }
        }
    }
    [edit class-of-service]
    interfaces {
        lsq-1/3/0 {
            unit 1 { # the MLPPP bundle is lsq-1/3/0.1
                fragmentation-map fragmap-1;
            }
        }
    }

Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16


To configure an NxT1 bundle using FRF.16, you aggregate N different T1 links into a bundle. The NxT1 bundle carries a potentially large number of Frame Relay PVCs, identified by their DLCIs. Each DLCI is called a logical interface, because it can represent, for example, a routing adjacency. To aggregate T1 links into an FRF.16 bundle, include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic slot-number] hierarchy level and include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlfr-uni-nni] hierarchy level:

    [edit chassis fpc slot-number pic slot-number]
    mlfr-uni-nni-bundles number;
    [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlfr-uni-nni]
    bundle lsq-fpc/pic/port:channel;

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

    [edit interfaces lsq-fpc/pic/port:channel]
    encapsulation multilink-frame-relay-uni-nni;
    dce;
    mlfr-uni-nni-bundle-options {
        acknowledge-retries number;
        acknowledge-timer milliseconds;
        action-red-differential-delay (disable-tx | remove-link);
        drop-timeout milliseconds;
        fragment-threshold bytes;
        hello-timer milliseconds;
        link-layer-overhead percent;
        lmi-type (ansi | itu);
        minimum-links number;
        mrru bytes;
        n391 number;
        n392 number;
        n393 number;
        red-differential-delay milliseconds;
        t391 number;
        t392 number;
        yellow-differential-delay milliseconds;
    }
    unit logical-unit-number {
        dlci dlci-identifier;
        family inet {
            address address;
        }
    }

The link services IQ channel represents the FRF.16 bundle. Four queues are associated with each DLCI. A scheduler removes packets from the queues according to a scheduling policy. On the link services IQ interface, you typically designate one queue to have strict priority. The remaining queues are serviced in proportion to weights you configure.

For link services IQ interfaces, a strict-high-priority queue might starve the other three queues because traffic in a strict-high-priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide.

If the bundle has more than one link, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

    [edit interfaces lsq-fpc/pic/port:channel]
    per-unit-scheduler;

For FRF.16, you can assign a single scheduler map to the link services IQ interface (lsq) and to each link services IQ DLCI, or you can assign different scheduler maps to the various DLCIs of the bundle, as shown in Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16 on page 488. For the constituent links of an FRF.16 bundle, you do not need to configure a custom scheduler. Because LFI and multiclass are not supported for FRF.16, the traffic from each constituent link is transmitted from queue 0. This means you should allow most of the bandwidth to be used by queue 0. For M Series and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 3 are 95, 0, 0, and 5 percent. These default schedulers send all user traffic to queue 0 and all network-control traffic to queue 3, and therefore are well suited to the behavior of FRF.16. If desired, you can configure a custom scheduler that explicitly replicates the 95, 0, 0, and 5 percent queuing behavior, and apply it to the constituent links.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    interfaces {
        lsq-fpc/pic/port:channel {
            unit logical-unit-number {
                scheduler-map map-name;
            }
        }
    }
    forwarding-classes {
        queue queue-number class-name;
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder | temporal microseconds);
            priority priority-level;
            transmit-rate (rate | percent percentage | remainder) <exact>;
        }
    }

To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                fragment-threshold bytes;
            }
        }
    }

For FRF.16 traffic, only multilink encapsulated (fragmented and sequenced) queues are supported. This is the default queuing behavior for all forwarding classes. FRF.16 does not allow for nonencapsulated traffic because the protocol requires that all packets carry the fragmentation header. If a large packet is split into multiple fragments, the fragments must have consecutive sequential numbers. Therefore, you cannot include the no-fragmentation statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level for FRF.16 traffic.

For FRF.16, if you want to carry voice or any other latency-sensitive traffic, you should not use slow links. At T1 speeds and above, the serialization delay is small enough so that you do not need to use explicit LFI.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an FRF.16 header. The FRF.16 header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on one of the N different T1 links. The link is chosen on a packet-by-packet basis to balance the load across the various T1 links.


If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, the software splits the packet into two or more fragments, which are assigned consecutive multilink sequence numbers. The outgoing link for each fragment is selected independently of all other fragments. If you do not include the fragment-threshold statement in the fragmentation map, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level is the default for all forwarding classes.

If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest MTU of all the links in the bundle. Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level. The MRRU is similar to the MTU but is specific to link services interfaces. By default, the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.

The N different T1 interfaces link to another router, which can be from Juniper Networks or another vendor. The router at the far end gathers packets from all the T1 links. Because each packet has an FRF.16 header, the sequence number field is used to put the packet back into sequence number order.

Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16


Configure an NxT1 bundle using FRF.16 with multiple CoS scheduler maps:

    [edit chassis fpc 1 pic 3]
    adaptive-services {
        service-package layer-2;
    }
    mlfr-uni-nni-bundles 2; # Creates channelized LSQ interfaces/FRF.16 bundles.
    [edit interfaces]
    t1-0/0/0 {
        encapsulation multilink-frame-relay-uni-nni;
        unit 0 {
            family mlfr-uni-nni {
                bundle lsq-1/3/0:1;
            }
        }
    }
    t1-0/0/1 {
        encapsulation multilink-frame-relay-uni-nni;
        unit 0 {
            family mlfr-uni-nni {
                bundle lsq-1/3/0:1;
            }
        }
    }
    lsq-1/3/0:1 { # Bundle link consisting of t1-0/0/0 and t1-0/0/1
        per-unit-scheduler;
        encapsulation multilink-frame-relay-uni-nni;
        dce; # One end needs to be configured as DCE.
        mlfr-uni-nni-bundle-options {
            drop-timeout 180;
            fragment-threshold 64;
            hello-timer 180;
            minimum-links 2;
            mrru 3000;
            link-layer-overhead 0.5;
        }
        unit 0 {
            dlci 26; # Each logical unit maps a single DLCI.
            family inet {
                address 10.2.3.4/24;
            }
        }
        unit 1 {
            dlci 42;
            family inet {
                address 10.20.30.40/24;
            }
        }
        unit 2 {
            dlci 69;
            family inet {
                address 10.20.30.40/24;
            }
        }
    }
    [edit class-of-service]
    scheduler-maps {
        sched-map-lsq0 {
            forwarding-class af scheduler af-scheduler-lsq0;
            forwarding-class be scheduler be-scheduler-lsq0;
            forwarding-class ef scheduler ef-scheduler-lsq0;
            forwarding-class nc scheduler nc-scheduler-lsq0;
        }
        sched-map-lsq1 {
            forwarding-class af scheduler af-scheduler-lsq1;
            forwarding-class be scheduler be-scheduler-lsq1;
            forwarding-class ef scheduler ef-scheduler-lsq1;
            forwarding-class nc scheduler nc-scheduler-lsq1;
        }
    }
    schedulers {
        af-scheduler-lsq0 {
            transmit-rate percent 60;
            buffer-size percent 60;
            priority low;
        }
        be-scheduler-lsq0 {
            transmit-rate percent 30;
            buffer-size percent 30;
            priority low;
        }
        ef-scheduler-lsq0 {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority strict-high;
        }
        nc-scheduler-lsq0 {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority high;
        }
        af-scheduler-lsq1 {
            transmit-rate percent 50;
            buffer-size percent 50;
            priority low;
        }
        be-scheduler-lsq1 {
            transmit-rate percent 30;
            buffer-size percent 30;
            priority low;
        }
        ef-scheduler-lsq1 {
            transmit-rate percent 15;
            buffer-size percent 15;
            priority strict-high;
        }
        nc-scheduler-lsq1 {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority high;
        }
    }
    interfaces {
        lsq-1/3/0:1 { # MLFR FRF.16
            unit 0 {
                scheduler-map sched-map-lsq0;
            }
            unit 1 {
                scheduler-map sched-map-lsq1;
            }
        }
    }
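The constraints this chapter states for LSQ bundles (an MLPPP bundle statement must point at an lsq unit with encapsulation multilink-ppp, a bundle with more than one link needs per-unit-scheduler, the MRRU lies between 1500 and 4500 bytes, and an FRF.16 fragmentation map cannot use no-fragmentation) can be checked mechanically before a commit. The following Python audit script is an added example, not part of this guide or of Junos; it parses the brace format used in the examples above and runs over a constructed sample configuration with three deliberate faults. Its minimum-links check (a bundle that requires more links than it has can never come up) is an inference of ours, not a rule stated in the guide.

```python
import re

def parse(text):
    """Parse Junos brace-format text into nested dicts; a leaf statement maps to None."""
    stack, words = [{}], []
    for tok in re.findall(r"\{|\}|;|#[^\n]*|[^\s{};#]+", text):
        if tok.startswith("#"):            # comments carry no configuration
            continue
        if tok == "{":                     # open a child block named by the words before it
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                   # leaf statement, e.g. "mrru 4500"
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def arg(block, name):
    """Argument of leaf `name value;` in block ("" if it takes none), or None if absent."""
    for key, child in (block or {}).items():
        parts = key.split()
        if child is None and parts[0] == name:
            return parts[1] if len(parts) > 1 else ""
    return None

def audit(text):
    """Return findings for the constraints this chapter states, plus one labelled inference."""
    cfg = parse(text)
    ifaces = cfg.get("interfaces") or {}
    cos = cfg.get("class-of-service") or {}
    findings, members = [], {}
    # Collect constituent links per bundle: family mlppp (MLPPP) or family mlfr-uni-nni (FRF.16).
    for ifd, body in ifaces.items():
        for unit, ubody in (body or {}).items():
            if ifd.startswith("lsq-") or not unit.startswith("unit ") or ubody is None:
                continue
            for fam in ("family mlppp", "family mlfr-uni-nni"):
                target = arg(ubody.get(fam), "bundle")
                if target:
                    members.setdefault(target, []).append(f"{ifd}.{unit.split()[1]}")
    for bundle, links in members.items():
        if ":" in bundle:                  # FRF.16 bundle: lsq-fpc/pic/port:channel
            phys = ifaces.get(bundle) or {}
            opts = phys.get("mlfr-uni-nni-bundle-options") or {}
        else:                              # MLPPP bundle: lsq-fpc/pic/port.logical-unit-number
            ifd, unit = bundle.split(".")
            phys = ifaces.get(ifd) or {}
            opts = phys.get(f"unit {unit}") or {}
            if arg(opts, "encapsulation") != "multilink-ppp":
                findings.append(f"{bundle}: referenced by {links} but lacks encapsulation multilink-ppp")
        if len(links) > 1 and arg(phys, "per-unit-scheduler") is None:   # required for multi-link bundles
            findings.append(f"{bundle}: {len(links)} constituent links but no per-unit-scheduler")
        mrru = arg(opts, "mrru")           # the guide allows 1500 through 4500 bytes
        if mrru is not None and not 1500 <= int(mrru) <= 4500:
            findings.append(f"{bundle}: mrru {mrru} outside 1500 through 4500")
        minimum = arg(opts, "minimum-links")   # inference: requiring more links than exist never comes up
        if minimum is not None and int(minimum) > len(links):
            findings.append(f"{bundle}: minimum-links {minimum} exceeds {len(links)} constituent links")
    # FRF.16 requires every packet to carry the fragmentation header, so no-fragmentation is disallowed.
    frag_maps = cos.get("fragmentation-maps") or {}
    for ifd, body in (cos.get("interfaces") or {}).items():
        for unit, ubody in (body or {}).items():
            if ":" not in ifd or not ifd.startswith("lsq-"):
                continue
            fmap = arg(ubody, "fragmentation-map")
            for fc, fcbody in (frag_maps.get(fmap) or {}).items():
                if fcbody is not None and "no-fragmentation" in fcbody:
                    findings.append(f"{ifd} {unit}: map {fmap} sets no-fragmentation on {fc}")
    return findings

# Constructed sample, not from the guide: an MLPPP and an FRF.16 bundle with three deliberate faults.
SAMPLE_CONFIG = """interfaces {
    t1-0/0/0 { encapsulation ppp; unit 0 { family mlppp { bundle lsq-1/3/0.1; } } }
    t1-0/0/1 { encapsulation ppp; unit 0 { family mlppp { bundle lsq-1/3/0.1; } } }
    lsq-1/3/0 {    # fault 1: two constituent links but no per-unit-scheduler
        unit 1 { encapsulation multilink-ppp; fragment-threshold 128; minimum-links 2; mrru 4500; }
    }
    t1-0/0/2 { encapsulation multilink-frame-relay-uni-nni; unit 0 { family mlfr-uni-nni { bundle lsq-1/3/0:1; } } }
    t1-0/0/3 { encapsulation multilink-frame-relay-uni-nni; unit 0 { family mlfr-uni-nni { bundle lsq-1/3/0:1; } } }
    lsq-1/3/0:1 {
        per-unit-scheduler; encapsulation multilink-frame-relay-uni-nni; dce;
        mlfr-uni-nni-bundle-options { minimum-links 3; mrru 3000; }    # fault 2: only two links exist
        unit 0 { dlci 26; }
    }
}
class-of-service {
    interfaces { lsq-1/3/0:1 { unit 0 { fragmentation-map frag-frf; } } }
    fragmentation-maps { frag-frf { forwarding-class be { no-fragmentation; } } }    # fault 3
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show configuration for the interfaces and class-of-service hierarchies; each finding names the bundle or DLCI unit it applies to.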

Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI

When you configure a single fractional T1 interface, it is called a logical interface, because it can represent, for example, a routing adjacency. The logical link services IQ interface represents the MLPPP bundle. Four queues are associated with the logical interface. A scheduler removes packets from the queues according to a scheduling policy. Typically, you designate one queue to have strict priority, and the remaining queues are serviced in proportion to weights you configure.

To configure a single fractional T1 interface using MLPPP and LFI, you associate one DS0 (fractional T1) interface with a link services IQ interface. To associate a fractional T1 interface with a link services IQ interface, include the bundle statement at the [edit interfaces ds-fpc/pic/port:channel unit logical-unit-number family mlppp] hierarchy level:

    [edit interfaces ds-fpc/pic/port:channel unit logical-unit-number family mlppp]
    bundle lsq-fpc/pic/port.logical-unit-number;

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:

    [edit interfaces lsq-fpc/pic/port unit logical-unit-number]
    drop-timeout milliseconds;
    encapsulation multilink-ppp;
    fragment-threshold bytes;
    link-layer-overhead percent;
    minimum-links number;
    mrru bytes;
    short-sequence;
    family inet {
        address address;
    }

For MLPPP, assign a single scheduler map to the link services IQ (lsq) interface and to each constituent link. The default schedulers for M Series and T Series routers, which assign 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of queues 0, 1, 2, and 3, are not adequate when you configure LFI or multiclass traffic. Therefore, for MLPPP, you should configure a single scheduler with nonzero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ (lsq) interface and to each constituent link, as shown in Example: Configuring an LSQ Interface for a Fractional T1 Interface Using MLPPP and LFI on page 493.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    interfaces {
        ds-fpc/pic/port:channel {
            scheduler-map map-name;
        }
    }
    forwarding-classes {
        queue queue-number class-name;
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder | temporal microseconds);
            priority priority-level;
            transmit-rate (rate | percent percentage | remainder) <exact>;
        }
    }

For link services IQ interfaces, a strict-high-priority queue might starve all the other queues because traffic in a strict-high priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation in which a strict-high-priority queue receives infinite credits and does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide.

After the scheduler removes a packet from a queue, a certain action is taken. The action depends on whether the packet came from a multilink encapsulated queue (fragmented and sequenced) or a nonencapsulated queue (hashed with no fragmentation). Each queue can be designated as either multilink encapsulated or nonencapsulated, independently of the other. By default, traffic in all forwarding classes is multilink encapsulated.

To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                fragment-threshold bytes;
                no-fragmentation;
            }
        }
    }

If you require the queue to transmit small packets with low latency, configure the queue to be nonencapsulated by including the no-fragmentation statement. If you require the queue to transmit large packets with normal latency, configure the queue to be multilink encapsulated by including the fragment-threshold statement. If you require the queue to transmit large packets with low latency, we recommend using a faster link and configuring the queue to be nonencapsulated. For more information about fragmentation maps, see Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465. When a packet is removed from a multilink-encapsulated queue, it is fragmented. If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, the software splits the packet into two or more fragments, which are assigned consecutive multilink sequence numbers.

492

Chapter 20: Link Services IQ Interfaces Configuration Guidelines

If you do not include the fragment-threshold statement in the fragmentation map, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] hierarchy level is the default for all forwarding classes. If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest MTU of all the links in the bundle.

Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. The MRRU is similar to the MTU, but is specific to link services interfaces. By default the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an MLPPP header. The MLPPP header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on the fractional T1 link. Traffic from another queue might be interleaved between two fragments of the packet.

When a packet is removed from a nonencapsulated queue, it is transmitted with a plain PPP header. The packet is then placed on the fractional T1 link as soon as possible. If necessary, the packet is placed between the fragments of a packet from another queue.

The fractional T1 interface links to another router, which can be from Juniper Networks or another vendor. The router at the far end gathers packets from the fractional T1 link. If a packet has an MLPPP header, the software assumes the packet is a fragment of a larger packet, and the fragment number field is used to reassemble the larger packet. If the packet has a plain PPP header, the software accepts the packet in the order in which it arrives, and the software makes no attempt to reassemble or reorder the packet.

Example: Configuring an LSQ Interface for a Fractional T1 Interface Using MLPPP and LFI
Configure a single fractional T1 logical interface:
[edit interfaces]
lsq-0/2/0 {
    per-unit-scheduler;
    unit 0 {
        encapsulation multilink-ppp;
        link-layer-overhead 0.5;
        family inet {
            address 10.40.1.1/30;
        }
    }
}
ct3-1/0/0 {
    partition 1 interface-type ct1;
}
ct1-1/0/0:1 {
    partition 1 timeslots 1-2 interface-type ds;
}
ds-1/0/0:1:1 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle lsq-0/2/0.0;
        }
    }
}
[edit class-of-service]
interfaces {
    ds-1/0/0:1:1 { # multilink PPP constituent link
        unit 0 {
            scheduler-map sched-map1;
        }
    }
}
forwarding-classes {
    queue 0 be;
    queue 1 ef;
    queue 2 af;
    queue 3 nc;
}
scheduler-maps {
    sched-map1 {
        forwarding-class af scheduler af-scheduler;
        forwarding-class be scheduler be-scheduler;
        forwarding-class ef scheduler ef-scheduler;
        forwarding-class nc scheduler nc-scheduler;
    }
}
schedulers {
    af-scheduler {
        transmit-rate percent 20;
        buffer-size percent 20;
        priority low;
    }
    be-scheduler {
        transmit-rate percent 20;
        buffer-size percent 20;
        priority low;
    }
    ef-scheduler {
        transmit-rate percent 50;
        buffer-size percent 50;
        priority strict-high; # voice queue
    }
    nc-scheduler {
        transmit-rate percent 10;
        buffer-size percent 10;
        priority high;
    }
}
fragmentation-maps {
    fragmap-1 {
        forwarding-class be {
            fragment-threshold 180;
        }
        forwarding-class ef {
            fragment-threshold 100;
        }
    }
}
[edit class-of-service]
interfaces {
    lsq-0/2/0 {
        unit 0 {
            fragmentation-map fragmap-1;
        }
    }
}

Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12


To configure a single fractional T1 interface using FRF.12, you associate a DS0 interface with a link services IQ (lsq) interface. When you configure a single fractional T1, the fractional T1 carries a potentially large number of Frame Relay PVCs identified by their DLCIs. Each DLCI is called a logical interface, because it can represent, for example, a routing adjacency. To associate the DS0 interface with a link services IQ interface, include the bundle statement at the [edit interfaces ds-fpc/pic/port:channel unit logical-unit-number family mlfr-end-to-end] hierarchy level:
[edit interfaces ds-fpc/pic/port:channel unit logical-unit-number family mlfr-end-to-end]
bundle lsq-fpc/pic/port.logical-unit-number;

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:
[edit interfaces lsq-fpc/pic/port unit logical-unit-number]
drop-timeout milliseconds;
encapsulation multilink-frame-relay-end-to-end;
fragment-threshold bytes;
link-layer-overhead percent;
minimum-links number;
mrru bytes;
short-sequence;
family inet {
    address address;
}

The logical link services IQ interface represents the FRF.12 bundle. Four queues are associated with each logical interface. A scheduler removes packets from the queues according to a scheduling policy. Typically, you designate one queue to have strict priority, and the remaining queues are serviced in proportion to weights you configure. For FRF.12, assign a single scheduler map to the link services IQ interface (lsq) and to each constituent link. For M Series and T Series routers, the default schedulers, which assign 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of queues 0, 1, 2, and 3, are not adequate when you configure LFI or multiclass traffic.


Therefore, for FRF.12, you should configure schedulers with nonzero percent transmission rates and buffer sizes for queues 0 through 3, and assign them to the link services IQ interface (lsq) and to each constituent link, as shown in Examples: Configuring an LSQ Interface for a Fractional T1 Interface Using FRF.12 on page 498.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:
[edit class-of-service]
interfaces {
    ds-fpc/pic/port.channel {
        scheduler-map map-name;
    }
}
forwarding-classes {
    queue queue-number class-name;
}
scheduler-maps {
    map-name {
        forwarding-class class-name scheduler scheduler-name;
    }
}
schedulers {
    scheduler-name {
        buffer-size (percent percentage | remainder | temporal microseconds);
        priority priority-level;
        transmit-rate (rate | percent percentage | remainder) <exact>;
    }
}

For link services IQ interfaces, a strict-high-priority queue might starve the other three queues because traffic in a strict-high-priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide. After the scheduler removes a packet from a queue, a certain action is taken. The action depends on whether the packet came from a multilink encapsulated queue (fragmented and sequenced) or a nonencapsulated queue (hashed with no fragmentation). Each queue can be designated as either multilink encapsulated or nonencapsulated, independently of the other. By default, traffic in all forwarding classes is multilink encapsulated. To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:
[edit class-of-service]
fragmentation-maps {
    map-name {
        forwarding-class class-name {
            fragment-threshold bytes;
            no-fragmentation;
        }
    }
}

If you require the queue to transmit small packets with low latency, configure the queue to be nonencapsulated by including the no-fragmentation statement. If you require the queue to transmit large packets with normal latency, configure the queue to be multilink encapsulated by including the fragment-threshold statement. If you require the queue to transmit large packets with low latency, we recommend using a faster link and configuring the queue to be nonencapsulated. For more information about fragmentation maps, see Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.

When a packet is removed from a multilink-encapsulated queue, it is fragmented. If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, the software splits the packet into two or more fragments, which are assigned consecutive multilink sequence numbers. If you do not include the fragment-threshold statement in the fragmentation map, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] hierarchy level is the default for all forwarding classes. If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest MTU of all the links in the bundle.

Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. The MRRU is similar to the MTU but is specific to link services interfaces. By default, the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an FRF.12 header. The FRF.12 header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on the fractional T1 link. Traffic from another queue might be interleaved between two fragments of the packet.

When a packet is removed from a nonencapsulated queue, it is transmitted with a plain Frame Relay header. The packet is then placed on the fractional T1 link as soon as possible. If necessary, the packet is placed between the fragments of a packet from another queue.

The fractional T1 interface links to another router, which can be from Juniper Networks or another vendor. The router at the far end gathers packets from the fractional T1 link. If a packet has an FRF.12 header, the software assumes the packet is a fragment of a larger packet, and the fragment number field is used to reassemble the larger packet. If the packet has a plain Frame Relay header, the software accepts the packet in the order in which it arrives, and the software makes no attempt to reassemble or reorder the packet.


A whole packet from a nonencapsulated queue can be placed between fragments of a multilink-encapsulated queue. However, fragments from one multilink-encapsulated queue cannot be interleaved with fragments from another multilink-encapsulated queue. This is the intent of the specification FRF.12, Frame Relay Fragmentation Implementation Agreement. If fragments from two different queues were interleaved, the header fields might not have enough information to separate the fragments.
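The behavior described above for the MLPPP fractional T1 case and for FRF.12, worked through in an added Python model that is not part of this guide or of Junos: fragments of a multilink-encapsulated queue receive consecutive sequence numbers from one counter, a whole packet from a nonencapsulated queue is slipped between those fragments, fragments of two encapsulated queues are never interleaved, and the serialization delay on the link is what the fragment threshold bounds. The link speed, packet sizes, arrival times and header labels are constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LINK_KBPS = 128   # constructed: a two-timeslot fractional T1


@dataclass
class Packet:
    queue: str          # forwarding class, e.g. "be" (bulk) or "ef" (voice)
    size: int           # payload bytes
    arrival_ms: float   # when the packet becomes available to the scheduler


@dataclass
class Frame:
    queue: str
    size: int
    header: str         # multilink header (fragment) or plain header
    seq: Optional[int]  # multilink sequence number; None for a plain frame
    start_ms: float     # when the frame starts being clocked onto the link


def serialization_ms(nbytes: int, link_kbps: int = LINK_KBPS) -> float:
    """Time to clock nbytes onto a link running at link_kbps kilobits/s."""
    return nbytes * 8 / link_kbps


def fragment_sizes(size: int, threshold: int) -> List[int]:
    """Split a payload into fragments of at most threshold bytes."""
    if threshold <= 0:
        raise ValueError("fragment threshold must be positive")
    return [min(threshold, size - off) for off in range(0, size, threshold)]


class LsqLink:
    """Serialize packets as the guide describes: a multilink-encapsulated
    queue is fragmented and numbered consecutively; a nonencapsulated queue
    goes out whole with a plain header, slipped between fragments of the
    packet being sent; fragments of two encapsulated queues never interleave."""

    def __init__(self, frag_map: Dict[str, Optional[int]],
                 multilink_header: str = "MLPPP", plain_header: str = "PPP"):
        # frag_map: queue -> fragment-threshold in bytes, or None for a
        # no-fragmentation queue. For FRF.12 pass "FRF.12" and "FR" headers.
        self.frag_map = frag_map
        self.multilink_header, self.plain_header = multilink_header, plain_header
        self.next_seq = 0      # the sequence-number counter
        self.now_ms = 0.0      # link clock

    def _send(self, queue: str, size: int, seq: Optional[int],
              frames: List[Frame]) -> None:
        header = self.plain_header if seq is None else self.multilink_header
        frames.append(Frame(queue, size, header, seq, self.now_ms))
        self.now_ms += serialization_ms(size)

    def transmit(self, packets: List[Packet]) -> List[Frame]:
        pending = sorted(packets, key=lambda p: p.arrival_ms)
        frames: List[Frame] = []

        def drain_plain() -> None:
            # Arrived nonencapsulated packets go out as soon as the link is
            # free, i.e. between fragments of an encapsulated packet.
            for p in [p for p in pending if self.frag_map[p.queue] is None
                      and p.arrival_ms <= self.now_ms]:
                pending.remove(p)
                self._send(p.queue, p.size, None, frames)

        while pending:
            drain_plain()
            if not pending:
                break
            head = pending[0]
            if head.arrival_ms > self.now_ms:
                self.now_ms = head.arrival_ms   # link idle until next arrival
                continue
            pending.remove(head)   # an encapsulated packet that has arrived
            # All of its fragments go out in order; only plain frames may be
            # placed between them.
            for size in fragment_sizes(head.size, self.frag_map[head.queue]):
                self._send(head.queue, size, self.next_seq, frames)
                self.next_seq += 1
                drain_plain()
        return frames


def lfi_demo(be_threshold: int) -> dict:
    """Constructed traffic: a 1500-byte bulk packet at t=0 and a 60-byte voice
    packet 1 ms later, with voice in a no-fragmentation (LFI) queue."""
    link = LsqLink({"be": be_threshold, "ef": None})
    frames = link.transmit([Packet("be", 1500, 0.0), Packet("ef", 60, 1.0)])
    voice = next(f for f in frames if f.queue == "ef")
    return {
        "order": [(f.header, f.queue, f.seq) for f in frames],
        "fragments": sum(1 for f in frames if f.seq is not None),
        "voice_delay_ms": voice.start_ms - 1.0,   # how long voice waited
    }
```

With a 160-byte threshold on the 128 kbps link the voice packet waits behind one fragment (9 ms); with no fragmentation it waits behind the whole 1500-byte packet (about 93 ms).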

Examples: Configuring an LSQ Interface for a Fractional T1 Interface Using FRF.12


FRF.12 with Fragmentation and Without LFI

This example shows a 128 KB DS0 interface. There is one traffic stream on ge-0/0/0, which is classified into queue 0 (be). Packets are fragmented in the link services IQ (lsq-) interface according to the threshold configured in the fragmentation map.
[edit chassis]
fpc 0 {
    pic 3 {
        adaptive-services {
            service-package layer-2;
        }
    }
}
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 20.1.1.1/24 {
                arp 20.1.1.2 mac 00.90.1b.12.34.56;
            }
        }
    }
}
ce1-0/2/0 {
    partition 1 timeslots 1-2 interface-type ds;
}
ds-0/2/0:1 {
    no-keepalives;
    dce;
    encapsulation frame-relay;
    unit 0 {
        dlci 100;
        family mlfr-end-to-end {
            bundle lsq-0/3/0.0;
        }
    }
}
lsq-0/3/0 {
    per-unit-scheduler;
    unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 10.200.0.78/30;
        }
    }
}
fxp0 {
    unit 0 {
        family inet {
            address 172.16.1.162/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.0.0.1/32;
        }
    }
}
[edit class-of-service]
forwarding-classes {
    queue 0 be;
    queue 1 ef;
    queue 2 af;
    queue 3 nc;
}
interfaces {
    lsq-0/3/0 {
        unit 0 {
            fragmentation-map map1;
        }
    }
}
fragmentation-maps {
    map1 {
        forwarding-class be {
            fragment-threshold 160;
        }
    }
}

FRF.12 with Fragmentation and LFI

This example shows a 512 KB DS0 bundle and four traffic streams on ge-0/0/0 that are classified into four queues. The fragment size is 160 for queue 0, queue 1, and queue 2. The voice stream on queue 3 has LFI configured.
[edit chassis]
fpc 0 {
    pic 3 {
        adaptive-services {
            service-package layer-2;
        }
    }
}
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 20.1.1.1/24 {
                arp 20.1.1.2 mac 00.90.1b.12.34.56;
            }
        }
    }
}
ce1-0/2/0 {
    partition 1 timeslots 1-8 interface-type ds;
}
ds-0/2/0:1 {
    no-keepalives;
    dce;
    encapsulation frame-relay;
    unit 0 {
        dlci 100;
        family mlfr-end-to-end {
            bundle lsq-0/3/0.0;
        }
    }
}
lsq-0/3/0 {
    per-unit-scheduler;
    unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 10.200.0.78/30;
        }
    }
}
[edit class-of-service]
classifiers {
    inet-precedence ge-interface-classifier {
        forwarding-class be {
            loss-priority low code-points 000;
        }
        forwarding-class ef {
            loss-priority low code-points 010;
        }
        forwarding-class af {
            loss-priority low code-points 100;
        }
        forwarding-class nc {
            loss-priority low code-points 110;
        }
    }
}
forwarding-classes {
    queue 0 be;
    queue 1 ef;
    queue 2 af;
    queue 3 nc;
}
interfaces {
    lsq-0/3/0 {
        unit 0 {
            scheduler-map sched2;
            fragmentation-map map2;
        }
    }
    ds-0/2/0:1 {
        scheduler-map link-map2;
    }
    ge-0/0/0 {
        unit 0 {
            classifiers {
                inet-precedence ge-interface-classifier;
            }
        }
    }
}
scheduler-maps {
    sched2 {
        forwarding-class be scheduler economy;
        forwarding-class ef scheduler business;
        forwarding-class af scheduler stream;
        forwarding-class nc scheduler voice;
    }
    link-map2 {
        forwarding-class be scheduler link-economy;
        forwarding-class ef scheduler link-business;
        forwarding-class af scheduler link-stream;
        forwarding-class nc scheduler link-voice;
    }
}
fragmentation-maps {
    map2 {
        forwarding-class be {
            fragment-threshold 160;
        }
        forwarding-class ef {
            fragment-threshold 160;
        }
        forwarding-class af {
            fragment-threshold 160;
        }
        forwarding-class nc {
            no-fragmentation;
        }
    }
}
schedulers {
    economy {
        transmit-rate percent 26;
        buffer-size percent 26;
    }
    business {
        transmit-rate percent 26;
        buffer-size percent 26;
    }
    stream {
        transmit-rate percent 35;
        buffer-size percent 35;
    }
    voice {
        transmit-rate percent 13;
        buffer-size percent 13;
    }
    link-economy {
        transmit-rate percent 26;
        buffer-size percent 26;
    }
    link-business {
        transmit-rate percent 26;
        buffer-size percent 26;
    }
    link-stream {
        transmit-rate percent 35;
        buffer-size percent 35;
    }
    link-voice {
        transmit-rate percent 13;
        buffer-size percent 13;
    }
}

Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15


This example configures an NxT1 bundle using FRF.15 on a link services IQ interface. FRF.15 is similar to FRF.12, as described in Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495. The difference is that FRF.15 supports multiple physical links in a bundle, whereas FRF.12 supports only one physical link per bundle. For the Junos OS implementation of FRF.15, you can configure one DLCI per physical link.

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. This example refers to T1 interfaces, but the configuration for E1 interfaces is similar.

[edit interfaces]
lsq-1/3/0 {
    per-unit-scheduler;
    unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
    }
    unit 1 {
        encapsulation multilink-frame-relay-end-to-end;
    }
}
# First physical link
t1-1/1/0:1 {
    encapsulation frame-relay;
    unit 0 {
        dlci 69;
        family mlfr-end-to-end {
            bundle lsq-1/3/0.0;
        }
    }
}
# Second physical link
t1-1/1/0:2 {
    encapsulation frame-relay;
    unit 0 {
        dlci 13;
        family mlfr-end-to-end {
            bundle lsq-1/3/0.0;
        }
    }
}

Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP
This example bundles a single T3 interface on a link services IQ interface with MLPPP encapsulation. Binding a single T3 interface to a multilink bundle allows you to configure compressed RTP (CRTP) on the T3 interface. This scenario applies to MLPPP bundles only. The Junos OS does not currently support CRTP over Frame Relay. For more information, see Configuring Services Interfaces for Voice Services on page 522. There is no need to configure LFI at DS3 speeds, because the packet serialization delay is negligible.
[edit interfaces]
t3-0/0/0 {
    unit 0 {
        family mlppp {
            bundle lsq-1/3/0.1;
        }
    }
}
lsq-1/3/0 {
    unit 1 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                # cRTP parameters go here
                # port minimum 2000 maximum 64009;
            }
        }
    }
}

This configuration uses a default fragmentation map, which results in all forwarding classes (queues) being sent out with a multilink header.


To eliminate multilink headers, you can configure a fragmentation map in which all queues have the no-fragmentation statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, and attach the fragmentation map to the lsq-1/3/0.1 interface, as shown here:
[edit class-of-service]
fragmentation-maps {
    fragmap {
        forwarding-class be {
            no-fragmentation;
        }
        forwarding-class af {
            no-fragmentation;
        }
        forwarding-class ef {
            no-fragmentation;
        }
        forwarding-class nc {
            no-fragmentation;
        }
    }
}
interfaces {
    lsq-1/3/0 {
        unit 1 {
            fragmentation-map fragmap;
        }
    }
}

Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12


This example configures a clear-channel T3 or OC3 interface with multiple logical interfaces (DLCIs) on the link. In this scenario, each DLCI represents a customer. DLCIs are shaped at the egress PIC to a particular speed (NxDS0). This allows you to configure LFI using FRF.12 End-to-End Protocol on Frame Relay DLCIs. To do this, first configure logical interfaces (DLCIs) on the physical interface. Then bundle the DLCIs, so that there is only one DLCI per bundle. The physical interface must be capable of per-DLCI scheduling, which allows you to attach shaping rates to each DLCI. For more information, see the Junos OS Network Interfaces Configuration Guide. To prevent fragment drops at the egress PIC, you must assign a shaping rate to the link services IQ logical interfaces and to the egress DLCIs. Shaping rates on DLCIs specify how much bandwidth is available for each DLCI. The shaping rate on link services IQ interfaces should match the shaping rate assigned to the DLCI that is associated with the bundle. Egress interfaces also must have a scheduler map attached. The queue that carries voice should be strict-high-priority, while all other queues should be low-priority. This makes LFI possible.


This example shows voice traffic in the ef queue. The voice traffic is interleaved with bulk data. Alternatively, you can use multiclass MLPPP to carry multiple classes of traffic in different multilink classes, as described in Configuring Multiclass MLPPP on LSQ Interfaces on page 467.
[edit interfaces]
t3-0/0/0 {
    per-unit-scheduler;
    encapsulation frame-relay;
    unit 0 {
        dlci 69;
        family mlfr-end-to-end {
            bundle lsq-1/3/0.0;
        }
    }
    unit 1 {
        dlci 42;
        family mlfr-end-to-end {
            bundle lsq-1/3/0.1;
        }
    }
}
lsq-1/3/0 {
    unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
        fragment-threshold 320; # Multilink packets must be fragmented
    }
    unit 1 {
        encapsulation multilink-frame-relay-end-to-end;
        fragment-threshold 160;
    }
}
[edit class-of-service]
scheduler-maps {
    sched {
        # Scheduling parameters that apply to bundles on AS or Multiservices PICs.
        ...
    }
    pic-sched {
        # Scheduling parameters for egress DLCIs.
        # The voice queue should be strict-high priority.
        # All other queues should be low priority.
        ...
    }
}
fragmentation-maps {
    fragmap {
        forwarding-class ef {
            # Voice is carried in the ef queue.
            # It is interleaved with bulk data.
            no-fragmentation;
        }
    }
}
interfaces {
    t3-0/0/0 {
        unit 0 {
            shaping-rate 512k;
            scheduler-map pic-sched;
        }
        unit 1 {
            shaping-rate 128k;
            scheduler-map pic-sched;
        }
    }
    lsq-1/3/0 { # Assign fragmentation and scheduling to LSQ interfaces.
        unit 0 {
            shaping-rate 512k;
            scheduler-map sched;
            fragmentation-map fragmap;
        }
        unit 1 {
            shaping-rate 128k;
            scheduler-map sched;
            fragmentation-map fragmap;
        }
    }
}

For more information about how FRF.12 works with link services IQ interfaces, see Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495.

Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP


This example configures an ATM2 IQ interface with MLPPP bundled with link services IQ interfaces. This allows you to configure LFI on ATM virtual circuits. For this type of configuration, the ATM2 IQ interface must have LLC encapsulation. The following ATM PICs are supported in this scenario:

2-port OC-3/STM1 ATM2 IQ
4-port DS3 ATM2 IQ

Virtual circuit multiplexed PPP over AAL5 is not supported. Frame Relay is not supported. Bundling of multiple ATM VCs into a single logical interface is not supported. Unlike DS3 and OC3 interfaces, there is no need to create a separate scheduler map for the ATM PIC. For ATM, you define CoS components at the [edit interfaces at-fpc/pic/port atm-options] hierarchy level, as described in the Junos OS Network Interfaces Configuration Guide.

NOTE: Do not configure RED profiles on ATM logical interfaces that are bundled. Drops do not occur at the ATM interface.


In this example, two ATM VCs are configured and bundled into two link services IQ bundles. A fragmentation map is used to interleave voice traffic with other multilink traffic. Because MLPPP is used, each link services IQ bundle can be configured for CRTP.
[edit interfaces]
at-1/2/0 {
    atm-options {
        vpi 0;
        pic-type atm2;
    }
    unit 0 {
        vci 0.69;
        encapsulation atm-mlppp-llc;
        family mlppp {
            bundle lsq-1/3/0.10;
        }
    }
    unit 1 {
        vci 0.42;
        encapsulation atm-mlppp-llc;
        family mlppp {
            bundle lsq-1/3/0.11;
        }
    }
}
lsq-1/3/0 {
    unit 10 {
        encapsulation multilink-ppp;
        # Large packets must be fragmented.
        # You can specify fragmentation for each forwarding class.
        fragment-threshold 320;
        compression {
            rtp {
                port minimum 2000 maximum 64009;
            }
        }
    }
    unit 11 {
        encapsulation multilink-ppp;
        fragment-threshold 160;
    }
}
[edit class-of-service]
scheduler-maps {
    sched {
        # Scheduling parameters that apply to LSQ bundles on AS or Multiservices PICs.
        ...
    }
}
fragmentation-maps {
    fragmap {
        forwarding-class ef {
            no-fragmentation;
        }
    }
}
interfaces {
    # Assign fragmentation and scheduling parameters to the LSQ bundle units (10 and 11).
    lsq-1/3/0 {
        unit 10 {
            shaping-rate 512k;
            scheduler-map sched;
            fragmentation-map fragmap;
        }
        unit 11 {
            shaping-rate 128k;
            scheduler-map sched;
            fragmentation-map fragmap;
        }
    }
}


CHAPTER 21

Summary of Link Services IQ Configuration Statements


The following sections explain each of the Link Services Intelligent Queuing (IQ) statements. The statements are organized alphabetically.

cisco-interoperability
Syntax: cisco-interoperability send-lip-remove-link-for-link-reject;
Hierarchy Level: [edit interfaces interface-name mlfr-uni-nni-bundle-options]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: FRF.16 interoperability settings.
Options: send-lip-remove-link-for-link-reject - Send Link Integrity Protocol remove link when an add-link rejection message is received.
Usage Guidelines: See Configuring SONET APS Interoperability with Cisco Systems FRF.16 on page 451.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.


forwarding-class
Syntax:
    forwarding-class class-name {
        (fragment-threshold bytes | no-fragmentation);
        multilink-class number;
    }
Hierarchy Level: [edit class-of-service fragmentation-maps]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, define a forwarding class name and associated fragmentation properties within a fragmentation map. The fragment-threshold and no-fragmentation statements are mutually exclusive.
Default: If you do not include this statement, the traffic in forwarding class class-name is fragmented.
Options: class-name - Name of the forwarding class. The remaining statements are explained separately.
Usage Guidelines: See Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.


fragment-threshold
Syntax: fragment-threshold bytes;
Hierarchy Level: [edit class-of-service fragmentation-maps forwarding-class class-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, set the fragmentation threshold for an individual forwarding class.
Default: If you do not include this statement, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level is the default for all forwarding classes. If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest maximum transmission unit (MTU) of all the links in the bundle.
Options: bytes - Maximum size, in bytes, for multilink packet fragments. Any nonzero value must be a multiple of 64 bytes. Range: 128 through 16,320 bytes.
Usage Guidelines: See Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.

fragmentation-map
Syntax: fragmentation-map map-name;
Hierarchy Level: [edit class-of-service interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI.
Default: If you do not include this statement, traffic in all forwarding classes is fragmented.
Options: map-name - Name of the fragmentation map.
Usage Guidelines: See Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.


fragmentation-maps
Syntax:
    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                (fragment-threshold bytes | no-fragmentation);
                multilink-class number;
            }
        }
    }
Hierarchy Level: [edit class-of-service]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, define fragmentation properties for individual forwarding classes.
Default: If you do not include this statement, traffic in all forwarding classes is fragmented.
Options: map-name - Name of the fragmentation map. The remaining statements are explained separately.
Usage Guidelines: See Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.

hot-standby
Syntax: hot-standby;
Hierarchy Level: [edit interfaces rlsqnumber redundancy-options], [edit interfaces rlsqnumber:number redundancy-options]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: For one-to-one AS or Multiservices PIC redundancy configurations, specify that failure detection and recovery must take place in less than 5 seconds. For FRF.15 (MLFR) and FRF.16 (MFR) configurations, the switchover time is 5 seconds or less for FRF.15 and a maximum of 10 seconds for FRF.16.
Usage Guidelines: See Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.


link-layer-overhead
Syntax: link-layer-overhead percent;
Hierarchy Level: [edit interfaces interface-name mlfr-uni-nni-bundle-options], [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, configure the percentage of total bundle bandwidth to be set aside for link-layer overhead. Link-layer overhead accounts for the bit stuffing on serial links. Bit stuffing is used to prevent data from being interpreted as control information. Overhead resulting from link-layer encapsulation and framing is computed automatically.
Options: percent - Percentage of total bundle bandwidth to be set aside for link-layer overhead. Range: 0 through 50 percent. Default: 0 percent.
Usage Guidelines: See Configuring CoS Scheduling Queues on Logical LSQ Interfaces on page 461.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.

lsq-failure-options
Syntax:
    lsq-failure-options {
        no-termination-request;
        trigger-link-failure interface-name;
    }
Hierarchy Level: [edit interfaces lsq-fpc/pic/port]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, define the failure recovery option settings.
Options: The remaining statements are explained separately.
Usage Guidelines: See Configuring the Association between LSQ and SONET Interfaces on page 450.
Required Privilege Level: interface - To view this statement in the configuration; interface-control - To add this statement to the configuration.

Junos 11.4 Services Interfaces Configuration Guide

multilink-class

Syntax: multilink-class number;
Hierarchy Level: [edit class-of-service fragmentation-maps forwarding-class class-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, map a forwarding class into a multiclass MLPPP (MCML) class. The multilink-class and no-fragmentation statements are mutually exclusive.
Options:
    number: The multilink class assigned to this forwarding class. Range: 0 through 7. Default: None.
Usage Guidelines: See Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465 and Configuring Multiclass MLPPP on LSQ Interfaces on page 467.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: multilink-max-classes on page 306

multilink-max-classes

Syntax: multilink-max-classes number;
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, configure the number of multilink classes to be negotiated when a link joins the bundle.
Options:
    number: The number of multilink classes to be negotiated when a link joins the bundle. Range: 1 through 8. Default: None.
Usage Guidelines: See Configuring Multiclass MLPPP on LSQ Interfaces on page 467.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


no-fragmentation

Syntax: no-fragmentation;
Hierarchy Level: [edit class-of-service fragmentation-maps forwarding-class class-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For link services IQ (lsq) interfaces only, set traffic on a particular forwarding class to be interleaved rather than fragmented. This statement specifies that no extra fragmentation header is prepended to the packets received on this queue and that static-link load balancing is used to ensure in-order packet delivery. Static-link load balancing is done based on packet payload. For IP version 4 (IPv4) and IP version 6 (IPv6) traffic, the link is chosen based on a hash computed from the source address, destination address, and protocol. If the IP payload is Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) traffic, the hash also includes source port and destination port. For MPLS traffic, the hash includes all MPLS labels and fields in the payload, whether the MPLS payload is IPv4 or IPv6.
Default: If you do not include this statement, the traffic in forwarding class class-name is fragmented.
Usage Guidelines: See Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

no-per-unit-scheduler

Syntax: no-per-unit-scheduler;
Hierarchy Level: [edit interfaces interface-name]
Release Information: Statement introduced before Junos OS Release 11.4.
Description: To enable traffic control profiles to be applied at the FRF.16 bundle (physical) interface level, disable the per-unit scheduler, which is enabled by default. This statement and the shared-scheduler statement are mutually exclusive.
Usage Guidelines: See Oversubscribing Interface Bandwidth.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


no-termination-request

Syntax: no-termination-request;
Hierarchy Level: [edit interfaces interface-name ppp-options], [edit interfaces lsq-fpc/pic/port lsq-failure-options]
Release Information: Statement introduced in Junos OS Release 7.4. Support at the [edit interfaces interface-name ppp-options] hierarchy level added in Junos OS Release 8.3.
Description: Inhibit PPP termination-request messages to the remote host if the primary circuit fails.
Usage Guidelines: See Configuring the Association between LSQ and SONET Interfaces on page 450.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

per-unit-scheduler

Syntax: per-unit-scheduler;
Hierarchy Level: [edit interfaces interface-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For channelized OC12 IQ, channelized T3 IQ, channelized E1 IQ, E3 IQ, and Gigabit Ethernet IQ interfaces only, enable association of scheduler map names with logical interfaces.
Usage Guidelines: See Configuring Link Services and CoS on Services PICs on page 477.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


preserve-interface

Syntax: preserve-interface;
Hierarchy Level: [edit interfaces interface-name sonet-options aps]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Enable link PIC replication, which provides MLPPP link redundancy at the port level. This feature is supported with SONET APS and the following link PICs:
    Channelized OC3 IQ PIC
    Channelized OC12 IQ PIC
    Channelized STM1 IQ PIC
Link PIC replication provides the ability to add two sets of links, one from the active SONET PIC and the other from the standby SONET PIC, to the same bundle. If the active SONET PIC fails, links from the standby PIC are used without triggering link renegotiation. All the negotiated state is replicated from the active links to the standby links to prevent link renegotiation.
Usage Guidelines: See Configuring Link State Replication for Redundant Link PICs on page 455.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: Junos OS Network Interfaces Configuration Guide

primary

Syntax: primary interface-name;
Hierarchy Level: [edit interfaces rlsqnumber redundancy-options]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Specify the primary Link Services IQ PIC interface.
Options:
    interface-name: The identifier for the Link Services IQ PIC interface, which must be of the form lsq-fpc/pic/port.
Usage Guidelines: See Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


redundancy-options

Syntax:
    redundancy-options {
        (hot-standby | warm-standby);
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
Hierarchy Level: [edit interfaces rlsqnumber]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Specify the primary and secondary (backup) Link Services IQ PIC interfaces.
Options: The remaining statements are explained separately.
Usage Guidelines: See Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

secondary

Syntax: secondary interface-name;
Hierarchy Level: [edit interfaces rlsqnumber redundancy-options]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Specify the secondary (backup) Link Services IQ PIC interface.
Options:
    interface-name: The identifier for the Link Services IQ PIC interface, which must be of the form lsq-fpc/pic/port.
Usage Guidelines: See Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


trigger-link-failure

Syntax: trigger-link-failure interface-name;
Hierarchy Level: [edit interfaces lsq-fpc/pic/port lsq-failure-options]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: List of SONET interfaces connected to the LSQ interface that can implement Automatic Protection Switching (APS) if the Link Services IQ PIC fails.
Options:
    interface-name: Name of the SONET interface.
Usage Guidelines: See Configuring the Association between LSQ and SONET Interfaces on page 450.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

warm-standby

Syntax: warm-standby;
Hierarchy Level: [edit interfaces rlsqnumber redundancy-options]
Release Information: Statement introduced in Junos OS Release 8.0.
Description: For AS or Multiservices PIC redundancy configurations, specify that failure detection and recovery involves one backup PIC supporting multiple working PICs. Recovery time is not guaranteed.
Usage Guidelines: See Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
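The following configuration is an added example, not part of the original guide, that puts the redundancy-options, hot-standby, primary and secondary statements summarized above into one working unit: the virtual interface rlsq0 is backed by a primary and a secondary Link Services IQ PIC, and the T1 member links are bundled to rlsq0.0 rather than to either physical lsq interface, so a PIC failover does not change the bundle the links point at. The slot and port numbers, the addresses and the RTP port range are assumptions.

```junos
interfaces {
    rlsq0 {
        redundancy-options {
            # hot-standby: one backup PIC per working PIC, failover under 5 seconds.
            # warm-standby would instead let one backup PIC cover several working
            # PICs, with no guaranteed recovery time.
            hot-standby;
            primary lsq-1/1/0;      # assumed PIC locations
            secondary lsq-2/1/0;
        }
        unit 0 {
            # The rlsq unit carries the same bundle statements an lsq unit would.
            encapsulation multilink-ppp;
            fragment-threshold 128;
            compression {
                rtp {
                    port minimum 16384 maximum 32767;   # assumed RTP port range
                }
            }
            family inet {
                address 10.0.0.1/30;                    # assumed address
            }
        }
    }
    # Member links join the virtual rlsq unit, never lsq-1/1/0.0 directly;
    # otherwise the links would follow the PIC, not the redundancy pair.
    t1-3/0/0 {
        encapsulation ppp;
        unit 0 {
            family mlppp {
                bundle rlsq0.0;
            }
        }
    }
    t1-3/0/1 {
        encapsulation ppp;
        unit 0 {
            family mlppp {
                bundle rlsq0.0;
            }
        }
    }
}
```

After committing, the operational check the author of this example would run is show interfaces redundancy, which reports which of the two PICs currently backs rlsq0; confirm the secondary PIC is present and online before relying on the sub-5-second failover, because hot-standby only meets that bound when the backup PIC is already up.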


CHAPTER 22

Voice Services Configuration Guidelines


The Adaptive Services (AS) and Multiservices PICs support compressed Real-Time Transport Protocol (CRTP) on the lsq-fpc/pic/port interface type. This enables voice over IP (VoIP) traffic to use low-speed links more effectively by compressing the 40-byte IP/User Datagram Protocol (UDP)/RTP header down to 2 to 4 bytes in most cases.

NOTE: J Series routers also support VoIP routing through the Avaya TGM550 media gateway module. This is a separate product from the adaptive services suite and is not supported on M Series and T Series routers. For more information, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.

For link services IQ interfaces (lsq) only, you can configure CRTP with multiclass MLPPP (MCML). MCML greatly simplifies packet ordering issues that occur when multiple links are used. Without MCML, all voice traffic belonging to a single flow is hashed to a single link in order to avoid packet ordering issues. With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. For more information about MCML support on link services IQ interfaces, see Configuring Link Services and CoS on Services PICs on page 477. Link services IQ interfaces use a bundle configuration. For more information, see Layer 2 Service Package Capabilities and Interfaces on page 448 and Multilink and Link Services Logical Interface Configuration Overview on page 1237.

NOTE: On LSQ interfaces, all multilink traffic for a single bundle is sent to a single processor. If CRTP is enabled on the bundle, it adds overhead to the CPU. Because T3 network interfaces support only one link per bundle, make sure you configure a fragmentation map for compressed traffic on these interfaces and specify the no-fragmentation option. For more information, see Configuring Delay-Sensitive Packet Interleaving on page 524 and Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.
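The configuration below is an added example, not part of the original guide, showing CRTP combined with multiclass MLPPP on an lsq bundle as the text describes: voice in the expedited-forwarding class gets its own multilink class and is never fragmented, while best-effort data is placed in multilink class 0 and fragmented, so the two no longer compete for a single hashed link. expedited-forwarding and best-effort are the Junos default forwarding-class names for queues 1 and 0; the interface names, the class count, the map name voice-mcml, the addresses and the port range are assumptions.

```junos
interfaces {
    lsq-1/3/0 {
        unit 0 {
            encapsulation multilink-ppp;
            # MCML: negotiate four multilink classes (0 through 3) with each
            # link that joins the bundle.
            multilink-max-classes 4;
            # No unit-level fragment-threshold: fragmentation is decided per
            # forwarding class in the fragmentation map below.
            compression {
                rtp {
                    f-max-period 256;
                    # Compress when the packet is in queue 1 OR its UDP
                    # destination port falls in the range (either condition).
                    queues [ q1 ];
                    port minimum 16384 maximum 32767;   # assumed
                }
            }
            family inet {
                address 10.20.0.1/30;                   # assumed
            }
        }
    }
    t1-2/0/0 {
        encapsulation ppp;
        unit 0 {
            family mlppp {
                bundle lsq-1/3/0.0;
            }
        }
    }
    t1-2/0/1 {
        encapsulation ppp;
        unit 0 {
            family mlppp {
                bundle lsq-1/3/0.0;
            }
        }
    }
}
class-of-service {
    fragmentation-maps {
        voice-mcml {
            forwarding-class {
                # Voice: its own multilink class and no fragment-threshold,
                # so it is carried whole in the high-priority class.
                # (multilink-class and no-fragmentation are mutually exclusive.)
                expedited-forwarding {
                    multilink-class 3;
                }
                # Bulk data: class 0, cut into 256-byte fragments so one large
                # packet cannot hold a T1 link while voice waits.
                best-effort {
                    multilink-class 0;
                    fragment-threshold 256;
                }
            }
        }
    }
    interfaces {
        lsq-1/3/0 {
            unit 0 {
                fragmentation-map voice-mcml;
            }
        }
    }
}
```

A scheduler-map giving queue 1 strict priority still has to be applied to lsq-1/3/0 unit 0 in the same way as the sched map in the ATM example later in this chapter; the fragmentation map only controls fragmentation and class assignment, not queue servicing.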


Voice services do not require a separate service rules configuration, but you need to configure both services interfaces and network interfaces, as described in the following topics:

Configuring Services Interfaces for Voice Services on page 522
Configuring Encapsulation for Voice Services on page 525
Configuring Network Interfaces for Voice Services on page 525
Examples: Configuring Voice Services on page 526

Configuring Services Interfaces for Voice Services


You define voice service properties such as compression by configuring statements and values for a voice services interface, specified by the interface type lsq-. You can include the following statements:
    encapsulation multilink-ppp;
    family inet {
        address address;
    }
    compression {
        rtp {
            f-max-period number;
            maximum-contexts number <force>;
            port {
                minimum port-number;
                maximum port-number;
            }
            queues [ queue-numbers ];
        }
    }
    fragment-threshold bytes;

You can include these statements at the following hierarchy levels:


[edit interfaces (lsq | ls)-fpc/pic/port unit logical-unit-number]
[edit logical-systems logical-system-name interfaces (lsq | ls)-fpc/pic/port unit logical-unit-number]

The following sections provide detailed instructions for configuring for voice services on services interfaces:

Configuring the Logical Interface Address for the MLPPP Bundle on page 522
Configuring Compression of Voice Traffic on page 523
Configuring Delay-Sensitive Packet Interleaving on page 524
Example: Configuring Compression of Voice Traffic on page 524

Configuring the Logical Interface Address for the MLPPP Bundle


To configure the logical address for the MLPPP bundle, include the address statement:
    address address {
        ...
    }

You can configure this statement at the following hierarchy levels:


[edit interfaces (lsq | ls)-fpc/pic/port unit logical-unit-number family inet]
[edit logical-systems logical-system-name interfaces (lsq | ls)-fpc/pic/port unit logical-unit-number family inet]

address specifies an IP address for the interface. AS and Multiservices PICs support only IP version 4 (IPv4) addresses, which are therefore configured under the family inet statement. For information on other addressing properties you can configure that are not specific to service interfaces, see the Junos OS Network Interfaces Configuration Guide.

Configuring Compression of Voice Traffic


You can specify how a services interface handles voice traffic compression by including the compression statement:
    compression {
        rtp {
            f-max-period number;
            maximum-contexts number <force>;
            port {
                minimum port-number;
                maximum port-number;
            }
            queues [ queue-numbers ];
        }
    }

You can include this statement at the following hierarchy levels:


[edit interfaces (lsq | ls)-fpc/pic/port unit logical-unit-number]
[edit logical-systems logical-system-name interfaces (lsq | ls)-fpc/pic/port unit logical-unit-number]

The following statements configure the indicated compression properties:

f-max-period number: Sets the maximum number of compressed packets to insert between transmissions of a full header. If you do not include the statement, the default is 256 packets.

maximum-contexts number <force>: Specifies the maximum number of RTP contexts to accept during negotiation. The optional force keyword requires the PIC to use the value specified for maximum RTP contexts, regardless of the negotiated value. This option enables interoperation with Junos OS Releases that base the RTP context value on link speed.

port, minimum port-number, and maximum port-number: Specify the lower and upper boundaries for a range of UDP destination port values on which RTP compression takes effect. Values for port-number can range from 0 through 65,535. RTP compression is applied to traffic transiting the ports within the specified range.

queues [ queue-numbers ]: Specifies one or more of the queues q0, q1, q2, and q3. RTP compression is applied to the traffic in the specified queues.

NOTE: If you specify both a port range and one or more queues, compression takes place if either condition is met.

Configuring Delay-Sensitive Packet Interleaving


When you configure CRTP, the software automatically enables link fragmentation and interleaving (LFI). LFI reduces excessive delays by fragmenting long packets into smaller packets and interleaving them with real-time frames. This allows real-time and non-real-time data frames to be carried together on lower-speed links without causing excessive delays to the real-time traffic. When the peer interface receives the smaller fragments, it reassembles the fragments into their original packet. For example, short delay-sensitive packets, such as packetized voice, can race ahead of larger delay-insensitive packets, such as common data packets. By default, LFI is always active when you include the compression rtp statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. You control the operation of LFI indirectly by setting the fragment-threshold statement on the same logical interface. For example, if you include the fragment-threshold 256 statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, all IP packets larger than 256 bytes are fragmented.

Example: Configuring Compression of Voice Traffic


Configure compression on a T1 interface with MLPPP encapsulation. Configure fragmentation for all IP packets larger than 128 bytes.
[edit interfaces]
t1-1/0/0 {
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.1;
        }
    }
}
lsq-1/1/0 {
    unit 1 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                port minimum 2000 maximum 64009;
            }
        }
        family inet {
            address 30.1.1.2/24;
        }
        fragment-threshold 128;
    }
}

Configuring Encapsulation for Voice Services


Voice services interfaces support the following logical interface encapsulation types:

Multilink Point-to-Point Protocol (MLPPP), which is the default encapsulation
ATM2 IQ MLPPP over AAL5 LLC
Frame Relay PPP

For general information on encapsulation, see the Junos OS Network Interfaces Configuration Guide. You can also configure physical interface encapsulation on voice services interfaces. To configure voice services encapsulation, include the encapsulation statement:
encapsulation type;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For voice services interfaces, the valid values for the type variable are atm-mlppp-llc, frame-relay-ppp or multilink-ppp. You must also configure the physical interface with the corresponding encapsulation type, either Frame Relay or PPP. LSQ interfaces are supported by the following physical interface types: ATM2 IQ, DS3, E1, E3, OC3, OC12, STM1, and T1, including the channelized versions of these interfaces. For examples, see Examples: Configuring Voice Services on page 526.

NOTE: The only protocol type supported with frame-relay-ppp encapsulation is family mlppp.

Configuring Network Interfaces for Voice Services


To complete a voice services interface configuration, you need to configure the physical network interface with either MLPPP encapsulation and a voice services bundle or PPP encapsulation and a compression interface, as described in the following sections:

Configuring Voice Services Bundles with MLPPP Encapsulation on page 526
Configuring the Compression Interface with PPP Encapsulation on page 526


Configuring Voice Services Bundles with MLPPP Encapsulation


For voice services interfaces, you configure the link bundle as a channel. The physical interface is usually connected to networks capable of supporting MLPPP; the interface types supported for voice traffic are T1, E1, T3, E3, OC3, OC12, and STM1, including channelized versions of these interfaces.

NOTE: For M Series routers and T Series routers, the following caveats apply:

Maximum supported throughput on the bundle interfaces is 45 Mbps.
Bundling of the logical interfaces under a T3 physical interface into the same or different bundles is not supported.

To configure a physical interface link for MLPPP, include the following statement:
bundle interface-name;

You can configure this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number family mlppp]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family mlppp]

When you configure family mlppp, no other protocol configuration is allowed. For more information on link bundles, see Configuring the Links in a Multilink or Link Services Bundle on page 1236.

Configuring the Compression Interface with PPP Encapsulation


To configure the physical interface for PPP encapsulation, you also need to specify the services interface to be used for voice compression: a Link Services IQ (lsq-) interface. To configure the compression interface, include the compression-device statement:
compression-device interface-name;

You can configure this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Here interface-name is the PPP-encapsulated network interface (for example, the Frame Relay T1 in the second example that follows), not the lsq- interface named by compression-device.

Examples: Configuring Voice Services


Configure voice services using a T1 physical interface and MLPPP bundle encapsulation:
[edit interfaces]
t1-0/2/0:1 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle lsq-1/3/0.1;
        }
    }
}
lsq-1/3/0 {
    unit 1 {
        encapsulation multilink-ppp;
        family inet {
            address 10.5.5.2/30;
        }
        compression {
            rtp {
                f-max-period 100;
                queues [ q1 q2 ];
                port {
                    minimum 16384;
                    maximum 32767;
                }
            }
        }
        fragment-threshold 128;
    }
}

Configure voice services using Frame Relay encapsulation without bundling:


[edit interfaces]
t1-1/0/0 {
    encapsulation frame-relay;
    unit 0 {
        dlci 100;
        encapsulation frame-relay-ppp;
        compression-device lsq-2/0/0.0;
    }
}
lsq-2/0/0 {
    unit 0 {
        compression {
            rtp {
                f-max-period 100;
                queues [ q1 q2 ];
                port {
                    minimum 16000;
                    maximum 32000;
                }
            }
        }
        family inet {
            address 10.1.1.1/32;
        }
    }
}


Configure voice services using an ATM2 physical interface (the corresponding class-of-service configuration is provided for illustration):
[edit interfaces]
at-1/2/0 {
    atm-options {
        vpi 0;
        pic-type atm2;  # only ATM2 PICs are supported
    }
    unit 0 {
        vci 0.69;
        encapsulation atm-mlppp-llc;
        family mlppp {
            bundle lsq-1/3/0.10;
        }
    }
    unit 1 {
        vci 0.42;
        encapsulation atm-mlppp-llc;
        family mlppp {
            bundle lsq-1/3/0.11;
        }
    }
}
lsq-1/3/0 {
    unit 10 {
        encapsulation multilink-ppp;
        # Large packets need to be fragmented.
        # Fragmentation can also be specified per forwarding class.
        fragment-threshold 320;
        compression {
            rtp {
                port minimum 2000 maximum 64009;
            }
        }
    }
    unit 11 {
        encapsulation multilink-ppp;
        fragment-threshold 160;
    }
}
[edit class-of-service]
scheduler-maps {
    sched {
        # Scheduling parameters apply to bundles on the AS or Multiservices PIC.
        # Unlike DS3/SONET interfaces, there is no need to create
        # a separate scheduler map for the ATM PIC. ATM defines
        # CoS constructs under the [edit interfaces at-fpc/pic/port] hierarchy.
        ...
    }
}
fragmentation-maps {
    fragmap {
        forwarding-class {
            ef {
                # In this example, voice is carried in the ef queue.
                # It is interleaved with bulk data.
                # Alternatively, you could use multiclass MLPPP to
                # carry multiple classes of traffic in different
                # multilink classes.
                no-fragmentation;
            }
        }
    }
}
interfaces {
    # Assign fragmentation and scheduling parameters to the LSQ bundle units
    # configured above (units 10 and 11).
    lsq-1/3/0 {
        unit 10 {
            shaping-rate 512k;
            scheduler-map sched;
            fragmentation-map fragmap;
        }
        unit 11 {
            shaping-rate 128k;
            scheduler-map sched;
            fragmentation-map fragmap;
        }
    }
}


CHAPTER 23

Summary of Voice Services Configuration Statements


The following sections explain each of the voice services statements. The statements are organized alphabetically.

address

Syntax:
    address address {
        ...
    }
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number family family], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the interface address.
Options:
    address: Address of the interface.
Usage Guidelines: See Configuring the Logical Interface Address for the MLPPP Bundle on page 522; for a general discussion of address statement options, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


bundle

Syntax: bundle (lsq-fpc/pic/port | ... );
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number family mlppp]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: On a member link's logical interface, name the voice services (lsq) logical interface whose bundle the link is joining.
Options:
    lsq-fpc/pic/port: Name of the voice services interface you are linking to.
Usage Guidelines: See Configuring Voice Services Bundles with MLPPP Encapsulation on page 526.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

compression

Syntax:
    compression {
        rtp {
            f-max-period number;
            maximum-contexts number <force>;
            port {
                minimum port-number;
                maximum port-number;
            }
            queues [ queue-numbers ];
        }
    }
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the compression properties for voice services traffic. The remaining statements are described separately.
Usage Guidelines: See Configuring Compression of Voice Traffic on page 523.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


compression-device

Syntax: compression-device interface-name;
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced in Junos OS Release 7.5.
Description: Specify the compression interface for voice services traffic.
Usage Guidelines: See Configuring the Compression Interface with PPP Encapsulation on page 526.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

encapsulation

Syntax: encapsulation type;
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the logical link-layer encapsulation type.
Options:
    atm-mlppp-llc: For ATM2 IQ physical interfaces only, use Multilink Point-to-Point Protocol (MLPPP) over AAL5 LLC encapsulation.
    frame-relay-ppp: For Frame Relay circuits, use Frame Relay PPP encapsulation.
    multilink-ppp: By default, voice services logical interfaces use MLPPP encapsulation.
Usage Guidelines: See Configuring Encapsulation for Voice Services on page 525; for information about encapsulation statement options used with other interface types, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


f-max-period

Syntax: f-max-period number;
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number compression rtp], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number compression rtp]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the maximum number of compressed packets allowed between transmissions of a full header in a compressed Real-time Transport Protocol (RTP) traffic stream.
Options:
    number: Maximum number of packets. Default: 256.
Usage Guidelines: See Configuring Compression of Voice Traffic on page 523.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


family

Syntax:
    family (inet | mlppp | ...) {
        address address {
            ...
        }
        bundle interface-name;
    }
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure protocol family information for the logical interface.
Options:
    family: Protocol family:
        inet: IP version 4
        mlppp: MLPPP
    The remaining statements are explained separately.
Usage Guidelines: See Configuring Network Interfaces for Voice Services on page 525; for a general discussion of family statement options, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


fragment-threshold

Syntax: fragment-threshold bytes;
Hierarchy Level: [edit interfaces lsq-fpc/pic/port unit logical-unit-number], [edit logical-systems logical-system-name interfaces lsq-fpc/pic/port unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For voice services interfaces, set the fragmentation threshold, in bytes.
Options:
    bytes: Maximum size, in bytes, for multilink packet fragments. The value must be a multiple of 64 bytes. Range: 128 through 16,320 bytes. Default: 0 bytes (no fragmentation; 0 is itself a multiple of 64).
Usage Guidelines: See Configuring Delay-Sensitive Packet Interleaving on page 524.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

interfaces

Syntax:
    interfaces {
        ...
    }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure interfaces on the router.
Default: The management and internal Ethernet interfaces are automatically configured. You must configure all other interfaces.
Usage Guidelines: See the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


Chapter 23: Summary of Voice Services Configuration Statements

maximum-contexts

Syntax: maximum-contexts number <force>;

Hierarchy Level:
  [edit interfaces interface-name unit logical-unit-number compression rtp],
  [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number compression rtp]

Release Information: Statement introduced in Junos OS Release 7.5.

Description: Specify the maximum number of RTP contexts to accept during negotiation.

Options:
  number: Maximum number of contexts.
  force: (Optional) Requires the PIC to use the value specified for maximum RTP contexts, regardless of the negotiated value. This option allows the software to interoperate with Junos OS Releases that base the RTP context value on link speed.

Usage Guidelines: See Configuring Compression of Voice Traffic on page 523.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

port

Syntax:
  port {
    minimum port-number;
    maximum port-number;
  }

Hierarchy Level:
  [edit interfaces lsq-fpc/pic/port unit logical-unit-number compression rtp],
  [edit logical-systems logical-system-name interfaces lsq-fpc/pic/port unit logical-unit-number compression rtp]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: For voice services interfaces only, specify a range of User Datagram Protocol (UDP) destination port numbers in which RTP compression takes place.

Options:
  minimum port-number: Specify the minimum port number.
    Range: 0 through 65,535
  maximum port-number: Specify the maximum port number.
    Range: 0 through 65,535

Usage Guidelines: See Configuring Compression of Voice Traffic on page 523.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


queues

Syntax: queues [ queue-numbers ];

Hierarchy Level:
  [edit interfaces interface-name unit logical-unit-number compression rtp],
  [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number compression rtp]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: For voice services interfaces only, assign queue numbers on which RTP compression takes place.

Options:
  queue-numbers: Assign one or more of the following queues: q0, q1, q2, and q3.

Usage Guidelines: See Configuring Compression of Voice Traffic on page 523.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

rtp

Syntax:
  rtp {
    f-max-period number;
    maximum-contexts number <force>;
    port {
      minimum port-number;
      maximum port-number;
    }
    queues [ queue-numbers ];
  }

Hierarchy Level:
  [edit interfaces interface-name unit logical-unit-number compression],
  [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number compression]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Configure the RTP properties for voice services traffic. The remaining statements are described separately.

Usage Guidelines: See Configuring Compression of Voice Traffic on page 523.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


unit

Syntax:
  unit logical-unit-number {
    compression {
      rtp {
        f-max-period number;
        maximum-contexts number <force>;
        port {
          minimum port-number;
          maximum port-number;
        }
        queues [ queue-numbers ];
      }
    }
    compression-device interface-name;
    encapsulation type;
    family family {
      address address {
        ...
      }
      bundle (lsq-fpc/pic/port | ...);
    }
  }

Hierarchy Level: [edit interfaces interface-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Options:
  logical-unit-number: Number of the logical unit.
    Range: 0 through 16,384
  The remaining statements are explained separately.

Usage Guidelines: See Configuring Services Interfaces for Voice Services on page 522; for a general discussion of logical interface properties, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation: Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


CHAPTER 24

Class-of-Service Configuration Guidelines


To configure class of service (CoS) features on Adaptive Services (AS) and Multiservices PICs, include the cos statement at the [edit services] hierarchy level:

cos {
  application-profile profile-name {
    ftp {
      data {
        dscp (alias | bits);
        forwarding-class class-name;
      }
    }
    sip {
      video {
        dscp (alias | bits);
        forwarding-class class-name;
      }
      voice {
        dscp (alias | bits);
        forwarding-class class-name;
      }
    }
  }
  rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
      from {
        application-sets set-name;
        applications [ application-names ];
        destination-address address;
        destination-prefix-list list-name <except>;
        source-address address;
        source-prefix-list list-name <except>;
      }
      then {
        application-profile profile-name;
        dscp (alias | bits);
        forwarding-class class-name;
        syslog;
        (reflexive | reverse) {
          application-profile profile-name;
          dscp (alias | bits);
          forwarding-class class-name;
          syslog;
        }
      }
    }
  }
  rule-set rule-set-name {
    [ rule rule-names ];
  }
}

NOTE: CoS behavior aggregate (BA) classification is not supported on services interfaces.

This chapter contains the following sections:

• Restrictions and Cautions for CoS Configuration on Services Interfaces on page 542
• Configuring CoS Rules on page 543
• Configuring CoS Rule Sets on page 548
• Examples: Configuring CoS on Services Interfaces on page 548

Restrictions and Cautions for CoS Configuration on Services Interfaces

The following restrictions and cautions apply to CoS configuration on services interfaces:

• The adaptive services interface does not support scheduling, only DiffServ marking and queue assignment. You must configure scheduling at the [edit class-of-service] hierarchy level on the output interface or fabric.

• In the default configuration, queues 1 and 2 receive 0 percent bandwidth. If packets will be assigned to these queues, you must configure a scheduling map.

• You must issue a commit full command before using custom forwarding-class names in the configuration.

• Only the Junos standard DiffServ names can be used in the configuration. Custom names are not recognized.

• On M Series routers, you can configure rewrite rules that change packet headers and attach the rules to output interfaces. These rules might overwrite the DSCP marking configured on an AS or MultiServices PIC. It is important to keep this adverse effect in mind and use care when creating system-wide configurations. For example, knowing that the AS or MultiServices PIC can mark packets with any ToS or DSCP value and the output interface is restricted to only eight DSCP values, rewrite rules on the output interface condense the mapping from 64 to 8 values with overall loss of granularity. In this case, you have the following options:

  • Remove the rewrite rules from the output interface.
  • Configure the output interface to include the most important mappings.


Configuring CoS Rules

To configure a CoS rule, include the rule rule-name statement at the [edit services cos] hierarchy level:

[edit services cos]
rule rule-name {
  match-direction (input | output | input-output);
  term term-name {
    from {
      application-sets set-name;
      applications [ application-names ];
      destination-address address;
      destination-prefix-list list-name <except>;
      source-address address;
      source-prefix-list list-name <except>;
    }
    then {
      application-profile profile-name;
      dscp (alias | bits);
      forwarding-class class-name;
      syslog;
      (reflexive | reverse) {
        application-profile profile-name;
        dscp (alias | bits);
        forwarding-class class-name;
        syslog;
      }
    }
  }
}

Each CoS rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

• from statement: Specifies the match conditions and applications that are included and excluded.

• then statement: Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of CoS rules:

• Configuring Match Direction for CoS Rules on page 543
• Configuring Match Conditions In CoS Rules on page 544
• Configuring Actions in CoS Rules on page 545
• Example: Configuring CoS Rules on page 547

Configuring Match Direction for CoS Rules


Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services cos rule rule-name] hierarchy level:

match-direction (input | output | input-output);

If you configure match-direction input-output, bidirectional rule creation is allowed.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the AS or Multiservices PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.

Configuring Match Conditions In CoS Rules


To configure CoS match conditions, include the from statement at the [edit services cos rule rule-name term term-name] hierarchy level:

from {
  application-sets set-name;
  applications [ application-names ];
  destination-address address;
  destination-prefix-list list-name <except>;
  source-address address;
  source-prefix-list list-name <except>;
}

The source address and destination address can be either IPv4 or IPv6. You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos OS Routing Policy Configuration Guide. Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the CoS rule. For an example, see Examples: Configuring Stateful Firewall Rules on page 118. If you omit the from term, the router accepts all traffic and the default protocol handlers take effect:

• User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
• IP creates a unidirectional flow.


You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Protocol Properties on page 72.

To apply one or more specific application protocol definitions, include the applications statement at the [edit services cos rule rule-name term term-name from] hierarchy level. To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services cos rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

Configuring Actions in CoS Rules


To configure CoS actions, include the then statement at the [edit services cos rule rule-name term term-name] hierarchy level:

[edit services cos rule rule-name term term-name]
then {
  application-profile profile-name;
  dscp (alias | bits);
  forwarding-class class-name;
  syslog;
  (reflexive | reverse) {
    application-profile profile-name;
    dscp (alias | bits);
    forwarding-class class-name;
    syslog;
  }
}

The principal CoS actions are as follows:

• dscp: Causes the packet to be marked with the specified DiffServ code point (DSCP) value or alias.

• forwarding-class: Causes the packet to be assigned to the specified forwarding class.

For detailed information about DSCP values and forwarding classes, see Examples: Configuring CoS on Services Interfaces on page 548 or the Junos OS Class of Service Configuration Guide. You can optionally set the configuration to record information in the system logging facility by including the syslog statement at the [edit services cos rule rule-name term term-name then] hierarchy level. This statement overrides any syslog setting included in the service set or interface default configuration.


For information about some additional CoS actions, see the following sections:

• Configuring Application Profiles for Use as CoS Rule Actions on page 546
• Configuring Reflexive and Reverse CoS Rule Actions on page 546

Configuring Application Profiles for Use as CoS Rule Actions


You can optionally define one or more application profiles for inclusion in CoS actions. To configure application profiles, include the application-profile statement at the [edit services cos] hierarchy level:

[edit services cos]
application-profile profile-name {
  ftp {
    data {
      dscp (alias | bits);
      forwarding-class class-name;
    }
  }
  sip {
    video {
      dscp (alias | bits);
      forwarding-class class-name;
    }
    voice {
      dscp (alias | bits);
      forwarding-class class-name;
    }
  }
}

The application-profile statement includes two main components and three traffic types: ftp with the data traffic type and sip with the video and voice traffic types. You can set the appropriate dscp and forwarding-class values for each component within the application profile.

NOTE: The ftp and sip statements are not supported on Juniper Networks MX Series 3D Universal Edge Routers.

You can apply the application profile to a CoS configuration by including it at the [edit services cos rule rule-name term term-name then] hierarchy level.

Configuring Reflexive and Reverse CoS Rule Actions


CoS services are unidirectional. It might be necessary to specify different treatments for flows in opposite directions. Regardless of whether a packet matches the input, output or input-output direction, flows in both directions are created. A forward, reverse, or forward-and-reverse CoS action is associated with each flow. Bear in mind that the flow in the opposite direction might end up having a CoS action associated with it that you have not specifically configured.


To control the direction in which service is applied, as distinct from the direction in which the rule match is applied, you can configure the (reflexive | reverse) statement at the [edit services cos rule rule-name term term-name then] hierarchy level:

[edit services cos rule rule-name term term-name then]
(reflexive | reverse) {
  application-profile profile-name;
  dscp (alias | bits);
  forwarding-class class-name;
  syslog;
}

The two actions are mutually exclusive:

• reflexive causes the equivalent opposing CoS action to be applied to flows in the opposite direction.

• reverse allows you to define the CoS behavior for flows in the reverse direction.

If you omit the statement, data flows inherit the CoS behavior of the forward control flow.

Example: Configuring CoS Rules

The following example shows a CoS configuration containing two rules, one for input matching on a specified application set and the other for output matching on a specified source address:

[edit services]
cos {
  rule my-cos-rule {
    match-direction input-output;
    term term1 {
      from {
        source-address 10.1.3.2/32;
        applications sip;
      }
      then {
        dscp ef;
        syslog;
      }
    }
    term term2 {
      from {
        destination-address 10.2.3.2;
        applications http;
      }
      then {
        dscp af21;
      }
    }
  }
}


Configuring CoS Rule Sets


The rule-set statement defines a collection of CoS rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then you specify the order of the rules by including the rule-set statement at the [edit services cos] hierarchy level with a rule statement for each rule:

rule-set rule-set-name {
  rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.
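The following Python model, added here as an example and not part of Junos or this guide, walks through the rule-set processing just described together with the match-direction and reflexive/reverse semantics from the earlier sections: rules are tried in configured order, only rules whose direction covers the packet direction are considered, the first matching term's actions win, and a packet matching no rule is dropped. It reuses the my-cos-rule example from this chapter plus a constructed output-only rule; the Rule, Term and evaluate names are assumptions, and the reverse-flow handling is a simplification.

```python
"""Model of CoS rule-set evaluation (added example, not Junos code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Term:
    name: str
    source_address: Optional[str] = None       # IPv4/IPv6 prefix, e.g. "10.1.3.2/32"
    destination_address: Optional[str] = None
    applications: tuple = ()                   # application names from [edit applications]
    then: dict = field(default_factory=dict)   # forward actions: dscp, forwarding-class, syslog
    reflexive: bool = False                    # mirror the forward actions onto the reverse flow
    reverse: Optional[dict] = None             # explicitly defined actions for the reverse flow

    def matches(self, pkt: dict) -> bool:
        # An omitted match condition accepts all traffic; an address of the other
        # IP version never matches a prefix (ipaddress returns False in that case).
        if self.source_address and ip_address(pkt["src"]) not in ip_network(self.source_address, strict=False):
            return False
        if self.destination_address and ip_address(pkt["dst"]) not in ip_network(self.destination_address, strict=False):
            return False
        if self.applications and pkt["application"] not in self.applications:
            return False
        return True


@dataclass
class Rule:
    name: str
    match_direction: str    # "input", "output" or "input-output"
    terms: list

    def applies_to(self, direction: str) -> bool:
        return self.match_direction in (direction, "input-output")


def evaluate(rule_set: list, pkt: dict) -> Optional[dict]:
    """Return the matched rule/term and the actions for the forward and reverse
    flows, or None when no rule matches (the packet is dropped by default)."""
    for rule in rule_set:
        if not rule.applies_to(pkt["direction"]):
            continue                                  # direction mismatch: rule not considered
        for term in rule.terms:
            if term.matches(pkt):
                if term.reverse is not None:
                    reverse = dict(term.reverse)      # 'reverse': separately defined actions
                elif term.reflexive:
                    reverse = dict(term.then)         # 'reflexive': same actions, opposite flow
                else:
                    reverse = None                    # nothing configured for the reverse flow
                return {"rule": rule.name, "term": term.name,
                        "forward": dict(term.then), "reverse": reverse}
    return None                                       # first match stops processing; none: drop


def example_rule_set() -> list:
    """The my-cos-rule example from this chapter, followed by a constructed
    output-only rule that marks everything else it sees as network control."""
    my_cos_rule = Rule("my-cos-rule", "input-output", [
        Term("term1", source_address="10.1.3.2/32", applications=("sip",),
             then={"dscp": "ef", "syslog": True}),
        Term("term2", destination_address="10.2.3.2", applications=("http",),
             then={"dscp": "af21"}),
    ])
    nc_out = Rule("nc-out", "output", [               # constructed for this example
        Term("all", then={"forwarding-class": "nc"}, reflexive=True),
    ])
    return [my_cos_rule, nc_out]


if __name__ == "__main__":
    rs = example_rule_set()
    for pkt in (
        {"direction": "input", "src": "10.1.3.2", "dst": "198.51.100.7", "application": "sip"},
        {"direction": "input", "src": "10.1.3.2", "dst": "198.51.100.7", "application": "http"},
        {"direction": "output", "src": "10.1.3.2", "dst": "198.51.100.7", "application": "http"},
    ):
        print(pkt["direction"], pkt["application"], "->", evaluate(rs, pkt) or "dropped")
```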

Examples: Configuring CoS on Services Interfaces


To make settings consistent across Juniper Networks routers, you configure many CoS settings at the [edit class-of-service] hierarchy level to be used on services interfaces. When you commit this configuration along with what you configure at the [edit services cos] hierarchy level, these properties are applied to the AS or MultiServices PIC. The following configuration examples at the [edit class-of-service] hierarchy level can be applied on services interfaces. For more information, see the Junos OS Class of Service Configuration Guide.

NOTE: The first two configurations, mapping forwarding-class name to forwarding-class ID and mapping forwarding-class name to queue number, are mutually exclusive.

Mapping Forwarding-Class Name to Forwarding-Class ID

Map forwarding-class names to forwarding-class IDs:

[edit class-of-service]
forwarding-classes {
  forwarding-class fc0 0;
  forwarding-class fc1 0;
  forwarding-class fc2 1;
  forwarding-class fc3 1;
  forwarding-class fc4 2;
  forwarding-class fc5 2;
  forwarding-class fc6 3;
  forwarding-class fc7 3;
  forwarding-class fc8 4;
  forwarding-class fc9 4;
  forwarding-class fc10 5;
  forwarding-class fc11 5;
  forwarding-class fc12 6;
  forwarding-class fc13 6;
  forwarding-class fc14 7;
  forwarding-class fc15 7;
}

Mapping Forwarding-Class Name to Queue Number

Map forwarding-class names to queue numbers:

[edit class-of-service]
forwarding-classes {
  queue 0 be;
  queue 1 ef;
  queue 2 af;
  queue 3 nc;
  queue 4 ef1;
  queue 5 ef2;
  queue 6 af1;
  queue 7 nc1;
}

Mapping Diffserv Code Point Aliases to DSCP Bits

Map alias names to DSCP bit values. The aliases then can be used instead of the DSCP bits in adaptive services configurations.

[edit class-of-service]
code-point-aliases {
  (dscp | dscp-ipv6 | exp | ieee-802.1 | inet-precedence) {
    alias bits;
  }
}

Here is an example:

code-point-aliases {
  dscp {
    my1 110001;
    my2 101110;
    be 000001;
    cs7 110000;
  }
}
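As an added example (not Junos code or part of this guide), the following Python resolves the dscp values a CoS rule action may carry against the code-point-aliases example above, reports standard aliases the configuration redefines (the example remaps be and cs7), and applies the caution from Restrictions and Cautions: forwarding classes mapped to queues 1 and 2 get no bandwidth unless a scheduler map is configured. The default alias table is the RFC 2474/2597/3246 code points, assumed here to be the Junos defaults; the function names are constructed.

```python
"""DSCP alias resolution and zero-bandwidth-queue check (added example, not Junos code)."""
import re

# Standard DSCP aliases (RFC 2474 CS, RFC 2597 AF, RFC 3246 EF); assumed to be the Junos defaults.
DEFAULT_DSCP_ALIASES = {
    "be": "000000", "ef": "101110",
    "af11": "001010", "af12": "001100", "af13": "001110",
    "af21": "010010", "af22": "010100", "af23": "010110",
    "af31": "011010", "af32": "011100", "af33": "011110",
    "af41": "100010", "af42": "100100", "af43": "100110",
    "cs1": "001000", "cs2": "010000", "cs3": "011000", "cs4": "100000",
    "cs5": "101000", "cs6": "110000", "cs7": "111000",
    "nc1": "110000", "nc2": "111000",
}

# Queues that receive 0 percent bandwidth in the default configuration.
ZERO_BANDWIDTH_QUEUES = {1, 2}


def parse_dscp_aliases(config: str) -> dict:
    """Return {alias: bits} from a `code-point-aliases { dscp { alias bits; } }` block."""
    m = re.search(r"dscp\s*\{([^}]*)\}", config)
    if not m:
        return {}
    return {name: bits for name, bits in re.findall(r"(\S+)\s+([01]{6})\s*;", m.group(1))}


def effective_aliases(config: str) -> dict:
    """Defaults with the configured aliases applied on top (configured names win)."""
    return {**DEFAULT_DSCP_ALIASES, **parse_dscp_aliases(config)}


def redefined_standard_aliases(config: str) -> dict:
    """Standard names the configuration maps to a different value: {alias: (default, configured)}."""
    return {a: (DEFAULT_DSCP_ALIASES[a], b) for a, b in parse_dscp_aliases(config).items()
            if a in DEFAULT_DSCP_ALIASES and DEFAULT_DSCP_ALIASES[a] != b}


def resolve_dscp(value: str, aliases: dict) -> str:
    """Six-bit DSCP string for a `dscp (alias | bits)` value; an unknown alias is an error."""
    if re.fullmatch(r"[01]{6}", value):
        return value
    if value in aliases:
        return aliases[value]
    raise ValueError(f"unknown DSCP alias {value!r}")


def parse_queue_mapping(config: str) -> dict:
    """{forwarding-class name: queue number} from `forwarding-classes { queue N name; }`."""
    return {name: int(q) for q, name in re.findall(r"queue\s+(\d+)\s+(\S+)\s*;", config)}


def starved_classes(assigned: list, fc_to_queue: dict, scheduler_map_configured: bool) -> list:
    """Forwarding classes used in rule actions that land on a zero-bandwidth queue."""
    if scheduler_map_configured:
        return []
    return sorted({fc for fc in assigned if fc_to_queue.get(fc) in ZERO_BANDWIDTH_QUEUES})


# Constructed inputs: the code-point-aliases example and the queue mapping from this chapter.
ALIAS_CONFIG = """
code-point-aliases {
    dscp {
        my1 110001;
        my2 101110;
        be 000001;
        cs7 110000;
    }
}
"""
QUEUE_CONFIG = """
forwarding-classes {
    queue 0 be; queue 1 ef; queue 2 af; queue 3 nc;
    queue 4 ef1; queue 5 ef2; queue 6 af1; queue 7 nc1;
}
"""

if __name__ == "__main__":
    aliases = effective_aliases(ALIAS_CONFIG)
    for v in ("my1", "my2", "ef", "be", "010010"):
        print(f"dscp {v} -> {resolve_dscp(v, aliases)}")
    print("redefined standard aliases:", redefined_standard_aliases(ALIAS_CONFIG))
    print("starved classes:", starved_classes(["ef", "af", "nc"], parse_queue_mapping(QUEUE_CONFIG), False))
```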


CHAPTER 25

Summary of Class-of-Service Configuration Statements


The following sections explain each of the class-of-service (CoS) statements. The statements are organized alphabetically.


application-profile

Syntax:
  application-profile profile-name {
    ftp {
      data {
        dscp (alias | bits);
        forwarding-class class-name;
      }
    }
    sip {
      video {
        dscp (alias | bits);
        forwarding-class class-name;
      }
      voice {
        dscp (alias | bits);
        forwarding-class class-name;
      }
    }
  }

Hierarchy Level:
  [edit services cos],
  [edit services cos rule rule-name term term-name then],
  [edit services cos rule rule-name term term-name then (reflexive | reverse)]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Define or apply a CoS application profile. When you apply a CoS application profile in a CoS rule, terminate the profile name with a semicolon (;).

Options:
  profile-name: Identifier for the application profile.
  The remaining statements are explained separately.

Usage Guidelines: See Configuring Application Profiles for Use as CoS Rule Actions on page 546.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


application-sets

Syntax: application-sets set-name;

Hierarchy Level: [edit services cos rule rule-name term term-name from]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Define one or more target application sets.

Options:
  set-name: Name of the target application set.

Usage Guidelines: See Configuring Match Conditions In CoS Rules on page 544.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

applications

Syntax: applications [ application-name ];

Hierarchy Level: [edit services cos rule rule-name term term-name from]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Define one or more applications to which the CoS services apply.

Options:
  application-name: Name of the target application.

Usage Guidelines: See Configuring Match Conditions In CoS Rules on page 544.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


data

Syntax:
  data {
    dscp (alias | bits);
    forwarding-class class-name;
  }

Hierarchy Level: [edit services cos application-profile profile-name ftp]

Release Information: Statement introduced in Junos OS Release 9.3.

Description: Set the appropriate dscp and forwarding-class value for FTP data.

Default: By default, the system will not alter the DSCP or forwarding class for FTP data traffic.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation:
  Configuring Application Profiles
  video on page 564
  voice on page 565

destination-address

Syntax: destination-address (address | any-unicast) <except>;

Hierarchy Level: [edit services cos rule rule-name term term-name from]

Release Information: Statement introduced in Junos OS Release 8.1. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description: Specify the destination address for rule matching.

Options:
  address: Destination IPv4 or IPv6 address or prefix value.

Usage Guidelines: See Configuring Match Conditions In CoS Rules on page 544.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


destination-prefix-list

Syntax: destination-prefix-list list-name <except>;

Hierarchy Level: [edit services cos rule rule-name term term-name from]

Release Information: Statement introduced in Junos OS Release 8.2.

Description: Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options:
  list-name: Destination prefix list.
  except: (Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines: See Configuring Match Conditions In CoS Rules on page 544.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation: Junos OS Routing Policy Configuration Guide

dscp

Syntax: dscp (alias | bits);

Hierarchy Level:
  [edit services cos application-profile profile-name ftp data],
  [edit services cos application-profile profile-name sip (video | voice)],
  [edit services cos rule rule-name term term-name then],
  [edit services cos rule rule-name term term-name then (reflexive | reverse)]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Define the Differentiated Services code point (DSCP) mapping that is applied to the packets.

Options:
  alias: Name assigned to a set of CoS markers.
  bits: Mapping value in the packet header.

Usage Guidelines: See Configuring Actions in CoS Rules on page 545.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


forwarding-class

Syntax: forwarding-class class-name;

Hierarchy Level:
  [edit services cos application-profile profile-name ftp data],
  [edit services cos application-profile profile-name sip (video | voice)],
  [edit services cos rule rule-name term term-name then],
  [edit services cos rule rule-name term term-name then (reflexive | reverse)]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Define the forwarding class to which packets are assigned.

Options:
  class-name: Name of the forwarding class.

Usage Guidelines: See Configuring Actions in CoS Rules on page 545.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

from

Syntax:
  from {
    application-sets set-name;
    applications [ application-names ];
    destination-address address;
    destination-prefix-list list-name <except>;
    source-address address;
    source-prefix-list list-name <except>;
  }

Hierarchy Level: [edit services cos rule rule-name term term-name]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Specify input conditions for a CoS term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options: The remaining statements are explained separately.

Usage Guidelines: See Configuring CoS Rules on page 543.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


ftp

Syntax:
  ftp {
    data {
      dscp (alias | bits);
      forwarding-class class-name;
    }
  }

Hierarchy Level: [edit services cos application-profile profile-name]

Release Information: Statement introduced in Junos OS Release 9.3.

Description: Set the appropriate dscp and forwarding-class value for FTP.

Default: By default, the system does not alter the DSCP or forwarding class for FTP traffic.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation:
  Configuring Application Profiles
  sip on page 561

match-direction

Syntax: match-direction (input | output | input-output);

Hierarchy Level: [edit services cos rule rule-name]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Specify the direction in which the rule match is applied.

Options:
  input: Apply the rule match on the input side of the interface.
  output: Apply the rule match on the output side of the interface.
  input-output: Apply the rule match bidirectionally.

Usage Guidelines: See Configuring CoS Rules on page 543.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


(reflexive | reverse)

Syntax:
  (reflexive | reverse) {
    application-profile profile-name;
    dscp (alias | bits);
    forwarding-class class-name;
    syslog;
  }

Hierarchy Level: [edit services cos rule rule-name term term-name then]

Release Information: Statement introduced in Junos OS Release 8.1.

Description:
  reflexive: Applies the equivalent opposing CoS action to flows in the opposite direction.
  reverse: Allows you to define CoS behavior for flows in the reverse direction.
  The remaining statements are explained separately.

Usage Guidelines: See Configuring Reflexive and Reverse CoS Rule Actions on page 546.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


rule

Syntax:
  rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
      from {
        application-sets set-name;
        applications [ application-names ];
        destination-address address;
        destination-prefix-list list-name <except>;
        source-address address;
        source-prefix-list list-name <except>;
      }
      then {
        application-profile profile-name;
        dscp (alias | bits);
        forwarding-class class-name;
        syslog;
        (reflexive | reverse) {
          application-profile profile-name;
          dscp (alias | bits);
          forwarding-class class-name;
          syslog;
        }
      }
    }
  }

Hierarchy Level:
  [edit services cos],
  [edit services cos rule-set rule-set-name]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Specify the rule the router uses when applying this service.

Options:
  rule-name: Identifier for the collection of terms that constitute this rule.
  The remaining statements are explained separately.

Usage Guidelines: See Configuring CoS Rules on page 543.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


rule-set

Syntax:
  rule-set rule-set-name {
    [ rule rule-name ];
  }

Hierarchy Level: [edit services cos]

Release Information: Statement introduced in Junos OS Release 8.1.

Description: Specify the rule set the router uses when applying this service.

Options:
  rule-set-name: Identifier for the collection of rules that constitute this rule set.

Usage Guidelines: See Configuring CoS Rule Sets on page 548.

Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

services

Syntax
  services cos { ... }

Hierarchy Level
  [edit]

Release Information
  Statement introduced in Junos OS Release 8.1.

Description
  Define the service rules to be applied to traffic.

Options
  cos: Identifier for the class-of-service set of rules statements.

Usage Guidelines
  See Class-of-Service Properties.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


sip

Syntax
  sip {
    video {
      dscp (alias | bits);
      forwarding-class class-name;
    }
    voice {
      dscp (alias | bits);
      forwarding-class class-name;
    }
  }

Hierarchy Level
  [edit services cos application-profile profile-name]

Release Information
  Statement introduced in Junos OS Release 9.3.

Description
  Set the appropriate dscp and forwarding-class value for SIP traffic.

Default
  By default, the system will not alter the DSCP or forwarding class for SIP traffic.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Profiles
  ftp on page 557

source-address

Syntax
  source-address address;

Hierarchy Level
  [edit services cos rule rule-name term term-name from]

Release Information
  Statement introduced in Junos OS Release 8.1. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
  Source address for rule matching.

Options
  address: Source IPv4 or IPv6 address or prefix value.

Usage Guidelines
  See Configuring Match Conditions In CoS Rules on page 544.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


source-prefix-list

Syntax
  source-prefix-list list-name <except>;

Hierarchy Level
  [edit services cos rule rule-name term term-name from]

Release Information
  Statement introduced in Junos OS Release 8.2.

Description
  Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
  list-name: Source prefix list.
  except: (Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines
  See Configuring CoS Rules on page 543.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Junos OS Routing Policy Configuration Guide

syslog

Syntax
  syslog;

Hierarchy Level
  [edit services cos rule rule-name term term-name then],
  [edit services cos rule rule-name term term-name then (reflexive | reverse)]

Release Information
  Statement introduced in Junos OS Release 8.1.

Description
  Enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.

Usage Guidelines
  See Configuring Actions in CoS Rules on page 545.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


term

Syntax
  term term-name {
    from {
      application-sets set-name;
      applications [ application-names ];
      destination-address address;
      destination-prefix-list list-name <except>;
      source-address address;
      source-prefix-list list-name <except>;
    }
    then {
      application-profile profile-name;
      dscp (alias | bits);
      forwarding-class class-name;
      syslog;
      (reflexive | reverse) {
        application-profile profile-name;
        dscp (alias | bits);
        forwarding-class class-name;
        syslog;
      }
    }
  }

Hierarchy Level
  [edit services cos rule rule-name]

Release Information
  Statement introduced in Junos OS Release 8.1.

Description
  Define the CoS term properties.

Options
  term-name: Identifier for the term.
  The remaining statements are explained separately.

Usage Guidelines
  See Configuring CoS Rules on page 543.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


then

Syntax
  then {
    application-profile profile-name;
    dscp (alias | bits);
    forwarding-class class-name;
    syslog;
    (reflexive | reverse) {
      application-profile profile-name;
      dscp (alias | bits);
      forwarding-class class-name;
      syslog;
    }
  }

Hierarchy Level
  [edit services cos rule rule-name term term-name]

Release Information
  Statement introduced in Junos OS Release 8.1.

Description
  Define the CoS term actions. The remaining statements are explained separately.

Usage Guidelines
  See Configuring Actions in CoS Rules on page 545.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Junos OS Routing Policy Configuration Guide

video

Syntax
  video {
    dscp (alias | bits);
    forwarding-class class-name;
  }

Hierarchy Level
  [edit services cos application-profile profile-name sip]

Release Information
  Statement introduced in Junos OS Release 9.3.

Description
  Set the appropriate dscp and forwarding-class values for SIP video traffic.

Default
  By default, the system will not alter the DSCP or forwarding class for SIP video traffic.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Profiles
  voice on page 565


voice

Syntax
  voice {
    dscp (alias | bits);
    forwarding-class class-name;
  }

Hierarchy Level
  [edit services cos application-profile profile-name sip]

Release Information
  Statement introduced in Junos OS Release 9.3.

Description
  Set the appropriate dscp and forwarding-class values for SIP voice traffic.

Default
  By default, the system will not alter the DSCP or forwarding class for SIP voice traffic.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Profiles
  video on page 564


CHAPTER 26

Service Set Configuration Guidelines


A service set is a collection of services to be performed by an Adaptive Services (AS) or Multiservices PIC. To configure service sets, include the following statements at the [edit services] hierarchy level:

  [edit services]
  service-set service-set-name {
    (ids-rules rule-names | ids-rule-sets rule-set-name);
    (ipsec-vpn-rules rule-names | ipsec-vpn-rule-sets rule-set-name);
    (nat-rules rule-names | nat-rule-sets rule-set-name);
    (pgcp-rules rule-names | pgcp-rule-sets rule-set-name);
    (ptsp-rules rule-names | ptsp-rule-sets rule-set-name);
    (stateful-firewall-rules rule-names | stateful-firewall-rule-sets rule-set-name);
    allow-multicast;
    extension-service service-name {
      provider-specific rules;
    }
    interface-service {
      service-interface interface-name;
    }
    ipsec-vpn-options {
      anti-replay-window-size bits;
      clear-dont-fragment-bit;
      ike-access-profile profile-name;
      local-gateway address;
      no-anti-replay;
      passive-mode-tunneling;
      trusted-ca [ ca-profile-names ];
      tunnel-mtu bytes;
    }
    max-flows number;
    next-hop-service {
      inside-service-interface interface-name.unit-number;
      outside-service-interface interface-name.unit-number;
      service-interface-pool name;
    }
    syslog {
      host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
      }
    }
  }
  adaptive-services-pics {
    traceoptions {
      file filename <files number> <match regex> <size size> <(world-readable | no-world-readable)>;
      flag flag;
    }
  }
  logging {
    traceoptions {
      file filename <files number> <match regex> <size size> <(world-readable | no-world-readable)>;
      flag flag;
    }
  }

This chapter contains the following sections:


- Configuring Service Sets to be Applied to Services Interfaces on page 568
- Configuring Service Rules on page 572
- Configuring IPsec Service Sets on page 573
- Configuring Service Set Limitations on page 578
- Configuring System Logging for Service Sets on page 578
- Enabling Services PICs to Accept Multicast Traffic on page 580
- Tracing Services PIC Operations on page 580
- Example: Configuring Service Sets on page 583

Configuring Service Sets to be Applied to Services Interfaces


You configure a services interface to specify the adaptive services interface on which the service is to be performed. Services interfaces are used with either of the service set types described in the following sections.

- Configuring Interface Service Sets on page 568
- Configuring Next-Hop Service Sets on page 570
- Determining Traffic Direction on page 571

Configuring Interface Service Sets


An interface service set is used as an action modifier across an entire interface. To configure the services interface, include the interface-service statement at the [edit services service-set service-set-name] hierarchy level:

  [edit services service-set service-set-name]
  interface-service {
    service-interface interface-name;
  }

Only the device name is needed, because the router software manages logical unit numbers automatically. The services interface must be an adaptive services interface for which you have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level.

When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the PIC. To associate a defined service set with an interface, include a service-set statement with the input or output statement at the [edit interfaces interface-name unit logical-unit-number family inet service] hierarchy level:

  [edit interfaces interface-name unit logical-unit-number family inet service]
  input {
    service-set service-set-name <service-filter filter-name>;
    post-service-filter filter-name;
  }
  output {
    service-set service-set-name <service-filter filter-name>;
  }

If a packet is entering the interface, the match direction is input. If a packet is leaving the interface, the match direction is output. The service set retains the input interface information even after services are applied, so that functions such as filter-class forwarding and destination class usage (DCU) that depend on input interface information continue to work. You configure the same service set on the input and output sides of the interface. You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, the router software assumes the match condition is true and selects the service set for processing automatically.

NOTE: If you configure service sets with filters, they must be configured on the input and output sides of the interface.

You can include more than one service set definition on each side of the interface. If you include multiple service sets, the router software evaluates them in the order in which they appear in the configuration. The system executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions. A maximum of six service sets can be applied to an interface. When you apply multiple service sets to an interface, you must also configure and apply a service filter to the interface. An additional statement allows you to specify a filter for processing the traffic after the input service set is executed. To configure this type of filter, include the post-service-filter statement at the [edit interfaces interface-name unit logical-unit-number family inet service input] hierarchy level:
post-service-filter filter-name;

For an example, see Example: Configuring Service Sets on page 583.


NOTE: When the MultiServices PIC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set is dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level. When this statement is configured, the affected packets are forwarded in the event of a MultiServices PIC failure or offlining, as though interface-style services were not configured. This issue applies only to Dynamic Application Awareness for Junos OS configurations using IDP service sets. This forwarding feature initially worked only with the Packet Forwarding Engine (PFE). Starting with Junos OS Release 11.3, the packet-forwarding feature is extended to packets generated by the Routing Engine for bypass service sets as well.

Configuring Next-Hop Service Sets


A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced by the creation of explicit static routes. This configuration is useful when services need to be applied to an entire virtual private network (VPN) routing and forwarding (VRF) table, or when routing decisions determine that services need to be performed. When a next-hop service is configured, the AS or Multiservices PIC is considered to be a two-legged module with one leg configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network). To configure the domain, include the service-domain statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:
service-domain (inside | outside);

The service-domain setting must match the configuration for the next-hop service inside and outside interfaces. To configure the inside and outside interfaces, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level. The interfaces you specify must be logical interfaces on the same AS PIC. You cannot configure unit 0 for this purpose, and the logical interface you choose must not be used by another service set.
  next-hop-service {
    inside-service-interface interface-name.unit-number;
    outside-service-interface interface-name.unit-number;
  }

Traffic on which the service is applied is forced to the inside interface using a static route. For example:
  routing-options {
    static {
      route 10.1.2.3 next-hop sp-1/1/0.1;
    }
  }


After the service is applied, traffic exits by way of the outside interface. A lookup is then performed in the Packet Forwarding Engine (PFE) to send the packet out of the AS or Multiservices PIC. The reverse traffic enters the outside interface, is serviced, and sent to the inside interface. The inside interface forwards the traffic out of the AS or Multiservices PIC.

Determining Traffic Direction


When you configure next-hop service sets, the AS PIC functions as a two-part interface, in which one part is the inside interface and the other part is the outside interface. The following sequence of actions takes place:

1. To associate the two parts with logical interfaces, you configure two logical interfaces with the service-domain statement, one with the inside value and one with the outside value, to mark them as either an inside or outside service interface.

2. The router forwards the traffic to be serviced to the inside interface, using the next-hop lookup table.

3. After the service is applied, the traffic exits from the outside interface. A route lookup is then performed on the packets to be sent out of the router.

4. When the reverse traffic returns on the outside interface, the applied service is undone; for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced packets then emerge on the inside interface, the router performs a route lookup, and the traffic exits the router.

A service rule's match direction, whether input, output, or input/output, is applied with respect to the traffic flow through the AS PIC, not through a specific inside or outside interface. When a packet is sent to an AS PIC, packet direction information is carried along with it. This is true for both interface style and next-hop style service sets.

Interface Style Service Sets


Packet direction is determined by whether a packet is entering or leaving any Packet Forwarding Engine interface (with respect to the forwarding plane) on which the interface-service statement is applied. This is similar to the input and output direction for stateless firewall filters. The match direction can also depend on the network topology. For example, you might route all the external traffic through one interface that is used to protect the other interfaces on the router, and configure various services on this interface specifically. Alternatively, you might use one interface for priority traffic and configure special services on it, but not care about protecting traffic on the other interfaces.

Next-Hop Style Service Sets


Packet direction is determined by the AS PIC interface used to route packets to the AS PIC. If you use the inside-interface statement to route traffic, then the packet direction is input. If you use the outside-interface statement to direct packets to the AS PIC, then the packet direction is output.


The interface to which you apply the service sets affects the match direction. For example, apply the following configuration:

  sp-1/1/0 unit 1 service-domain inside;
  sp-1/1/0 unit 2 service-domain outside;

If you configure match-direction input, you include the following statements:

  [edit]
  services service-set test1 next-hop-service inside-service-interface sp-1/1/0.1;
  services service-set test1 next-hop-service outside-service-interface sp-1/1/0.2;
  services ipsec-vpn rule test-ipsec-rule match-direction input;
  routing-options static route 10.0.0.0/24 next-hop sp-1/1/0.1;

If you configure match-direction output, you include the following statements:

  [edit]
  services service-set test2 next-hop-service inside-service-interface sp-1/1/0.1;
  services service-set test2 next-hop-service outside-service-interface sp-1/1/0.2;
  services ipsec-vpn rule test-ipsec-rule match-direction output;
  routing-options static route 10.0.0.0/24 next-hop sp-1/1/0.2;

The essential difference between the two configurations is the change in the match direction and in the static route's next hop, which points to either the AS PIC's inside or outside interface.

Configuring Service Rules


You specify the collection of rules and rule sets that constitute the service set. The router performs rule sets in the order in which they appear in the configuration. You can include only one rule set for each service type. You configure the rule names and content for each service type at the [edit services name] hierarchy level for each type:

- You configure intrusion detection service (IDS) rules at the [edit services ids] hierarchy level; for more information, see Configuring IDS Rules on page 291.
- You configure IP Security (IPsec) rules at the [edit services ipsec-vpn] hierarchy level; for more information, see IPsec Properties.
- You configure Network Address Translation (NAT) rules at the [edit services nat] hierarchy level; for more information, see Network Address Translation.
- You configure Packet Gateway Control Protocol (PGCP) rules at the [edit services pgcp] hierarchy level; for more information, see Border Gateway Function (BGF).
- You configure packet-triggered subscribers and policy control (PTSP) rules at the [edit services ptsp] hierarchy level; for more information, see PTSP for Subscriber Access.
- You configure softwire rules for DS-Lite or 6rd softwires at the [edit services softwire] hierarchy level; for more information, see Softwire Services for Juniper Service Framework (JSF).
- You configure stateful firewall rules at the [edit services stateful-firewall] hierarchy level; for more information, see Stateful Firewall.


To configure the rules and rule sets that constitute a service set, include the following statements at the [edit services service-set service-set-name] hierarchy level:

  ([ ids-rules rule-names ] | ids-rule-sets rule-set-name);
  ([ ipsec-vpn-rules rule-names ] | ipsec-vpn-rule-sets rule-set-name);
  ([ nat-rules rule-names ] | nat-rule-sets rule-set-name);
  ([ pgcp-rules rule-names ] | pgcp-rule-sets rule-set-name);
  ([ softwire-rules rule-names ] | softwire-rule-sets rule-set-name);
  ([ stateful-firewall-rules rule-names ] | stateful-firewall-rule-sets rule-set-name);

For each service type, you can include one or more individual rules, or one rule set. If you configure a service set with IPsec rules, it must not contain rules for any other services. You can, however, configure another service set containing rules for the other services and apply both service sets to the same interface.

NOTE: You can also include Dynamic Application Awareness for Junos OS functionality within service sets. To do this, you must include an idp-profile statement at the [edit services service-set] hierarchy level, along with application identification (APPID) rules, and, as appropriate, application-aware access list (AACL) rules and a policy-decision-statistics-profile. Only one service set can be applied to a single interface when Dynamic Application Awareness functionality is used. For more information, see Intrusion Detection and Prevention, Application Identification, and Application-Aware Access List.

Configuring IPsec Service Sets


IPsec service sets require additional specifications that you configure at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:

  [edit services service-set service-set-name ipsec-vpn-options]
  anti-replay-window-size bits;
  clear-dont-fragment-bit;
  ike-access-profile profile-name;
  local-gateway address;
  no-anti-replay;
  passive-mode-tunneling;
  trusted-ca [ ca-profile-names ];
  tunnel-mtu bytes;

Configuration of these statements is described in the following sections:

- Configuring the Local Gateway Address for IPsec Service Sets on page 574
- Configuring IKE Access Profiles for IPsec Service Sets on page 575
- Configuring Certification Authorities for IPsec Service Sets on page 575
- Configuring or Disabling Antireplay Service on page 575
- Clearing the Don't-Fragment Bit on page 576
- Configuring Passive-Mode Tunneling on page 577
- Configuring the Tunnel MTU Value on page 577

Configuring the Local Gateway Address for IPsec Service Sets


If you configure an IPsec service set, you must also configure a local IPv4 or IPv6 address by including the local-gateway statement:

- If the Internet Key Exchange (IKE) gateway IP address is in inet.0 (the default situation), you configure the following statement:

    local-gateway address;

- If the IKE gateway IP address is in a VPN routing and forwarding (VRF) instance, you configure the following statement:

    local-gateway address routing-instance instance-name;

You can configure all the link-type tunnels that share the same local gateway address in a single next-hop-style service set. The value you specify for the inside-service-interface statement at the [edit services service-set service-set-name] hierarchy level should match the ipsec-inside-interface value, which you configure at the [edit services ipsec-vpn rule rule-name term term-name from] hierarchy level. For more information about IPsec configuration, see Configuring IPsec Rules on page 346.

IKE Addresses in VRF Instances


You can configure Internet Key Exchange (IKE) gateway IP addresses that are present in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through the VRF instance. For next-hop service sets, the key management process (kmd) places the IKE packets in the routing instance that contains the outside-service-interface value you specify, as in this example:

  routing-instances vrf-nxthop {
    instance-type vrf;
    interface sp-1/1/0.2;
    ...
  }
  services service-set service-set-1 {
    next-hop-service {
      inside-service-interface sp-1/1/0.1;
      outside-service-interface sp-1/1/0.2;
    }
    ...
  }

For interface service sets, the service-interface statement determines the VRF, as in this example:

  routing-instances vrf-intf {
    instance-type vrf;
    interface sp-1/1/0.3;
    interface ge-1/2/0.1;   # interface on which service set is applied
    ...
  }
  services service-set service-set-2 {
    interface-service {
      service-interface sp-1/1/0.3;
    }
    ...
  }

Configuring IKE Access Profiles for IPsec Service Sets


For dynamic endpoint tunneling only, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:
  [edit services service-set service-set-name ipsec-vpn-options]
  ike-access-profile profile-name;

The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPsec security associations with dynamic peers only.

NOTE: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address. Also, you must configure a separate service set for each VRF. All interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF.

Configuring Certification Authorities for IPsec Service Sets


You can specify one or more trusted certification authorities by including the trusted-ca statement:
trusted-ca [ ca-profile-names ];

When you configure public key infrastructure (PKI) digital certificates in the IPsec configuration, each service set can have its own set of trusted certification authorities. The names you specify for the trusted-ca statement must match profiles configured at the [edit security pki] hierarchy level; for more information, see the Junos OS System Basics Configuration Guide. For more information about IPsec digital certificate configuration, see Configuring IPsec Rules on page 346.

Configuring or Disabling Antireplay Service


You can include the anti-replay-window-size statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to specify the size of the antireplay window.
anti-replay-window-size bits;


This statement is useful for dynamic endpoint tunnels, for which you cannot configure the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, this statement sets the antireplay window size for all the static tunnels within this service set. If a particular tunnel needs a specific antireplay window size, set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. If the antireplay check must be disabled for a particular tunnel in this service set, set the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

NOTE: The anti-replay-window-size and no-anti-replay settings at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level override the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

You can also include the no-anti-replay statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to disable the IPsec antireplay service, which occasionally causes interoperability issues for security associations.

  no-anti-replay;

This statement is useful for dynamic endpoint tunnels, for which you cannot configure the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, this statement disables the antireplay check for all the tunnels within this service set. If the antireplay check must be enabled for a particular tunnel, set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

NOTE: Setting the anti-replay-window-size and no-anti-replay statements at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.
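As an added illustration (example code written for this page, not Juniper's implementation), the following Python models the sliding-window check that the anti-replay-window-size and no-anti-replay options govern, following the ESP receiver logic of RFC 4303. The window size is the bit width of the bitmap; size=None stands in for no-anti-replay. The class and function names, and the sequence numbers fed through it, are the example's own constructions.

```python
"""Sliding-window antireplay check, modeled on the ESP receiver logic in
RFC 4303, to show what the anti-replay-window-size (bits) and
no-anti-replay options govern. Added example; not Juniper code."""


class AntiReplayWindow:
    """Bitmap of the last `size` sequence numbers seen on a security association.

    size=None models no-anti-replay: every sequence number is accepted."""

    def __init__(self, size=64):
        if size is not None and size < 1:
            raise ValueError("window size must be at least 1 bit")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) seen
        self.accepted = 0
        self.rejected_replay = 0
        self.rejected_stale = 0

    def check(self, seq):
        """Accept and record `seq` (True) or reject it (False)."""
        if self.size is None:
            self.accepted += 1
            return True
        if seq == 0:
            # ESP never transmits sequence number 0 (RFC 4303, section 2.2)
            self.rejected_replay += 1
            return False
        if seq > self.top:
            # New high-water mark: slide the window right by the gap
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0          # everything seen so far falls off
            else:
                self.bitmap <<= shift
            self.bitmap |= 1             # bit 0 is the new top
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            self.accepted += 1
            return True
        offset = self.top - seq
        if offset >= self.size:
            # Left of the window: too old to tell apart from a replay
            self.rejected_stale += 1
            return False
        if self.bitmap & (1 << offset):
            self.rejected_replay += 1    # already seen inside the window
            return False
        self.bitmap |= 1 << offset       # late but genuine: record it
        self.accepted += 1
        return True


def run_sequence(seqs, size=64):
    """Feed constructed ESP sequence numbers through a window.

    Returns (per-packet verdicts, window) so the counters can be inspected."""
    win = AntiReplayWindow(size)
    return [win.check(s) for s in seqs], win


if __name__ == "__main__":
    verdicts, win = run_sequence([1, 3, 2, 2, 10, 1, 0], size=8)
    print(verdicts, win.rejected_replay, win.rejected_stale)
```

Running run_sequence([1, 2, 3, 4, 5, 6, 2, 3], size=4) shows both failure modes: sequence number 2 has fallen off the left edge of a 4-bit window and is rejected as stale even though it was never replayed, while 3 is inside the window and already marked, so it is rejected as a replay. A window too small for the reordering on the path therefore drops legitimate traffic, which is the interoperability trade-off behind the option to disable the check; disabling it removes that loss at the cost of accepting replayed ESP packets.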

Clearing the Don't-Fragment Bit


You can include the clear-dont-fragment-bit statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to clear the Don't Fragment (DF) bit on all IP version 4 (IPv4) packets entering the IPsec tunnel. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation.
clear-dont-fragment-bit;


This statement is useful for dynamic endpoint tunnels, for which you cannot configure the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, setting this statement clears the DF bit on packets entering all the static tunnels within this service set. If you want to clear the DF bit on packets entering a specific tunnel, set the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

Configuring Passive-Mode Tunneling


You can include the passive-mode-tunneling statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to enable the service set to tunnel malformed packets.

  [edit services service-set service-set-name ipsec-vpn-options]
  passive-mode-tunneling;

This functionality bypasses the active IP checks, such as version, TTL, protocol, options, address and other land attack checks, and tunnels the packets as is. If this statement is not configured, packets failing the IP checks are dropped in the PIC. In passive mode, the inner packet is not touched; hence, an ICMP error is not generated if the packet size exceeds the tunnel MTU value. The IPsec tunnel is not treated as a next hop and the TTL is not decremented. Because an ICMP error is not generated if the packet size exceeds the tunnel MTU value, the packet is tunneled even if it crosses the tunnel MTU threshold.

NOTE: This functionality is similar to that provided by the no-ipsec-tunnel-in-traceroute statement, described in Disabling IPsec Tunnel Endpoint in Traceroute on page 359.

Configuring the Tunnel MTU Value


You can include the tunnel-mtu statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to set the maximum transmission unit (MTU) value for IPsec tunnels.
tunnel-mtu bytes;

This statement is useful for dynamic endpoint tunnels for which you cannot configure the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, this statement sets the tunnel MTU value for all the tunnels within this service set. If you need a specific value for a particular tunnel, then set the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.


Junos 11.4 Services Interfaces Configuration Guide

NOTE: The tunnel-mtu setting at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the value specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

Configuring Service Set Limitations


You can set the following limitations on service set capacity:

You can limit the maximum number of flows allowed per service set. To configure the maximum value, include the max-flows statement at the [edit services service-set service-set-name] hierarchy level:
max-flows number;

The max-flows statement permits you to assign a single flow limit value. For IDS service sets only, you can specify various types of flow limits with a finer degree of control. For more information, see the description of the session-limit statement in Configuring IDS Rule Sets on page 297.

You can limit the maximum segment size (MSS) allowed by the Transmission Control Protocol (TCP). To configure the maximum value, include the tcp-mss statement at the [edit services service-set service-set-name] hierarchy level:
tcp-mss number;

The TCP protocol negotiates an MSS value during session connection establishment between two peers. The negotiated MSS value is primarily based on the MTU of the interfaces to which the communicating peers are directly connected. However, because link MTUs vary along the path taken by the TCP packets, some packets that are well within the MSS value may still be fragmented when their size exceeds a link's MTU. If the router receives a TCP packet with the SYN bit and MSS option set, and the MSS option specified in the packet is larger than the MSS value specified by the tcp-mss statement, the router replaces the MSS value in the packet with the lower value specified by the tcp-mss statement. The range for the tcp-mss mss-value parameter is from 536 through 65535. To view statistics of SYN packets received and SYN packets whose MSS value was modified, issue the show services service-sets statistics tcp-mss operational mode command. For more information on this topic, see the Junos OS System Basics Configuration Guide.
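As an added illustration of the tcp-mss behaviour just described (example code, not from the Junos guide or from Juniper), the following Python models the clamping decision on a constructed IPv4/TCP SYN segment: only a SYN carrying an MSS option larger than the configured value is rewritten, and the TCP checksum is recomputed so the segment stays valid. The addresses, ports and MSS values are constructed for the example; the 536 through 65535 range and the SYN-with-MSS-option rule come from the text above.

```python
import struct

TCP_MSS_MIN, TCP_MSS_MAX = 536, 65535   # range accepted by the tcp-mss statement
TCP_FLAG_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def _ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment.
    Returns 0 when the checksum already stored in the segment is valid."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def _mss_option_offset(options: bytes) -> int:
    """Offset of a well-formed MSS option inside the option bytes, or -1."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return -1
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return -1
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return -1                      # malformed option list: leave it alone
        if kind == OPT_MSS and length == 4:
            return i
        i += length
    return -1


def read_mss(segment: bytes):
    """MSS option value carried by a TCP segment, or None if absent."""
    data_off = (segment[12] >> 4) * 4
    options = segment[20:data_off]
    off = _mss_option_offset(options)
    return None if off < 0 else struct.unpack("!H", options[off + 2:off + 4])[0]


def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed TCP SYN: 20-byte header plus a 4-byte MSS option."""
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,        # source and destination port (constructed)
                         1, 0,             # sequence and acknowledgement numbers
                         6 << 4,           # data offset: 6 words = 24 bytes
                         TCP_FLAG_SYN,
                         65535, 0, 0)      # window, checksum placeholder, urgent pointer
    segment = header + struct.pack("!BBH", OPT_MSS, 4, mss)
    checksum = tcp_checksum(src, dst, segment)
    return segment[:16] + struct.pack("!H", checksum) + segment[18:]


def clamp_mss(src: bytes, dst: bytes, segment: bytes, tcp_mss: int):
    """Apply the tcp-mss rule to one segment. Returns (segment, modified)."""
    if not TCP_MSS_MIN <= tcp_mss <= TCP_MSS_MAX:
        raise ValueError("tcp-mss must be 536 through 65535")
    if not segment[13] & TCP_FLAG_SYN:
        return segment, False              # only SYN segments carry a negotiable MSS
    data_off = (segment[12] >> 4) * 4
    options = bytearray(segment[20:data_off])
    off = _mss_option_offset(bytes(options))
    if off < 0:
        return segment, False              # no MSS option: nothing to clamp
    current = struct.unpack("!H", options[off + 2:off + 4])[0]
    if current <= tcp_mss:
        return segment, False              # already at or below the configured limit
    options[off + 2:off + 4] = struct.pack("!H", tcp_mss)
    rewritten = bytearray(segment[:20] + bytes(options) + segment[data_off:])
    rewritten[16:18] = b"\x00\x00"         # zero the checksum field before recomputing
    rewritten[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(rewritten)))
    return bytes(rewritten), True


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])   # constructed addresses
    syn = build_syn(src, dst, 1460)
    clamped, changed = clamp_mss(src, dst, syn, 1400)
    print("modified:", changed, "mss:", read_mss(clamped),
          "checksum valid:", tcp_checksum(src, dst, clamped) == 0)
```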

Configuring System Logging for Service Sets


You specify properties that control how system log messages are generated for the service set. These values override the values configured at the [edit interfaces interface-name services-options] hierarchy level. To configure service-set-specific system logging values, include the syslog statement at the [edit services service-set service-set-name] hierarchy level:


syslog {
    host hostname {
        class services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
    }
}

Configure the host statement with a hostname or an IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname. Table 15 on page 579 lists the severity levels that you can specify in configuration statements at the [edit services service-set service-set-name syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.

Table 15: System Log Message Severity Levels

Severity Level   Description
any              Includes all severity levels
emergency        System panic or other condition that causes the router to stop functioning
alert            Conditions that require immediate correction, such as a corrupted system database
critical         Critical conditions, such as hard drive errors
error            Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
warning          Conditions that warrant monitoring
notice           Conditions that are not errors but might warrant special handling
info             Events or non-error conditions of interest

We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific service set. To debug a configuration or log NAT functionality, set the level to info. For more information about system log messages, see the Junos OS System Log Messages Reference.


To select the class of messages to be logged to the specified system log host, include the class statement at the [edit services service-set service-set-name syslog host hostname] hierarchy level:
class class-name;

To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit services service-set service-set-name syslog host hostname] hierarchy level:
facility-override facility-name;

The supported facilities are: authorization, daemon, ftp, kernel, user, and local0 through local7.

To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit services service-set service-set-name syslog host hostname] hierarchy level:
log-prefix prefix-value;

Enabling Services PICs to Accept Multicast Traffic


To allow multicast traffic to be sent to the Adaptive Services or Multiservices PIC, include the allow-multicast statement at the [edit services service-set service-set-name] hierarchy level. If this statement is not included, multicast traffic is dropped by default. This statement applies only to multicast traffic using a next-hop service set; interface service set configuration is not supported. Only unidirectional flows are created for multicast packets. For a configuration example, see Example: Configuring NAT for Multicast Traffic on page 219.

Tracing Services PIC Operations


Tracing operations track all adaptive services operations and record them in a log file. The logged error descriptions provide detailed information to help you solve problems faster. By default, no events are traced. If you include the traceoptions statement at the [edit services adaptive-services-pics] or [edit services logging] hierarchy level, the default tracing behavior is the following:

Important events are logged in a file called serviced located in the /var/log directory. When the file serviced reaches 128 kilobytes (KB), it is renamed serviced.0, then serviced.1, and so on, until there are three trace files. Then the oldest trace file (serviced.2) is overwritten. (For more information about how log files are created, see the Junos OS System Log Messages Reference.) Log files can be accessed only by the user who configures the tracing operation.

You cannot change the directory (/var/log) in which trace files are located. However, you can customize the other trace file settings by including the following statements:


file filename <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
flag {
    all;
    command-queued;
    config;
    handshake;
    init;
    interfaces;
    mib;
    removed-client;
    show;
}

You include these statements at the [edit services adaptive-services-pics traceoptions] or [edit services logging traceoptions] hierarchy level. These statements are described in the following sections:

Configuring the Adaptive Services Log Filename on page 581
Configuring the Number and Size of Adaptive Services Log Files on page 581
Configuring Access to the Log File on page 582
Configuring a Regular Expression for Lines to Be Logged on page 582
Configuring the Trace Operations on page 582

Configuring the Adaptive Services Log Filename


By default, the name of the file that records trace output is serviced. You can specify a different name by including the file statement at the [edit services adaptive-services-pics traceoptions] or [edit services logging traceoptions] hierarchy level:
file filename;

Configuring the Number and Size of Adaptive Services Log Files


By default, when the trace file reaches 128 kilobytes (KB) in size, it is renamed filename.0, then filename.1, and so on, until there are three trace files. Then the oldest trace file (filename.2) is overwritten. You can configure the limits on the number and size of trace files by including the following statements at the [edit services adaptive-services-pics traceoptions] or [edit services logging traceoptions] hierarchy level:
file <filename> files number size size;

For example, set the maximum file size to 2 MB, and the maximum number of files to 20. When the file that receives the output of the tracing operation (filename) reaches 2 MB, filename is renamed filename.0, and a new file called filename is created. When the new filename reaches 2 MB, filename.0 is renamed filename.1 and filename is renamed filename.0. This process repeats until there are 20 trace files. Then the oldest file (filename.19) is overwritten by the newest file (filename.0).


The number of files can be from 2 through 1000 files. The file size of each file can be from 10 KB through 1 gigabyte (GB).
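An added example, not part of the guide, that models the rotation scheme described above in Python: a TraceLog enforces the files and size limits and renames generations in the order filename, filename.0, filename.1, and so on, dropping the oldest generation once the configured number of files exists. The temporary directory, record format and the numbers written are constructed for the demonstration.

```python
import os
import shutil
import tempfile


class TraceLog:
    """Append-only trace file with the rotation scheme described above:
    when the active file reaches `size` bytes it becomes filename.0, each
    older generation moves up one number, and filename.(files-1) is dropped."""

    def __init__(self, path: str, files: int = 3, size: int = 128 * 1024):
        if not 2 <= files <= 1000:
            raise ValueError("files must be 2 through 1000")
        if not 10 * 1024 <= size <= 1024 ** 3:
            raise ValueError("size must be 10 KB through 1 GB")
        self.path, self.files, self.size = path, files, size

    def _generation(self, n: int) -> str:
        return f"{self.path}.{n}"

    def _rotate(self) -> None:
        oldest = self._generation(self.files - 1)
        if os.path.exists(oldest):
            os.remove(oldest)                 # the oldest generation is overwritten
        for n in range(self.files - 2, -1, -1):
            if os.path.exists(self._generation(n)):
                os.replace(self._generation(n), self._generation(n + 1))
        os.replace(self.path, self._generation(0))   # active file becomes filename.0

    def write(self, record: bytes) -> None:
        with open(self.path, "ab") as f:
            f.write(record)
        if os.path.getsize(self.path) >= self.size:
            self._rotate()


def run_rotation_demo(files: int = 3, size: int = 10 * 1024,
                      chunk: int = 1024, writes: int = 45) -> dict:
    """Write `writes` numbered records of `chunk` bytes into a temporary
    directory and report {name: (bytes, first record number)} for each file
    left behind (constructed data, cleaned up afterwards)."""
    tmp = tempfile.mkdtemp()
    try:
        log = TraceLog(os.path.join(tmp, "trace"), files=files, size=size)
        for seq in range(writes):
            log.write(f"{seq:06d} ".encode().ljust(chunk - 1, b"x") + b"\n")
        result = {}
        for name in sorted(os.listdir(tmp)):
            full = os.path.join(tmp, name)
            with open(full, "rb") as f:
                first = int(f.read(6))        # record number at the head of the file
            result[name] = (os.path.getsize(full), first)
        return result
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, (size_bytes, first) in run_rotation_demo().items():
        print(f"{name}: {size_bytes} bytes, oldest record {first}")
```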

Configuring Access to the Log File


By default, log files can be accessed only by the user who configures the tracing operation. To specify that any user can read all log files, include the file world-readable statement at the [edit services adaptive-services-pics traceoptions] or [edit services logging traceoptions] hierarchy level:
file <filename> world-readable;

To explicitly set the default behavior, include the file no-world-readable statement at the [edit services adaptive-services-pics traceoptions] or [edit services logging traceoptions] hierarchy level:
file <filename> no-world-readable;

Configuring a Regular Expression for Lines to Be Logged


By default, the trace operation output includes all lines relevant to the logged events. You can refine the output by including the match statement at the [edit services adaptive-services-pics traceoptions file filename] or [edit services logging traceoptions] hierarchy level and specifying a regular expression (regex) to be matched:
file <filename> match regular-expression;

Configuring the Trace Operations


By default, if the traceoptions configuration is present, only important events are logged. You can configure the trace operations to be logged by including the following statements at the [edit services adaptive-services-pics traceoptions] or [edit services logging traceoptions] hierarchy level:
flag {
    all;
    configuration;
    routing-protocol;
    routing-socket;
    snmp;
}

Table 16 on page 582 describes the meaning of the adaptive services tracing flags.

Table 16: Adaptive Services Tracing Flags

Flag             Description                                                                Default Setting
all              Trace all operations.                                                      Off
command-queued   Trace command enqueue events.                                              Off
config           Log reading of the configuration at the [edit services] hierarchy level.   Off
handshake        Trace handshake events.                                                    Off
init             Trace initialization events.                                               Off
interfaces       Trace interface events.                                                    Off
mib              Trace GGSN SNMP MIB events.                                                Off
removed-client   Trace client cleanup events.                                               Off
show             Trace CLI command servicing.                                               Off

To display the end of the log, issue the show log serviced | last operational mode command:
[edit]
user@host# run show log serviced | last

Example: Configuring Service Sets


Apply two service sets, my-input-service-set and my-output-service-set, on an interface-wide basis. All traffic has my-input-service-set applied to it. After the service set is applied, additional filtering is done using my_post_service_input_filter.
[edit interfaces fe-0/1/0]
unit 0 {
    family inet {
        service {
            input {
                service-set my-input-service-set;
                post-service-filter my_post_service_input_filter;
            }
            output {
                service-set my-output-service-set;
            }
        }
    }
}


CHAPTER 27

Summary of Service Set Configuration Statements


The following sections explain each of the service set configuration statements. The statements are organized alphabetically.

adaptive-services-pics

Syntax:
adaptive-services-pics {
    traceoptions {
        file filename <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }
}

Hierarchy Level: [edit services]

Release Information: Statement introduced before Junos OS Release 7.4. The file option was added in Release 8.0.

Description: Define global services properties.

Options: The remaining statement is explained separately.

Usage Guidelines: See Tracing Services PIC Operations on page 580.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


allow-multicast

Syntax: allow-multicast;

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced in Junos OS Release 8.0.

Description: Allow multicast traffic to be sent to the Adaptive Services or Multiservices PIC.

Usage Guidelines: See Enabling Services PICs to Accept Multicast Traffic on page 580.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


anti-replay-window-size

Syntax: anti-replay-window-size bits;

Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]

Release Information: Statement introduced in Junos OS Release 10.0.

Description: Specify the size of the IPsec antireplay window. This statement is useful for dynamic endpoint tunnels for which you cannot configure the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, this statement sets the antireplay window size for all the static tunnels within this service set. If a particular tunnel needs a specific value for antireplay window size, set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. If antireplay check has to be disabled for a particular tunnel in this service set, set the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

NOTE: The anti-replay-window-size and no-anti-replay settings at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level override the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

Options:
    bits: Size of the antireplay window, in bits.
    Default: 64 bits (AS PICs), 128 bits (Multiservices PICs and DPCs)
    Range: 64 through 4096 bits

Usage Guidelines: See Configuring IPsec Service Sets on page 573 or Configuring or Disabling IPsec Anti-Replay on page 352.

Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


bypass-traffic-on-exceeding-flow-limits

Syntax: bypass-traffic-on-exceeding-flow-limits;

Hierarchy Level: [edit services service-set service-set-name service-set-options]

Release Information: Statement introduced in Junos OS Release 10.1.

Description: Enable packets to bypass without creating a new session when the flow in the service set exceeds the limit that is set by the max-flows statement at the [edit services service-set service-set-name] hierarchy level.

Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

bypass-traffic-on-pic-failure

Syntax: bypass-traffic-on-pic-failure;

Hierarchy Level: [edit services service-set service-set-name service-set-options]

Release Information: Statement introduced in Junos OS Release 10.1.

Description: When the MultiServices PIC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement. When this statement is configured, the affected packets are forwarded in the event of a MultiServices PIC failure or offlining, as though interface-style services were not configured. This issue applies only to Dynamic Application Awareness for Junos OS configurations with IDP service sets.

Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


clear-dont-fragment-bit

Syntax: clear-dont-fragment-bit;

Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]

Release Information: Statement introduced in Junos OS Release 10.0.

Description: Clear the Don't Fragment (DF) bit on all IP version 4 (IPv4) packets entering the IPsec tunnel. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation. This statement is useful for dynamic endpoint tunnels, for which you cannot configure the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, setting this statement clears the DF bit on packets entering all the static tunnels within this service set. If you want to clear the DF bit on packets entering a specific tunnel, set the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

Usage Guidelines: See Configuring IPsec Service Sets on page 573 or Configuring Actions in IPsec Rules on page 349.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


facility-override

Syntax: facility-override facility-name;

Hierarchy Level: [edit services service-set service-set-name syslog host hostname]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Override the default facility for system log reporting.

Options:
    facility-name: Name of the facility that overrides the default assignment. Valid entries are:
        authorization
        daemon
        ftp
        kernel
        local0 through local7
        user

Usage Guidelines: See Configuring System Logging for Service Sets on page 578.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

host

Syntax:
host hostname {
    facility-override facility-name;
    log-prefix prefix-value;
    services severity-level;
}

Hierarchy Level: [edit services service-set service-set-name syslog]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify the hostname for the system logging utility.

Options:
    hostname: Name of the system logging utility host machine.
    The remaining statements are explained separately.

Usage Guidelines: See Configuring System Logging for Service Sets on page 578.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


ids-rules

Syntax: (ids-rules rule-name | ids-rule-sets rule-set-name);

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify the intrusion detection service (IDS) rules or rule set included in this service set. You can configure multiple rules, but only one rule set for each service.

Options:
    rule-name: Identifier for the collection of terms that constitute this rule.
    rule-set-name: Identifier for the set of rules to be included.

Usage Guidelines: See Configuring Service Rules on page 572.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

ike-access-profile

Syntax: ike-access-profile profile-name;

Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]

Release Information: Statement introduced in Junos OS Release 7.4.

Description: Define the access profile for the IPsec traffic on dynamic tunnels.

Options:
    profile-name: Identifier for access profile, which must match the name configured at the [edit access profile name client * ike] hierarchy level.

Usage Guidelines: See Configuring Dynamic Endpoints for IPsec Tunnels on page 353 or Configuring IPsec Service Sets on page 573.

Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


interface-service

Syntax:
interface-service {
    service-interface name;
}

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify the device name for the interface service Physical Interface Card (PIC).

Options:
    service-interface name: Name of the service device associated with the interface-wide service set.

Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

ipsec-vpn-options

Syntax:
ipsec-vpn-options {
    anti-replay-window-size bits;
    clear-dont-fragment-bit;
    ike-access-profile profile-name;
    local-gateway address;
    no-anti-replay;
    passive-mode-tunneling;
    trusted-ca [ ca-profile-names ];
    tunnel-mtu bytes;
}

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify IP Security (IPsec) service options.

Options: The remaining statements are explained separately.

Usage Guidelines: See Configuring Service Rules on page 572.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


ipsec-vpn-rules

Syntax: (ipsec-vpn-rules rule-name | ipsec-vpn-rule-sets rule-set-name);

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify the IPsec rules or rule set included in this service set. You can configure multiple rules, but only one rule set for each service.

Options:
    rule-name: Identifier for the collection of terms that constitute this rule.
    rule-set-name: Identifier for the set of rules to be included.

Usage Guidelines: See Configuring Service Rules on page 572.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

local-gateway

Syntax: local-gateway address;

Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Define the local IPv4 or IPv6 address for the IPsec traffic.

Options:
    address: Local address.

Usage Guidelines: See Configuring Service Rules on page 572.

Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.


log-prefix

Syntax: log-prefix prefix-value;

Hierarchy Level: [edit services service-set service-set-name syslog host hostname]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Set the system logging prefix value.

Options:
    prefix-value: System logging prefix value.

Usage Guidelines: See Configuring System Logging for Service Sets on page 578.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

logging

Syntax:
logging {
    traceoptions {
        file filename <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }
}

Hierarchy Level: [edit services]

Release Information: Statement introduced in Junos OS Release 8.0.

Description: Define global services properties.

Options: The remaining statement is explained separately.

Usage Guidelines: See Tracing Services PIC Operations on page 580.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


max-flows

Syntax: max-flows number;

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Maximum number of flows allowed for the service set.

Options:
    number: Maximum number of flows.

Usage Guidelines: See Configuring Service Set Limitations on page 578.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


message-rate-limit

Syntax: message-rate-limit messages-per-second;

Hierarchy Level:
interfaces interface-name {
    services-options {
        cgn-pic;
        disable-global-timeout-override;
        ignore-errors <alg> <tcp>;
        inactivity-non-tcp-timeout seconds;
        inactivity-tcp-timeout seconds;
        inactivity-timeout seconds;
        open-timeout seconds;
        session-limit {
            maximum number;
            rate new-sessions-per-second;
        }
        session-timeout seconds;
        syslog {
        }
    }
}

Release Information: Statement introduced in Junos OS Release 11.1.

Description: Maximum system log messages per second allowed from this interface.

NOTE: The message-rate-limit command can be configured only for physical service interfaces (sp-x/x/x) and not for redundancy services PIC interfaces (rspx).

Options:
    messages-per-second: This option configures the maximum number of system log messages per second that can be formatted and sent from the PIC to either the Routing Engine (local) or to an external server (remote). The default rates are 10,000 for the Routing Engine and 200,000 for an external server.

Usage Guidelines: See Configuring System Logging for Service Sets on page 578.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


nat-rules

Syntax: (nat-rules rule-name | nat-rule-sets rule-set-name);

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify the Network Address Translation (NAT) rules or rule set included in this service set. You can configure multiple rules, but only one rule set for each service.

Options:
    rule-name: Identifier for the collection of terms that constitute this rule.
    rule-set-name: Identifier for the set of rules to be included.

Usage Guidelines: See Configuring Service Rules on page 572.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


next-hop-service

Syntax:
next-hop-service {
    inside-service-interface interface-name.unit-number;
    outside-service-interface interface-name.unit-number;
    service-interface-pool name;
}

Hierarchy Level: [edit services service-set service-set-name]

Release Information: Statement introduced before Junos OS Release 7.4. service-interface-pool option added in Junos OS Release 9.3.

Description: Specify interface names or a service interface pool for the forwarding next-hop service set. You cannot specify both a service interface pool and an inside or outside interface.

Options:
    inside-service-interface interface-name.unit-number: Name and logical unit number of the service interface associated with the service set applied inside the network.
    outside-service-interface interface-name.unit-number: Name and logical unit number of the service interface associated with the service set applied outside the network.
    service-interface-pool name: Name of the pool of logical interfaces configured at the [edit services service-interface-pools pool pool-name] hierarchy level. You can configure a service interface pool only if the service set has a PGCP rule configured. The service set cannot contain any other type of rule.

Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.

Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


no-anti-replay

Syntax: no-anti-replay;

Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]

Release Information: Statement introduced in Junos OS Release 10.0.

Description: Disable IPsec antireplay service for this service set, which occasionally causes interoperability issues for security associations. This statement is useful for dynamic endpoint tunnels for which you cannot configure the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, this statement disables the antireplay check for all the tunnels within this service set. If antireplay check has to be enabled for a particular tunnel, then set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

NOTE: Setting the anti-replay-window-size and no-anti-replay statements at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

Usage Guidelines: See Configuring IPsec Service Sets on page 573 or Configuring or Disabling IPsec Anti-Replay on page 352.

Required Privilege Level:
    admin: To view this statement in the configuration.
    admin-control: To add this statement to the configuration.

passive-mode-tunneling
Syntax: passive-mode-tunneling;
Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]
Release Information: Statement introduced in Junos OS Release 10.0.
Description: Allow tunneling of malformed packets. When this statement is enabled, traffic bypasses the usual active IP checks. The IPsec tunnel is not treated as a next hop and the TTL is not decremented. If the packet size exceeds the tunnel MTU value, an ICMP error is not generated.
Usage Guidelines: See Configuring IPsec Service Sets on page 573.
Required Privilege Level:
  admin: To view this statement in the configuration.
  admin-control: To add this statement to the configuration.


pgcp-rules
Syntax: (pgcp-rules rule-name | pgcp-rule-sets rule-set-name);
Hierarchy Level: [edit services service-set service-set-name]
Release Information: Statement introduced in Junos OS Release 8.4.
Description: Specify the Packet Gateway Control Protocol (PGCP) rules or rule set included in this service set. You can configure multiple rules but only one rule set for each service set.
Options:
  rule-name: Identifier for the collection of terms that constitute this rule.
  rule-set-name: Identifier for the set of rules to be included.
Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

port (syslog)
Syntax: port port-number;
Hierarchy Level: [edit interfaces interface-name services-options syslog host hostname]
Release Information: Statement introduced in Junos OS Release 11.1.
Description: UDP port for system log messages on the host. The default port is 514.
Options:
  port-number: Port number for system log messages.
Usage Guidelines: See Configuring System Logging for Services Interfaces on page 616.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


ptsp-rules
Syntax: (ptsp-rules rule-name | ptsp-rule-sets rule-set-name);
Hierarchy Level: [edit services service-set service-set-name]
Release Information: Statement introduced in Junos OS Release 10.2.
Description: Specify the PTSP rules or rule set included in this service set. You can configure multiple rules but only one rule set for each service set.
Options:
  rule-name: Identifier for the collection of terms that constitute this rule.
  rule-set-name: Identifier for the set of rules to be included.
Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

service-interface
Syntax: service-interface interface-name;
Hierarchy Level: [edit services service-set service-set-name interface-service]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the name for the adaptive services interface associated with an interface-wide service set.
Options:
  interface-name: Identifier of the service interface.
Usage Guidelines: See Configuring Service Sets to be Applied to Services Interfaces on page 568.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


service-set
Syntax:
  service-set service-set-name {
      allow-multicast;
      extension-service service-name {
          provider-specific-rules-configuration;
      }
      (ids-rules rule-name | ids-rule-sets rule-set-name);
      interface-service {
          service-interface interface-name;
      }
      ipsec-vpn-options {
          anti-replay-window-size bits;
          clear-dont-fragment-bit;
          ike-access-profile profile-name;
          local-gateway address;
          no-anti-replay;
          passive-mode-tunneling;
          trusted-ca [ ca-profile-names ];
          tunnel-mtu bytes;
      }
      (ipsec-vpn-rules rule-name | ipsec-vpn-rule-sets rule-set-name);
      max-flows number;
      (nat-rules rule-name | nat-rule-sets rule-set-name);
      next-hop-service {
          inside-service-interface interface-name.unit-number;
          outside-service-interface interface-name.unit-number;
          service-interface-pool name;
      }
      (pgcp-rules rule-name | pgcp-rule-sets rule-set-name);
      (ptsp-rules rule-name | ptsp-rule-sets rule-set-name);
      (softwire-rules rule-name | softwire-rule-sets rule-set-name);
      (stateful-firewall-rules rule-name | stateful-firewall-rule-sets rule-set-name);
      syslog {
          host hostname {
              class class-name;
              facility-override facility-name;
              log-prefix prefix-value;
              port port-number;
              services severity-level;
          }
      }
  }
Hierarchy Level: [edit services]
Release Information: Statement introduced before Junos OS Release 7.4. The pgcp-rules and pgcp-rule-sets options were added in Release 8.4. The ptsp-rules and ptsp-rule-sets options were added in Release 10.2. The softwire-rules and softwire-rule-sets options were added in Release 10.4.
Description: Define the service set.
Options:
  service-set-name: Identifies the service set.
  The remaining statements are explained separately.
Usage Guidelines: See Service Set Properties.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
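The following configuration is an added example, not taken from this guide, showing how the service-set statements above fit together in an interface-style service set that applies a stateful firewall. The rule name sfw-edge, the service set name ss-edge, the service interface sp-1/0/0, the prefix 10.1.0.0/16, the log host 192.0.2.10 and the facility local3 are all constructed for illustration; the stateful-firewall rule syntax is the standard Junos form and is not shown on this page.

```junos
services {
    stateful-firewall {
        rule sfw-edge {
            /* Evaluated on both sides so that unsolicited inbound sessions
               hit drop-rest; return traffic of accepted sessions is matched
               by the flow table before the rules run. */
            match-direction input-output;
            term allow-inside-out {
                from {
                    source-address {
                        10.1.0.0/16;    /* constructed inside prefix */
                    }
                }
                then {
                    accept;
                }
            }
            term drop-rest {
                then {
                    discard;
                }
            }
        }
    }
    service-set ss-edge {
        stateful-firewall-rules sfw-edge;
        interface-service {
            service-interface sp-1/0/0;  /* assumed PIC location */
        }
        /* Resource limits for this service set (sample values) */
        max-flows 50000;
        tcp-mss 1400;
        /* Service-set logging; these values override the
           services-options syslog defaults on sp-1/0/0 */
        syslog {
            host 192.0.2.10 {
                services error;
                facility-override local3;
                log-prefix ss-edge;
                port 514;
            }
        }
    }
}
```

The service set does nothing until it is referenced from the service statement of a network interface; that part of the configuration is covered under Applying Filters and Services to Interfaces on page 618.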


services
See the following sections:

  services (Hierarchy) on page 604
  services (System Logging) on page 605

services (Hierarchy)
Syntax:
  services {
      ...
  }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the service rules to be applied to traffic.
Usage Guidelines: See Service Set Properties.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


services (System Logging)
Syntax: services severity-level;
Hierarchy Level: [edit services service-set service-set-name syslog host hostname]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the severity level for system logging messages.
Options:
  severity-level: Assigns a severity level to the facility. Valid entries are:
    alert: Conditions that should be corrected immediately.
    any: Matches any level.
    critical: Critical conditions.
    emergency: Panic conditions.
    error: Error conditions.
    info: Informational messages.
    notice: Conditions that require special handling.
    warning: Warning messages.
Usage Guidelines: See Configuring System Logging for Service Sets on page 578.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


stateful-firewall-rules
Syntax: (stateful-firewall-rules rule-name | stateful-firewall-rule-sets rule-set-name);
Hierarchy Level: [edit services service-set service-set-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the stateful firewall rules or rule set included in this service set. You can configure multiple rules, but only one rule set for each service set.
Options:
  rule-name: Identifier for the collection of terms that make up this rule.
  rule-set-name: Identifier for the set of rules to be included.
Usage Guidelines: See Configuring Service Rules on page 572.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

syslog
Syntax:
  syslog {
      host hostname {
          services severity-level;
          facility-override facility-name;
          log-prefix prefix-value;
      }
  }
Hierarchy Level: [edit services service-set service-set-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure generation of system log messages for the service set. The system log information is passed to the kernel for logging in the /var/log directory. These settings override the values defined at the [edit interfaces interface-name services-options] hierarchy level; for more information on configuring those values, see Configuring System Logging for Services Interfaces on page 616.
Options: The remaining statements are described separately.
Usage Guidelines: See Configuring System Logging for Service Sets on page 578.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


tcp-mss
Syntax: tcp-mss number;
Hierarchy Level: [edit services service-set service-set-name]
Release Information: Statement introduced in Junos OS Release 9.5.
Description: Specify the TCP Maximum Segment Size (MSS) allowed for the service set.
Options:
  number: MSS value.
Usage Guidelines: See Configuring Service Set Limitations on page 578.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


traceoptions
Syntax:
  traceoptions {
      file filename <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
      flag flag;
      no-remote-trace;
  }
Hierarchy Level: [edit services adaptive-services-pics], [edit services logging]
Release Information: Statement introduced before Junos OS Release 7.4. file option added in Release 8.0.
Description: Configure Adaptive Services or Multiservices PIC tracing operations. The messages are output to /var/log/serviced.
Options:
  file filename: Name of the file to receive the output of the tracing operation. All files are placed in the directory /var/log.
  files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
    Range: 2 through 1000 files
    Default: 3 files
  flag flag: Tracing operation to perform:
    all: Trace everything.
    command-queued: Trace command enqueue events.
    config: Trace configuration events.
    handshake: Trace handshake events.
    init: Trace initialization events.
    interfaces: Trace interface events.
    mib: Trace GGSN SNMP MIB events.
    removed-client: Trace client cleanup events.
    show: Trace CLI command servicing.
  match regex: (Optional) Match output to a defined regular expression (regex).
    Default: If you do not include this option, the trace operation output includes all lines relevant to the logged events.
  no-world-readable: (Optional) Prevent any user from reading the log file.
  size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 10 KB through 1 GB
    Default: 128 KB
  world-readable: (Optional) Allow any user to read the log file.
Usage Guidelines: See Tracing Services PIC Operations on page 580.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

trusted-ca
Syntax: trusted-ca [ ca-profile-names ];
Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]
Release Information: Statement introduced in Junos OS Release 7.5.
Description: Identify one or more trusted IPsec certification authorities.
Options:
  ca-profile-names: Names of one or more certification authority profiles, which are configured at the [edit security pki] hierarchy level.
Usage Guidelines: See Configuring IPsec Service Sets on page 573.
Required Privilege Level:
  admin: To view this statement in the configuration.
  admin-control: To add this statement to the configuration.


tunnel-mtu
Syntax: tunnel-mtu bytes;
Hierarchy Level: [edit services service-set service-set-name ipsec-vpn-options]
Release Information: Statement introduced in Junos OS Release 10.0.
Description: Maximum transmission unit (MTU) size for IPsec tunnels. This statement is useful for dynamic endpoint tunnels, for which you cannot configure the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For static IPsec tunnels, this statement sets the tunnel MTU value for all the tunnels within this service set. If you need a specific value for a particular tunnel, set the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

NOTE: The tunnel-mtu setting at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the value specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

Options:
  bytes: MTU size.
    Default: 1500 bytes
    Range: 256 through 9192 bytes
Usage Guidelines: See Configuring IPsec Service Sets on page 573 or Specifying the MTU for IPsec Tunnels on page 352.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: mtu on page 1287
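The following configuration is an added example, not taken from this guide, illustrating the override relationship described for both no-anti-replay and tunnel-mtu: the ipsec-vpn-options values are service-set-wide defaults, and a per-term setting under [edit services ipsec-vpn rule rule-name term term-name then] wins for that tunnel only. Because no-anti-replay removes replay protection from every security association in the set, the pattern worth copying is the one shown here, where the service set carries the defaults and the term that actually needs replay checking sets anti-replay-window-size explicitly. The rule and service-set names, the addresses and prefixes, the ike-policy and ipsec-policy names (assumed to be defined under [edit services ipsec-vpn]), the sp-1/0/0 units and the window and MTU values are all constructed for illustration; the ipsec-vpn rule and static-route syntax is the standard Junos form and is not shown on this page.

```junos
services {
    ipsec-vpn {
        rule vpn-static {
            match-direction input;
            term to-branch-a {
                from {
                    ipsec-inside-interface sp-1/0/0.1;
                    destination-address {
                        10.20.0.0/16;          /* constructed branch A prefix */
                    }
                }
                then {
                    remote-gateway 198.51.100.2;
                    dynamic {
                        ike-policy ike-branch;     /* assumed, defined elsewhere */
                        ipsec-policy esp-branch;   /* assumed, defined elsewhere */
                    }
                    /* Per-term values: this tunnel keeps its antireplay check
                       (128-bit window) and uses a smaller MTU, overriding the
                       service-set defaults below. */
                    anti-replay-window-size 128;
                    tunnel-mtu 1400;
                }
            }
            term to-branch-b {
                from {
                    ipsec-inside-interface sp-1/0/0.1;
                    destination-address {
                        10.30.0.0/16;          /* constructed branch B prefix */
                    }
                }
                then {
                    remote-gateway 198.51.100.3;
                    dynamic {
                        ike-policy ike-branch;
                        ipsec-policy esp-branch;
                    }
                    /* No per-term override: the service-set values apply, so
                       this tunnel runs with no antireplay check and a 1420-byte MTU. */
                }
            }
        }
    }
    service-set ss-vpn {
        next-hop-service {
            inside-service-interface sp-1/0/0.1;
            outside-service-interface sp-1/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 203.0.113.1;         /* constructed local endpoint */
            no-anti-replay;                    /* default for every tunnel in the set */
            tunnel-mtu 1420;                   /* default for every tunnel in the set */
        }
        ipsec-vpn-rules vpn-static;
    }
}
interfaces {
    sp-1/0/0 {
        /* service-domain must match the inside/outside roles in next-hop-service */
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
routing-options {
    static {
        /* Steer branch traffic into the inside service interface */
        route 10.20.0.0/16 next-hop sp-1/0/0.1;
        route 10.30.0.0/16 next-hop sp-1/0/0.1;
    }
}
```

After commit, the per-term values can be confirmed per tunnel with show services ipsec-vpn ipsec security-associations detail, which reports the replay window in effect for each security association.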


CHAPTER 28

Service Interface Configuration Guidelines


For the interfaces on a router to function, you must configure them, specifying properties such as the interface location (that is, which slot the Flexible PIC Concentrator [FPC] is installed in and which location on the FPC the Physical Interface Card [PIC] is installed in), the interface type (such as SONET/SDH or Asynchronous Transfer Mode [ATM]), encapsulation, and interface-specific properties. You can configure the interfaces that are currently present in the router, and you can also configure interfaces that are not currently present but that you might add in the future. When a configured interface appears, the Junos OS detects its presence and applies the appropriate configuration to it. For more information on the general configuration of interfaces, see the Junos OS Network Interfaces Configuration Guide.

You can configure two different sets of properties at the interface level:

  Properties that apply to an entire Adaptive Services (AS) or Multiservices PIC interface on a global level, including default values for system logging and timeout properties.
  Assignment of service sets and filters to a network interface.

To configure default properties for the adaptive services interface, include the sp-fpc/pic/port or rspnumber statement at the [edit interfaces] hierarchy level:

[edit interfaces]
(sp-fpc/pic/port | rspnumber) {
    services-options {
        cgn-pic;
        disable-global-timeout-override;
        ignore-errors <alg> <tcp>;
        inactivity-non-tcp-timeout seconds;
        inactivity-tcp-timeout seconds;
        inactivity-timeout seconds;
        open-timeout seconds;
        session-limit {
            maximum number;
            rate new-sessions-per-second;
        }
        session-timeout seconds;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                port port-number;
                services severity-level;
            }
            message-rate-limit messages-per-second;
        }
    }
}

To apply services on network interfaces, include the unit statement at the [edit interfaces interface-name] hierarchy level:

unit logical-unit-number {
    clear-dont-fragment-bit;
    encapsulation type;
    family inet {
        address address {
            ...
        }
        mtu bytes;
        service {
            input {
                [ service-set service-set-name <service-filter filter-name> ];
                post-service-filter filter-name;
            }
            output {
                [ service-set service-set-name <service-filter filter-name> ];
            }
        }
    }
    service-domain (inside | outside);
}

To configure AS or Multiservices PIC redundancy, include the redundancy-options statement at the [edit interfaces rsp number] hierarchy level:

rspnumber {
    redundancy-options {
        primary sp-fpc/pic/port;
        secondary sp-fpc/pic/port;
    }
}

To configure an MX-DPC interface to be used exclusively for carrier-grade NAT (CGN), include the cgn-pic statement at the [edit interfaces interface-name services-options] hierarchy level.

This chapter contains the following sections:

  Services Interface Naming Overview on page 613
  Configuring the Address and Domain for Services Interfaces on page 614
  Configuring Default Timeout Settings for Services Interfaces on page 614
  Configuring System Logging for Services Interfaces on page 616
  Enabling Fragmentation on GRE Tunnels on page 617
  Applying Filters and Services to Interfaces on page 618
  Configuring AS or Multiservices PIC Redundancy on page 620
  Examples: Configuring Services Interfaces on page 623

Services Interface Naming Overview

Each interface has an interface name, which specifies the media type, the slot the FPC is located in, the location on the FPC that the PIC is installed in, and the PIC port. The interface name uniquely identifies an individual network connector in the system. You use the interface name when configuring interfaces and when enabling various functions and properties, such as routing protocols, on individual interfaces. The system uses the interface name when displaying information about the interface, for example, in the show interfaces command. The interface name is represented by a physical part, a logical part, and a channel part in the following format:

physical<:channel>.logical

The channel part of the name is optional for all interfaces except channelized DS3, E1, OC12, and STM1 interfaces. The physical part of an interface name identifies the physical device, which corresponds to a single physical network connector. This part of the interface name has the following format:

type-fpc/pic/port

type is the media type, which identifies the network device. For service interfaces, it can be one of the following:

  cp: Flow collector interface.
  es: Encryption interface.
  gr: Generic routing encapsulation tunnel interface.
  gre: This interface is internally generated and not configurable.
  ip: IP-over-IP encapsulation tunnel interface.
  ipip: This interface is internally generated and not configurable.
  ls: Link services interface.
  lsq: Link services intelligent queuing (IQ) interface; also used for voice services.
  ml: Multilink interface.
  mo: Monitoring services interface. The logical interface mo-fpc/pic/port.16383 is an internally generated, nonconfigurable interface for router control traffic.
  mt: Multicast tunnel interface. This interface is automatically generated, but you can configure properties on it if needed.
  mtun: This interface is internally generated and not configurable.
  rlsq: Redundancy LSQ interface.
  rsp: Redundancy adaptive services interface.
  sp: Adaptive services interface. The logical interface sp-fpc/pic/port.16383 is an internally generated, nonconfigurable interface for router control traffic.
  tap: This interface is internally generated and not configurable.
  vp: Voice over IP (VoIP) interface, configured on J Series Services Routers only.
  vt: Virtual loopback tunnel interface.

Configuring the Address and Domain for Services Interfaces


On the AS or Multiservices PIC, you configure a source address for system log messages by including the address statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:

address address {
    ...
}

Assign an IP address to the interface by configuring the address value. The AS or Multiservices PIC generally supports only IP version 4 (IPv4) addresses configured using the family inet statement, but IPsec services support IP version 6 (IPv6) addresses as well, configured using the family inet6 statement. For information on other addressing properties you can configure that are not specific to service interfaces, see the Junos OS Network Interfaces Configuration Guide.

The service-domain statement specifies whether the interface is used within the network or to communicate with remote devices. The software uses this setting to determine which default stateful firewall rules to apply, and to determine the default direction for service rules. To configure the domain, include the service-domain statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

service-domain (inside | outside);

If you are configuring the interface in a next-hop service-set definition, the service-domain setting must match the configuration for the inside-service-interface and outside-service-interface statements; for more information, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

Configuring Default Timeout Settings for Services Interfaces


You can specify global default settings for certain timers that apply for the entire interface. There are two statements of this type:

  inactivity-timeout: Sets the inactivity timeout period for established flows, after which they are no longer valid.
  open-timeout: Sets the timeout period for Transmission Control Protocol (TCP) session establishment, for use with SYN-cookie defenses against network intrusion.


To configure a setting for the inactivity timeout period, include the inactivity-timeout statement at the [edit interfaces interface-name services-options] hierarchy level:

[edit interfaces interface-name services-options]
inactivity-timeout seconds;

The default value is 30 seconds. The range of possible values is from 4 through 86,400 seconds. Any value you configure in the application protocol definition overrides the value specified here; for more information, see Configuring Application Protocol Properties on page 72.

To configure a setting for the TCP session establishment timeout period, include the open-timeout statement at the [edit interfaces interface-name services-options] hierarchy level:

[edit interfaces interface-name services-options]
open-timeout seconds;

The default value is 30 seconds. The range of possible values is from 4 through 86,400 seconds. Any value you configure in the intrusion detection service (IDS) definition overrides the value specified here; for more information, see Intrusion Detection Properties.

Use of Keep-Alive Messages for Greater Control of TCP Inactivity Timeouts

Keep-alive messages are generated automatically to prevent TCP inactivity timeouts. The default number of keep-alive messages is 4. However, you can configure the number of keep-alive messages by including the tcp-tickles statement at the [edit interfaces interface-name services-options] hierarchy level. When a timeout is generated for a bidirectional TCP flow, keep-alive packets are sent to reset the timer. If the number of consecutive keep-alive packets sent in a flow reaches the default or configured limit, the conversation is deleted. There are several possible scenarios, depending on the setting of the inactivity timer and the default or configured maximum number of keep-alive messages:

  If the configured value of keep-alive messages is zero and inactivity-timeout is not configured (in which case the default timeout value of 30 seconds is used), no keep-alive packets are sent. The conversation is deleted when any flow in the conversation is idle for more than 30 seconds.
  If the configured value of keep-alive messages is zero and inactivity-timeout is configured, no keep-alive packets are sent, and the conversation is deleted when any flow in the conversation is idle for more than the configured timeout value.
  If the default or configured maximum number of keep-alive messages is a positive integer, and any of the flows in a conversation is idle for more than the default or configured value for inactivity-timeout, keep-alive packets are sent. If the hosts do not respond to the configured number of consecutive keep-alive packets, the conversation is deleted. The interval between keep-alive packets is 1 second. However, if the host sends back an ACK packet, the corresponding flow becomes active, and keep-alive packets are not sent until the flow becomes idle again.


Configuring System Logging for Services Interfaces


You specify properties that control how system log messages are generated for the interface as a whole. If you configure different values for the same properties at the [edit services service-set service-set-name] hierarchy level, the service-set values override the values configured for the interface. For more information on configuring service-set properties, see Configuring System Logging for Service Sets on page 578.

To configure interface-wide default system logging values, include the syslog statement at the [edit interfaces interface-name services-options] hierarchy level:

[edit interfaces interface-name services-options]
syslog {
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
        port port-number;
    }
}

Configure the host statement with a hostname or an IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname.

Table 17 on page 616 lists the severity levels that you can specify in configuration statements at the [edit interfaces interface-name services-options syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.

Table 17: System Log Message Severity Levels

  Severity Level   Description
  any              Includes all severity levels
  emergency        System panic or other condition that causes the router to stop functioning
  alert            Conditions that require immediate correction, such as a corrupted system database
  critical         Critical conditions, such as hard drive errors
  error            Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
  warning          Conditions that warrant monitoring
  notice           Conditions that are not errors but might warrant special handling
  info             Events or nonerror conditions of interest

We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific interface. To debug a configuration or log Network Address Translation (NAT) functionality, set the level to info. For more information about system log messages, see the Junos OS System Log Messages Reference.

To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit interfaces interface-name services-options syslog host hostname] hierarchy level:

[edit interfaces interface-name services-options syslog host hostname]
facility-override facility-name;

The supported facilities include authorization, daemon, ftp, kernel, user, and local0 through local7.

To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit interfaces interface-name services-options syslog host hostname] hierarchy level:

[edit interfaces interface-name services-options syslog host hostname]
log-prefix prefix-value;
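The following configuration is an added example, not taken from this guide, that puts the interface-wide defaults from Configuring Default Timeout Settings for Services Interfaces and this section together on one services PIC. Every value is a sample chosen for illustration (the PIC location sp-1/0/0, the timeouts, the tcp-tickles count, the session limits and the log prefix); tcp-tickles is the statement named in the keep-alive discussion above. Any service set applied on this PIC that carries its own syslog statement overrides the host and severity shown here.

```junos
interfaces {
    sp-1/0/0 {
        services-options {
            /* Flow timers (seconds). Application protocol and IDS definitions
               can still override these per protocol or per service set. */
            inactivity-timeout 120;
            inactivity-tcp-timeout 600;
            inactivity-non-tcp-timeout 60;
            open-timeout 20;             /* TCP handshake budget for SYN-cookie defense */
            tcp-tickles 2;               /* keep-alives sent before an idle TCP conversation is dropped */
            /* Bound the flow table so a flood cannot exhaust the PIC (sample limits) */
            session-limit {
                maximum 200000;
                rate 5000;
            }
            /* Interface-wide logging default: warning level keeps PIC resource
               messages visible; host local sends them to the Routing Engine. */
            syslog {
                host local {
                    services warning;
                    log-prefix sp-1-0-0;
                }
            }
        }
        unit 0 {
            family inet;
        }
    }
}
```

With these defaults in place, an idle TCP conversation on this PIC survives 600 seconds, then receives two keep-alives one second apart, and is deleted only if neither is answered; a UDP flow is dropped after 60 idle seconds with no keep-alive attempt, which matches the third and second scenarios in the keep-alive discussion above.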

Enabling Fragmentation on GRE Tunnels


To enable fragmentation of IPv4 packets in generic routing encapsulation (GRE) tunnels, include the clear-dont-fragment-bit statement and a maximum transmission unit (MTU) setting for the tunnel as part of an existing GRE configuration at the [edit interfaces] hierarchy level:

[edit interfaces]
gr-fpc/pic/port {
    unit logical-unit-number {
        clear-dont-fragment-bit;
        ...
        family inet {
            mtu 1000;
            ...
        }
    }
}

This statement clears the Don't Fragment (DF) bit in the packet header, regardless of the packet size. If the packet size exceeds the tunnel MTU value, the packet is fragmented before encapsulation. The maximum MTU size configurable on the AS or Multiservices PIC is 9192 bytes.

NOTE: The clear-dont-fragment-bit statement is supported only on MX Series routers and all M Series routers except the M320 router.

Fragmentation is enabled only on IPv4 packets being encapsulated in IPv4-based GRE tunnels.

NOTE: This configuration is supported only on GRE tunnels on AS or Multiservices interfaces. If you commit gre-fragmentation as the encapsulation type on a standard Tunnel PIC interface, the following console log message appears when the PIC comes online:

gr-fpc/pic/port: does not support this encapsulation

The Packet Forwarding Engine updates the IP identification field in the outer IP header of GRE-encapsulated packets, so that reassembly of the packets is possible after fragmentation. The previous CLI constraint check that required you to configure either the clear-dont-fragment-bit statement or a tunnel key with the allow-fragmentation statement is no longer enforced.

Applying Filters and Services to Interfaces


When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces on the router. To associate a defined service set with an interface, include the service-set statement with the input or output statement at the [edit interfaces interface-name unit logical-unit-number family inet service] hierarchy level:
[edit interfaces interface-name unit logical-unit-number family inet service] input { service-set service-set-name <service-filter filter-name>; post-service-filter filter-name; } output { service-set service-set-name <service-filter filter-name>; }

NOTE: When you enable services on an interface, reverse-path forwarding is not supported. You cannot configure services on the management interface (fxp0) or the loopback interface (lo0).

You can configure different service sets on the input and output sides of the interface. However, for service sets with bidirectional service rules, you must include the same service set definition in both the input and output statements. Any service set you include in the service statement must be configured with the interface-service statement at the [edit services service-set service-set-name] hierarchy level; for more information, see Configuring Service Sets to be Applied to Services Interfaces on page 568.

NOTE: If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an Internet Control Message Protocol (ICMP) error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction. Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.
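The first workaround in the note, written out as an added example (this configuration is not from the guide): the reject action is moved out of the interface input filter and into a forwarding-table filter, which runs after the stateful firewall in the input direction, so the ICMP error that the Packet Forwarding Engine generates belongs to a flow the stateful firewall has already seen. The filter name reject-unwanted-telnet, the counter name, the interface fe-0/1/0 and the service set my-sfw-set are assumed names; my-sfw-set is assumed to be defined under [edit services] with the interface-service statement.

```junos
/* Added example: reject in a forwarding-table filter, not in the interface input filter */
[edit firewall family inet]
filter reject-unwanted-telnet {
    term telnet {
        from {
            protocol tcp;
            destination-port telnet;
        }
        then {
            count telnet-rejects;   /* assumed counter name */
            reject;
        }
    }
    term allow-rest {
        then accept;
    }
}
/* Attach it as a forwarding-table filter so it is evaluated after the stateful firewall on input */
[edit forwarding-options family inet]
filter {
    input reject-unwanted-telnet;
}
/* The interface keeps only the service set; no reject action in an interface input filter */
[edit interfaces fe-0/1/0 unit 0 family inet]
service {
    input {
        service-set my-sfw-set;
    }
    output {
        service-set my-sfw-set;
    }
}
```

The same service set is applied on both input and output because stateful firewall rules are bidirectional, as the section above requires.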

Configuring Service Filters


You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, the router software assumes that the match condition is true and selects the service set for processing automatically. To configure service filters, include the firewall statement at the [edit] hierarchy level:
firewall {
    family inet {
        service-filter filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
}

NOTE: You must specify inet as the address family to configure a service filter.

You configure service filters in a similar way to firewall filters. Service filters have the same match conditions as firewall filters, but the following specific actions:

count—Add the packet to a counter total.
log—Log the packet.
port-mirror—Port-mirror the packet.
sample—Sample the packet.
service—Forward the packet for service processing.
skip—Omit the packet from service processing.

For more information about configuring firewall filters, see the Junos OS Routing Policy Configuration Guide.

You can also include more than one service set definition on each side of the interface. If you include multiple service sets, the router software evaluates them in the order specified in the configuration. It executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions. An additional statement allows you to specify a filter for processing the traffic after the input service set is executed. To configure this type of filter, include the post-service-filter statement at the [edit interfaces interface-name unit logical-unit-number family inet service input] hierarchy level:
post-service-filter filter-name;

NOTE: The software performs postservice filtering only when it has selected and executed a service set. If the traffic does not meet the match criteria for any of the configured service sets, the postservice filter is ignored.
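An added example (not from the guide) that ties together the service-filter actions, the ordered evaluation of several service sets, and the post-service filter described above. Web traffic matches sf-web and goes to the first service set; DNS matches sf-dns and goes to the second; everything else is skipped by both, receives no service and, per the note, never reaches the post-service filter. The filter names sf-web, sf-dns and sf-post-count, the counter names, the interface fe-0/1/0 and the service sets web-sfw and dns-sfw are assumed; both service sets are assumed to be defined under [edit services] with the interface-service statement.

```junos
[edit firewall family inet]
/* Select only web traffic for the first service set; skip the rest */
service-filter sf-web {
    term web {
        from {
            protocol tcp;
            destination-port [ http https ];
        }
        then {
            count web-to-service;   /* assumed counter name */
            service;
        }
    }
    term other {
        then skip;
    }
}
/* Select only DNS for the second service set */
service-filter sf-dns {
    term dns {
        from {
            protocol udp;
            destination-port domain;
        }
        then service;
    }
    term other {
        then skip;
    }
}
/* Post-service filter: counts what came back from a selected service set */
service-filter sf-post-count {
    term all {
        then {
            count after-service;   /* assumed counter name */
            service;
        }
    }
}

[edit interfaces fe-0/1/0 unit 0 family inet]
service {
    input {
        /* Evaluated in this order; the first service set whose filter matches wins */
        service-set web-sfw service-filter sf-web;
        service-set dns-sfw service-filter sf-dns;
        /* Applied only when one of the service sets above was selected */
        post-service-filter sf-post-count;
    }
    output {
        /* Bidirectional rules: the same service sets on the output side */
        service-set web-sfw service-filter sf-web;
        service-set dns-sfw service-filter sf-dns;
    }
}
```

Order matters here: if sf-web matched a broader range of ports, packets that should reach dns-sfw would be consumed by web-sfw first, because only the first matching service set is executed.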

For an example of applying a service set to an interface, see Examples: Configuring Services Interfaces on page 623. For more information on applying filters to interfaces, see the Junos OS Network Interfaces Configuration Guide. For general information on filters, see the Junos OS Routing Policy Configuration Guide.

NOTE: After NAT processing is applied to packets, they are not subject to output service filters. The service filters affect only untranslated traffic.

Configuring AS or Multiservices PIC Redundancy


You can configure AS or Multiservices PIC redundancy on M Series and T Series routers, except TX Matrix routers, that have multiple AS or Multiservices PICs. To configure redundancy, you specify a redundancy services PIC (rsp) interface in which the primary PIC is active and a secondary PIC is on standby. If the primary PIC fails, the secondary PIC becomes active, and all service processing is transferred to it. If the primary AS or Multiservices PIC is restored, it remains on standby and does not preempt the secondary PIC; you need to manually restore the services to the primary PIC. To determine which PIC is currently active, issue the show interfaces redundancy command.


Failover to the secondary PIC occurs under the following conditions:

The primary PIC, FPC, or Packet Forwarding Engine goes down, resets, or is physically removed from the router.
The PIC or FPC is taken offline using the request chassis pic fpc-slot slot-number pic-slot slot-number offline or request chassis fpc slot slot-number offline command. For more information, see the Junos OS System Basics and Services Command Reference.
The driver watchdog timer expires.
The request interface switchover command is issued. For more information, see the Junos OS Interfaces Command Reference.

NOTE: Adaptive Services and Multiservices PICs in Layer-2 mode (running Layer 2 services) are not rebooted when a MAC flow-control situation is detected.

The physical interface type rsp specifies the pairings between primary and secondary sp interfaces to enable redundancy. To configure an AS or Multiservices PIC as the backup, include the redundancy-options statement at the [edit interfaces rspnumber] hierarchy level:
[edit interfaces rspnumber]
redundancy-options {
    primary sp-fpc/pic/port;
    secondary sp-fpc/pic/port;
}

NOTE: You can include a similar redundancy configuration for Link Services IQ (LSQ) PICs at the [edit interfaces rlsqnumber] hierarchy level. For more information, see Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453.


The following constraints apply to redundant AS or Multiservices PIC configurations:

The services supported in redundancy configurations include stateful firewall, NAT, IDS, and IPsec. Services mounted on the AS or Multiservices PIC that use interface types other than sp- interfaces, such as tunneling and voice services, are not supported. For information on flow monitoring redundancy, see Configuring Services Interface Redundancy with Flow Monitoring on page 1084.

NOTE: For IPsec functionality, the router no longer needs to renegotiate security associations (SAs) during warm standby PIC switchover. Instead, the warm standby feature has been made stateful by periodically setting a checkpoint between the working state of the PIC and the Routing Engine, which should lessen the downtime during switchover. If you prefer to retain the earlier behavior, you can include the clear-ipsec-sas-on-pic-restart statement at the [edit services ipsec-vpn] hierarchy level. If you enable this capability, the router renegotiates the IPsec SAs on warm standby PIC switchover. For more information, see Clearing Security Associations on page 332.

We recommend that you pair the same model type in RSP configurations, such as two ASMs or two AS2 PICs. If you pair unlike models, the two PICs may perform differently.
You can specify an AS or Multiservices PIC (sp interface) as the primary for only one rsp interface. An sp interface can be a secondary for multiple rsp interfaces. However, the same sp interface cannot be configured as a primary interface in one rsp configuration and as a secondary in another configuration. When the secondary PIC is active, if another primary PIC that is paired with it in an rsp configuration fails, no failover takes place.
When you configure an AS or Multiservices PIC within a redundant configuration, the sp interface cannot have any configured services. Apply the configurations at the [edit interfaces rspnumber] hierarchy level, using, for example, the unit and services-options statements. Exceptions include the multiservice-options statement used in flow monitoring configurations, which can be configured separately for the primary and secondary sp interfaces, and the traceoptions statement.
All the operational mode commands that apply to sp interfaces also apply to rsp interfaces. You can issue show commands for the rsp interface or the primary and secondary sp interfaces.
If a secondary PIC fails while it is in use, the rsp interface returns to the not present state. If the primary PIC comes up later, service is restored to it.

For a sample configuration, see Examples: Configuring Services Interfaces on page 623.


Examples: Configuring Services Interfaces


Apply the my-service-set service set on an interface-wide basis. All traffic that is accepted by my_input_filter has my-input-service-set applied to it. After the service set is applied, additional filtering is done using the my_post_service_input_filter filter.
[edit interfaces fe-0/1/0]
unit 0 {
    family inet {
        filter {
            input my_input_filter;
            output my_output_filter;
        }
        service {
            input {
                service-set my-input-service-set;
                post-service-filter my_post_service_input_filter;
            }
            output {
                service-set my-output-service-set;
            }
        }
    }
}

Configure two redundancy interfaces, rsp0 and rsp1, and associated services.
[edit interfaces]
rsp0 {
    redundancy-options {
        primary sp-0/0/0;
        secondary sp-1/3/0;
    }
    unit 0 {
        family inet;
    }
    unit 30 {
        family inet;
        service-domain inside;
    }
    unit 31 {
        family inet;
        service-domain outside;
    }
}
rsp1 {
    redundancy-options {
        primary sp-0/1/0;
        secondary sp-1/3/0;
    }
    unit 0 {
        family inet;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
    unit 21 {
        family inet;
        service-domain outside;
    }
}
[edit services]
service-set null-sfw-with-nat {
    stateful-firewall-rules allow-all;
    nat-rules rule1;
    next-hop-service {
        inside-service-interface rsp0.30;
        outside-service-interface rsp0.31;
    }
}
[edit routing-instances]
vpna {
    interface rsp0.0;
}


CHAPTER 29

Summary of Service Interface Configuration Statements


The following sections explain each of the service interface configuration statements. The statements are organized alphabetically.

address
Syntax
    address address { ... }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family family],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the interface address.
Options
    address—Address of the interface.
Usage Guidelines
    See Configuring the Address and Domain for Services Interfaces on page 614; for a general discussion of address statement options, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
Related Documentation
    Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


cgn-pic
Syntax
    cgn-pic;
Hierarchy Level
    [edit interfaces interface-name services-options]
Release Information
    Statement introduced in Junos OS Release 11.2.
Description
    Restrict usage of the service PIC to CGN. All memory is available for CGN and will be used for CGN scaling.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

clear-dont-fragment-bit
Syntax
    clear-dont-fragment-bit;
Hierarchy Level
    [edit interfaces gr-fpc/pic/port unit logical-unit-number],
    [edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Clear the Don't Fragment (DF) bit on all IP version 4 (IPv4) packets entering the generic routing encapsulation (GRE) tunnel on Adaptive Services (AS) or Multiservices interfaces. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation. The statement is supported only on MX Series routers and all M Series routers except the M320 router.
Usage Guidelines
    See Enabling Fragmentation on GRE Tunnels on page 617.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


dial-options
Syntax
    dial-options {
        ipsec-interface-id name;
        l2tp-interface-id name;
        (shared | dedicated);
    }
Hierarchy Level
    [edit interfaces sp-fpc/pic/port unit logical-unit-number],
    [edit interfaces si-fpc/pic/port unit logical-unit-number],
    [edit logical-systems logical-system-name interfaces sp-fpc/pic/port unit logical-unit-number],
    [edit logical-systems logical-system-name interfaces si-fpc/pic/port unit logical-unit-number]
Release Information
    Statement introduced before Junos OS Release 7.4. The [edit ...si-...] hierarchy levels introduced in Junos OS Release 11.4.
Description
    Specify the options for configuring logical interfaces for group and user sessions in L2TP or IPsec dynamic endpoint tunneling.
Options
    ipsec-interface-id name—(M Series routers only) Interface identifier for group of dynamic peers. This identifier must be replicated at the [edit access profile name client * ike] hierarchy level.
    l2tp-interface-id name—Interface identifier that must be replicated at the [edit access profile name] hierarchy level.
    (shared | dedicated)—Specify whether a logical interface can host one (dedicated) or multiple (shared) sessions at one time. The shared option is not supported for L2TP LNS interfaces on MX Series routers.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
Related Documentation
    (M Series routers) Configuring the Identifier for Logical Interfaces that Provide L2TP Services on page 422
    Configuring Dynamic Endpoints for IPsec Tunnels on page 353
    (MX Series routers) Configuring Options for the LNS Inline Services Logical Interface


facility-override
Syntax
    facility-override facility-name;
Hierarchy Level
    [edit interfaces interface-name services-options syslog host hostname]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Override the default facility for system log reporting.
Options
    facility-name—Name of the facility that overrides the default assignment. Valid entries include:
        authorization
        daemon
        ftp
        kernel
        local0 through local7
        user
Usage Guidelines
    See Configuring System Logging for Services Interfaces on page 616.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


family
Syntax
    family inet {
        address address { ... }
        service {
            input {
                [ service-set service-set-name <service-filter filter-name> ];
                post-service-filter filter-name;
            }
            output {
                [ service-set service-set-name <service-filter filter-name> ];
            }
        }
    }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure protocol family information for the logical interface.
Options
    family—Protocol family. Valid settings for service interfaces include inet (IPv4) and mpls.
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring the Address and Domain for Services Interfaces on page 614; for a general discussion of family statement options, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
Related Documentation
    Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


host
Syntax
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
        port port-number;
    }
Hierarchy Level
    [edit interfaces interface-name services-options syslog]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the hostname for the system logging utility.
Options
    hostname—Name of the system logging utility host machine. This can be the local Routing Engine or an external server address.
    The remaining statements are explained separately.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

inactivity-timeout
Syntax
    inactivity-timeout seconds;
Hierarchy Level
    [edit interfaces interface-name services-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the inactivity timeout period for established flows. The timeout value configured in the application protocol definition overrides this value.
Options
    seconds—Timeout period.
    Default: 30 seconds
    Range: 4 through 86,400 seconds
Usage Guidelines
    See Configuring Default Timeout Settings for Services Interfaces on page 614.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


input
Syntax
    input {
        service-set service-set-name <service-filter filter-name>;
        post-service-filter filter-name;
    }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet service],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet service]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the input service sets and filters to be applied to traffic.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

interfaces
Syntax
    interfaces { ... }
Hierarchy Level
    [edit]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure interfaces on the router.
Default
    The management and internal Ethernet interfaces are automatically configured. You must configure all other interfaces.
Usage Guidelines
    For a complete description, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


log-prefix
Syntax
    log-prefix prefix-value;
Hierarchy Level
    [edit interfaces interface-name services-options syslog host hostname]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Set the system logging prefix value.
Options
    prefix-value—System logging prefix value.
Usage Guidelines
    See Configuring System Logging for Services Interfaces on page 616.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

maximum
Syntax
    maximum number;
Hierarchy Level
    [edit interfaces interface-name services-options session-limit]
Release Information
    Statement introduced in Junos OS Release 9.6.
Description
    Specify the maximum number of sessions allowed simultaneously.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

open-timeout
Syntax
    open-timeout seconds;
Hierarchy Level
    [edit interfaces interface-name services-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure a timeout period for Transmission Control Protocol (TCP) session establishment.
Options
    seconds—Timeout period.
    Default: 30 seconds
    Range: 4 through 86,400 seconds
Usage Guidelines
    See Configuring Default Timeout Settings for Services Interfaces on page 614.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


output
Syntax
    output {
        [ service-set service-set-name <service-filter filter-name> ];
    }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet service],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet service]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the output service sets and filters to be applied to traffic.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

post-service-filter
Syntax
    post-service-filter filter-name;
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet service input],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet service input]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the filter to be applied to traffic after service processing. The filter is applied only if a service set is configured and selected. You can configure a postservice filter on the input side of the interface only.
Options
    filter-name—Identifier for the post-service filter.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


primary
Syntax
    primary interface-name;
Hierarchy Level
    [edit interfaces (rsp0 | rsp1) redundancy-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the primary adaptive services interface.
Options
    interface-name—The identifier for the AS or Multiservices PIC interface, which must be of the form sp-fpc/pic/port.
Usage Guidelines
    See Configuring AS or Multiservices PIC Redundancy on page 620.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

rate
Syntax
    rate new-sessions-per-second;
Hierarchy Level
    [edit interfaces interface-name services-options session-limit]
Release Information
    Statement introduced in Junos OS Release 9.6.
Description
    Specify the maximum number of new sessions allowed per second.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


redundancy-options
Syntax
    redundancy-options {
        primary sp-fpc/pic/port;
        secondary sp-fpc/pic/port;
    }
Hierarchy Level
    [edit interfaces (rsp0 | rsp1)]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the primary and secondary (backup) adaptive services interfaces.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring AS or Multiservices PIC Redundancy on page 620.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

secondary
Syntax
    secondary interface-name;
Hierarchy Level
    [edit interfaces (rsp0 | rsp1) redundancy-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the secondary (backup) adaptive services interface.
Options
    interface-name—The identifier for the adaptive services interface, which must be of the form sp-fpc/pic/port.
Usage Guidelines
    See Configuring AS or Multiservices PIC Redundancy on page 620.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


service
Syntax
    service {
        input {
            [ service-set service-set-name <service-filter filter-name> ];
            post-service-filter filter-name;
        }
        output {
            [ service-set service-set-name <service-filter filter-name> ];
        }
    }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the service sets and filters to be applied to an interface.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

service-domain
Syntax
    service-domain (inside | outside);
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the service interface domain. If you specify this interface using the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level, the interface domain must match that specified with the inside-service-interface and outside-service-interface statements.
Options
    inside—Interface used within the network.
    outside—Interface used outside the network.
Usage Guidelines
    See Configuring the Address and Domain for Services Interfaces on page 614.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


service-filter
Syntax
    service-filter filter-name;
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet service (input | output)],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet service (input | output)]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the filter to be applied to traffic before it is accepted for service processing. Configuration of a service filter is optional; if you include the service-set statement without a service-filter definition, the router software assumes that the match condition is true and selects the service set for processing automatically.
Options
    filter-name—Identifies the filter to be applied in service processing.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

service-set
Syntax
    service-set service-set-name;
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet service (input | output)],
    [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet service (input | output)]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define one or more service sets to be applied to an interface. If you define multiple service sets, the router software evaluates the filters in the order in which they appear in the configuration.
Options
    service-set-name—Identifies the service set.
Usage Guidelines
    See Applying Filters and Services to Interfaces on page 618.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


services
Syntax
    services severity-level;
Hierarchy Level
    [edit interfaces interface-name services-options syslog host hostname]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the system logging severity level.
Options
    severity-level—Assigns a severity level to the facility. Valid entries include:
        alert—Conditions that should be corrected immediately.
        any—Matches any level.
        critical—Critical conditions.
        emergency—Panic conditions.
        error—Error conditions.
        info—Informational messages.
        notice—Conditions that require special handling.
        warning—Warning messages.
Usage Guidelines
    See Configuring System Logging for Services Interfaces on page 616.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


services-options
Syntax
    services-options {
        cgn-pic;
        disable-global-timeout-override;
        ignore-errors <alg> <tcp>;
        inactivity-non-tcp-timeout seconds;
        inactivity-tcp-timeout seconds;
        inactivity-timeout seconds;
        open-timeout seconds;
        session-limit {
            maximum number;
            rate new-sessions-per-second;
        }
        session-timeout seconds;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                port port-number;
                services severity-level;
            }
            message-rate-limit messages-per-second;
        }
        tcp-tickles tcp-tickles;
    }
Hierarchy Level
    [edit interfaces interface-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the service options to be applied on an interface.
Options
    The remaining statements are explained separately.
Usage Guidelines
    See Interface Properties.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
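An added example (not from the guide) that pulls the services-options statements in this chapter into one configuration for a services PIC: flow timeouts tightened below the 30-second default, a session-limit so that a flood of new flows cannot exhaust the PIC's session table, and service logging sent to an external collector with a rate limit so the log stream itself cannot overwhelm the host. The interface name sp-1/2/0, the collector address 192.0.2.10, the log prefix and every numeric value are constructed for illustration and sit within the ranges the statement entries give.

```junos
[edit interfaces sp-1/2/0]
services-options {
    /* Established-flow and TCP-handshake timeouts (range 4..86,400 s, default 30 s) */
    inactivity-timeout 60;
    open-timeout 10;
    /* Bound total sessions and the rate of new sessions on the PIC (constructed values) */
    session-limit {
        maximum 500000;
        rate 20000;
    }
    /* Keep-alives sent before a TCP session may time out (range 0..30, default 4) */
    tcp-tickles 2;
    /* Service log messages to an external collector; values set here are
       overridden by anything configured in the service set definition */
    syslog {
        host 192.0.2.10 {
            services warning;
            facility-override local3;
            log-prefix sp-1-2-0;   /* constructed prefix so a collector can tell PICs apart */
            port 514;
        }
        message-rate-limit 1000;
    }
}
```

If the PIC is part of an rsp redundancy pair, the same stanza is applied at the [edit interfaces rspnumber] hierarchy level instead, since the section on AS or Multiservices PIC redundancy states that the member sp interface itself cannot carry configured services.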


session-limit
Syntax
    session-limit {
        maximum number;
        rate new-sessions-per-second;
    }
Hierarchy Level
    [edit interfaces interface-name services-options]
Release Information
    Statement introduced in Junos OS Release 9.6.
Description
    Restrict the maximum number of sessions and the session rate on Multiservices PICs.
Options
    session-limit—Restricts the maximum number of sessions and the session rate for Multiservices PICs.
    The remaining statements are explained separately.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

syslog
Syntax
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
            port port-number;
        }
        message-rate-limit messages-per-second;
    }
Hierarchy Level
    [edit interfaces interface-name services-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure generation of system log messages for the service set. System log information is passed to the kernel for logging in the /var/log directory. Any values configured in the service set definition override these values.
Options
    The remaining statements are described separately.
Usage Guidelines
    See Configuring System Logging for Services Interfaces on page 616.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


tcp-tickles

Syntax
tcp-tickles tcp-tickles;

Hierarchy Level
[edit interfaces interface-name services-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Define the maximum number of keep-alive messages sent before a TCP session is allowed to time out.

Options
tcp-tickles: Number of keep-alive messages.
Range: 0 through 30
Default: 4

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Default Timeout Settings for Services Interfaces on page 614
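An added configuration example, not from the guide, that combines the services-options statements summarized above (session-limit, syslog and tcp-tickles) on one Multiservices PIC interface; the interface name, collector address and all numeric values are constructed for illustration, not recommended settings:

```junos
interfaces {
    ms-1/2/0 {                          # constructed interface name
        services-options {
            # Idle flows are torn down before the platform defaults would
            # expire them, so abandoned sessions do not pin flow-table memory
            inactivity-tcp-timeout 900;
            inactivity-non-tcp-timeout 60;
            # Cap concurrent sessions and the admission rate of new sessions
            # (Release 9.6 and later); hitting either limit is a
            # resource-exhaustion symptom worth alerting on
            session-limit {
                maximum 250000;
                rate 10000;
            }
            # Interface-level syslog defaults; a syslog block inside a
            # service-set definition overrides these for that service set
            syslog {
                host 192.0.2.50 {           # constructed collector address
                    services warning;
                    facility-override local3;
                    log-prefix ms-1-2-0;
                    port 514;
                }
                message-rate-limit 500;     # bounds log volume under a flood
            }
            # Release 11.4 and later: two keep-alives (default is 4) before
            # an idle TCP session is allowed to time out
            tcp-tickles 2;
        }
    }
}
```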


unit

Syntax
unit logical-unit-number {
    family inet {
        address address {
        }
        service {
            input {
                [ service-set service-set-name <service-filter filter-name> ];
                post-service-filter filter-name;
            }
            output {
                [ service-set service-set-name <service-filter filter-name> ];
            }
        }
        service-domain (inside | outside);
    }
}

Hierarchy Level
[edit interfaces interface-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Options
logical-unit-number: Number of the logical unit.
Range: 0 through 16,384
The remaining statements are explained separately.

Usage Guidelines
For a general discussion of logical interface properties, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


CHAPTER 30

PGCP Configuration Guidelines for the BGF Feature


To configure the border gateway function (BGF), include the pgcp statement at the [edit services] hierarchy level:

[edit services]
pgcp {
    gateway gateway-name {
        cleanup-timeout seconds;
        gateway-address gateway-address;
        fast-update-filters {
            maximum-terms number-of-terms;
            maximum-fuf-percentage percentage;
        }
        gateway-controller gateway-controller-name {
            controller-address ip-address;
            controller-port port-number;
            interim-ah-scheme {
                algorithm algorithm;
            }
        }
        gateway-port gateway-port;
        graceful-restart {
            maximum-synchronization-mismatches number-of-mismatches;
            seconds;
        }
        data-inactivity-detection {
            inactivity-delay seconds;
            latch-deadlock-delay seconds;
            no-rtcp-check;
            send-notification-on-delay;
            inactivity-duration seconds;
            stop-detection-on-drop;
            report-service-change {
                service-change-type (forced-906 | forced-910);
            }
        }
        h248-options {
            audit-observed-events-returns;
            encoding {
                no-dscp-bit-mirroring;
                use-lower-case;
            }
            h248-profile {
                profile-name profile-name;
                profile-version version-number;
            }
            service-change {
                control-association-indications {
                    disconnect {
                        controller-failure (failover-909 | restart-902);
                        reconnect (disconnected-900 | restart-902);
                    }
                    down {
                        administrative (forced-905 | forced-908 | none);
                        failure (forced-904 | forced-908 | none);
                        graceful (graceful-905 | none);
                    }
                    up {
                        cancel-graceful (none | restart-918);
                        failover-cold (failover-920 | restart-901);
                        failover-warm (failover-919 | restart-902);
                    }
                }
                virtual-interface-indications {
                    virtual-interface-down {
                        administrative (forced-905 | forced-906 | none);
                        graceful (graceful-905 | none);
                    }
                    virtual-interface-up {
                        cancel-graceful (none | restart-918);
                        warm (none | restart-900);
                    }
                }
                context-indications {
                    state-loss (forced-910 | forced-915 | none);
                }
                use-wildcard-response;
            }
        }
        h248-properties {
            application-data-inactivity-detection {
                ip-flow-stop-detection (regulated-notify | immediate-notify);
            }
            base-root {
                mg-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mg-originated-pending-limit {
                    default number-of-messages;
                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                mgc-originated-pending-limit {
                    default number-of-messages;
                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                normal-mg-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                normal-mgc-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
            }
            diffserv {
                dscp {
                    default (dscp-value | alias | do-not-change);
                }
            }
            event-timestamp-notification {
                request-timestamp (requested | suppressed | autonomous);
            }
            hanging-termination-detection {
                timerx seconds;
            }
            ipsec-transport-security-association security-association-name;
            notification-behavior {
                notification-regulation default (once | 0 - 100);
            }
            platform {
                device interface-name;
                routing-engine;
            }
            segmentation {
                mg-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mg-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
                mgc-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
            }
            traffic-management {
                max-burst-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                peak-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                sustained-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
            }
            inactivity-timer {
                inactivity-timeout {
                    detect;
                    maximum-inactivity-time {
                        default 10-millisecond-units;
                        maximum 10-millisecond-units;
                        minimum 10-millisecond-units;
                    }
                }
            }
        }
        h248-timers {
            initial-average-ack-delay milliseconds;
            maximum-net-propagation-delay milliseconds;
            maximum-waiting-delay milliseconds;
            tmax-retransmission-delay milliseconds;
        }
        max-concurrent-calls number-of-calls;
        monitor {
            media {
                rtcp;
                rtp;
            }
        }
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
        session-mirroring {
            delivery-function delivery-function-name {
                destination-address destination-address;
                destination-port destination-port;
                network-operator-id network-operator-id;
                source-address source-address;
                source-port source-port;
            }
            disable-session-mirroring;
        }
    }
    rule rule-name {
        gateway gateway-name;
        nat-pool nat-pool-name;
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    session-mirroring {
        delivery-function delivery-function-name {
            destination-address destination-address;
            destination-port destination-port;
            network-operator-id network-operator-id;
            source-address source-address;
            source-port source-port;
        }
        disable-session-mirroring;
    }
    traceoptions {
        file <filename filename> <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag {
            bgf-core {
                common trace-level;
                default trace-level;
                firewall trace-level;
                gate-logic trace-level;
                pic-broker trace-level;
                policy trace-level;
                statistics trace-level;
            }
            default trace-level;
            h248-stack {
                control-association trace-level;
                default trace-level;
                messages;
                media-gateway trace-level;
            }
            sbc-utils {
                common trace-level;
                configuration trace-level;
                default trace-level;
                device-monitor trace-level;
                ipc trace-level;
                memory-management trace-level;
                messaging trace-level;
                user-interface trace-level;
            }
        }
    }
    virtual-interface number {
        nat-pool nat-pool-name;
        routing-instance instance-name {
            service-interface interface-name.unit-number;
        }
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
    }
}

For information about using the PGCP statements to configure the BGF feature, see the Session Border Control Solutions Guide Using BGF and IMSG.


CHAPTER 31

Summary of PGCP Configuration Statements


The following sections explain each of the PGCP statements, which are used to configure the BGF feature. The statements are organized alphabetically.


administrative

See the following sections:
administrative (Control Association) on page 650
administrative (Virtual Interface) on page 651

administrative (Control Association)

Syntax
administrative (forced-905 | forced-908 | none);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications down]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Unregistration Messages in ServiceChange commands that it sends to the gateway controller when a control association transitions to Out-of-Service because of an administrative operation.

Default
If you do not specify an option, the virtual BGF includes FO/905 (forced-905).

Options
forced-905: Termination is being taken out of service. The virtual BGF is transitioning to Out-of-Service because of an administrative operation.
forced-908: Termination is being taken out of service. The virtual BGF is transitioning to Out-of-Service because of an administrative operation or error.
none: The virtual BGF does not send a ServiceChange command to the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


administrative (Virtual Interface)

Syntax
administrative (forced-905 | forced-906 | none);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change virtual-interface-indications virtual-interface-down]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Service-Interruption ServiceChange commands that it sends to the gateway controller when a virtual interface changes to Out-of-Service because of an administrative operation.

Default
If you do not specify an option, the virtual BGF includes FO/905 (forced-905).

Options
forced-905: Termination is being taken out of service. The virtual interface is transitioning to Out-of-Service because of an administrative operation.
forced-906: Loss of lower-layer connectivity. The virtual interface is transitioning to Out-of-Service because of a loss of Layer 2 connectivity caused by the logical or physical interface being administratively disabled.
none: The virtual BGF does not send a ServiceChange command.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


algorithm

Syntax
algorithm algorithm;

Hierarchy Level
[edit services pgcp gateway gateway-name gateway-controller gateway-controller-name interim-ah-scheme]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Specify the algorithm for the interim AH scheme. Once you set the algorithm for the interim AH scheme, disabling the interim AH scheme requires removing the algorithm and restarting the PGCP service.

Options
algorithm: Algorithm used for the interim AH scheme. HMAC null is currently the only algorithm supported.
Values: hmac-null

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG

application-data-inactivity-detection

Syntax
application-data-inactivity-detection {
    ip-flow-stop-detection (regulated-notify | immediate-notify);
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Activate or deactivate regulated notification of media inactivity events.

Options
The statement is explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring H.248 Notification Behavior to Prevent Excessive Media Inactivity Notifications in Session Border Control Solutions Guide Using BGF and IMSG


audit-observed-events-returns

Syntax
audit-observed-events-returns;

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Enable a history of media inactivity events to be viewed by the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring H.248 Notification Behavior to Prevent Excessive Media Inactivity Notifications in Session Border Control Solutions Guide Using BGF and IMSG


base-root

Syntax
base-root {
    mg-provisional-response-timer-value {
        default milliseconds;
        maximum milliseconds;
        minimum milliseconds;
    }
    mgc-provisional-response-timer-value {
        default milliseconds;
        maximum milliseconds;
        minimum milliseconds;
    }
    mg-originated-pending-limit {
        default number-of-messages;
        maximum number-of-messages;
        minimum number-of-messages;
    }
    mgc-originated-pending-limit {
        default number-of-messages;
        maximum number-of-messages;
        minimum number-of-messages;
    }
    normal-mg-execution-time {
        default milliseconds;
        maximum milliseconds;
        minimum milliseconds;
    }
    normal-mgc-execution-time {
        default milliseconds;
        maximum milliseconds;
        minimum milliseconds;
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Configure default values for properties in the base root package defined in Annex E of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.

Options
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG


bgf-core

Syntax
bgf-core {
    default trace-level;
    firewall trace-level;
    gate-logic trace-level;
    pic-broker trace-level;
    policy trace-level;
    statistics trace-level;
}

Hierarchy Level
[edit services pgcp gateway gateway-name traceoptions flag]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure trace-level options for the BGF core component of the virtual BGF.

Options
default trace-level: Default trace level for all bgf-core messages.
firewall trace-level: Trace level for the firewall subcomponent, which controls firewall filters, connections, and all relevant firewall activities.
gate-logic trace-level: Trace level for the gate-logic subcomponent, which controls gate common logic, gate lookup, and gate manager activities.
pic-broker trace-level: Trace level for the pic-broker subcomponent, which controls gates on the PIC.
policy trace-level: Trace level for the policy subcomponent, which controls media function and socket policy.
statistics trace-level: Trace level for the statistics subcomponent, which provides pgcpd statistics.
trace-level: Trace-level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:
    debug: Logging of all code flow of control.
    trace: Logging of program trace START and EXIT macros.
    info: Summary logs for normal operations, such as the policy decisions made for a call.
    warning: Failure recovery or failure of an external entity.
    error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


Related Documentation

Session Border Control Solutions Guide Using BGF and IMSG


cancel-graceful

See the following sections:
cancel-graceful (Control Association) on page 657
cancel-graceful (Virtual Interface) on page 658

cancel-graceful (Control Association)

Syntax
cancel-graceful (none | restart-918);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications up]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Notification ServiceChange commands that it sends to the gateway controller when the control association transitions from the Draining state to the Forwarding state.

Default
If you do not specify an option, the virtual BGF does not send a ServiceChange command.

Options
none: The virtual BGF does not send a ServiceChange command to the gateway controller.
restart-918: The control association has returned to the Forwarding state.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


cancel-graceful (Virtual Interface)

Syntax
cancel-graceful (none | restart-918);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change virtual-interface-indications virtual-interface-up]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Notification ServiceChange commands that it sends to the gateway controller when the virtual interface transitions from In-Service to Out-of-Service-Graceful.

Default
If you do not specify an option, the virtual BGF does not send a ServiceChange command.

Options
none: The virtual BGF does not send a ServiceChange command.
restart-918: Cancel graceful. The virtual interface has entered the Draining state.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG

cleanup-timeout

Syntax
cleanup-timeout seconds;

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Configure the number of seconds before the virtual BGF automatically deletes all gates following a disconnection from the gateway controller.

Options
seconds: Interval before inactivity detection starts.
Range: 0 through 65,535 seconds
Default: 3600 seconds

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG


context-indications

Syntax
context-indications {
    state-loss (forced-910 | forced-915 | none);
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Service-Interruption ServiceChange commands that it sends to the gateway controller when the gates of a context no longer provide their configured services. When the virtual BGF sends a Service-Interruption message, both terminations in the context become Out-of-Service.

Options
The options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Contexts in Session Border Control Solutions Guide Using BGF and IMSG


control-association-indications

Syntax
control-association-indications {
    disconnect {
        controller-failure (failover-909 | restart-902);
        reconnect (disconnected-900 | restart-902);
    }
    down {
        administrative (forced-905 | forced-908 | none);
        failure (forced-904 | forced-908 | none);
        graceful (graceful-905 | none);
    }
    up {
        cancel-graceful (none | restart-918);
        failover-cold (failover-920 | restart-901);
        failover-warm (failover-919 | restart-902);
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in ServiceChange commands that it sends to the gateway controller when the state of the control association changes.

Options
The options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


controller-address

Syntax
controller-address ip-address;

Hierarchy Level
[edit services pgcp gateway gateway-name gateway-controller gateway-controller-name]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Configure an IP address for the gateway controller.

Options
ip-address: IP address of the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a Gateway Controller in Session Border Control Solutions Guide Using BGF and IMSG

controller-failure

Syntax
controller-failure (failover-909 | restart-902);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications disconnect]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Registration Request ServiceChange commands when it attempts to reregister with the gateway controller or register with a new gateway controller after the control association is disconnected.

Default
If you do not specify an option, the virtual BGF includes RS/902 (restart-902).

Options
failover-909: Gateway controller impending failure. The virtual BGF is reregistering with a new gateway controller following a disconnection of the virtual BGF and gateway controller.
restart-902: Warm boot. The virtual BGF is attempting to reregister with existing states after a gateway controller failure.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


controller-port

Syntax
controller-port port-number;

Hierarchy Level
[edit services pgcp gateway gateway-name gateway-controller gateway-controller-name]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Configure the port number of the gateway controller listening port. The virtual BGF sends H.248 messages to this port.

Options
port-number: Port number of the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

data-inactivity-detection

Syntax
data-inactivity-detection {
    inactivity-delay seconds;
    inactivity-duration seconds;
    latch-deadlock-delay seconds;
    no-rtcp-check;
    send-notification-on-delay;
    stop-detection-on-drop;
    report-service-change {
        service-change-type (forced-906 | forced-910);
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Configure data inactivity detection to detect latch deadlocks or other media inactivity on a gate.

Options
The statements are described separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG


default

Syntax
default trace-level;

Hierarchy Level
[edit services pgcp gateway gateway-name traceoptions flag]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure the minimum trace level for all selected PGCP trace options. This option overrides individual trace options that are set at a lower level.

Default
warning

Options
trace-level: Enter one of the following trace levels as the trace-level:
    debug: Logging of all code flow of control.
    trace: Logging of program trace START and EXIT macros.
    info: Summary logs for normal operations, such as the policy decisions made for a call.
    warning: Failure recovery or failure of an external entity.
    error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG


delivery-function

Syntax
delivery-function delivery-function-name {
    destination-address destination-address;
    destination-port destination-port;
    network-operator-id network-operator-id;
    source-address source-address;
    source-port source-port;
}

Hierarchy Level
[edit services pgcp session-mirroring],
[edit services pgcp gateway gateway-name session-mirroring]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Configure the delivery function that receives the session mirroring information. You can configure only one delivery function.

Options
delivery-function-name: Name of the delivery function that receives the session mirroring information.

Required Privilege Level
pgcp-session-mirroring: To view this statement in the configuration.
pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
Setting Up Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG

destination-address

Syntax
destination-address destination-address;

Hierarchy Level
[edit services pgcp session-mirroring delivery-function delivery-function-name],
[edit services pgcp gateway gateway-name session-mirroring delivery-function delivery-function-name]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Configure the address of the delivery function server to which the BGF sends session-mirroring information.

Options
destination-address: Address of the server to which the BGF sends session-mirroring information.

Required Privilege Level
pgcp-session-mirroring: To view this statement in the configuration.
pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
Setting Up Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG


destination-port

Syntax
destination-port destination-port;

Hierarchy Level
[edit services pgcp session-mirroring delivery-function delivery-function-name],
[edit services pgcp gateway gateway-name session-mirroring delivery-function delivery-function-name]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Configure the port on the delivery function server that receives session-mirroring information.

Options
destination-port: Port on the delivery function server that receives session-mirroring information.
Range: 1 through 65,535

Required Privilege Level
pgcp-session-mirroring: To view this statement in the configuration.
pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
Setting Up Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG

detect

Syntax
detect;

Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties inactivity-timer inactivity-timeout]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Specify whether the BGF detects inactivity timeout events received from the BGF by default.

Default
The BGF does not detect inactivity timeout events by default.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Detecting Gateway Controller Failures in Session Border Control Solutions Guide Using BGF and IMSG


diffserv

Syntax
diffserv {
    dscp {
        default (dscp-value | alias | do-not-change);
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]

Release Information
Statement introduced in Junos OS Release 9.0.

Description
Configure default values for properties in the Differentiated Services (DiffServ) package defined in Annex A.2 of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.

Options
Statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

disable-session-mirroring

Syntax
disable-session-mirroring;

Hierarchy Level
[edit services pgcp session-mirroring],
[edit services pgcp gateway gateway-name session-mirroring]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Disable or enable session mirroring on the BGF. To disable session mirroring, enter set disable-session-mirroring. To enable session mirroring, enter delete disable-session-mirroring.

Required Privilege Level
pgcp-session-mirroring: To view this statement in the configuration.
pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
Disabling Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG
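The following configuration-mode session is an added example and is not taken from this guide. It defines one session-mirroring delivery function with the destination-port statement above, then shows how disable-session-mirroring is used to pause mirroring without discarding the delivery-function definition. The gateway name bgf1, the delivery-function name df1, and every address and port are placeholders chosen for the example.

```junos
edit services pgcp gateway bgf1 session-mirroring
set delivery-function df1 destination-address 192.0.2.10
set delivery-function df1 destination-port 6000
set delivery-function df1 source-address 203.0.113.5
set delivery-function df1 source-port 5000
top
show | compare
commit check
commit
edit services pgcp gateway bgf1 session-mirroring
set disable-session-mirroring
commit
delete disable-session-mirroring
commit
top
show services pgcp gateway bgf1 session-mirroring
```

Two points worth checking on a real box. First, the privilege split: these statements sit under pgcp-session-mirroring and pgcp-session-mirroring-control, not under interface-control like the rest of the BGF configuration, so a login class that only grants interface-control can configure the gateway but cannot view or change where mirrored session information is sent. Second, destination-port accepts 1 through 65,535, so a value of 0 fails at commit check rather than silently disabling delivery; the disable-session-mirroring statement is the supported way to stop mirroring while keeping the delivery function ready to resume.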


disconnect

Syntax
disconnect {
    controller-failure (failover-909 | restart-902);
    reconnect (disconnected-900 | restart-902);
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Registration Request ServiceChange commands when it attempts to reregister with the gateway controller, or to register with a new gateway controller, after the control association is disconnected.

Options
The options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in Service Change Commands in Session Border Control Solutions Guide Using BGF and IMSG


down

Syntax
down {
    administrative (forced-905 | forced-908 | none);
    failure (forced-904 | forced-908 | none);
    graceful (graceful-905 | none);
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Unregistration ServiceChange commands that it sends to the gateway controller when a control association transitions to Out-of-Service. The transition can be administrative, graceful, or the result of a failure, for example a services PIC or DPC failing, being powered off, or being removed.

Options
The options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG
Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


dscp

Syntax
dscp {
    default (dscp-value | alias | do-not-change);
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties diffserv]

Release Information
Statement introduced in Junos OS Release 9.0.

Description
Configure the default DSCP marking that the virtual BGF applies to outgoing traffic when the gateway controller has not already defined the DSCP value.

Default
The default DSCP value that the virtual BGF uses is zero (0x00).

Options
dscp-value: Specify a string of eight bits or a 1-byte hexadecimal value using the format 0xXX. Currently, only six of the eight bits are used by the packet.
alias: Specify a standard DSCP name. The standard name is translated to an 8-bit string with the two least significant bits (LSBs) set to zero; for example, EF=10111000.
do-not-change: Specify that no DSCP action be performed on the PIC or DPC. The egress value on the gate is the same as the ingress DSCP value.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Quality of Service for VoIP Traffic Overview in Session Border Control Solutions Guide Using BGF and IMSG

encoding

Syntax
encoding {
    no-dscp-bit-mirroring;
    use-lower-case;
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options]

Release Information
Statement introduced in Junos OS Release 9.3.
use-lower-case option introduced in Junos OS Release 9.5.

Description
Change encoding defaults.

Options
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


event-timestamp-notification

Syntax
event-timestamp-notification {
    request-timestamp (requested | suppressed | autonomous);
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Enable or disable access by the gateway controller to timestamp information for media inactivity event notifications.

Options
The statement is explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Quality of Service for VoIP Traffic Overview in Session Border Control Solutions Guide Using BGF and IMSG

failover-cold

Syntax
failover-cold (failover-920 | restart-901);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications up]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Registration ServiceChange commands when it attempts to register with a new gateway controller following a cold failover.

Default
If you do not specify an option, the virtual BGF includes RS/901 (restart-901).

Options
failover-920: Cold failover. The virtual BGF is registering following a graceful Routing Engine switchover. The installed state is reset.
restart-901: Cold boot. The virtual BGF is transitioning to In-Service. The previously installed state is not retained.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


failover-warm

Syntax
failover-warm (failover-919 | restart-902);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications up]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Registration ServiceChange commands when it attempts to register with a new gateway controller following a warm failover.

Default
If you do not specify an option, the virtual BGF includes RS/902 (restart-902).

Options
failover-919: Gateway controller impending failure. The virtual BGF is registering with a new gateway controller after the virtual BGF and the gateway controller were disconnected.
restart-902: Warm boot. The virtual BGF is transitioning to In-Service. The previously installed state is retained.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


failure

Syntax
failure (forced-904 | forced-908 | none);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications down]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Unregistration or Notification ServiceChange commands when a control association transitions to Out-of-Service.

Default
If you do not specify an option, the virtual BGF sends ServiceChange command forced-904 to the gateway controller.

Options
forced-904: Termination malfunctioning. The virtual BGF is transitioning to Out-of-Service because of a failure.
forced-908: The virtual BGF is transitioning to Out-of-Service due to administrator action or a failure.
none: The virtual BGF does not send a ServiceChange command to the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


fast-update-filters

Syntax
fast-update-filters {
    maximum-terms number-of-terms;
    maximum-fuf-percentage percentage-of-gates;
}

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 9.1.

Description
Limit the number of fast update filter (FUF) terms installed on the Packet Forwarding Engine for a virtual BGF. This improves performance when the software is collecting statistics on packets that are dropped because they exceed the rate limits set in FUFs.

Options
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Improving Performance While Collecting Gate Statistics in Session Border Control Solutions Guide Using BGF and IMSG


file

Syntax
file <filename> <files files> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;

Hierarchy Level
[edit services pgcp traceoptions]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure the trace file for tracing BGF components.

Options
filename: Name of the file to which the tracing messages are written.
Default: bsg_trace
files number-of-files: Number of trace files. The tracing mechanism can rotate between any given number of files, allowing trace messages to be inspected without interfering with the normal work of the application.
Default: 3
match regular-expression: Regular expression to match against incoming messages. Messages that do not match the regular expression are not written to the trace file.
size maximum-trace-file-size: Size (in bytes) that triggers rotation of the files. The trace mechanism rotates files based on the current file size; when the file grows beyond the maximum configured size, the files are rotated.
Default: 1048576
world-readable | no-world-readable: Allow all users to read the trace file, or restrict read access to the trace file.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG


flag

Syntax
flag {
    default trace-level;
    bgf-core {
        default trace-level;
        firewall trace-level;
        gate-logic trace-level;
        pic-broker trace-level;
        policy trace-level;
        statistics trace-level;
    }
    h248-stack {
        default trace-level;
        messages;
        control-association trace-level;
        media-gateway trace-level;
    }
    sbc-utils {
        common trace-level;
        configuration trace-level;
        device-monitor trace-level;
        ipc trace-level;
        memory-management trace-level;
        message trace-level;
        minimum trace-level;
        user-interface trace-level;
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name traceoptions]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure trace options for components of the BGF.

Options
The options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG
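The following is an added example, not the guide's own text, combining the file and flag statements: it writes the H.248 messages exchanged by one virtual BGF to a rotated trace file that other users on the router cannot read. The file name bgf-trace, the size and file count, and the gateway name bgf1 are placeholder choices; the trace-file location /var/log is the standard Junos trace directory and is assumed here rather than stated on this page.

```junos
edit services pgcp traceoptions
set file bgf-trace size 10485760 files 5 no-world-readable
top
edit services pgcp gateway bgf1 traceoptions
set flag h248-stack messages
top
commit check
commit
run file list detail /var/log/bgf-trace
run show log bgf-trace
```

The h248-stack messages option takes no trace level; it simply copies H.248 messages into the trace file, so the file ends up holding the gateway controller's commands, including the media addresses and ports it programs into each gate. That is why no-world-readable is the sensible choice here, and the file list detail command confirms the resulting permissions before the trace is left running. If only ServiceChange traffic is of interest, a match regular-expression on the file statement drops every line that does not match, which keeps the file small but also hides the rest of the exchange.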


gateway

Syntax
pgcp {
    gateway gateway-name {
        cleanup-timeout seconds;
        gateway-address gateway-address;
        gateway-controller gateway-controller-name {
            local-controller | remote-controller;
            controller-address ip-address;
            controller-port port-number;
            interim-ah-scheme {
                algorithm algorithm;
            }
        }
        gateway-port gateway-port;
        graceful-restart {
            maximum-synchronization-mismatches number-of-mismatches;
            seconds;
        }
        data-inactivity-detection {
            inactivity-delay seconds;
            latch-deadlock-delay seconds;
            send-notification-on-delay;
            inactivity-duration seconds;
            no-rtcp-check;
            stop-detection-on-drop;
            report-service-change {
                service-change-type (forced-906 | forced-910);
            }
        }
        h248-properties {
            application-data-inactivity-detection {
                ip-flow-stop-detection (regulated-notify | immediate-notify);
            }
            base-root {
                mg-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mg-originated-pending-limit {
                    default number-of-messages;
                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                mgc-originated-pending-limit {
                    default number-of-messages;
                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                normal-mg-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                normal-mgc-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
            }
            diffserv {
                dscp {
                    default (dscp-value | alias | do-not-change);
                }
            }
            event-timestamp-notification {
                request-timestamp (requested | suppressed | autonomous);
            }
            hanging-termination-detection {
                timerx seconds;
            }
            ipsec-transport-security-association security-association-name;
            notification-behavior {
                notification-regulation default (once | 0-100);
            }
            platform {
                device interface-name;
                routing-engine;
            }
            segmentation {
                mg-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mg-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
                mgc-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
            }
            traffic-management {
                max-burst-size {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                peak-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                    rtcp-include;
                }
                sustained-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                    rtcp-include;
                }
            }
            inactivity-timer {
                inactivity-timeout {
                    detect;
                    maximum-inactivity-time {
                        default 10-millisecond-units;
                        maximum 10-millisecond-units;
                        minimum 10-millisecond-units;
                    }
                }
            }
        }
        h248-options {
            accept-emergency-calls-while-graceful;
            audit-observed-events-returns;
            encoding {
                no-dscp-bit-mirroring;
                use-lower-case;
            }
            h248-profile {
                profile-name profile-name;
                profile-version version-number;
            }
            implicit-tcp-latch;
            implicit-tcp-source-filter;
            service-change {
                control-association-indications {
                    disconnect {
                        controller-failure (failover-909 | restart-902);
                        reconnect (disconnected-900 | restart-902);
                    }
                    down {
                        administrative (forced-905 | forced-908 | none);
                        failure (forced-904 | forced-908 | none);
                        graceful (graceful-905 | none);
                    }
                    up {
                        cancel-graceful (none | restart-918);
                        failover-cold (failover-920 | restart-901);
                        failover-warm (failover-919 | restart-902);
                    }
                }
                virtual-interface-indications {
                    virtual-interface-down {
                        administrative (forced-905 | forced-906 | none);
                        graceful (graceful-905 | none);
                    }
                    virtual-interface-up {
                        cancel-graceful (none | restart-918);
                        warm (none | restart-900);
                    }
                }
                context-indications {
                    state-loss (forced-910 | forced-915 | none);
                }
                use-wildcard-response;
            }
        }
        h248-timers {
            initial-average-ack-delay milliseconds;
            maximum-net-propagation-delay milliseconds;
            maximum-waiting-delay milliseconds;
            tmax-retransmission-delay milliseconds;
        }
        max-concurrent-calls number-of-calls;
        monitor {
            media {
                rtcp;
                rtp;
            }
        }
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
        session-mirroring {
            delivery-function delivery-function-name {
                destination-address destination-address;
                destination-port destination-port;
                network-operator-id network-operator-id;
                source-address source-address;
                source-port source-port;
            }
            disable-session-mirroring;
        }
    }
}

Hierarchy Level
[edit services pgcp]

Release Information
Statement introduced in Junos OS Release 8.4.
graceful-restart option introduced in Junos OS Release 8.5.
h248-options option introduced in Junos OS Release 8.5.
h248-properties option introduced in Junos OS Release 8.5.
monitor option introduced in Junos OS Release 9.0.
session-mirroring option introduced in Junos OS Release 9.2.
data-inactivity-detection option introduced in Junos OS Release 9.3.
overload-control option introduced in Junos OS Release 9.3.
platform option introduced in Junos OS Release 9.6.
h248-profile option introduced in Junos OS Release 10.0.
ipsec-transport-security-association option introduced in Junos OS Release 10.0.

Description
Configure a virtual BGF on the router.

Options
gateway-name: Identifier of the virtual BGF. You can configure an IP address as the gateway name. However, the IP address is not used in the operation of the virtual BGF.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
BGF VoIP Solution Overview in Session Border Control Solutions Guide Using BGF and IMSG
BGF VoIP Solution Architecture in Session Border Control Solutions Guide Using BGF and IMSG
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG

gateway-address

Syntax
gateway-address gateway-address;

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Configure the IP address of the virtual BGF.

Options
gateway-address: IP address of the virtual BGF that you are configuring on the router.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG


gateway-controller

Syntax
gateway-controller gateway-controller-name {
    local-controller | remote-controller;
    <controller-address ip-address;>
    <controller-port port-number;>
    interim-ah-scheme {
        algorithm algorithm;
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.4.
local-controller option introduced in Junos OS Release 9.4.
remote-controller option introduced in Junos OS Release 9.4.

Description
Configure a gateway controller.

Options
gateway-controller-name: Name of the gateway controller or BSG. You can configure an IP address as the gateway controller name. However, the IP address is not used for the connection to the gateway controller.
local-controller | remote-controller: Type of gateway controller.
    remote-controller: Configure the gateway controller as a remote controller if you are using an external gateway controller. You must specify controller-address and controller-port.
    local-controller: Configure the gateway controller as a local controller if you are using a border signaling gateway (BSG).
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG


gateway-port

Syntax
gateway-port gateway-port;

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.4.

Description
Configure a port number for the virtual BGF.

Options
gateway-port: Port number of the virtual BGF that you are configuring on the router.
Range: 0 through 65,535
Default: 2944

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG


graceful

See the following sections:
graceful (Control Association) on page 683
graceful (Virtual Interface) on page 684

graceful (Control Association)

Syntax
graceful (graceful-905 | none);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications down]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Notification ServiceChange commands that it sends to the gateway controller when the control association transitions from In-Service to Out-of-Service-Graceful.

Default
If you do not specify an option, the virtual BGF does not send a ServiceChange command.

Options
graceful-905: Termination is being taken out of service. The control association has entered the Draining state.
none: The virtual BGF does not send a ServiceChange command to the gateway controller.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG


graceful (Virtual Interface)

Syntax
graceful (graceful-905 | none);

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change virtual-interface-indications virtual-interface-down]

Release Information
Statement introduced in Junos OS Release 9.3.

Description
Specify the method and reason that the virtual BGF includes in Notification ServiceChange commands that it sends to the gateway controller when the virtual interface transitions from In-Service to Out-of-Service-Graceful.

Default
If you do not specify an option, the virtual BGF does not send a ServiceChange command.

Options
graceful-905: Termination is being taken out of service. The interface has entered the Draining state.
none: The virtual BGF does not send a ServiceChange command.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

graceful-restart

Syntax
graceful-restart {
    maximum-synchronization-mismatches number-of-mismatches;
    seconds;
}

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Configure graceful restart properties that are used during synchronization between the pgcpd process and the Multiservices PIC or DPC.

Options
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Synchronization Properties in Case of Routing Engine Failure in Session Border Control Solutions Guide Using BGF and IMSG


h248-options

Syntax
h248-options {
    accept-emergency-calls-while-graceful;
    audit-observed-events-returns;
    encoding {
        no-dscp-bit-mirroring;
        use-lower-case;
    }
    h248-profile {
        profile-name profile-name;
        profile-version version-number;
    }
    implicit-tcp-latch;
    implicit-tcp-source-filter;
    service-change {
        control-association-indications {
            disconnect {
                controller-failure (failover-909 | restart-902);
                reconnect (disconnected-900 | restart-902);
            }
            down {
                administrative (forced-905 | forced-908 | none);
                failure (forced-904 | forced-908 | none);
                graceful (graceful-905 | none);
            }
            up {
                cancel-graceful (none | restart-918);
                failover-cold (failover-920 | restart-901);
                failover-warm (failover-919 | restart-902);
            }
        }
        virtual-interface-indications {
            virtual-interface-down {
                administrative (forced-905 | forced-906 | none);
                graceful (graceful-905 | none);
            }
            virtual-interface-up {
                cancel-graceful (none | restart-918);
                warm (none | restart-900);
            }
        }
        context-indications {
            state-loss (forced-910 | forced-915 | none);
        }
        use-wildcard-response;
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.5.
accept-emergency-calls-while-graceful option introduced in Junos OS Release 10.2.
audit-observed-events-returns option introduced in Junos OS Release 9.3.
encoding option introduced in Junos OS Release 9.3.
service-change option introduced in Junos OS Release 9.3.
use-lower-case option introduced in Junos OS Release 9.5.
h248-profile option introduced in Junos OS Release 10.0.
implicit-tcp-latch option introduced in Junos OS Release 10.4.
implicit-tcp-source-filter option introduced in Junos OS Release 10.4.

Description
Configure options that affect virtual BGF H.248 behavior.

Options
accept-emergency-calls-while-graceful: Accept emergency calls when the BGF is in a draining state due to a graceful shutdown.
implicit-tcp-latch: If explicit latching has been applied (using ipnapt/latch) on either gate of a gate pair, implicit latching is not applied. If explicit latching has not been applied on either gate, latching is applied to both gates of the gate pair. When either of the gates latches, latching is automatically disabled on the other gate.
implicit-tcp-source-filter: Applies source address (but not source port) filtering on incoming packets, using the current remote destination address, if explicit source filtering has not been applied by use of gm/saf or ipnapt/latch.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Preventing Excessive Media Inactivity Notifications in Session Border Control Solutions Guide Using BGF and IMSG
Enabling Wildcards for ServiceChange Notifications in Session Border Control Solutions Guide Using BGF and IMSG
Configuring Implicit Latching for TCP Gates in Session Border Control Solutions Guide Using BGF and IMSG
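The following configuration-mode session is an added example and not part of this guide. It brings together the h248-options statements documented above: the ServiceChange method and reason for each control-association transition covered by disconnect, down, failover-cold, failover-warm, failure and graceful, the virtual-interface graceful indication, and the implicit TCP latching and source filtering options. The gateway name bgf1 is a placeholder; the reason codes are the ones listed on this page.

```junos
edit services pgcp gateway bgf1 h248-options
set implicit-tcp-latch
set implicit-tcp-source-filter
set accept-emergency-calls-while-graceful
edit service-change control-association-indications
set disconnect controller-failure failover-909
set disconnect reconnect disconnected-900
set down administrative forced-905
set down failure forced-904
set down graceful graceful-905
set up failover-cold failover-920
set up failover-warm failover-919
set up cancel-graceful restart-918
up
set virtual-interface-indications virtual-interface-down graceful graceful-905
top
show services pgcp gateway bgf1 h248-options
commit check
commit
```

Compare each line against the defaults given on this page to see which ones actually change behavior. The down failure forced-904 line restates the default. The two graceful graceful-905 lines do not: with no option configured the BGF sends nothing when it enters the Draining state, so the gateway controller has no signal that this BGF is being taken out of service and keeps routing new calls to it. The failover-cold failover-920 and failover-warm failover-919 lines replace the restart-901 and restart-902 defaults, telling a new controller whether installed state survived. Choosing none for any of these transitions silences that ServiceChange entirely, which is a monitoring blind spot on the controller side and should be a deliberate decision. Finally, implicit-tcp-source-filter checks only the source address, never the source port, and is bypassed whenever the controller has already applied gm/saf or ipnapt/latch to a gate, so it is a fallback, not a substitute for explicit filtering from the controller.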


h248-profile

Syntax
h248-profile {
    profile-name profile-name;
    profile-version version-number;
}

Hierarchy Level
[edit services pgcp gateway gateway-name h248-options]

Release Information
Statement introduced in Junos OS Release 10.0.

Description
Configure the profile that the BGF declares in the initial registration ServiceChange request. The profile is declared according to the H.248 standard, that is, as profile-name/profile-version; for example, ETSI_BGF/1.

Options
The options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring the H.248 Profile in Session Border Control Solutions Guide Using BGF and IMSG
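The following configuration-mode session is an added example, not text from this guide. It builds a minimal virtual BGF from the statements documented above (gateway, gateway-address, gateway-controller, gateway-port and h248-profile) and adds the dscp default and the inactivity-timer detect statement from earlier in this chapter. The gateway name bgf1, the controller name mgc1, and all addresses are placeholders; the profile ETSI_BGF/1 is the example given on this page, and the DSCP value 0xb8 is the EF alias written out as hex (EF = 10111000 per the dscp entry), in lowercase hex digits, which is an assumption since the page only gives the 0xXX format.

```junos
edit services pgcp gateway bgf1
set gateway-address 192.0.2.1
set gateway-port 2944
set gateway-controller mgc1 remote-controller
set gateway-controller mgc1 controller-address 198.51.100.20
set gateway-controller mgc1 controller-port 2944
set h248-options h248-profile profile-name ETSI_BGF
set h248-options h248-profile profile-version 1
set h248-properties diffserv dscp default 0xb8
set h248-properties inactivity-timer inactivity-timeout detect
set service-state in-service
top
show services pgcp gateway bgf1
commit check
commit
```

A few things to check when adapting this. remote-controller requires both controller-address and controller-port, so commit check fails if either is missing. gateway-port 2944 is the default for this statement and is repeated only to make the listening port explicit; whatever can reach gateway-address on that port can open an H.248 control association with this BGF, so restricting reachability of that address and port with the router's own filters is a reasonable precaution, although it is general practice rather than something this page prescribes. The detect statement is left enabled because without it the BGF never generates inactivity timeout events and so cannot notice a dead gateway controller. The interim-ah-scheme algorithm is omitted deliberately, since this page does not list the accepted values.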


h248-properties

Syntax
h248-properties {
    application-data-inactivity-detection {
        ip-flow-stop-detection (regulated-notify | immediate-notify);
    }
    base-root {
        mg-provisional-response-timer-value {
            default milliseconds;
            maximum milliseconds;
            minimum milliseconds;
        }
        mgc-provisional-response-timer-value {
            default milliseconds;
            maximum milliseconds;
            minimum milliseconds;
        }
        mg-originated-pending-limit {
            default number-of-messages;
            maximum number-of-messages;
            minimum number-of-messages;
        }
        mgc-originated-pending-limit {
            default number-of-messages;
            maximum number-of-messages;
            minimum number-of-messages;
        }
        normal-mg-execution-time {
            default milliseconds;
            maximum milliseconds;
            minimum milliseconds;
        }
        normal-mgc-execution-time {
            default milliseconds;
            maximum milliseconds;
            minimum milliseconds;
        }
    }
    diffserv {
        dscp {
            default (dscp-value | alias | do-not-change);
        }
    }
    event-timestamp-notification {
        request-timestamp (requested | suppressed | autonomous);
    }
    hanging-termination-detection {
        timerx seconds;
    }
    segmentation {
        mg-segmentation-timer {
            default milliseconds;
            maximum milliseconds;
            minimum milliseconds;
        }
        mgc-segmentation-timer {
            default milliseconds;
            maximum milliseconds;
            minimum milliseconds;
        }
        mg-maximum-pdu-size {
            default bytes;
            maximum bytes;
            minimum bytes;
        }
        mgc-maximum-pdu-size {
            default bytes;
            maximum bytes;
            minimum bytes;
        }
    }
    traffic-management {
        max-burst-size {
            default bytes-per-second;
            maximum bytes-per-second;
            minimum bytes-per-second;
            rtcp {
                (fixed-value bytes-per-second | percentage percentage);
            }
        }
        peak-data-rate {
            default bytes-per-second;
            maximum bytes-per-second;
            minimum bytes-per-second;
            rtcp {
                (fixed-value bytes-per-second | percentage percentage);
            }
        }
        sustained-data-rate {
            default bytes-per-second;
            maximum bytes-per-second;
            minimum bytes-per-second;
            rtcp {
                (fixed-value bytes-per-second | percentage percentage);
            }
            rtcp-include;
        }
    }
    inactivity-timer {
        inactivity-timeout {
            detect;
            maximum-inactivity-time {
                default 10-millisecond-units;
                maximum 10-millisecond-units;
                minimum 10-millisecond-units;
            }
        }
    }
}

Hierarchy Level
[edit services pgcp gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 8.5.
diffserv option introduced in Junos OS Release 9.0.
inactivity-timer option introduced in Junos OS Release 9.2.
traffic-management option introduced in Junos OS Release 9.2.
application-data-inactivity-detection option introduced in Junos OS Release 9.3.
event-timestamp-notification option introduced in Junos OS Release 9.3.

Description
Configure default values for H.248 properties.

Options
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG
Configuring H.248 Segmentation Properties in Session Border Control Solutions Guide Using BGF and IMSG

690

Copyright 2011, Juniper Networks, Inc.

Chapter 31: Summary of PGCP Configuration Statements

h248-stack
Syntax
h248-stack {
    default trace-level;
    messages trace-level;
    control-association trace-level;
    media-gateway trace-level;
}
Hierarchy Level
[edit services pgcp gateway gateway-name traceoptions flag]
Release Information
Statement introduced in Junos OS Release 9.5.
Description
Configure trace-level options for the H.248 stack component of the virtual BGF.
Options
default trace-level: Default trace level for all h248-stack messages.
messages: When this option is set, H.248 messages are written to the log file.
control-association trace-level: Trace level for traces relevant to the H.248 control association.
media-gateway trace-level: Trace level for libpgcp.
trace-level: Trace-level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:
    debug: Logging of all code flow of control.
    trace: Logging of program trace START and EXIT macros.
    info: Summary logs for normal operations, such as the policy decisions made for a call.
    warning: Failure recovery or failure of an external entity.
    error: Failure with a short-term effect, such as failed processing of a single call.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG

h248-timers
Syntax
h248-timers {
    initial-average-ack-delay milliseconds;
    maximum-net-propagation-delay milliseconds;
    maximum-waiting-delay milliseconds;
    tmax-retransmission-delay milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Configure H.248 timers for the PGCP connection.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

hanging-termination-detection
Syntax
hanging-termination-detection {
    timerx seconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Enable and configure hanging termination detection.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG

inactivity-delay
Syntax
inactivity-delay seconds;
Hierarchy Level
[edit services pgcp gateway gateway-name data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the time after which the virtual BGF begins checking for data packets on terminations that do not include a latch event.
Options
seconds: Time interval before checking for media inactivity.
Range: 0 through 3600
Default: 5
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG

inactivity-duration
Syntax
inactivity-duration seconds;
Hierarchy Level
[edit services pgcp gateway gateway-name data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the time interval that determines inactivity. When the virtual BGF determines that the time since the last packet was received exceeds this duration, the virtual BGF generates an inactivity notification or service change request. The duration timer is the same for terminations with latch events and for terminations without latch events.
Options
seconds: Time during which no packets are received.
Range: 5 through 86400
Default: 30
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG

inactivity-timeout
Syntax
inactivity-timeout {
    detect;
    maximum-inactivity-time {
        default 10-millisecond-units;
        maximum 10-millisecond-units;
        minimum 10-millisecond-units;
    }
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties inactivity-timer]
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Configure the inactivity timeout event. The inactivity timeout event is used to detect that the inactivity timer has expired.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Detecting Gateway Controller Failures in Session Border Control Solutions Guide Using BGF and IMSG

inactivity-timer
Syntax
inactivity-timer {
    inactivity-timeout {
        detect;
        maximum-inactivity-time {
            default 10-millisecond-units;
            maximum 10-millisecond-units;
            minimum 10-millisecond-units;
        }
    }
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Configure the inactivity timer package, which allows the BGF to use message inactivity to detect that its active gateway controller has failed.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Detecting Gateway Controller Failures in Session Border Control Solutions Guide Using BGF and IMSG

initial-average-ack-delay
Syntax
initial-average-ack-delay milliseconds;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-timers]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Configure the value of the average acknowledgment delay (AAD) that the virtual BGF uses before the first AAD is measured. The AAD is explained in Annex D of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.
Options
milliseconds: Assumed initial average delay.
Range: 0 through 65,535
Default: 4000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

interim-ah-scheme
Syntax
interim-ah-scheme {
    algorithm hmac-null;
}
Hierarchy Level
[edit services pgcp gateway gateway-name gateway-controller gateway-controller-name]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Set up the BGF to use the interim AH scheme.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Example: Using the BGF to Provide VoIP Solutions in a Next-Generation Network in Session Border Control Solutions Guide Using BGF and IMSG

ip-flow-stop-detection
Syntax
ip-flow-stop-detection (regulated-notify | immediate-notify);
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties application-data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure regulated or non-regulated (immediate) notification of media inactivity events.
Options
regulated-notify: Activate regulated notification of media inactivity events.
immediate-notify: Activate non-regulated notification of media inactivity events.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Notification Behavior to Prevent Excessive Media Inactivity Notifications in Session Border Control Solutions Guide Using BGF and IMSG

ipsec-transport-security-association
Syntax
ipsec-transport-security-association security-association-name;
Hierarchy Level
[edit services pgcp gateway gateway-name]
Release Information
Statement introduced in Junos OS Release 10.0.
Description
Specify the IPsec security association to be used for this virtual BGF.
Options
security-association-name: Name of the IPsec security association to be used for this virtual BGF. This is a security association that you configured at the [edit services ipsec] hierarchy level.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Security for BGF Overview in Session Border Control Solutions Guide Using BGF and IMSG
Configuring IPsec to Protect H.248 Messages in Transport Mode in Session Border Control Solutions Guide Using BGF and IMSG

latch-deadlock-delay
Syntax
latch-deadlock-delay seconds;
Hierarchy Level
[edit services pgcp gateway gateway-name data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the time after which the virtual BGF begins checking for data packets on terminations that include a latch event.
Options
seconds: Time interval before checking for data packets.
Range: 0 through 3600
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG

max-burst-size
See the following sections:
max-burst-size (All Streams) on page 698
max-burst-size (RTCP Streams) on page 699

max-burst-size (All Streams)
Syntax
max-burst-size {
    default bytes-per-second;
    maximum bytes-per-second;
    minimum bytes-per-second;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties traffic-management]
Release Information
Statement introduced in Junos OS Release 9.2. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Configure the maximum burst size for gate streams of any protocol, including RTP.
Default
The virtual BGF uses the default value of 1000 bytes if the Policy command in H.248 messages is ON and both of the following apply:
    The maximum burst size is not set in the H.248 message.
    There is no CLI configuration for maximum burst size.
Options
default bytes-per-second: Default maximum burst size.
Range: 20 through 4,294,967,295
maximum bytes-per-second: Maximum burst size.
Range: 20 through 4,294,967,295
minimum bytes-per-second: Minimum maximum burst size.
Range: 20 through 4,294,967,295
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG

max-burst-size (RTCP Streams)
Syntax
max-burst-size {
    rtcp {
        (fixed-value bytes-per-second | percentage percentage);
    }
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties traffic-management]
Release Information
Statement introduced in Junos OS Release 9.2. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Configure the maximum burst size for RTP/RTCP gate streams. You can configure this rate as a fixed value or as a percentage of the RTP gate's rate.
Default
The virtual BGF uses the default value of 100 percent of the RTP gate's maximum burst size if the Policy command in H.248 messages is ON and both of the following apply:
    The maximum burst size is not set in the H.248 message.
    There is no CLI configuration for maximum burst size.
Options
fixed-value: The value entered is a fixed number of bytes per second.
bytes-per-second: Maximum burst size.
Range: 20 through 4,294,967,295
percentage: The value entered is a percentage of the RTP gate's rate.
percentage: Maximum burst size as a percentage of the RTP gate's rate.
Range: 1 through 1000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG

max-concurrent-calls
Syntax
max-concurrent-calls number-of-calls;
Hierarchy Level
[edit services pgcp gateway gateway-name]
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Configure the maximum number of concurrent calls on the virtual BGF. If you configure multiple virtual BGFs for one service PIC or DPC, you can use this statement to achieve a fair distribution of resources between the virtual BGFs. For example, the Multiservices 500 PIC is capable of 10,000 concurrent calls, and you can divide this number between its associated virtual BGFs.

You can overbook concurrent calls to avoid resource idleness. The configured total of all virtual BGF maximum concurrent calls can be greater than the PIC or DPC limit. For example, bgf-1 and bgf-2 are connected to a single PIC. If you configure 6000 maximum concurrent calls on bgf-1 and 8000 on bgf-2, bgf-1 can open up to 6000 concurrent calls, and bgf-2 can open up to 8000 concurrent calls. However, when the total number of calls reaches 10,000, neither of the virtual BGFs will be able to open a new context. If the resources on the PIC are exhausted and no more calls are allowed, the virtual BGF sends an H.248 error message to the gateway controller in response to new call requests.

NOTE: You must take the virtual BGF out of service before changing max-concurrent-calls and restart the pgcpd process after returning the virtual BGF to service.

Options
number-of-calls: Maximum number of concurrent calls on the virtual BGF.
Range: 0 through 10,000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG

maximum-fuf-percentage
Syntax
maximum-fuf-percentage percentage;
Hierarchy Level
[edit services pgcp gateway gateway-name fast-update-filters]
Release Information
Statement introduced in Junos OS Release 9.1.
Description
Along with the maximum-terms statement, limit the number of FUF terms installed on the Packet Forwarding Engine for a virtual BGF. This limit is the maximum value of the maximum-terms and maximum-fuf-percentage statements.
Options
percentage: Maximum percentage of gates with FUF filters relative to all gates currently installed for the virtual BGF.
Range: 0 through 100
Default: 10
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Improving Performance While Collecting Gate Statistics in Session Border Control Solutions Guide Using BGF and IMSG

maximum-inactivity-time
Syntax
maximum-inactivity-time {
    default 10-millisecond-units;
    maximum 10-millisecond-units;
    minimum 10-millisecond-units;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties inactivity-timer inactivity-timeout]
Release Information
Statement introduced in Junos OS Release 9.2. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Specify default, maximum, and minimum values for the maximum inactivity time. The default value is used if the gateway controller requests that the BGF detect the inactivity timeout event, but the gateway controller does not set a value for the maximum inactivity time. The maximum and minimum values are used to set limits for the maximum inactivity time set by the gateway controller. The BGF issues an error message if the value received from the gateway controller violates the configured minimum or maximum. If the BGF does not receive a message from the gateway controller before the maximum inactivity time expires, it sends a Notify message to the gateway controller. This timer resets each time the BGF receives a message from the gateway controller.
Options
default 10-millisecond-units: Default value for the maximum inactivity time.
Range: 100 through 65,535 (10-millisecond units)
Default: 12,000
maximum 10-millisecond-units: Maximum value for the maximum inactivity time.
Range: 100 through 65,535 (10-millisecond units)
Default: 12,000
minimum 10-millisecond-units: Minimum value for the maximum inactivity time.
Range: 100 through 65,535 (10-millisecond units)
Default: 12,000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Detecting Gateway Controller Failures in Session Border Control Solutions Guide Using BGF and IMSG

maximum-net-propagation-delay
Syntax
maximum-net-propagation-delay milliseconds;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-timers]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Configure the assumed maximum network propagation delay time. This value is used to calculate the LONG-TIMER as explained in Annex D of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.
Options
milliseconds: Duration of the maximum network propagation delay time.
Range: 0 through 65,535 milliseconds
Default: 40,000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

maximum-synchronization-mismatches
Syntax
maximum-synchronization-mismatches number-of-mismatches;
Hierarchy Level
[edit services pgcp gateway gateway-name graceful-restart]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Configure the maximum number of mismatches allowed during the synchronization procedure between the pgcpd process and the PIC or DPC. If the number of mismatches exceeds this number, the pgcpd process clears the state of the PIC or DPC and the state of the pgcpd process.
Options
number-of-mismatches: Maximum number of mismatches allowed during the synchronization procedure with the PIC or DPC.
Range: 0 through 3000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Synchronization Properties in Case of Routing Engine Failure in Session Border Control Solutions Guide Using BGF and IMSG

maximum-terms
Syntax
maximum-terms number-of-terms;
Hierarchy Level
[edit services pgcp gateway gateway-name fast-update-filters]
Release Information
Statement introduced in Junos OS Release 9.1.
Description
Along with the maximum-fuf-percentage statement, limit the number of FUF terms installed on the Packet Forwarding Engine for a virtual BGF. This limit is the maximum value of the maximum-terms and maximum-fuf-percentage statements.
Options
number-of-terms: Maximum number of FUF terms installed for the virtual BGF.
Range: 0 through 20000
Default: 20000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Improving Performance While Collecting Gate Statistics in Session Border Control Solutions Guide Using BGF and IMSG

maximum-waiting-delay
Syntax
maximum-waiting-delay milliseconds;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-timers]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Define a maximum waiting delay (MWD) value. When the virtual BGF loses its connection to a gateway controller, it attempts to reconnect to the gateway controller. If the virtual BGF cannot reconnect to the gateway controller, it traverses its list of gateway controllers and attempts to connect to one of the gateway controllers. If the virtual BGF finishes traversing its list of gateway controllers, and has not connected to a gateway controller, the virtual BGF waits for a random value between 0 and MWD milliseconds before it begins another attempt to connect to a gateway controller. See section 9.2 of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.
Options
milliseconds: Maximum time the virtual BGF waits before contacting a new gateway controller when the connection to the controlling gateway controller is lost.
Range: 1 through 36,000 milliseconds
Default: 3000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

media
Syntax
media {
    rtcp;
    rtp;
}
Hierarchy Level
[edit services pgcp gateway gateway-name monitor]
Release Information
Statement introduced in Junos OS Release 9.0.
Description
Enable Real-Time Control Protocol (RTCP) and Real-Time Transport Protocol (RTP) application-level gateways (ALGs) for media flows and monitor packets.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Monitoring RTP and RTCP Traffic in Session Border Control Solutions Guide Using BGF and IMSG

mg-maximum-pdu-size
Syntax
mg-maximum-pdu-size {
    default bytes;
    maximum bytes;
    minimum bytes;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties segmentation]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MG maximum PDU size property of the segmentation package.
Options
default bytes: Default maximum size of messages that the gateway controller sends to the BGF.
Range: 512 through 65,507
maximum bytes: Maximum maximum size of messages that the gateway controller sends to the BGF.
Range: 512 through 65,507
minimum bytes: Minimum maximum size of messages that the gateway controller sends to the BGF.
Range: 512 through 65,507
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Segmentation Properties in Session Border Control Solutions Guide Using BGF and IMSG

mg-originated-pending-limit
Syntax
mg-originated-pending-limit {
    default number-of-messages;
    maximum number-of-messages;
    minimum number-of-messages;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties base-root]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MG originated pending limit property of the base root package.
Options
default number-of-messages: Default number of transaction pending messages that the gateway controller can receive from the virtual BGF.
Range: 1 through 512
maximum number-of-messages: Maximum number of transaction pending messages that the gateway controller can receive from the virtual BGF.
Range: 1 through 512
minimum number-of-messages: Minimum number of transaction pending messages that the gateway controller can receive from the virtual BGF.
Range: 1 through 512
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG

mg-provisional-response-timer-value
Syntax
mg-provisional-response-timer-value {
    default milliseconds;
    maximum milliseconds;
    minimum milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties base-root]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MG provisional response timer property of the base root package.
Options
default milliseconds: Default time within which the gateway controller waits for a pending response from the virtual BGF if a transaction cannot be completed.
Range: 500 through 3000
maximum milliseconds: Maximum time within which the gateway controller waits for a pending response from the virtual BGF if a transaction cannot be completed.
Range: 500 through 3000
minimum milliseconds: Minimum time within which the gateway controller waits for a pending response from the virtual BGF if a transaction cannot be completed.
Range: 500 through 3000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG

mg-segmentation-timer
Syntax
mg-segmentation-timer {
    default milliseconds;
    maximum milliseconds;
    minimum milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties segmentation]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MG segmentation timer value property of the segmentation package.
Options
default milliseconds: Default time within which the gateway controller waits to receive outstanding message segments from the virtual BGF after it receives the SegmentationCompleteToken.
Range: 500 through 30000
maximum milliseconds: Maximum time within which the gateway controller waits to receive outstanding message segments from the virtual BGF after it receives the SegmentationCompleteToken.
Range: 500 through 30000
minimum milliseconds: Minimum time within which the gateway controller waits to receive outstanding message segments from the virtual BGF after it receives the SegmentationCompleteToken.
Range: 500 through 30000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Segmentation Properties in Session Border Control Solutions Guide Using BGF and IMSG

mgc-maximum-pdu-size
Syntax
mgc-maximum-pdu-size {
    default bytes;
    maximum bytes;
    minimum bytes;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties segmentation]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, minimum, and maximum values for the MGC maximum PDU size property of the segmentation package.
Options
default bytes: Default maximum size of messages that the virtual BGF sends to the gateway controller.
Range: 512 through 65,507
maximum bytes: Maximum size of messages that the virtual BGF sends to the gateway controller.
Range: 512 through 65,507
minimum bytes: Minimum maximum size of messages that the virtual BGF sends to the gateway controller.
Range: 512 through 65,507
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Segmentation Properties in Session Border Control Solutions Guide Using BGF and IMSG

mgc-originated-pending-limit
Syntax
mgc-originated-pending-limit {
    default number-of-messages;
    maximum number-of-messages;
    minimum number-of-messages;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties base-root]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MGC originated pending limit property of the base root package.
Options
default number-of-messages: Default number of transaction pending messages that the virtual BGF can receive from the gateway controller.
Range: 1 through 512
maximum number-of-messages: Maximum number of transaction pending messages that the virtual BGF can receive from the gateway controller.
Range: 1 through 512
minimum number-of-messages: Minimum number of transaction pending messages that the virtual BGF can receive from the gateway controller.
Range: 1 through 512
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG

mgc-provisional-response-timer-value
Syntax
mgc-provisional-response-timer-value {
    default milliseconds;
    maximum milliseconds;
    minimum milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties base-root]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MGC provisional response timer value property of the base root package.
Options
default milliseconds: Default time within which the virtual BGF waits for a pending response from the gateway controller if a transaction cannot be completed.
Range: 500 through 3000
maximum milliseconds: Maximum time within which the virtual BGF waits for a pending response from the gateway controller if a transaction cannot be completed.
Range: 500 through 3000
minimum milliseconds: Minimum time within which the virtual BGF waits for a pending response from the gateway controller if a transaction cannot be completed.
Range: 500 through 3000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG


mgc-segmentation-timer
Syntax
mgc-segmentation-timer {
    default milliseconds;
    maximum milliseconds;
    minimum milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties segmentation]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the MGC segmentation timer value property of the segmentation package.
Options
default milliseconds: Default time within which the virtual BGF waits to receive outstanding message segments from the gateway controller after it receives the SegmentationCompleteToken.
Range: 500 through 30000
maximum milliseconds: Maximum time within which the virtual BGF waits to receive outstanding message segments from the gateway controller after it receives the SegmentationCompleteToken.
Range: 500 through 30000
minimum milliseconds: Minimum time within which the virtual BGF waits to receive outstanding message segments from the gateway controller after it receives the SegmentationCompleteToken.
Range: 500 through 30000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Segmentation Properties in Session Border Control Solutions Guide Using BGF and IMSG


monitor
Syntax
monitor {
    media {
        rtcp;
        rtp;
    }
}
Hierarchy Level
[edit services pgcp gateway gateway-name]
Release Information
Statement introduced in Junos OS Release 9.0.
Description
Enable Real-Time Control Protocol (RTCP) and Real-Time Transport Protocol (RTP) application-level gateways (ALGs) for media flows and monitor packets.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Monitoring RTP and RTCP Traffic in Session Border Control Solutions Guide Using BGF and IMSG

network-operator-id
Syntax
network-operator-id network-operator-id;
Hierarchy Level
[edit services pgcp session-mirroring delivery-function deliver-function-name],
[edit services pgcp gateway gateway-name session-mirroring delivery-function deliver-function-name]
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Configure the network operator ID. The BGF includes the network operator ID in the header of mirrored packets that it sends to the delivery function. It is used to identify the operator.
Options
network-operator-id: The network operator ID can be up to five characters.
Required Privilege Level
pgcp-session-mirroring: To view this statement in the configuration.
pgcp-session-mirroring-control: To add this statement to the configuration.
Related Documentation
Configuring Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG


no-dscp-bit-mirroring
Syntax
no-dscp-bit-mirroring;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-options encoding]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Disable mirroring of DSCP bits.
Default
DSCP bits are mirrored by default.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

no-rtcp-check
Syntax
no-rtcp-check;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.5.
Description
Prevent checking for inactivity on RTCP streams.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


normal-mg-execution-time
Syntax
normal-mg-execution-time {
    default milliseconds;
    maximum milliseconds;
    minimum milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties base-root]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the normal MG execution time property of the base root package.
Options
default milliseconds: Default interval within which the gateway controller waits for a response to transactions from the virtual BGF.
Range: 500 through 29000
maximum milliseconds: Maximum interval within which the gateway controller waits for a response to transactions from the virtual BGF.
Range: 500 through 29000
minimum milliseconds: Minimum interval within which the gateway controller waits for a response to transactions from the virtual BGF.
Range: 500 through 29000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG


normal-mgc-execution-time
Syntax
normal-mgc-execution-time {
    default milliseconds;
    maximum milliseconds;
    minimum milliseconds;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties base-root]
Release Information
Statement introduced in Junos OS Release 8.5. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Set default, maximum, and minimum values for the normal MGC execution time property of the base root package.
Options
default milliseconds: Default interval within which the virtual BGF waits for a response to transactions from the gateway controller.
Range: 500 through 29000
maximum milliseconds: Maximum interval within which the virtual BGF waits for a response to transactions from the gateway controller.
Range: 500 through 29000
minimum milliseconds: Minimum interval within which the virtual BGF waits for a response to transactions from the gateway controller.
Range: 500 through 29000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Base Root Properties in Session Border Control Solutions Guide Using BGF and IMSG


notification-behavior
Syntax
notification-behavior {
    notification-regulation default (once | 0-100);
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the default frequency for regulated media inactivity notifications sent by the BGF.
Options
The statement is explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG

notification-rate-limit
Syntax
notification-rate-limit rate;
Hierarchy Level
[edit services pgcp]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the maximum notifications sent per second by the PIC or DPC.
Options
rate: Maximum number of notifications per second the PIC or DPC sends to a gateway controller.
Range: 10 through 10,000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


notification-regulation
Syntax
notification-regulation (once | 0-100);
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties notification-behavior]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the default frequency for sending media inactivity notifications for regulated events.
Options
once: Send only one media inactivity notification for a regulated event to the gateway controller.
0-100: The percentage of media inactivity notifications for regulated events to send to the gateway controller.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG
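The notification-rate-limit and notification-regulation statements above together bound how many media inactivity notifications a gateway controller receives, which is what keeps a flood of inactive gates from becoming a control-plane load problem. The Python model below is an added example written for this page; it is not Junos code and not part of the guide. The guide does not say how a percentage is realized or how the per-second limit is enforced, so this model assumes deterministic sampling (the k-th notification for an event is sent whenever floor(k*N/100) advances, which gives exactly N of every 100) and a fixed one-second window for the rate limit; event identifiers and the burst in count_sent are constructed.

```python
from collections import defaultdict
from typing import Dict, Union

Regulation = Union[str, int]  # "once" or a percentage 0 through 100


class NotificationRegulator:
    """Model of notification-regulation combined with notification-rate-limit.

    regulation: "once" sends a single media inactivity notification per
    regulated event; an integer N sends N percent of them (assumption: the
    k-th notification for an event is sent when floor(k*N/100) advances).
    rate_limit: maximum notifications per second, range 10 through 10,000
    (assumption: enforced per one-second window).
    """

    def __init__(self, regulation: Regulation, rate_limit: int) -> None:
        if regulation != "once" and not (isinstance(regulation, int) and 0 <= regulation <= 100):
            raise ValueError("notification-regulation must be 'once' or 0 through 100")
        if not 10 <= rate_limit <= 10_000:
            raise ValueError("notification-rate-limit must be 10 through 10,000")
        self.regulation = regulation
        self.rate_limit = rate_limit
        self._per_event: Dict[str, int] = defaultdict(int)  # notifications seen per event
        self._window = -1
        self._sent_in_window = 0

    def _regulation_allows(self, event_id: str) -> bool:
        self._per_event[event_id] += 1
        k = self._per_event[event_id]
        if self.regulation == "once":
            return k == 1
        pct = self.regulation
        return (k * pct) // 100 > ((k - 1) * pct) // 100

    def _rate_limit_allows(self, now: float) -> bool:
        window = int(now)
        if window != self._window:
            self._window, self._sent_in_window = window, 0
        if self._sent_in_window >= self.rate_limit:
            return False
        self._sent_in_window += 1
        return True

    def should_send(self, event_id: str, now: float) -> bool:
        """True if the BGF forwards this inactivity notification to the gateway controller.

        Regulation is checked first so a suppressed notification does not
        consume rate-limit budget.
        """
        return self._regulation_allows(event_id) and self._rate_limit_allows(now)


def count_sent(regulation: Regulation, rate_limit: int, events: int, spacing: float) -> int:
    """Run a constructed burst: `events` notifications for one gate, `spacing` seconds apart."""
    reg = NotificationRegulator(regulation, rate_limit)
    return sum(reg.should_send("gate-1", i * spacing) for i in range(events))


if __name__ == "__main__":
    print("once, 10 notifications  ->", count_sent("once", 100, 10, 0.0))
    print("25%, 100 notifications  ->", count_sent(25, 10_000, 100, 1.0))
    print("100%, limit 10, burst   ->", count_sent(100, 10, 100, 0.0))
```

Running the module shows the two controls in isolation: once collapses a burst for one event to a single notification, a percentage thins the stream evenly, and the rate limit caps whatever the regulation lets through within each second.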

overload-control
Syntax
overload-control {
    queue-limit-percentage percentage;
    reject-all-commands-threshold percentage;
    reject-new-calls-threshold percentage;
}
Hierarchy Level
[edit services pgcp gateway gateway-name]
Release Information
Statement introduced in Junos OS Release 9.3. reject-all-commands-threshold and reject-new-calls-threshold options introduced in Junos OS Release 9.5.
Description
Configure the BGF to send overload messages to the gateway controller based on the status of its work queue. The overload messages cause the gateway controller to lower the rate at which it admits packets for processing.
Options
The statement is described separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Overload Control for Voice Calls in Session Border Control Solutions Guide Using BGF and IMSG


peak-data-rate
See the following sections:
peak-data-rate (All Streams) on page 720
peak-data-rate (RTCP) on page 721

peak-data-rate (All Streams)
Syntax
peak-data-rate {
    default bytes-per-second;
    maximum bytes-per-second;
    minimum bytes-per-second;
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties traffic-management]
Release Information
Statement introduced in Junos OS Release 9.2. maximum and minimum options introduced in Junos OS Release 9.5.
Description
Configure the peak data rate for gate streams of any protocol.
Default
The BGF uses the default value of 10,000 bytes per second if the Policy command in H.248 messages is ON and both of the following apply:
The peak data rate is not set in the H.248 message.
There is no CLI configuration for peak data rate.
Options
default bytes-per-second: Default peak data rate.
Range: 125 through 4,294,967,295
maximum bytes-per-second: Maximum peak data rate.
Range: 125 through 4,294,967,295
minimum bytes-per-second: Minimum peak data rate.
Range: 125 through 4,294,967,295
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG


peak-data-rate (RTCP)
Syntax
peak-data-rate {
    rtcp (fixed-value bytes | percentage percentage);
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties traffic-management]
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Configure the peak data rate for RTP/RTCP gate streams. You can configure this rate as a fixed value or as a percentage of the RTP gate's rate.
Default
The BGF uses the default value of 5 percent of the RTP gate's rate if the Policy command in H.248 messages is ON and both of the following apply:
The peak data rate is not set in the H.248 message.
There is no CLI configuration for peak data rate.
Options
fixed-value: Value entered is a fixed number of bits per second.
bytes-per-second: Peak data rate.
Range: 125 through 4,294,967,295
percentage: Value entered is a percentage of the RTP gate's rate.
percentage: The percentage of the RTP gate's rate.
Range: 0 through 1000
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG
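The two peak-data-rate entries above describe when the BGF falls back to a built-in peak rate (10,000 bytes per second for any stream, 5 percent of the RTP gate's rate for RTCP) and when a CLI or per-message value applies instead. The Python functions below are an added example for this page, not Junos code and not from the guide; they resolve the rate a gate stream would be policed at under a given combination of Policy state, H.248 message contents and CLI configuration. Assumptions: a value carried in the H.248 message takes precedence over the CLI value (the guide only states when the built-in default is used), the names RtcpFixed/RtcpPercentage and rtp_rate are mine, and with Policy OFF and nothing configured the functions return None because the guide does not describe that case.

```python
from typing import NamedTuple, Optional, Union

DEFAULT_PEAK_BYTES_PER_SEC = 10_000  # all-streams default stated in the guide
DEFAULT_RTCP_PERCENT = 5             # RTCP default: 5 percent of the RTP gate's rate


class RtcpFixed(NamedTuple):
    """peak-data-rate rtcp fixed-value <bytes>; range 125 through 4,294,967,295."""
    bytes_per_second: int


class RtcpPercentage(NamedTuple):
    """peak-data-rate rtcp percentage <percentage>; range 0 through 1000."""
    percent: int


RtcpSetting = Union[RtcpFixed, RtcpPercentage]


def validate_rtcp_setting(setting: RtcpSetting) -> bool:
    """Range check for the RTCP CLI setting, using the ranges given in the guide."""
    if isinstance(setting, RtcpFixed):
        return 125 <= setting.bytes_per_second <= 4_294_967_295
    if isinstance(setting, RtcpPercentage):
        return 0 <= setting.percent <= 1000
    return False


def effective_peak_rate(policy_on: bool, message_rate: Optional[int],
                        cli_default: Optional[int]) -> Optional[int]:
    """Peak data rate (bytes per second) applied to a gate stream of any protocol.

    Precedence assumed here: H.248 message value, then the CLI
    'default bytes-per-second', then 10,000 bytes/sec when Policy is ON.
    """
    if message_rate is not None:
        return message_rate
    if cli_default is not None:
        return cli_default
    return DEFAULT_PEAK_BYTES_PER_SEC if policy_on else None


def effective_rtcp_peak_rate(policy_on: bool, rtp_rate: int, message_rate: Optional[int],
                             cli_setting: Optional[RtcpSetting]) -> Optional[int]:
    """Peak data rate for the RTCP stream paired with an RTP gate of rate rtp_rate.

    Same precedence as effective_peak_rate; the percentage forms are computed
    from the RTP gate's rate with integer arithmetic.
    """
    if message_rate is not None:
        return message_rate
    if cli_setting is not None:
        if not validate_rtcp_setting(cli_setting):
            raise ValueError(f"RTCP setting out of range: {cli_setting}")
        if isinstance(cli_setting, RtcpFixed):
            return cli_setting.bytes_per_second
        return rtp_rate * cli_setting.percent // 100
    return rtp_rate * DEFAULT_RTCP_PERCENT // 100 if policy_on else None


if __name__ == "__main__":
    # Constructed scenario: Policy ON, nothing in the message, no CLI value.
    print("any stream:", effective_peak_rate(True, None, None))            # 10000
    print("RTCP for 80 kB/s RTP gate:", effective_rtcp_peak_rate(True, 80_000, None, None))  # 4000
    print("RTCP at 10%:", effective_rtcp_peak_rate(True, 80_000, None, RtcpPercentage(10)))  # 8000
```

A practitioner reviewing a BGF configuration can use this to confirm that a deployment relying on the built-in defaults actually has Policy ON; with Policy OFF and no CLI value, the fallback described in the guide does not engage.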


platform
Syntax
platform {
    device interface-name;
    routing-engine;
}
Hierarchy Level
[edit services pgcp gateway gateway-name]
Release Information
Statement introduced in Junos OS Release 9.6.
Description
Configure the platform on which the virtual BGF runs. The virtual BGF can run on the Routing Engine or on a Multiservices PIC or MS-DPC. The Multiservices 500 PIC is not supported for virtual BGFs. If you are using high availability, you can configure the virtual BGF to run on a virtual redundant Multiservices PIC (rms) interface.
Options
device: Causes the virtual BGF to run on a Multiservices PIC, MS-DPC, or an rms interface.
interface-name: Name of the service interface. If you are using high availability, enter the rms interface number.
routing-engine: Causes the virtual BGF to run on the Routing Engine. By default, virtual BGFs run on the Routing Engine.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring a Virtual BGF in Session Border Control Solutions Guide Using BGF and IMSG


profile-name
Syntax
profile-name profile-name;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-options h248-profile]
Release Information
Statement introduced in Junos OS Release 10.0.
Description
Configure the H.248 profile name that the BGF declares in initial registration ServiceChange requests.
Options
profile-name: Name of the H.248 profile.
Syntax: 1-64 bytes in length. The name must start with a letter. Allowed characters are [a-zA-Z0-9_].
Default: ETSI_BGF, which is the ETSI Ia standard (ETSI ES 283 018 v1.1.4).
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring the H.248 Profile in Session Border Control Solutions Guide Using BGF and IMSG

profile-version
Syntax
profile-version version-number;
Hierarchy Level
[edit services pgcp gateway gateway-name h248-options h248-profile]
Release Information
Statement introduced in Junos OS Release 10.0.
Description
Configure the H.248 profile version that the BGF declares in initial registration ServiceChange requests.
Options
version-number: H.248 profile version number.
Range: 1 through 99
Default: 1
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring the H.248 Profile in Session Border Control Solutions Guide Using BGF and IMSG
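Many of the statements in this chapter share one shape: a default, maximum and minimum value with a stated range (mgc-maximum-pdu-size, mgc-originated-pending-limit, mgc-provisional-response-timer-value, mgc-segmentation-timer, normal-mg-execution-time, normal-mgc-execution-time, peak-data-rate), and the two h248-profile statements above add a naming syntax and a version range. Values outside these ranges are rejected at commit time on the router, but a pre-commit check in automation catches them before a change window. The validator below is an added example written for this page, not Junos code and not from the guide. The range table is transcribed from the entries in this chapter; the ordering rule minimum <= default <= maximum is an assumption of mine (the guide states no order rule), and the profile-name pattern encodes the stated syntax of a leading letter followed by [a-zA-Z0-9_] up to 64 bytes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ranges transcribed from the statement entries in this chapter (low, high).
TRIPLE_RANGES: Dict[str, Tuple[int, int]] = {
    "mgc-maximum-pdu-size": (512, 65_507),
    "mgc-originated-pending-limit": (1, 512),
    "mgc-provisional-response-timer-value": (500, 3_000),
    "mgc-segmentation-timer": (500, 30_000),
    "normal-mg-execution-time": (500, 29_000),
    "normal-mgc-execution-time": (500, 29_000),
    "peak-data-rate": (125, 4_294_967_295),
}

# profile-name: starts with a letter, then [a-zA-Z0-9_], 1-64 bytes total
# (ASCII only, so bytes and characters coincide).
PROFILE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def validate_triple(statement: str, default: Optional[int] = None,
                    maximum: Optional[int] = None, minimum: Optional[int] = None) -> List[str]:
    """Return a list of problems for one default/maximum/minimum statement (empty if acceptable).

    Range checks come from the guide. The check minimum <= default <= maximum
    is an assumption added here; the guide gives no ordering rule.
    """
    if statement not in TRIPLE_RANGES:
        raise KeyError(f"no range known for {statement}")
    lo, hi = TRIPLE_RANGES[statement]
    problems: List[str] = []
    for name, value in (("default", default), ("maximum", maximum), ("minimum", minimum)):
        if value is not None and not lo <= value <= hi:
            problems.append(f"{statement} {name} {value} outside {lo} through {hi}")
    if minimum is not None and maximum is not None and minimum > maximum:
        problems.append(f"{statement} minimum {minimum} exceeds maximum {maximum}")
    if default is not None:
        if minimum is not None and default < minimum:
            problems.append(f"{statement} default {default} below minimum {minimum}")
        if maximum is not None and default > maximum:
            problems.append(f"{statement} default {default} above maximum {maximum}")
    return problems


def validate_h248_profile(name: str, version: int) -> List[str]:
    """Check profile-name syntax and profile-version range (1 through 99)."""
    problems: List[str] = []
    if not PROFILE_NAME_RE.match(name):
        problems.append(f"profile-name {name!r} violates the naming syntax")
    if not 1 <= version <= 99:
        problems.append(f"profile-version {version} outside 1 through 99")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from a real configuration.
    for p in validate_triple("normal-mg-execution-time", default=400, maximum=29_000, minimum=500):
        print("problem:", p)
    print("ETSI_BGF v1 ok:", validate_h248_profile("ETSI_BGF", 1) == [])
```

The functions return lists rather than raising so a pipeline can report every problem in a candidate configuration at once.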


queue-limit-percentage
Syntax
queue-limit-percentage percentage;
Hierarchy Level
[edit services pgcp gateway gateway-name overload-control]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Configure the queue limit percentage (percentage of the maximum work queue size currently in use) that indicates overload. When the gateway controller activates overload control, the BGF generates an overload notification for each transaction on a gate that contains an ADD if the work queue utilization has reached this limit. When 100 percent of the queue is in use, transactions are dropped with error 510 (insufficient resources).
Options
percentage: Percentage of the overload control work queue in use that triggers creation of an overload notification.
Range: 25 through 100
Default: 80
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Overload Control for Voice Calls in Session Border Control Solutions Guide Using BGF and IMSG


reconnect
Syntax
reconnect (disconnected-900 | restart-902);
Hierarchy Level
[edit services pgcp gateway gateway-name h248-options service-change control-association-indications disconnect]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Specify the method and reason that the virtual BGF includes in Registration Request ServiceChange commands when it attempts to reregister with the gateway controller or register with a new gateway controller after the control association is disconnected.
Default
If you do not specify an option, the virtual BGF includes DC/900 (disconnected-900).
Options
disconnected-900: Service restored. The virtual BGF is registering with the last controlling gateway controller following a disconnection of the virtual BGF and gateway controller.
restart-902: Warm boot. The virtual BGF is transitioning to In-Service, and the previously installed state is retained.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG

reject-all-commands-threshold
Syntax
reject-all-commands-threshold percentage;
Hierarchy Level
[edit services pgcp gateway gateway-name overload-control]
Release Information
Statement introduced in Junos OS Release 9.5.
Description
Specify the maximum percentage of the work queue that can be in use before the virtual BGF rejects all non-emergency transactions other than SUBTRACT transactions.
Options
percentage: Percentage of work queue space used that serves as a threshold for overload control.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Overload Control for Voice Calls in Session Border Control Solutions Guide Using BGF and IMSG


reject-new-calls-threshold
Syntax
reject-new-calls-threshold percentage;
Hierarchy Level
[edit services pgcp gateway gateway-name overload-control]
Release Information
Statement introduced in Junos OS Release 9.5.
Description
Specify the maximum percentage of the work queue that can be in use before the virtual BGF rejects all non-emergency ADD transactions.
Options
percentage: Percentage of work queue space used that serves as a threshold for overload control.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Overload Control for Voice Calls in Session Border Control Solutions Guide Using BGF and IMSG
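The overload-control, queue-limit-percentage, reject-all-commands-threshold and reject-new-calls-threshold entries describe one admission policy driven by work-queue utilization: notify the gateway controller at one level, shed new calls at a higher one, shed everything but SUBTRACT above that, and drop with error 510 when the queue is full. Because the three thresholds interact, it is worth seeing them evaluated together. The Python model below is an added example for this page, not Junos code and not from the guide. Assumptions: H.248 command names ADD, MODIFY and SUBTRACT; an `emergency` flag standing in for however the BGF identifies emergency transactions; "has reached this limit" read as >= for queue-limit-percentage and "can be in use before the BGF rejects" read as > for the two reject thresholds; and the sample threshold values 80/90/95 are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Action(Enum):
    """Outcome for one H.248 transaction under overload control."""
    PROCESS = "process"
    PROCESS_AND_NOTIFY = "process and send overload notification"
    REJECT = "reject (non-emergency)"
    DROP_510 = "drop with error 510 (insufficient resources)"


@dataclass(frozen=True)
class OverloadControl:
    """Values from [edit services pgcp gateway <name> overload-control].

    queue_limit_percentage: default 80, range 25 through 100 (from the guide).
    The two reject thresholds are optional statements introduced in 9.5.
    """
    queue_limit_percentage: int = 80
    reject_new_calls_threshold: Optional[int] = None
    reject_all_commands_threshold: Optional[int] = None

    def __post_init__(self) -> None:
        if not 25 <= self.queue_limit_percentage <= 100:
            raise ValueError("queue-limit-percentage must be 25 through 100")
        for name in ("reject_new_calls_threshold", "reject_all_commands_threshold"):
            value = getattr(self, name)
            if value is not None and not 0 <= value <= 100:
                raise ValueError(f"{name} must be a percentage")


def decide(cfg: OverloadControl, queue_util_pct: int, command: str,
           emergency: bool = False, overload_control_active: bool = True) -> Action:
    """Decide what the BGF does with one transaction at a given work-queue utilization.

    Checks run from the most severe condition down, so a 100% full queue is
    always a 510 drop regardless of the other thresholds.
    """
    if queue_util_pct >= 100:
        # "When 100 percent of the queue is in use, transactions are dropped with error 510."
        return Action.DROP_510
    if (cfg.reject_all_commands_threshold is not None
            and queue_util_pct > cfg.reject_all_commands_threshold
            and not emergency and command != "SUBTRACT"):
        # reject-all-commands-threshold: every non-emergency transaction except SUBTRACT
        return Action.REJECT
    if (cfg.reject_new_calls_threshold is not None
            and queue_util_pct > cfg.reject_new_calls_threshold
            and not emergency and command == "ADD"):
        # reject-new-calls-threshold: non-emergency ADD transactions only
        return Action.REJECT
    if (overload_control_active and command == "ADD"
            and queue_util_pct >= cfg.queue_limit_percentage):
        # queue-limit-percentage: the ADD is still processed, but the gateway
        # controller receives an overload notification and slows its admission rate
        return Action.PROCESS_AND_NOTIFY
    return Action.PROCESS


def summarize(cfg: OverloadControl, transactions: Iterable[Tuple[int, str, bool]]) -> Dict[str, int]:
    """Tally outcomes for a constructed sequence of (utilization, command, emergency)."""
    counts = {action: 0 for action in Action}
    for util, command, emergency in transactions:
        counts[decide(cfg, util, command, emergency)] += 1
    return {action.name: n for action, n in counts.items()}


if __name__ == "__main__":
    cfg = OverloadControl(80, 90, 95)  # constructed sample thresholds
    sample = [(50, "ADD", False), (85, "ADD", False), (85, "MODIFY", False),
              (92, "ADD", False), (92, "ADD", True), (97, "MODIFY", False),
              (97, "SUBTRACT", False), (100, "SUBTRACT", False)]
    for key, n in summarize(cfg, sample).items():
        print(f"{key:20s} {n}")
```

Note that SUBTRACT is exempt from the all-commands threshold for a reason the ordering makes visible: releasing gates is what drains the queue, so rejecting SUBTRACT would keep the BGF in overload.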

report-service-change
Syntax
report-service-change {
    service-change-type (forced-906 | forced-910);
}
Hierarchy Level
[edit services pgcp gateway gateway-name data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Change the service state of inactive terminations to prevent continued sending of inactivity notifications.
Options
The statement is described separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG


request-timestamp
Syntax
request-timestamp (requested | suppressed | autonomous);
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties event-timestamp]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Specify whether time stamp information is made available to the gateway controller or is suppressed.
Options
requested: Enables gateway controller access to time stamp information for notifications.
suppressed: Disables gateway controller access to time stamp information for notifications.
autonomous: Equivalent to suppressed.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring H.248 Notification Behavior to Prevent Excessive Media Inactivity Notifications in Session Border Control Solutions Guide Using BGF and IMSG

routing-instance
Syntax
routing-instance instance-name {
    service-interface interface-name.unit-number;
}
Hierarchy Level
[edit services pgcp virtual-interface interface-name]
Release Information
Statement introduced in Junos OS Release 8.4. service-interface option introduced in Junos OS Release 9.3.
Description
Map the virtual router interface to a VPN routing and forwarding (VRF) routing instance configured on the router.
Options
instance-name: Name of a routing instance that has been configured at the [edit routing-instance] hierarchy level.
The remainder of the statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


rtcp
Syntax
rtcp;
Hierarchy Level
[edit services pgcp gateway gateway-name monitor media]
Release Information
Statement introduced in Junos OS Release 9.0.
Description
Enable Real-Time Control Protocol (RTCP) application-level gateway (ALG) on media flows created when the gateway controller installs media gates on the virtual BGF.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

rtp
Syntax
rtp;
Hierarchy Level
[edit services pgcp gateway gateway-name monitor media]
Release Information
Statement introduced in Junos OS Release 9.0.
Description
Enable Real-Time Transport Protocol (RTP) application-level gateway (ALG) on media flows created when the gateway controller installs media gates on the virtual BGF.
Required Privilege Level
interface-level: To view this statement in the configuration.
interface-level: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


rule
Syntax
rule rule-name {
    gateway gateway-name;
    nat-pool [ pool-names ];
}
Hierarchy Level
[edit services pgcp],
[edit services service-set service-set-name]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Specify the rule that the router uses when it applies the NAT pool.
Options
rule-name: Identifier for the rule.
pool-names: Names of one or more NAT pools to be used by the rule.
Syntax: To specify a list of NAT pools, enclose the NAT pool names in brackets.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG

rule-set
Syntax
rule-set rule-set-name {
    [rule rule-name]
}
Hierarchy Level
[edit services pgcp],
[edit services service-set service-set-name]
Release Information
Statement introduced in Junos OS Release 8.4.
Description
Specify the rule set the router uses when applying this service.
Options
rule-set-name: Identifier for the collection of rules that make up this rule set.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


sbc-utils
Syntax
sbc-utils {
    common trace-level;
    configuration trace-level;
    device-monitor trace-level;
    ipc trace-level;
    memory-management trace-level;
    message trace-level;
    minimum trace-level;
    user-interface trace-level;
}
Hierarchy Level
[edit services pgcp gateway gateway-name traceoptions flag]
Release Information
Statement introduced in Junos OS Release 9.5.
Description
Configure trace options for the Signaling Border Controller (SBC) utilities component of the virtual BGF.
Default
warning
Options
minimum trace-level: Minimum trace level for all sbc-util messages.
common trace-level: Trace level for the common component of SBC utilities.
configuration trace-level: Trace level for the configuration component of SBC utilities.
device-monitor trace-level: Trace level for the device monitor component of SBC utilities.
ipc trace-level: Trace level for the IPC component of SBC utilities.
memory-management trace-level: Trace level for the memory management component of SBC utilities.
message trace-level: Trace level for the message component of SBC utilities.
user-interface trace-level: Trace level for the user interface component of SBC utilities.
trace-level: Trace level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:
debug: Logging of all code flow of control.
trace: Logging of program trace START and EXIT macros.
info: Summary logs for normal operations, such as the policy decisions made for a call.
warning: Failure recovery or failure of an external entity.
error: Failure with a short-term effect, such as failed processing of a single call.


Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG
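The sbc-utils entry above defines a severity ladder (debug, trace, info, warning, error) in which choosing a level captures that level and everything above it, a per-component level for each SBC utilities component, and a minimum level for all sbc-utils messages. The Python model below is an added example for this page, not Junos code and not from the guide; it applies those rules to a constructed set of trace events so you can see which events a given sbc-utils configuration would keep. Assumptions: minimum acts as a floor on every component (so a component set below minimum is raised to it), a component with no level of its own uses the stated default of warning, and the sample events are constructed and not real BGF trace output.

```python
from typing import Dict, Iterable, List, Tuple

# Severity order from the guide: choosing a level captures that level and higher.
TRACE_LEVELS = ("debug", "trace", "info", "warning", "error")
SBC_UTILS_COMPONENTS = ("common", "configuration", "device-monitor", "ipc",
                        "memory-management", "message", "user-interface")
DEFAULT_LEVEL = "warning"  # default stated in the sbc-utils entry


def _rank(level: str) -> int:
    """Position of a level on the severity ladder; rejects unknown names."""
    if level not in TRACE_LEVELS:
        raise ValueError(f"unknown trace level {level!r}")
    return TRACE_LEVELS.index(level)


class SbcUtilsTrace:
    """Model of [edit services pgcp gateway <name> traceoptions flag sbc-utils].

    Keyword arguments name components with '_' in place of '-'
    (device_monitor, memory_management, user_interface).
    """

    def __init__(self, minimum: str = DEFAULT_LEVEL, **per_component: str) -> None:
        _rank(minimum)
        self.minimum = minimum
        self.levels: Dict[str, str] = {}
        for key, level in per_component.items():
            component = key.replace("_", "-")
            if component not in SBC_UTILS_COMPONENTS:
                raise ValueError(f"unknown sbc-utils component {component!r}")
            _rank(level)
            self.levels[component] = level

    def effective_level(self, component: str) -> str:
        """Assumption: the component's own level, raised to 'minimum' if lower."""
        configured = self.levels.get(component, DEFAULT_LEVEL)
        return TRACE_LEVELS[max(_rank(configured), _rank(self.minimum))]

    def captured(self, component: str, level: str) -> bool:
        """True if a message of this severity from this component is written to the trace."""
        return _rank(level) >= _rank(self.effective_level(component))

    def filter(self, events: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
        """Keep only the (component, level, text) events this configuration captures."""
        return [e for e in events if self.captured(e[0], e[1])]


# Constructed sample events: (component, level, text). Not real BGF output.
SAMPLE_EVENTS = [
    ("message", "debug", "parsed H.248 transaction"),
    ("message", "info", "policy decision for call"),
    ("ipc", "trace", "START dispatch"),
    ("ipc", "error", "failed processing of a single call"),
    ("common", "warning", "recovered from external failure"),
    ("device-monitor", "info", "PIC heartbeat"),
]


if __name__ == "__main__":
    cfg = SbcUtilsTrace(minimum="info", message="debug", ipc="error")
    for component, level, text in cfg.filter(SAMPLE_EVENTS):
        print(f"{component:15s} {level:8s} {text}")
```

The model makes one operational point visible: lowering a single component to debug has no effect while minimum stays at its warning default, so a troubleshooting change that only touches one component line will not produce the expected output.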

segmentation
Syntax
segmentation {
    mg-segmentation-timer {
        default milliseconds;
        maximum milliseconds;
        minimum milliseconds;
    }
    mgc-segmentation-timer {
        default milliseconds;
        maximum milliseconds;
        minimum milliseconds;
    }
    mg-maximum-pdu-size {
        default bytes;
        maximum bytes;
        minimum bytes;
    }
    mgc-maximum-pdu-size {
        default bytes;
        maximum bytes;
        minimum bytes;
    }
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-properties]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Configure default values for properties in the segmentation package defined in Annex E of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.
Options
The statements are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


send-notification-on-delay
Syntax
send-notification-on-delay;
Hierarchy Level
[edit services pgcp gateway gateway-name data-inactivity-detection]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Send an inactivity notification immediately when no media packets are detected during a delay period that precedes checking for media inactivity. By default, notifications are sent after both the delay period and an additional period of inactivity have elapsed without any media packets being detected.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
inactivity-delay on page 693
latch-deadlock-delay on page 697
Session Border Control Solutions Guide Using BGF and IMSG


service-change
Syntax
service-change {
    control-association-indications {
        disconnect {
            controller-failure (failover-909 | restart-902);
            reconnect (disconnected-900 | restart-902);
        }
        down {
            administrative (forced-905 | forced-908 | none);
            failure (forced-904 | forced-908 | none);
            graceful (graceful-905 | none);
        }
        up {
            cancel-graceful (none | restart-918);
            failover-cold (failover-920 | restart-901);
            failover-warm (failover-919 | restart-902);
        }
    }
    virtual-interface-indications {
        virtual-interface-down {
            administrative (forced-905 | forced-906 | none);
            graceful (graceful-905 | none);
        }
        virtual-interface-up {
            cancel-graceful (none | restart-918);
            warm (none | restart-900);
        }
    }
    context-indications {
        state-loss (forced-910 | forced-915 | none);
    }
}
Hierarchy Level
[edit services pgcp gateway gateway-name h248-options]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Specify the method and reason that the virtual BGF includes in ServiceChange commands that it sends to the gateway controller when the state of a control association, virtual interface, or context changes.
Options
The options are explained separately.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG
Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


service-change-type
Syntax
service-change-type (forced-906 | forced-910);
Hierarchy Level
[edit services pgcp gateway gateway-name data-inactivity-detection report-service-change]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Specify the method and reason used in changing the service state of the termination to active in order to curtail sending of inactivity messages.
Options
forced-906: Service is terminated using a forced termination method with reason code 906 (loss of lower layer connectivity).
forced-910: Service is terminated using a forced termination with reason code 910 (media capability failure).
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
Related Documentation
Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG

service-interface

Syntax
    service-interface interface-name.unit-number;

Hierarchy Level
    [edit services pgcp virtual-interface virtual-interface-name routing-instance]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Configure the logical service interface. The NAT routes point to this service interface. This service interface must match the service interface configured in the routing instance.

Options
    interface-name.unit-number: Name and logical interface number of the service interface.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring the Service Set for Redundant Services PICS in Session Border Control Solutions Guide Using BGF and IMSG


service-state

See the following sections:
    service-state (Virtual BGF) on page 735
    service-state (Virtual Interface) on page 736

service-state (Virtual BGF)

Syntax
    service-state (in-service | out-of-service-forced | out-of-service-graceful);

Hierarchy Level
    [edit services pgcp gateway gateway-name]

Release Information
    Statement introduced in Junos OS Release 8.5.

Description
    Set the service state of the virtual BGF.

Options
    in-service: The virtual BGF is operational and available for traffic. When the virtual BGF is in service, it attempts to connect to the gateway controller and accepts all PGCP commands from the gateway controller.
    out-of-service-forced: Force the virtual BGF out of service. When the virtual BGF is forced out of service, it immediately removes all gates and disconnects from the gateway controller. The virtual BGF does not attempt to establish a new connection.
    out-of-service-graceful: Cause the virtual BGF to go out of service by entering a draining mode and waiting for all terminations to be subtracted before going out of service. During the draining, the BGF accepts only subtract commands from the gateway controller.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


service-state (Virtual Interface)

Syntax
    service-state (in-service | out-of-service-forced | out-of-service-graceful);

Hierarchy Level
    [edit services pgcp virtual-interface]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Set the service state of the virtual interface.

Options
    in-service: Virtual interface is operational and available for traffic. When the virtual interface is in service, it is connected to the physical interface and accepts all voice calls. This is the default.
    out-of-service-forced: Force the virtual interface out of service. When the virtual interface is forced out of service, it immediately removes all calls and disconnects from the physical interface. The virtual interface does not attempt to establish a new connection.
    out-of-service-graceful: Cause the virtual interface to go out of service by entering a draining mode and waiting for all terminations to be subtracted before going out of service. During the draining, the virtual interface accepts only subtract commands from the gateway controller.

Required Privilege Level
    interface-level: To view this statement in the configuration.
    interface-level: To add this statement to the configuration.

services

Syntax
    services pgcp { ... }

Hierarchy Level
    [edit]

Release Information
    Statement introduced in Junos OS Release 8.4.

Description
    Define service rules to be applied to traffic.

Options
    pgcp: Identifier for the PGCP set of rules statements.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    BGF VoIP Solution Overview and IMSG Session Border Control Solution Overview in Session Border Control Solutions Guide Using BGF and IMSG


session-mirroring

Syntax
    session-mirroring {
        delivery-function delivery-function-name {
            destination-address destination-address;
            destination-port destination-port;
            network-operator-id network-operator-id;
            source-address source-address;
            source-port source-port;
        }
        disable-session-mirroring;
    }

Hierarchy Level
    [edit services pgcp],
    [edit services pgcp gateway gateway-name]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the session mirroring feature.

Options
    The statements are explained separately.

Required Privilege Level
    pgcp-session-mirroring: To view this statement in the configuration.
    pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
    Session Mirroring Overview and Configuring Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG

source-address

Syntax
    source-address source-address;

Hierarchy Level
    [edit services pgcp session-mirroring delivery-function delivery-function-name],
    [edit services pgcp gateway gateway-name session-mirroring delivery-function delivery-function-name]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the source address that is applied to mirrored packets.

Options
    source-address: Address of the interface on which the BGF sends session-mirroring data to the delivery function.

Required Privilege Level
    pgcp-session-mirroring: To view this statement in the configuration.
    pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
    Session Mirroring Overview and Configuring Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG


source-port

Syntax
    source-port source-port;

Hierarchy Level
    [edit services pgcp session-mirroring delivery-function delivery-function-name],
    [edit services pgcp gateway gateway-name session-mirroring delivery-function delivery-function-name]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the source port applied to the mirrored packets.

Options
    source-port: Port on which the BGF sends session-mirroring data to the delivery function.
        Range: 1 through 65,535

Required Privilege Level
    pgcp-session-mirroring: To view this statement in the configuration.
    pgcp-session-mirroring-control: To add this statement to the configuration.

Related Documentation
    Session Mirroring Overview and Configuring Session Mirroring in Session Border Control Solutions Guide Using BGF and IMSG


state-loss

Syntax
    state-loss (forced-910 | forced-915 | none);

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change context-indications]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Specify the method and reason that the virtual BGF includes in Service-Interruption ServiceChange commands that it sends to the gateway controller after a state loss on a specific context.

Default
    If you do not specify an option, the virtual BGF includes FO/915 (forced-915).

Options
    forced-910: State loss because of a media failure. A mismatch between the pgcpd process and the Multiservices PIC or DPC states was detected on one or more of the context's gates.
    forced-915: State loss. A mismatch between the pgcpd process and the Multiservices PIC or DPC states was detected on one or more of the context's gates.
    none: Virtual BGF does not send a ServiceChange command to the gateway controller.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Mirroring Overview in Session Border Control Solutions Guide Using BGF and IMSG

stop-detection-on-drop

Syntax
    stop-detection-on-drop;

Hierarchy Level
    [edit services pgcp gateway gateway-name data-inactivity-detection]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Configure the BGF to stop inactivity detection when a gate action is set to drop. When the call is resumed, the BGF starts the delay time and resumes data inactivity detection.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG


sustained-data-rate

See the following sections:
    sustained-data-rate (All Streams) on page 740
    sustained-data-rate (RTCP Streams) on page 741

sustained-data-rate (All Streams)

Syntax
    sustained-data-rate {
        default bytes-per-second;
        maximum bytes-per-second;
        minimum bytes-per-second;
        rtcp-include;
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-properties traffic-management]

Release Information
    Statement introduced in Junos OS Release 9.2. maximum and minimum options introduced in Junos OS Release 9.5.

Description
    Configure the sustained data rate for streams of any protocol, including RTP.

Default
    The BGF uses the default value of 10,000 bytes per second if the Policy command in H.248 messages is ON and both of the following apply:
        The sustained data rate is not set in the H.248 message.
        There is no CLI configuration for sustained data rate.

Options
    default bytes-per-second: Default value for sustained data rate.
        Range: 125 through 4,294,967,295
    maximum bytes-per-second: Maximum value for sustained data rate.
        Range: 125 through 4,294,967,295
    minimum bytes-per-second: Minimum value for sustained data rate.
        Range: 125 through 4,294,967,295
    rtcp-include: Include RTCP bandwidth in the sustained data rate.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Rate-Limiting for VoIP Traffic Overview and Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG


sustained-data-rate (RTCP Streams)

Syntax
    sustained-data-rate {
        rtcp (fixed-value bytes-per-second | percentage percentage);
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-properties traffic-management]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the sustained data rate for RTP/RTCP gate streams. You can configure this rate as a fixed value or as a percentage of the RTP gate's sustained data rate.

Default
    The virtual BGF uses the default value of 5 percent of the RTP gate's rate if the Policy command in H.248 messages is ON and both of the following apply:
        The sustained data rate is not set in the H.248 message.
        There is no CLI configuration for sustained data rate.

Options
    fixed-value: Value entered is a fixed number of bits per second.
    bytes-per-second: Sustained data rate.
        Range: 125 through 4,294,967,295
    percentage percentage: Value entered is a percentage of the RTP gate's rate.
        Range: 0 through 1000

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Rate-Limiting for VoIP Traffic Overview and Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG
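The two sustained-data-rate entries above describe a precedence (H.248-signalled value, then CLI default, then the built-in 10,000 bytes per second when Policy is ON) and an RTCP rate derived from the RTP gate's rate. The following Python model is an added illustration, not Juniper code; it assumes that the configured maximum and minimum bound the resolved rate, which the entries imply but do not spell out.

```python
"""Constructed model of how a virtual BGF would resolve the sustained data
rate for an RTP gate and its RTCP stream. Not Juniper's implementation;
function names and the bounding behaviour of maximum/minimum are assumptions."""

BUILTIN_DEFAULT_SDR = 10_000   # bytes/s used when Policy is ON and nothing else is set
BUILTIN_RTCP_PERCENT = 5       # RTCP default: 5 percent of the RTP gate's rate
RANGE_MIN, RANGE_MAX = 125, 4_294_967_295   # CLI range for bytes-per-second values


def resolve_sdr(policy_on, h248_sdr=None, cli_default=None, cli_min=None, cli_max=None):
    """Return the RTP stream's sustained data rate in bytes/s, or None when
    no rate applies (Policy OFF and nothing signalled or configured)."""
    for v in (cli_default, cli_min, cli_max):
        if v is not None and not RANGE_MIN <= v <= RANGE_MAX:
            raise ValueError(f"{v} is outside the CLI range {RANGE_MIN}..{RANGE_MAX}")
    if h248_sdr is not None:
        rate = h248_sdr                # value carried in the H.248 message wins
    elif cli_default is not None:
        rate = cli_default             # otherwise the CLI 'default bytes-per-second'
    elif policy_on:
        rate = BUILTIN_DEFAULT_SDR     # otherwise the built-in 10,000 bytes/s when Policy is ON
    else:
        return None
    # Assumption: 'minimum'/'maximum' clamp whatever was resolved above.
    if cli_min is not None:
        rate = max(rate, cli_min)
    if cli_max is not None:
        rate = min(rate, cli_max)
    return rate


def resolve_rtcp_sdr(rtp_sdr, fixed_value=None, percentage=None):
    """Return the RTCP stream's sustained data rate derived from the RTP gate rate:
    a fixed value if configured, else the configured percentage, else 5 percent."""
    if rtp_sdr is None:
        return None
    if fixed_value is not None:
        return fixed_value
    pct = BUILTIN_RTCP_PERCENT if percentage is None else percentage
    if not 0 <= pct <= 1000:
        raise ValueError("percentage must be 0 through 1000")
    return rtp_sdr * pct // 100


if __name__ == "__main__":
    rtp = resolve_sdr(policy_on=True, h248_sdr=50_000, cli_max=30_000)
    print("RTP sustained rate:", rtp, "bytes/s")               # 30000 (clamped)
    print("RTCP sustained rate:", resolve_rtcp_sdr(rtp), "bytes/s")   # 1500 (5 percent)
```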


timerx

Syntax
    timerx seconds;

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-properties hanging-termination-detection]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Activate and configure hanging termination detection. Setting this timer to a value other than zero (0) activates hanging termination detection. If no messages are exchanged between the BGF and the gateway controller for a termination before this time expires, the BGF sends a notification to the gateway controller. The timer resets when the BGF and the gateway controller exchange a message for the termination. The timer value that you set is the default value, and can be overridden by H.248 messages sent from the gateway controller. Your configuration takes effect on new and modified terminations.

Options
    seconds: Number of seconds between the last message exchanged for this termination and when the BGF sends a notification to the gateway controller. Setting the timer to zero (0) deactivates hanging termination detection.
        Range: 0 through 2,147,480

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Detecting Hanging Terminations in Session Border Control Solutions Guide Using BGF and IMSG

tmax-retransmission-delay

Syntax
    tmax-retransmission-delay milliseconds;

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-timers]

Release Information
    Statement introduced in Junos OS Release 8.4.

Description
    Configure the maximum time that a transaction can be kept alive. T-Max is explained in Annex D of Gateway control protocol v3, ITU-T Recommendation H.248.1, September 2005.

Options
    milliseconds: Duration of the delay before the BGF considers the gateway controller to be down.
        Range: 0 through 65,535
        Default: 25000

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


traceoptions

Syntax
    traceoptions {
        file <filename filename> <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag {
            bgf-core {
                common trace-level;
                default trace-level;
                firewall trace-level;
                gate-logic trace-level;
                pic-broker trace-level;
                policy trace-level;
                statistics trace-level;
            }
            default trace-level;
            h248-stack {
                control-association trace-level;
                default trace-level;
                messages;
                media-gateway trace-level;
            }
            sbc-utils {
                common trace-level;
                configuration trace-level;
                default trace-level;
                device-monitor trace-level;
                ipc trace-level;
                memory-management trace-level;
                messaging trace-level;
                user-interface trace-level;
            }
        }
    }

Hierarchy Level
    [edit services pgcp]

Release Information
    Statement introduced in Junos OS Release 8.4. Statement extensively revised in Junos OS Release 9.5.

Description
    Configure PGCP tracing operations. The messages are output to /var/log/pgcpd.

Options
    The statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing BGF Operations in Session Border Control Solutions Guide Using BGF and IMSG


traffic-management

Syntax
    traffic-management {
        max-burst-size {
            default bytes-per-second;
            maximum bytes-per-second;
            minimum bytes-per-second;
            rtcp {
                (fixed-value bytes-per-second | percentage percentage);
            }
        }
        peak-data-rate {
            default bytes-per-second;
            maximum bytes-per-second;
            minimum bytes-per-second;
            rtcp {
                (fixed-value bytes-per-second | percentage percentage);
            }
        }
        sustained-data-rate {
            default bytes-per-second;
            maximum bytes-per-second;
            minimum bytes-per-second;
            rtcp {
                (fixed-value bytes-per-second | percentage percentage);
            }
        }
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-properties]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure traffic management of the gate stream and the RTCP stream. The parameters for the RTCP stream take effect only when the gate is an RTP/RTCP gate.

Options
    The statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Rate-Limiting for VoIP Traffic Overview and Configuring Rate Limiting for the BGF in Session Border Control Solutions Guide Using BGF and IMSG


up

Syntax
    up {
        cancel-graceful (none | restart-918);
        failover-cold (failover-920 | restart-901);
        failover-warm (failover-919 | restart-902);
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change control-association-indications]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Specify the method and reason that the virtual BGF includes in Notification Messages or Registration commands in ServiceChange commands when a control association transitions to In-Service.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring the Method and Reason in ServiceChange Commands for Control Associations in Session Border Control Solutions Guide Using BGF and IMSG

use-lower-case

Syntax
    use-lower-case;

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Configure lower-case encoding for H.248 messages.

Default
    By default, H.248 messages are encoded in upper case.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


use-wildcard-response

Syntax
    use-wildcard-response;

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Enable the virtual BGF to issue service change commands as wildcard-response commands, which trigger a short response from the gateway controller. If you do not enable the use of wildcard responses for service change commands, the gateway controller generates an individual response for every termination that matches the service change command.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Enabling Wildcards for ServiceChange Notifications in Session Border Control Solutions Guide Using BGF and IMSG


virtual-interface

Syntax
    virtual-interface number {
        nat-pool [ pool-names ];
        routing-instance instance-name {
            service-interface interface-name.unit-number;
        }
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
    }

Hierarchy Level
    [edit services pgcp]

Release Information
    Statement introduced in Junos OS Release 8.4. service-state option introduced in Junos OS Release 9.0. service-interface option introduced in Junos OS Release 9.3.

Description
    Configure a virtual interface for the BGF.

Options
    number: Identifier for the interface.
        Range: 0 through 1023
    pool-names: Names of one or more NAT pools to be used by the virtual interface.
        Syntax: To specify a list of NAT pools, enclose the NAT pool names in brackets.
    The remainder of the statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Virtual Interfaces with the BGF Overview and Configuring Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


virtual-interface-down

Syntax
    virtual-interface-down {
        administrative (forced-905 | forced-906 | none);
        graceful (graceful-905 | none);
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change virtual-interface-indications]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Specify the method and reason that the virtual BGF includes in ServiceChange commands that it sends to the gateway controller when the state of the virtual interface changes to Out-of-Service.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


virtual-interface-indications

Syntax
    virtual-interface-indications {
        virtual-interface-down {
            administrative (forced-905 | forced-906 | none);
            graceful (graceful-905 | none);
        }
        virtual-interface-up {
            cancel-graceful (none | restart-918);
            warm (none | restart-900);
        }
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Specify the method and reason that the virtual BGF includes in ServiceChange commands that it sends to the gateway controller when the state of the virtual interface changes.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG

virtual-interface-up

Syntax
    virtual-interface-up {
        cancel-graceful (none | restart-918);
        warm (none | restart-900);
    }

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change virtual-interface-indications]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Specify the ServiceChange command that the virtual BGF sends to the gateway controller when the state of the virtual interface changes to In-Service.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


warm

Syntax
    warm (none | restart-900);

Hierarchy Level
    [edit services pgcp gateway gateway-name h248-options service-change virtual-interface-indications virtual-interface-up]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Specify the method and reason that the virtual BGF includes in Service-Restoration ServiceChange commands that it sends to the gateway controller when a virtual interface transitions to In-Service.

Default
    If you do not specify an option, the virtual BGF includes RS/900 (restart-900).

Options
    none: Virtual BGF does not send a ServiceChange command.
    restart-900: Service restored. The virtual interface has become In-Service and is in the Forwarding state.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring the Method and Reason in ServiceChange Commands for Virtual Interfaces in Session Border Control Solutions Guide Using BGF and IMSG


CHAPTER 32

Service Interface Pools Configuration Guidelines

To configure service interface pools, include the service-interface-pools statement at the [edit services] hierarchy level:

    [edit services]
    service-interface-pools {
        pool pool-name {
            interface interface-name.unit-number;
        }
    }

This chapter discusses the following topics that provide information about configuring service interface pools:

    Configuring Service Interface Pools on page 751

Configuring Service Interface Pools

To configure a service interface pool, include the following statements at the [edit services service-interface-pools] hierarchy level:

    [edit services service-interface-pools]
    pool pool-name {
        interface interface-name.unit-number;
    }


CHAPTER 33

Summary of Service Interface Pools Statements

The following sections explain each of the service interface pools statements. The statements are organized alphabetically.

interface

Syntax
    interface interface-name.unit-number;

Hierarchy Level
    [edit services service-interface-pools pool pool-name]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Add logical service interfaces to the pool of service interfaces.

Options
    interface-name.unit-number: Name and logical unit number of the service interface.

    The following rules apply:
        All interfaces in a pool must belong to the same service PIC or DPC.
        All interfaces assigned to the same service must be in the same pool.
        Logical interfaces cannot be in more than one pool.
        All interfaces must have either family inet or family inet6 configured.
        Logical unit 0 cannot be configured in a service interface pool.
        You can configure up to 1000 logical interfaces in a service interface pool.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Border Control Solutions Guide Using BGF and IMSG
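The rules listed for the interface statement (one PIC or DPC per pool, no logical interface in two pools, family inet or inet6 required, no unit 0, at most 1000 interfaces per pool) are the kind of thing to check before committing a configuration. The following Python linter is an added example, not Juniper code; it assumes the pool membership and the per-interface families have already been extracted from the configuration into the two dicts shown.

```python
"""Constructed example: lint service-interface-pools against the rules stated
for the `interface` statement. Not Juniper code; the input dict shapes, the
function names and the sample data are assumptions for illustration."""
import re
from collections import defaultdict

MAX_INTERFACES_PER_POOL = 1000

# A logical service interface: physical part such as ms-1/2/0, then .unit
IFL_RE = re.compile(r"^(?P<pic>[a-z]+-\d+/\d+/\d+)\.(?P<unit>\d+)$")


def parse_ifl(name):
    """Split 'ms-1/2/0.5' into ('ms-1/2/0', 5); raise ValueError on other shapes."""
    m = IFL_RE.match(name)
    if not m:
        raise ValueError(f"not a logical service interface name: {name!r}")
    return m.group("pic"), int(m.group("unit"))


def lint_pools(pools, families):
    """Return a list of human-readable rule violations (empty when clean).

    pools:    {pool_name: [ifl_name, ...]}        taken from service-interface-pools
    families: {ifl_name: {"inet", "inet6", ...}}  taken from [edit interfaces]
    """
    errors = []
    owners = defaultdict(list)  # ifl -> pools that reference it

    for pool, ifls in pools.items():
        if len(ifls) > MAX_INTERFACES_PER_POOL:
            errors.append(f"{pool}: {len(ifls)} interfaces, limit is {MAX_INTERFACES_PER_POOL}")
        pics = set()
        for ifl in ifls:
            try:
                pic, unit = parse_ifl(ifl)
            except ValueError as exc:
                errors.append(f"{pool}: {exc}")
                continue
            pics.add(pic)
            owners[ifl].append(pool)
            if unit == 0:
                errors.append(f"{pool}: {ifl} uses logical unit 0, which is not allowed")
            if not families.get(ifl, set()) & {"inet", "inet6"}:
                errors.append(f"{pool}: {ifl} has neither family inet nor family inet6")
        if len(pics) > 1:
            errors.append(f"{pool}: interfaces span several PICs/DPCs: {sorted(pics)}")

    for ifl, in_pools in owners.items():
        if len(in_pools) > 1:
            errors.append(f"{ifl} appears in more than one pool: {sorted(set(in_pools))}")
    return errors


# Constructed sample input that breaks several rules on purpose.
SAMPLE_POOLS = {
    "pool-a": ["ms-1/2/0.1", "ms-1/2/0.2", "ms-1/2/0.0"],   # unit 0 present
    "pool-b": ["ms-1/2/0.2", "ms-3/0/0.7"],                  # reused IFL, two PICs
}
SAMPLE_FAMILIES = {
    "ms-1/2/0.1": {"inet"},
    "ms-1/2/0.2": {"inet6"},
    "ms-1/2/0.0": {"inet"},
    "ms-3/0/0.7": set(),   # no family configured
}

if __name__ == "__main__":
    for line in lint_pools(SAMPLE_POOLS, SAMPLE_FAMILIES):
        print(line)
```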


pool

Syntax
    pool pool-name {
        interface interface-name.unit-number;
    }

Hierarchy Level
    [edit services service-interface-pools]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Configure a service interface pool for VPN aggregation for the BGF feature.

Options
    pool-name: Name of the service interface pool.
    The remaining options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Border Control Solutions Guide Using BGF and IMSG

service-interface-pools

Syntax
    service-interface-pools {
        pool pool-name {
            interface interface-name.unit-number;
        }
    }

Hierarchy Level
    [edit services]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Configure service interface pools used for VPN aggregation.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Border Control Solutions Guide Using BGF and IMSG


CHAPTER 34

Border Signaling Gateway Configuration Guidelines

To configure border signaling gateways (BSG), include the border-signaling-gateway statement at the [edit services] hierarchy level:

    [edit services]
    border-signaling-gateway {
        gateway gateway-name {
            admission-control admission-control-profile {
                dialogs {
                    maximum-concurrent number;
                    committed-attempts-rate dialogs-per-second;
                    committed-burst-size number-of-dialogs;
                }
                transactions {
                    maximum-concurrent number;
                    committed-attempts-rate transactions-per-second;
                    committed-burst-size number-of-transactions;
                }
            }
            embedded-spdf {
                service-class service-class-name {
                    term term-name {
                        from {
                            media-type (any-media | audio | video);
                        }
                        then {
                            committed-burst-size bytes;
                            committed-information-rate bytes-per-second;
                            dscp (alias | do-not-change | dscp-value);
                            reject;
                        }
                    }
                }
            }
            name-resolution-cache {
                accelerations {
                    initiate-alternative-queries;
                    initiate-next-queries;
                    no-refresh-before-ttl-expiry;
                }
                blacklist-period seconds;
                maximum-records-in-cache number;
                maximum-time-in-cache (unlimited | seconds);
            }
            service-interface name;
            service-point service-point-name {
                default-media-realm service-interface interface-name.unit-number;
                service-point-type service-point-type;
                service-policies {
                    new-call-usage-input-policies [policy-and-policy-set-names];
                    new-call-usage-output-policies [policy-and-policy-set-names];
                    new-transaction-input-policies [policy-and-policy-set-names];
                    new-transaction-output-policies [policy-and-policy-set-names];
                }
                transport-details <port port-number> <ip-address ip-address> <tcp> <udp>;
            }
            sip {
                message-manipulation-rules {
                    manipulation-rule rule-name {
                        actions {
                            sip-header header-field-name {
                                field-value {
                                    modify-regular-expression regular-expression with field-value;
                                    add field-value;
                                    add-missing field-value;
                                    add-overwrite field-value;
                                    remove-regular-expression regular-expression;
                                    remove-all;
                                    reject-regular-expression regular-expression;
                                }
                            }
                            request-uri request-uri {
                                field-value {
                                    modify-regular-expression regular-expression with field-value;
                                }
                            }
                        }
                    }
                }
                new-call-usage-policy policy-name {
                    term term-name {
                        from {
                            contact [ contact-fields ];
                            method {
                                method-invite;
                            }
                            request-uri [ uri-fields ];
                            source-address [ ip-addresses ];
                        }
                        then {
                            media-policy {
                                data-inactivity-detection {
                                    inactivity-duration seconds;
                                }
                                no-anchoring;
                                service-class service-class-name;
                            }
                            trace;
                        }
                    }
                }
                new-call-usage-policy-set policy-set-name {
                    policy-name [ policy-names ];
                }
                new-transaction-policy policy-name {
                    term term-name {
                        from {
                            contact {
                                registration-state [ registered | not-registered ];
                                regular-expression [ regular-expression ];
                                uri-hiding [ hidden-uri | not-hidden-uri ];
                            }
                            method {
                                method-invite;
                                method-message;
                                method-options;
                                method-publish;
                                method-refer;
                                method-register;
                                method-subscribe;
                            }
                            request-uri {
                                registration-state [ registered | not-registered ];
                                regular-expression [ regular-expression ];
                                uri-hiding [ hidden-uri | not-hidden-uri ];
                            }
                            source-address [ ip-addresses ];
                        }
                        then {
                            (accept | reject);
                            admission-control admission-control-profile;
                            message-manipulation {
                                forward-manipulation {
                                    manipulation-rule-name;
                                }
                                reverse-manipulation {
                                    manipulation-rule-name;
                                }
                            }
                            on-3xx-response {
                                recursion-limit number;
                            }
                            route {
                                egress-service-point service-point-name;
                                next-hop (request-uri | address ipv4-address | <port port-number> <transport-protocol (udp | tcp)>);
                                server-cluster cluster-name;
                            }
                            signaling-realm signaling-realm;
                            trace;
                        }
                    }
                }
                new-transaction-policy-set policy-set-name {
                    policy-name [ policy-names ];
                }
                routing-destinations {
                    availability-check-profiles {
                        profile-name;
                        keepalive-interval {
                            available-server seconds;
                            unavailable-server seconds;
                        }
                        keepalive-method sip-options;
                        keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
                        transaction-timeout seconds;
                    }
                    clusters {
                        cluster-name;
                        server server-name {
                            priority priority-level;
                            weight weight-level;
                        }
                    }
                    default-availability-check-profile profile-name;
                }
                servers {
                    server-name {
                        address ip4-address <port port-number> <transport (udp | tcp)>;
                        admission-control profile-name;
                        availability-check-profile profile-name;
                        service-point service-point-name;
                    }
                }
                timers {
                    inactive-call seconds;
                    timer-c seconds;
                }
            }
            traceoptions {
                file {
                    filename filename;
                    files number-of-files;
                    match regular-expression;
                    size maximum-trace-file-size;
                }
                flag {
                    datastore {
                        data trace-level;
                        db trace-level;
                        handle trace-level;
                        minimum trace-level;
                    }
                    framework {
                        action trace-level;
                        event trace-level;
                        executor trace-level;
                        freezer trace-level;
                        minimum trace-level;
                        memory-pool trace-level;
                    }
                    minimum trace-level;
                    sbc-utils {
                        common trace-level;
                        configuration trace-level;
                        device-monitor trace-level;
                        ipc trace-level;
                        memory-management trace-level;
                        message trace-level;
                        minimum trace-level;
                        user-interface trace-level;
                    }
                    session-trace trace-level;
                    signaling {
                        b2b trace-level;
                        b2b-wrapper trace-level;
                        minimum trace-level;
                        policy trace-level;
                        sip-stack-wrapper trace-level;
                        topology-hiding trace-level;
                        ua trace-level;
                    }
                    sip-stack {
                        dev-logging;
                        event-tracing;
                        ips-tracing;
                        pd-log-detail (full | summary);
                        pd-log-level (audit | exception | problem);
                        per-tracing;
                        verbose-logging;
                    }
                }
            }
        }
    }

For information about configuring the border signaling gateway, see the Session Border Control Solutions Guide Using BGF and IMSG.


CHAPTER 35

Summary of Border Signaling Gateway Configuration Statements


The following sections explain each of the border signaling gateway statements. The statements are organized alphabetically.


actions

Syntax
    actions {
        sip-header header-field-name {
            field-value {
                add field-value;
                add-missing field-value;
                add-overwrite field-value;
                modify-regular-expression regular-expression with field-value;
                reject-regular-expression regular-expression;
                remove-all;
                remove-regular-expression regular-expression;
            }
        }
        request-uri request-uri {
            field-value {
                modify-regular-expression regular-expression with field-value;
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip message-manipulation-rules manipulation-rule rule-name]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure the actions for your manipulation rule. You can have up to 50 actions in a manipulation rule.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Manipulation of Headers and Request URIs in SIP Messages in the Session Border Control Solutions Guide Using BGF and IMSG

accelerations

Syntax
    accelerations {
        initiate-alternative-queries;
        initiate-next-queries;
        no-refresh-before-ttl-expiry;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name name-resolution-cache]

Release Information
    Statement introduced in Junos OS Release 10.0.

Description
    Configure the method, if any, that the BSG uses to accelerate the process of DNS name resolution for SIP servers.

Options
    initiate-alternative-queries: If this flag is on, the BSG initiates a name authority pointer (NAPTR) query, both a TCP and a UDP service record (SRV) query, and an address record (A) query in parallel for each new SIP URI that it receives in a new transaction. This flag saves time if the NAPTR query fails.
        Default: off
    initiate-next-queries: If this flag is on, the BSG sends A record queries to all SIP servers returned in the SRV response instead of querying only the first A record in the SRV response.
        Default: off
    no-refresh-before-ttl-expiry: If this flag is on, the BSG removes the SIP server from the cache when the TTL expires. If this flag is off, the BSG re-queries the A record and, if the query is resolved, refreshes the TTL, so the entry is not removed from the cache.
        Default: off

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring DNS Resolution for Locating SIP Servers in the Multiplay Solutions Guide

admission-control

See the following sections:

    admission-control (Border Signaling Gateway) on page 764
    admission-control (New Transaction Policy) on page 765

admission-control (Border Signaling Gateway)

Syntax
    admission-control admission-control-profile {
        dialogs {
            maximum-concurrent number;
            committed-attempts-rate dialogs-per-second;
            committed-burst-size number-of-dialogs;
        }
        transactions {
            maximum-concurrent number;
            committed-attempts-rate transactions-per-second;
            committed-burst-size number-of-transactions;
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Configure an admission control profile for a BSG.

Options
    admission-control-profile: Name of the admission control profile.

    NOTE: You can define a maximum of 100 admission control profiles for a BSG.

    Other options are described separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Call Admission Control in the Session Border Control Solutions Guide Using BGF and IMSG

admission-control (New Transaction Policy)

Syntax
    admission-control admission-control-profile;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specifies the CAC admission controller used for this policy.

Options
    admission-control-profile: Name of the admission control profile used for this policy.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Call Admission Control in the Session Border Control Solutions Guide Using BGF and IMSG

availability-check-profiles

Syntax
    availability-check-profiles {
        profile-name;
        keepalive-interval {
            available-server seconds;
            unavailable-server seconds;
        }
        keepalive-method sip-options;
        keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
        transaction-timeout seconds;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip routing-destinations]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Configure options used to determine that a server is available and able to receive SIP messages. The options are explained separately.
    Default: 600

Options
    available-server seconds: Number of seconds between pinging requests to an available server.
        Range: 10 to 86,400
        Default: 32
    unavailable-server seconds: Number of seconds between pinging requests to an unavailable server.
        Range: 10 to 86,400
        Default: 32
    keepalive-strategy: Specify the strategy for checking server availability.
        Default: send-when-unavailable
        send-always: Always check the availability of this server.
            failures-before-unavailable number: Number of failures before the server is considered unavailable and placed in the server blacklist.
                Range: 1 to 10
                Default: 1
            successes-before-available number: Number of successes before the server is considered available and removed from the server blacklist.
                Range: 1 to 10
                Default: 1
        send-when-unavailable: Check server availability only if it is in the server blacklist.
            successes-before-available number: Number of successes before the server is considered available and removed from the server blacklist.
        do-not-send: Do not perform availability checking.
            blackout-period seconds: Define the period, in seconds, during which the server is considered unavailable.
                Range: 0 (no blacklisting) to 86,400 (24 hours)
    transaction-timeout seconds: The number of seconds from the initiation of a ping request after which, if there is no reply, the ping is considered to have failed.
        Range: 10 to 32
        Default: 32

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Creating Availability Profiles for Servers in Session Border Control Solutions Guide Using BGF and IMSG

blacklist-period

Syntax
    blacklist-period seconds;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name name-resolution-cache]

Release Information
    Statement introduced in Junos OS Release 10.0.

Description
    Configure the amount of time that a SIP server remains on the blacklist. If the BSG finds that a server for a transaction is down, it marks the server as unavailable. The BSG does not forward SIP messages to a server on the blacklist until the blacklist period ends.

Options
    seconds: Once the BSG marks a server as unavailable, this is the amount of time that the server remains on the blacklist.
        Range: 0 through 86,400
        Default: 600

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring DNS Resolution for Locating SIP Servers in the Session Border Control Solutions Guide Using BGF and IMSG

clusters

Syntax
    clusters {
        cluster-name;
        server server-name {
            priority priority-level;
            weight weight-level;
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip routing-destinations]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Configure clusters of servers to use as routing destinations.

Options
    server-name: Name of the server to include in the cluster.
    priority-level: Relative priority, or redundancy order, as a choice for routing destination. 0 is the highest priority.
        Range: 0 to 65,535
        Default: 1
    weight-level: Relative proportion of transactions within the specified priority level to route to this server.
        Range: 0 to 65,535
        Default: 1
    profile: Name of the admission control profile assigned to this server.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    SIP Routing with Server Clusters Overview in Session Border Control Solutions Guide Using BGF and IMSG

    Configuring Server Clusters in Session Border Control Solutions Guide Using BGF and IMSG
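As an added example (not from the Juniper guide), the fragment below ties together the availability-check-profiles, clusters and servers statements under routing-destinations and routes INVITEs to the cluster from a new-transaction-policy term. The gateway, profile, cluster, server and service-point names and the addresses are constructed, and the fragment assumes that the profile-name, cluster-name and server-name placeholders in the syntax summaries are written as named containers.

```junos
/* Added example; names and addresses are constructed, not taken from the guide. */
services {
    border-signaling-gateway {
        gateway bsg1 {
            sip {
                routing-destinations {
                    availability-check-profiles {
                        /* Probe with SIP OPTIONS even while a server is healthy:
                           three missed probes blacklist it, two good ones restore it
                           (both counters range 1 to 10). */
                        strict-probe {
                            keepalive-interval {
                                /* Ranges 10 to 86,400 seconds; probe an unavailable
                                   server more often so recovery is noticed quickly. */
                                available-server 60;
                                unavailable-server 20;
                            }
                            keepalive-method sip-options;
                            keepalive-strategy send-always failures-before-unavailable 3 successes-before-available 2;
                            /* A probe unanswered for 20 seconds counts as a failure (range 10 to 32). */
                            transaction-timeout 20;
                        }
                    }
                    clusters {
                        /* Two equal-weight servers at priority 0 share the load;
                           priority 1 is used only when both are blacklisted. */
                        core-proxies {
                            server proxy-a {
                                priority 0;
                                weight 1;
                            }
                            server proxy-b {
                                priority 0;
                                weight 1;
                            }
                            server proxy-backup {
                                priority 1;
                                weight 1;
                            }
                        }
                    }
                    default-availability-check-profile strict-probe;
                    servers {
                        proxy-a {
                            address 192.0.2.20 port 5060 transport udp;
                            availability-check-profile strict-probe;
                            service-point core-sp;
                        }
                        proxy-b {
                            address 192.0.2.21 port 5060 transport udp;
                            availability-check-profile strict-probe;
                            service-point core-sp;
                        }
                        proxy-backup {
                            address 192.0.2.30 port 5060 transport tcp;
                            /* No per-server profile here; this example assumes the
                               default-availability-check-profile above then applies. */
                            service-point core-sp;
                        }
                    }
                }
                /* Route every new INVITE to the cluster rather than to a fixed next-hop,
                   so blacklisted servers are skipped automatically. */
                new-transaction-policy to-core {
                    term invites {
                        from {
                            method {
                                method-invite;
                            }
                        }
                        then {
                            accept;
                            route {
                                server-cluster core-proxies;
                            }
                        }
                    }
                }
            }
        }
    }
}
```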


committed-burst-size

Syntax
    committed-burst-size bytes;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure the maximum number of bytes by which incoming packets are allowed to burst above the committed information rate.

    NOTE: When you configure committed-burst-size you must also configure committed-information-rate.

Options
    bytes: Number of bytes.
        Range: 20 through 4,294,967,295
        Default: 10,000

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Admission Control Profiles in the Session Border Control Solutions Guide Using BGF and IMSG

committed-information-rate

Syntax
    committed-information-rate bytes-per-second;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure the maximum bandwidth that can be allocated to a packet that is flowing under normal line conditions.

    NOTE: When you configure committed-information-rate you must also configure committed-burst-size.

Options
    bytes-per-second: Number of bytes per second.
        Range: 125 through 4,294,967,295
        Default: 2000

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring QoS and Rate Limiting in the Session Border Control Solutions Guide Using BGF and IMSG

data-inactivity-detection

Syntax
    data-inactivity-detection {
        inactivity-duration seconds;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name term term-name then media-policy]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure data inactivity detection to detect latch deadlocks or other media inactivity on a gate.

Options
    The statement is described separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Latch Deadlock and Media Inactivity Detection in Session Border Control Solutions Guide Using BGF and IMSG

datastore

Syntax
    datastore {
        data trace-level;
        db trace-level;
        handle trace-level;
        minimum trace-level;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name traceoptions flag]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure trace-level options for the datastore component of the BSG.

Options
    data trace-level: Trace level for the data subcomponent.
    db trace-level: Trace level for the wrapper layer around the database.
    handle trace-level: Trace level for the access API for the database.
    minimum trace-level: Minimum trace level for all datastore messages.
    trace-level: Trace-level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:
        debug: Logging of all code flow of control.
        trace: Logging of program trace START and EXIT macros.
        info: Summary logs for normal operations, such as the policy decisions made for a call.
        warning: Failure recovery or failure of an external entity.
        error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

default-media-realm

Syntax
    default-media-realm realm-number;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name service-point service-point-name]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure a default value for the media-realm for each new call. The BGF uses media-realm to locate a virtual interface with the same value, which determines the NAT pool for the call.

Options
    realm-number: The realm number used to match a virtual interface.
        Range: 0 through 1023
        Default: 0

Required Privilege Level
    view-level: To view this statement in the configuration.
    control-level: To add this statement to the configuration.

Related Documentation
    Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG

dialogs

Syntax
    dialogs {
        maximum-concurrent number;
        committed-attempts-rate dialogs-per-second;
        committed-burst-size number-of-dialogs;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name admission-control]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Configure admission control settings for dialogs.

Options
    maximum-concurrent number: Maximum number of concurrent dialogs. 0 causes all calls to be rejected.
        Values: 0 through 100,000
        Default: 100000
    committed-attempts-rate dialogs-per-second: Maximum number of attempts per second to initiate dialogs.
        Values: 0 through 500
        Default: 500
    committed-burst-size number-of-dialogs: Maximum number of dialogs allowed to burst above the committed rate and still be accepted.
        Values: 0 through 1000
        Default: 1000

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Admission Control Profiles in Session Border Control Solutions Guide Using BGF and IMSG
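As an added example (not from the Juniper guide) that draws on the admission-control and dialogs entries above, the fragment below defines one admission control profile at the gateway level and applies it from a new-transaction-policy term, with the policy attached to a service point. The gateway, profile, policy, service-point names, the addresses and the limits are constructed; the placement of admission-control inside the new-transaction-policy then block follows the chapter 34 hierarchy listing.

```junos
/* Added example; names, addresses and limits are constructed, not taken from the guide. */
services {
    border-signaling-gateway {
        gateway bsg1 {
            /* One of at most 100 profiles per BSG. Dialog values stay inside the
               documented ranges: 0 to 100,000 concurrent, 0 to 500 attempts per
               second, 0 to 1000 burst. Leaving maximum-concurrent at 0 would
               reject every call, so it is set explicitly here. */
            admission-control peer-cac {
                dialogs {
                    maximum-concurrent 2000;
                    committed-attempts-rate 50;
                    committed-burst-size 100;
                }
                transactions {
                    maximum-concurrent 4000;
                    committed-attempts-rate 200;
                    committed-burst-size 400;
                }
            }
            /* The policy only takes effect once a service point lists it as an
               input policy for new transactions. */
            service-point access-sp {
                service-policies {
                    new-transaction-input-policies [ cac-by-peer ];
                }
            }
            sip {
                new-transaction-policy cac-by-peer {
                    /* INVITEs from the two known peers are admitted, but rate- and
                       concurrency-limited by peer-cac. */
                    term trusted-peers {
                        from {
                            method {
                                method-invite;
                            }
                            source-address [ 192.0.2.10 192.0.2.11 ];
                        }
                        then {
                            accept;
                            admission-control peer-cac;
                        }
                    }
                    /* Any other source trying to start a dialog is refused outright. */
                    term everyone-else {
                        from {
                            method {
                                method-invite;
                            }
                        }
                        then {
                            reject;
                        }
                    }
                }
            }
        }
    }
}
```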


dscp

Syntax
    dscp (dscp-value | alias | do-not-change);

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure values for DSCP marking that the BSG uses for traffic that matches the service class term. If you do not specify a DSCP value, the default value is do-not-change.

Options
    dscp-value: String of six bits.
    alias: Standard DSCP name. Use the ? in the CLI to see a list of aliases.
    do-not-change: Do not override the DSCP value in the packet.

Default
    Default: be

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Quality of Service for VoIP Traffic Overview in Session Border Control Solutions Guide Using BGF and IMSG

    Configuring QoS for the BGF in Session Border Control Solutions Guide Using BGF and IMSG

egress-service-point

Syntax
    egress-service-point service-point-name;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then route]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure the exit point of SIP requests from the BSG.

Options
    service-point-name: Name of the service point that you want to use as the egress service point. This is a service point that you configure with the service-point statement.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Using New Transaction Policies to Route SIP Requests (next-hop) in Session Border Control Solutions Guide Using BGF and IMSG

    Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG

embedded-spdf

Syntax
    embedded-spdf {
        service-class service-class-name {
            term term-name {
                from {
                    media-type (any-media | audio | video);
                }
                then {
                    committed-burst-size bytes;
                    committed-information-rate bytes-per-second;
                    dscp (dscp-value | alias | do-not-change);
                    reject;
                }
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure an SPDF (session policy decision function). Each BSG instance consists of a single embedded SPDF that includes one or more service classes.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    IMSG Session Border Control Solution Overview in Session Border Control Solutions Guide Using BGF and IMSG

    Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG

file

Syntax
    file <filename> <files files> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name traceoptions]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure the trace file for tracing BSG components.

Options
    filename filename: Name of the file to which the tracing messages are written.
        Default: bsg_trace
    files number-of-files: Number of trace files. The tracing mechanism can rotate between any given number of files, allowing for trace message inspection without interfering with the normal work of the application.
        Default: 3
    match regular-expression: Regular expression to match with incoming messages. Messages that do not match the regular expression are not written to the trace file.
    size maximum-trace-file-size: Size parameter (in bytes) that triggers rotation of files. The trace mechanism rotates files based on the current file size: when the size exceeds the maximum configured size, the files are rotated.
        Default: 1048576
    world-readable | no-world-readable: Allow all users to read the log file, or restrict it so that other users cannot read it.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

flag

Syntax
    flag {
        datastore {
            data trace-level;
            db trace-level;
            handle trace-level;
            minimum trace-level;
        }
        framework {
            action trace-level;
            event trace-level;
            executor trace-level;
            freezer trace-level;
            minimum trace-level;
            memory-pool trace-level;
        }
        minimum trace-level;
        sbc-utils {
            common trace-level;
            configuration trace-level;
            device-monitor trace-level;
            ipc trace-level;
            memory-management trace-level;
            message trace-level;
            minimum trace-level;
            user-interface trace-level;
        }
        session-trace trace-level;
        signaling {
            b2b trace-level;
            b2b-wrapper trace-level;
            minimum trace-level;
            policy trace-level;
            sip-stack-wrapper trace-level;
            topology-hiding trace-level;
            ua trace-level;
        }
        sip-stack {
            dev-logging;
            event-tracing;
            ips-tracing;
            pd-log-detail (full | summary);
            pd-log-level (audit | exception | problem);
            per-tracing;
            verbose-logging;
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name traceoptions]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure trace options for components of the BSG.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

forward-manipulation

Syntax
    forward-manipulation {
        manipulation-rule-name;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then message-manipulation]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure the forward message manipulation rules that you want to add to your new transaction policy. Forward manipulation rules are applied to any message going from the user agent client (UAC), or the caller, to the user agent server (UAS), or the callee. They are applied to the original transaction request. If the transaction creates a dialog, the rules are also applied to other transaction requests or responses within the dialog.

Options
    manipulation-rule-name: Name of the message manipulation rule that you want to add. You can add up to five forward manipulation rules to a policy. These rules must have been configured at the [edit services border-signaling-gateway gateway gateway-name sip message-manipulation-rules manipulation-rule rule-name actions] hierarchy level.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Using New Transaction Policies to Manipulate SIP Headers or to Reject SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG
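As an added example (not from the Juniper guide) that connects the actions entry with the forward-manipulation entry above, the fragment below defines two manipulation rules, one that strips headers disclosing internal software versions and one that rewrites an internal domain in the Contact header, and applies them from a new-transaction-policy term. The gateway, rule, policy and domain names are constructed; the direction of reverse-manipulation, which is described separately, is assumed here to be the UAS-to-UAC direction.

```junos
/* Added example; names and domains are constructed, not taken from the guide. */
services {
    border-signaling-gateway {
        gateway bsg1 {
            sip {
                message-manipulation-rules {
                    /* Topology hiding: drop headers that reveal the software running
                       on the internal side. Each rule may carry up to 50 actions. */
                    manipulation-rule hide-topology {
                        actions {
                            sip-header User-Agent {
                                field-value {
                                    remove-all;
                                }
                            }
                            sip-header Server {
                                field-value {
                                    remove-all;
                                }
                            }
                        }
                    }
                    /* Replace the internal domain in Contact with the public one
                       (regular-expression first, replacement after "with"). */
                    manipulation-rule public-contact {
                        actions {
                            sip-header Contact {
                                field-value {
                                    modify-regular-expression "@sip-int\.example\.net" with "@sip.example.net";
                                }
                            }
                        }
                    }
                }
                new-transaction-policy scrub-headers {
                    term signaling {
                        from {
                            method {
                                method-invite;
                                method-register;
                                method-options;
                            }
                        }
                        then {
                            accept;
                            message-manipulation {
                                /* Forward: the original request from caller (UAC) to callee (UAS),
                                   plus later requests and responses in that direction if a
                                   dialog is created. At most five forward rules per policy. */
                                forward-manipulation {
                                    hide-topology;
                                }
                                /* Reverse (assumed): messages travelling back toward the caller,
                                   where internal Contact values would otherwise leak out. */
                                reverse-manipulation {
                                    hide-topology;
                                    public-contact;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```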


framework

Syntax
    framework {
        action trace-level;
        event trace-level;
        executor trace-level;
        freezer trace-level;
        minimum trace-level;
        memory-pool trace-level;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name traceoptions flag]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure trace options for the BSG component that provides an infrastructure for incremental implementation of functionality.

Options
    action trace-level: Trace level for the framework subcomponent that creates, initiates, and manipulates event actions.
    event trace-level: Trace level for the framework subcomponent that creates, modifies, and terminates event members.
    executor trace-level: Trace level for the framework subcomponent that executes configured actions for an event, handles any error states, delays processing, and so on.
    freezer trace-level: Trace level for the framework subcomponent that delays the execution of an event until certain conditions are met.
    minimum trace-level: Minimum trace level for all framework messages.
    memory-pool trace-level: Trace level for the framework subcomponent that creates, deletes, and manipulates memory pools and pool managers, and controls the check-in and check-out of memory objects to and from memory pools.
    trace-level: Trace-level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:
        debug: Logging of all code flow of control.
        trace: Logging of program trace START and EXIT macros.
        info: Summary logs for normal operations, such as the policy decisions made for a call.
        warning: Failure recovery or failure of an external entity.
        error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

from

See the following sections:

    from (New Call Usage Policy) on page 783
    from (New Transaction Policy) on page 784
    from (Service Class) on page 786

from (New Call Usage Policy)

Syntax
    from {
        contact {
            regular-expression [ regular-expression ];
        }
        method {
            method-invite;
        }
        request-uri {
            regular-expression [ regular-expression ];
        }
        source-address [ ip-addresses ];
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name term term-name]

Release Information
    Statement introduced in Junos OS Release 9.4. regular-expression options introduced in Junos OS Release 9.5.

Description
    Configure match conditions for a new call usage policy.

Options
    contact: Match the contents of the Contact field. Contact field matching is based on regular expressions.
        regular-expression [ regular-expression ]: Regular expression used to match the contents of the Contact field.
            Syntax: To specify more than one regular expression, enclose the regular expressions in brackets.
    method-invite: Match the policy to SIP INVITE methods.
    request-uri: Match the contents of the uniform resource identifier (URI) in the SIP message request. Request URI matching is based on regular expressions.
        regular-expression [ regular-expression ]: Regular expression used to match the contents of the request URI field.
            Syntax: To specify more than one regular expression, enclose the regular expressions in brackets.
    source-address: Match the source address of the SIP request.
        [ ip-addresses ]: IP addresses that you want to match.
            Syntax: To specify more than one IP address, enclose the IP addresses in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a New Call Usage Policy in Session Border Control Solutions Guide Using BGF and IMSG

Chapter 35: Summary of Border Signaling Gateway Configuration Statements

from (New Transaction Policy)

Syntax
    from {
        contact {
            registration-state [ registered | not-registered ];
            regular-expression [ regular-expression ];
            uri-hiding [ hidden-uri | not-hidden-uri ];
        }
        method {
            method-invite;
            method-message;
            method-options;
            method-publish;
            method-refer;
            method-register;
            method-subscribe;
        }
        request-uri {
            registration-state [ registered | not-registered ];
            regular-expression [ regular-expression ];
            uri-hiding [ hidden-uri | not-hidden-uri ];
        }
        source-address [ ip-addresses ];
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name]

Release Information
    Statement introduced in Junos OS Release 9.4.
    regular-expression options introduced in Junos OS Release 9.5.

Description
    Configure match conditions for a new transaction policy.

Options
    contact: Match the contents of the Contact field. Contact field matching is based on regular expressions.
        registration-state: Select transactions based on whether the BSG passed a SIP REGISTER message for the transaction to a SIP registrar. Values:
            registered: Select transactions for which the BSG passed a SIP REGISTER message to a SIP registrar.
            not-registered: Select transactions for which the BSG did not pass a SIP REGISTER message to a SIP registrar.
        regular-expression [ regular-expression ]: Regular expression used to match the contents of the Contact field.
            Syntax: To specify more than one regular expression, enclose the regular expressions in brackets.
        uri-hiding: Select transactions based on whether contact URIs are hidden. Values:
            hidden-uri: Select transactions for which the contact URI is hidden.
            not-hidden-uri: Select transactions for which the contact URI is not hidden.
    method: Match the type of SIP method.
        Syntax: To specify multiple SIP methods, use separate set statements.
    request-uri: Match the contents of the uniform resource identifier (URI) in the SIP request. Request URI matching is based on regular expressions.
        registration-state: Select transactions based on whether the request URI belongs to a registered transaction. Values:
            registered: Select transactions for which the BSG passed a SIP REGISTER message to a SIP registrar.
            not-registered: Select transactions for which the BSG did not pass a SIP REGISTER message to a SIP registrar.
        regular-expression [ regular-expression ]: Regular expression used to match the contents of the request URI field.
            Syntax: To specify more than one regular expression, enclose the regular expressions in brackets.
        uri-hiding: Select transactions based on whether request URIs are hidden. Values:
            hidden-uri: Select transactions for which the request URI is hidden.
            not-hidden-uri: Select transactions for which the request URI is not hidden.
    source-address [ ip-addresses ]: Match the source address of the SIP request; ip-addresses are the IP addresses that you want to match.
        Syntax: To specify more than one IP address, enclose the IP addresses in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a New Transaction Policy in Session Border Control Solutions Guide Using BGF and IMSG
    Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG


from (Service Class)

Syntax
    from {
        media-type (any-media | audio | video);
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name term term-name]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure match conditions for a service class.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a New Call Usage Policy in Session Border Control Solutions Guide Using BGF and IMSG
    Configuring QoS and Rate Limiting in Session Border Control Solutions Guide Using BGF and IMSG


gateway

Syntax
    gateway gateway-name {
        admission-control controller-name {
            dialogs {
                maximum-concurrent number;
                committed-attempts-rate dialogs-per-second;
                committed-burst-size number-of-dialogs;
            }
            transactions {
                maximum-concurrent number;
                committed-attempts-rate transactions-per-second;
                committed-burst-size number-of-transactions;
            }
        }
        embedded-spdf {
            service-class service-class-name {
                term term-name {
                    from {
                        media-type (any-media | audio | video);
                    }
                    then {
                        committed-burst-size bytes;
                        committed-information-rate bytes-per-second;
                        dscp (alias | do-not-change | dscp-value);
                        reject;
                    }
                }
            }
        }
        name-resolution-cache {
            accelerations {
                initiate-alternative-queries;
                initiate-next-queries;
                no-refresh-before-ttl-expiry;
            }
            blacklist-period seconds;
            maximum-records-in-cache number;
            maximum-time-in-cache (unlimited | seconds);
        }
        service-interface name;
        service-point service-point-name {
            default-media-realm;
            service-interface interface-name.unit-number;
            service-point-type service-point-type;
            service-policies {
                new-call-usage-input-policies [ policy-and-policy-set-names ];
                new-call-usage-output-policies [ policy-and-policy-set-names ];
                new-transaction-input-policies [ policy-and-policy-set-names ];
                new-transaction-output-policies [ policy-and-policy-set-names ];
            }
            transport-details <port port-number> <ip-address ip-address> <tcp> <udp>;
        }
        sip {
            message-manipulation-rules {
                manipulation-rule rule-name {
                    actions {
                        sip-header header-field-name {
                            field-value {
                                modify-regular-expression regular-expression with field-value;
                                add field-value;
                                add-missing field-value;
                                add-overwrite field-value;
                                remove-regular-expression regular-expression;
                                remove-all;
                                reject-regular-expression regular-expression;
                            }
                        }
                        request-uri request-uri {
                            field-value {
                                modify-regular-expression regular-expression with field-value;
                            }
                        }
                    }
                }
            }
            new-call-usage-policy policy-name {
                term term-name {
                    from {
                        contact [ contact-fields ];
                        method {
                            method-invite;
                        }
                        request-uri [ uri-fields ];
                        source-address [ ip-addresses ];
                    }
                    then {
                        media-policy {
                            data-inactivity-detection {
                                inactivity-duration seconds;
                            }
                            no-anchoring;
                            service-class service-class-name;
                        }
                        trace;
                    }
                }
            }
            new-call-usage-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            new-transaction-policy policy-name {
                term term-name {
                    from {
                        contact {
                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        method {
                            method-invite;
                            method-message;
                            method-options;
                            method-publish;
                            method-refer;
                            method-register;
                            method-subscribe;
                        }
                        request-uri {
                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        source-address [ ip-addresses ];
                    }
                    then {
                        (accept | reject);
                        admission-control admission-control-profile;
                        message-manipulation {
                            forward-manipulation {
                                manipulation-rule-name;
                            }
                            reverse-manipulation {
                                manipulation-rule-name;
                            }
                        }
                        on-3xx-response {
                            recursion-limit number;
                        }
                        route {
                            egress-service-point service-point-name;
                            next-hop (sip-based | address ipv4-address <port port-number> <transport-protocol (udp | tcp)>);
                            server-cluster cluster-name;
                        }
                        signaling-realm signaling-realm;
                        topology-hiding {
                            maintain-route-headers;
                        }
                        trace;
                    }
                }
            }
            new-transaction-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            routing-destinations {
                availability-check-profiles {
                    profile-name {
                        keepalive-interval {
                            available-server seconds;
                            unavailable-server seconds;
                        }
                        keepalive-method sip-options;
                        keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
                        transaction-timeout seconds;
                    }
                }
                clusters {
                    cluster-name {
                        server server-name {
                            priority priority-level;
                            weight weight-level;
                        }
                    }
                }
                default-availability-check-profile profile-name;
                servers {
                    server-name {
                        address ipv4-address <port port-number> <transport (udp | tcp)>;
                        admission-control profile-name;
                        availability-check-profile profile-name;
                        service-point service-point-name;
                    }
                }
            }
            timers {
                inactive-call seconds;
                timer-c seconds;
            }
        }
        traceoptions {
            file <filename> <files files> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
            flag {
                datastore {
                    data trace-level;
                    db trace-level;
                    handle trace-level;
                    minimum trace-level;
                }
                framework {
                    action trace-level;
                    event trace-level;
                    executor trace-level;
                    freezer trace-level;
                    minimum trace-level;
                    memory-pool trace-level;
                }
                minimum trace-level;
                sbc-utils {
                    common trace-level;
                    configuration trace-level;
                    device-monitor trace-level;
                    ipc trace-level;
                    memory-management trace-level;
                    message trace-level;
                    minimum trace-level;
                    user-interface trace-level;
                }
                session-trace trace-level;
                signaling {
                    b2b trace-level;
                    b2b-wrapper trace-level;
                    minimum trace-level;
                    policy trace-level;
                    sip-stack-wrapper trace-level;
                    topology-hiding trace-level;
                    ua trace-level;
                }
                sip-stack {
                    dev-logging;
                    event-tracing;
                    ips-tracing;
                    pd-log-detail (full | summary);
                    pd-log-level (audit | exception | problem);
                    per-tracing;
                    verbose-logging;
                }
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway]

Release Information
    Statement introduced in Junos OS Release 9.4.
    data-inactivity-detection option introduced in Junos OS Release 9.6.
    message-manipulation option introduced in Junos OS Release 9.6.
    message-manipulation-rules option introduced in Junos OS Release 9.6.
    name-resolution-cache option introduced in Junos OS Release 10.0.

Description
    Configure a border signaling gateway (BSG) instance.

Options
    gateway-name: Identifier for the BSG.
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    IMSG Session Border Control Solution Overview in Session Border Control Solutions Guide Using BGF and IMSG


inactivity-duration

Syntax
    inactivity-duration seconds;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name term term-name then media-policy data-inactivity-detection]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure the time interval that defines media inactivity. When the virtual BGF determines that the time since the last packet was received exceeds this duration, it generates an inactivity notification or a service change request. The same timer applies to terminations with latch events and to terminations without latch events.

Options
    seconds: Time during which no packets are received.
        Range: 5 through 86400
        Default: 30

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Border Control Solutions Guide Using BGF and IMSG


manipulation-rule

Syntax
    manipulation-rule rule-name {
        actions {
            sip-header header-field-name {
                field-value {
                    add field-value;
                    add-missing field-value;
                    add-overwrite field-value;
                    modify-regular-expression regular-expression with field-value;
                    reject-regular-expression regular-expression;
                    remove-all;
                    remove-regular-expression regular-expression;
                }
            }
            request-uri request-uri {
                field-value {
                    modify-regular-expression regular-expression with field-value;
                }
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip message-manipulation-rules]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure a rule for manipulating the header fields or the request URI in SIP messages. A BSG can have up to 1,000 manipulation rules.

Options
    rule-name: Name of the manipulation rule.
    The remaining options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Manipulation of Headers and Request URIs in SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG


media-policy

Syntax
    media-policy {
        data-inactivity-detection {
            inactivity-duration seconds;
        }
        media-release;
        no-anchoring;
        service-class service-class-name;
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 9.4.
    media-release statement introduced in Junos OS Release 10.1.
    no-anchoring statement introduced in Junos OS Release 9.5.
    service-class statement introduced in Junos OS Release 9.5.

Description
    Configure the media handling (service class, media anchoring, media release, and data inactivity detection) applied to traffic that matches the new call usage policy.

Options
    media-release: Enable media release for calls that match the policy.
    no-anchoring: Do not anchor media for calls that match the policy.
    service-class service-class-name: Name of the service class to be applied to traffic that matches the new call usage policy. You must have configured the service class with the service-class statement at the [edit services border-signaling-gateway gateway gateway-name embedded-spdf] hierarchy level.
    The remaining options are described separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a New Call Usage Policy in Session Border Control Solutions Guide Using BGF and IMSG


media-type

Syntax
    media-type (any-media | audio | video);

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure the type of media that the service class matches.

Options
    any-media: Match all media types.
    audio: Match audio traffic.
    video: Match video traffic.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG


message-manipulation

Syntax
    message-manipulation {
        forward-manipulation {
            manipulation-rule-name;
        }
        reverse-manipulation {
            manipulation-rule-name;
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure the forward and reverse message manipulation rules that you want to add to the new transaction policy. When the message manipulation rules in the policy match a transaction, they are applied to that transaction and to any transactions that belong to a dialog resulting from it.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Session Border Control Solutions Guide Using BGF and IMSG


maximum-records-in-cache

Syntax
    maximum-records-in-cache number;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name name-resolution-cache]

Release Information
    Statement introduced in Junos OS Release 10.0.

Description
    Configure the maximum number of SIP server entries that the DNS name resolution cache can hold. When this number is exceeded, entries are removed from the cache starting with the least recently used.

Options
    number: Number of servers that can be stored in the name resolution cache. A setting of 0 means that there is no name resolution cache.
        Range: 0 through 50,000
        Default: 5000

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring DNS Resolution for Locating SIP Servers

maximum-time-in-cache

Syntax
    maximum-time-in-cache (unlimited | seconds);

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name name-resolution-cache]

Release Information
    Statement introduced in Junos OS Release 10.0.

Description
    Configure the maximum time that a SIP server entry can be held in the DNS name resolution cache. Each entry carries the time-to-live (TTL) value of its DNS record, which indicates how long the entry can stay in the cache without being refreshed by a new query. Setting a number of seconds here caps that TTL: the configured value is applied only when it is lower than the record's TTL. If the configured value is higher than the original TTL, the original TTL is applied.

Options
    unlimited: The TTL value in the DNS entry is applied.
    seconds: Time that an entry can remain in the cache.
        Range: 0 through 604,800
        Default: unlimited

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring DNS Resolution for Locating SIP Servers


message-manipulation-rules

Syntax
    message-manipulation-rules {
        manipulation-rule rule-name {
            actions {
                sip-header header-field-name {
                    field-value {
                        add field-value;
                        add-missing field-value;
                        add-overwrite field-value;
                        modify-regular-expression regular-expression with field-value;
                        reject-regular-expression regular-expression;
                        remove-all;
                        remove-regular-expression regular-expression;
                    }
                }
                request-uri request-uri {
                    field-value {
                        modify-regular-expression regular-expression with field-value;
                    }
                }
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Configure rules for manipulating the header fields or the request URI in SIP messages.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Manipulation of Headers and Request URIs in SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG


minimum

Syntax
    minimum trace-level;

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name traceoptions flag flag]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure the minimum trace level for all selected BSG trace options. This setting overrides individual trace options that are set at a lower level.

Default
    warning

Options
    trace-level: One of the following trace levels:
        debug: Logging of all code flow of control.
        trace: Logging of program trace START and EXIT macros.
        info: Summary logs for normal operations, such as the policy decisions made for a call.
        warning: Failure recovery or failure of an external entity.
        error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG


name-resolution-cache

Syntax
    name-resolution-cache {
        accelerations {
            initiate-alternative-queries;
            initiate-next-queries;
            no-refresh-before-ttl-expiry;
        }
        blacklist-period seconds;
        maximum-records-in-cache number;
        maximum-time-in-cache (unlimited | seconds);
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name]

Release Information
    Statement introduced in Junos OS Release 10.0.

Description
    Configure how entries are handled in the DNS name resolution cache and which acceleration, if any, the BSG uses to speed up DNS name resolution for SIP servers.

Options
    The options are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring DNS Resolution for Locating SIP Servers
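The three cache statements above (name-resolution-cache, maximum-records-in-cache and maximum-time-in-cache) together describe a least-recently-used cache whose per-entry lifetime is the DNS TTL capped by maximum-time-in-cache, and which is switched off entirely by maximum-records-in-cache 0. The following Python model is added here as an illustration and is not Juniper's code: the resolver and its DNS records are constructed, eviction order and TTL capping follow the text above, and treating a cache hit as a "use" for LRU purposes is this example's assumption.

```python
from collections import OrderedDict
from typing import Callable, Dict, List, Tuple, Union

# Illustrative model of the BSG name-resolution cache as the reference entries
# describe it; example code, not Junos. Time is passed in explicitly so the
# example runs deterministically and offline.

Record = Tuple[List[str], int]          # (addresses, DNS TTL in seconds)


class NameResolutionCache:
    def __init__(self, resolver: Callable[[str], Record],
                 maximum_records_in_cache: int = 5000,
                 maximum_time_in_cache: Union[str, int] = "unlimited"):
        self._resolve = resolver
        self.max_records = maximum_records_in_cache   # 0 disables the cache
        self.max_time = maximum_time_in_cache         # "unlimited" or seconds
        self._entries: "OrderedDict[str, Tuple[List[str], int]]" = OrderedDict()
        self.queries = 0                              # resolver calls actually made

    def effective_ttl(self, dns_ttl: int) -> int:
        """maximum-time-in-cache can only shorten a record's TTL, never extend it."""
        if self.max_time == "unlimited":
            return dns_ttl
        return min(dns_ttl, int(self.max_time))

    def lookup(self, name: str, now: int) -> List[str]:
        entry = self._entries.get(name)
        if entry is not None:
            addresses, expires_at = entry
            if now < expires_at:
                self._entries.move_to_end(name)       # hit: mark most recently used (assumption)
                return addresses
            del self._entries[name]                   # expired: fall through to a new query
        addresses, dns_ttl = self._resolve(name)
        self.queries += 1
        if self.max_records == 0:
            return addresses                          # no cache at all
        self._entries[name] = (addresses, now + self.effective_ttl(dns_ttl))
        while len(self._entries) > self.max_records:
            self._entries.popitem(last=False)         # evict least recently used
        return addresses

    def cached_names(self) -> List[str]:
        return list(self._entries)


# Constructed DNS answers (RFC 5737 addresses, example.net names).
FAKE_DNS: Dict[str, Record] = {
    "sip1.example.net": (["192.0.2.10"], 300),
    "sip2.example.net": (["192.0.2.11", "192.0.2.12"], 60),
    "sip3.example.net": (["198.51.100.5"], 3600),
}


def fake_resolver(name: str) -> Record:
    return FAKE_DNS[name]


def demo() -> dict:
    """Exercise TTL capping, LRU eviction and the cache-disabled setting."""
    c = NameResolutionCache(fake_resolver, maximum_records_in_cache=2, maximum_time_in_cache=120)
    c.lookup("sip1.example.net", now=0)     # TTL 300 capped to 120
    c.lookup("sip2.example.net", now=0)     # TTL 60 is below the cap, so 60 applies
    c.lookup("sip1.example.net", now=10)    # hit; sip1 becomes most recently used
    c.lookup("sip3.example.net", now=20)    # third record: sip2 (least recently used) is evicted
    after_eviction = c.cached_names()
    c.lookup("sip1.example.net", now=130)   # expired at 120: a new query is issued
    queries_with_cache = c.queries

    nocache = NameResolutionCache(fake_resolver, maximum_records_in_cache=0)
    for t in range(3):
        nocache.lookup("sip1.example.net", now=t)   # every lookup goes to DNS

    return {
        "after_eviction": after_eviction,
        "queries_with_cache": queries_with_cache,
        "queries_without_cache": nocache.queries,
        "ttl_sip1": c.effective_ttl(300),
        "ttl_sip2": c.effective_ttl(60),
    }


if __name__ == "__main__":
    print(demo())
```

The operational point the model makes visible: a low maximum-time-in-cache forces more frequent DNS queries (and so shortens the window in which a stale or poisoned answer is reused), while maximum-records-in-cache 0 removes the cache and sends every SIP server lookup to DNS.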

new-call-usage-input-policies

Syntax
    new-call-usage-input-policies [ policy-and-policy-set-names ];

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name service-point service-point-name service-policies]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Assign new call usage input policies or policy sets to calls that enter through the service point. All packets arriving at the service point are matched against these policies.

Options
    [ policy-and-policy-set-names ]: Names of new call usage policies or policy sets.
        Syntax: If you specify more than one policy or policy set, enclose all the names in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Attaching Policies to a Service Point in Session Border Control Solutions Guide Using BGF and IMSG


new-call-usage-output-policies

Syntax
    new-call-usage-output-policies [ policy-and-policy-set-names ];

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name service-point service-point-name service-policies]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Assign new call usage output policies or policy sets to calls that exit through the service point. All packets leaving the service point are matched against these policies.

Options
    [ policy-and-policy-set-names ]: Names of new call usage policies or policy sets.
        Syntax: If you specify more than one policy or policy set, enclose all the names in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Attaching Policies to a Service Point in Session Border Control Solutions Guide Using BGF and IMSG


new-call-usage-policy

Syntax
    new-call-usage-policy policy-name {
        term term-name {
            from {
                contact [ contact-fields ];
                method {
                    method-invite;
                }
                request-uri [ uri-fields ];
                source-address [ ip-addresses ];
            }
            then {
                media-policy {
                    data-inactivity-detection {
                        inactivity-duration seconds;
                    }
                    no-anchoring;
                    service-class service-class-name;
                }
                trace;
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Configure a new call usage policy. A call is a usage that begins with a new INVITE; a dialog can carry many different usages.

Options
    policy-name: Identifier for the new call usage policy.
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Attaching Policies to a Service Point in Integrated Multi-Service Gateway (IMSG)


new-call-usage-policy-set

Syntax
    new-call-usage-policy-set policy-set-name {
        policy-name [ policy-names ];
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Create a set of new call usage policies, which you can then apply to a service point. The order in which you add policies to the set determines the order in which the BSG processes them; the first matching policy determines which actions are taken.

Options
    policy-set-name: Identifier for the new call usage policy set.
    policy-names: Names of one or more new call usage policies that you want to add to the set.
        Syntax: To specify a list of policies, enclose the policy names in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring New Call Usage Policy Sets in Session Border Control Solutions Guide Using BGF and IMSG

new-transaction-input-policies

Syntax
    new-transaction-input-policies [ policy-and-policy-set-names ];

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name service-point service-point-name service-policies]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Assign new transaction policies or policy sets to the service point. All packets entering at the service point are matched against these policies.

Options
    [ policy-and-policy-set-names ]: Names of new transaction policies or policy sets.
        Syntax: To specify more than one policy or policy set, enclose the names in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a Service Point in Session Border Control Solutions Guide Using BGF and IMSG


new-transaction-output-policies

Syntax
    new-transaction-output-policies [ policy-and-policy-set-names ];

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name service-point service-point-name service-policies]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Assign new transaction policies or policy sets to the service point. All packets leaving the service point are matched against these policies.

    NOTE: You cannot assign a new transaction policy as a new transaction output policy if it contains route or message-manipulation statements.

Options
    [ policy-and-policy-set-names ]: Names of new transaction policies or policy sets.
        Syntax: To specify more than one policy or policy set, enclose the names in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a Service Point in Session Border Control Solutions Guide Using BGF and IMSG


new-transaction-policy

Syntax
    new-transaction-policy policy-name {
        term term-name {
            from {
                contact {
                    registration-state [ registered | not-registered ];
                    regular-expression [ regular-expression ];
                    uri-hiding [ hidden-uri | not-hidden-uri ];
                }
                method {
                    method-invite;
                    method-message;
                    method-options;
                    method-publish;
                    method-refer;
                    method-register;
                    method-subscribe;
                }
                request-uri {
                    registration-state [ registered | not-registered ];
                    regular-expression [ regular-expression ];
                    uri-hiding [ hidden-uri | not-hidden-uri ];
                }
                source-address [ ip-addresses ];
            }
            then {
                (accept | reject);
                admission-control admission-control-profile;
                message-manipulation {
                    forward-manipulation {
                        manipulation-rule-name;
                    }
                    reverse-manipulation {
                        manipulation-rule-name;
                    }
                }
                on-3xx-response {
                    recursion-limit number;
                }
                route {
                    egress-service-point service-point-name;
                    next-hop (sip-based | address ipv4-address <port port-number> <transport-protocol (udp | tcp)>);
                    server-cluster cluster-name;
                }
                signaling-realm signaling-realm;
                topology-hiding {
                    maintain-route-headers;
                }
                trace;
            }
        }
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip]

Release Information
    Statement introduced in Junos OS Release 9.4.
    message-manipulation option introduced in Junos OS Release 9.6.

Description
    Specify new transaction policies for out-of-dialog transactions, including dialog-opening transactions. Transaction policies are useful when the policy does not need to differentiate between events; for example, you can use new transaction policies to route all transactions according to the same rules. A new transaction event is raised when a new SIP request, such as an INVITE, either opens a new dialog or is not related to any dialog. If the event does not match any new transaction policy, the BSG rejects the SIP request and returns a 403 (Forbidden) response.

Options
    policy-name: Identifier for the new transaction policy.
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Using New Transaction Policies to Manipulate SIP Headers or to Reject SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG
    Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG
    Assigning Admission Control Profiles to New Transaction Policies in Session Border Control Solutions Guide Using BGF and IMSG
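Two points in the from (New Transaction Policy) and new-transaction-policy entries above are easy to misread: policies in a set are evaluated in configured order with the first matching term deciding, and a request that matches no policy is rejected with 403 rather than forwarded. The following Python model is an added illustration, not Juniper's code: it evaluates constructed INVITE and REGISTER requests against a small ordered policy set and shows the default rejection and the effect of placing a catch-all term first. Assumptions, also labelled in the code: a term with no from conditions matches every request, the listed values within one condition are alternatives, regular expressions are applied with re.search, and source-address accepts prefixes here; the policy names, addresses and URIs are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Illustrative model of new-transaction policy evaluation; example code, not
# Junos. Assumptions: a term with no from conditions matches every request,
# values listed within one condition are alternatives, regular expressions are
# applied with re.search, and source-address may be a prefix here.


@dataclass
class SipRequest:
    method: str
    source_address: str
    request_uri: str
    contact: str
    registered: bool   # the BSG passed a REGISTER for this transaction to a registrar


@dataclass
class FromConditions:
    methods: List[str] = field(default_factory=list)           # method { method-invite; ... }
    source_addresses: List[str] = field(default_factory=list)  # source-address [ ... ]
    request_uri_regex: List[str] = field(default_factory=list) # request-uri regular-expression [ ... ]
    contact_regex: List[str] = field(default_factory=list)     # contact regular-expression [ ... ]
    contact_registration_state: Optional[str] = None           # "registered" | "not-registered"


@dataclass
class Term:
    name: str
    match: FromConditions
    action: str   # then (accept | reject)


@dataclass
class Policy:
    name: str
    terms: List[Term]


def term_matches(term: Term, req: SipRequest) -> bool:
    """Every configured condition must hold; conditions not configured are ignored."""
    c = term.match
    if c.methods and req.method.upper() not in {m.upper() for m in c.methods}:
        return False
    if c.source_addresses:
        src = ipaddress.ip_address(req.source_address)
        if not any(src in ipaddress.ip_network(a, strict=False) for a in c.source_addresses):
            return False
    if c.request_uri_regex and not any(re.search(p, req.request_uri) for p in c.request_uri_regex):
        return False
    if c.contact_regex and not any(re.search(p, req.contact) for p in c.contact_regex):
        return False
    if c.contact_registration_state is not None:
        if req.registered != (c.contact_registration_state == "registered"):
            return False
    return True


def evaluate(policy_set: List[Policy], req: SipRequest) -> Tuple[str, str]:
    """First matching term, in policy-set order, decides. A request that matches
    nothing is rejected with 403, the BSG's documented default."""
    for policy in policy_set:
        for term in policy.terms:
            if term_matches(term, req):
                return term.action, f"{policy.name}/{term.name}"
    return "reject", "403 no matching new-transaction policy"


# Constructed sample policy set (RFC 5737 documentation addresses).
TRUSTED_PEERS = Policy("trusted-peers", [
    Term("allow-peers",
         FromConditions(methods=["INVITE", "OPTIONS"], source_addresses=["192.0.2.0/24"]),
         "accept"),
])
SUBSCRIBERS = Policy("subscribers", [
    Term("registered-only", FromConditions(contact_registration_state="registered"), "accept"),
    Term("let-them-register", FromConditions(methods=["REGISTER"]), "accept"),
])
DENY_ALL = Policy("deny-all", [Term("everything", FromConditions(), "reject")])

POLICY_SET = [TRUSTED_PEERS, SUBSCRIBERS, DENY_ALL]


def decide(method: str, src: str, registered: bool = False,
           uri: str = "sip:bob@example.net", contact: str = "sip:alice@198.51.100.7") -> Tuple[str, str]:
    return evaluate(POLICY_SET, SipRequest(method, src, uri, contact, registered))


if __name__ == "__main__":
    print(decide("INVITE", "192.0.2.10"))            # trusted peer: accept
    print(decide("INVITE", "198.51.100.7"))          # unknown, unregistered: reject
    print(decide("REGISTER", "198.51.100.7"))        # may register: accept
    # Ordering matters: the same catch-all placed first shadows every later policy.
    print(evaluate([DENY_ALL] + POLICY_SET[:2], SipRequest("INVITE", "192.0.2.10", "sip:b@x", "sip:a@y", False)))
```

Removing DENY_ALL from the set does not open the gateway: an INVITE that matches neither of the remaining policies still gets the 403 default. The explicit catch-all is useful mainly for tracing and for making the intended order visible in the configuration.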


new-transaction-policy-set

Syntax
    new-transaction-policy-set policy-set-name {
        policy-name [ policy-names ];
    }

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Create a set of new transaction policies, which you can then apply to a service point. The order in which you add policies to the set determines the order in which the BSG processes them; the first matching policy determines which actions are taken.

Options
    policy-set-name: Identifier for the new transaction policy set.
    [ policy-names ]: Names of one or more new transaction policies that you want to add to the set.
        Syntax: To specify a list of policies, enclose the policy names in brackets.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring New Transaction Policy Sets in Session Border Control Solutions Guide Using BGF and IMSG


next-hop

Syntax
    next-hop (sip-based | address ipv4-address <port port-number> <transport-protocol (udp | tcp)>);

Hierarchy Level
    [edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then route]

Release Information
    Statement introduced in Junos OS Release 9.4.

Description
    Specify the SIP entity toward which SIP requests are sent.

Options
    sip-based: All requests and responses on the dialog are routed according to SIP. If the configuration includes the topology-hiding option, the information in the Route header of the incoming SIP message is used; in all other cases, the request URI is used. The software resolves the uniform resource identifier (URI) in the SIP request into the IP address, port, and transport protocol of the next hop to contact.
    address ipv4-address: Destination IPv4 address of the next hop to contact. This static address applies to all incoming requests on the dialog.
        port port-number: (Optional) Destination port of the next hop to contact.
            Default: 5060
        transport-protocol (udp | tcp): (Optional) Transport protocol for routing to the next hop.
            Default: udp

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring a Service Set in Session Border Control Solutions Guide Using BGF and IMSG


on-3xx-response

Syntax

on-3xx-response {
    recursion-limit number;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then]

Release Information

Statement introduced in Junos OS Release 10.2.

Description

Configure the action taken after receiving a 3XX response. When the on-3xx-response statement is included, the BSG sends a new, redirected request to the responding UAS, using a request URI based on the contact information in the 3XX response. When the on-3xx-response statement is not included, the 3XX response is passed back to the serving UAC.

Options

recursion-limit number: The number of recursions allowed before sending a 408 timeout response.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Providing Redirection for Messages with 3XX Responses Overview

Configuring Redirection for Messages with 3XX Responses


request-uri

Syntax

request-uri {
    field-value {
        modify-regular-expression regular-expression with field-value;
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip message-manipulation-rules manipulation-rule rule-name actions]

Release Information

Statement introduced in Junos OS Release 9.6.

Description

Configure a rule for modifying the request uniform resource identifier (URI) in a SIP message.

Options

modify-regular-expression: Changes the value of a regular expression.
Syntax: modify-regular-expression regular-expression with field-value. Enter the regular expression that you want to modify, followed by the value with which you want to replace the regular expression. In the following example, regular expression 1800 is replaced with 555:

modify-regular-expression 1800 with 555;

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Using New Transaction Policies to Route SIP Requests (next-hop) in Session Border Control Solutions Guide Using BGF and IMSG

Configuring a New Call Usage Policy in Session Border Control Solutions Guide Using BGF and IMSG

Manipulation of Headers and Request URIs in SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG


reverse-manipulation

Syntax

reverse-manipulation {
    manipulation-rule-name;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then message-manipulation]

Release Information

Statement introduced in Junos OS Release 9.6.

Description

Configure the reverse message manipulation rules that you want to add to your new transaction policy. Reverse manipulation rules are applied to any message going from the user agent server (UAS), or the callee, to the user agent client (UAC), or the caller. They are applied to the original transaction request. If the transaction creates a dialog, the rules are also applied to other transaction requests or responses within the dialog.

Options

manipulation-rule-name: Name of the message manipulation rule that you want to add. You can add up to five reverse manipulation rules to a policy. These rules must have been configured at the [edit services border-signaling-gateway gateway gateway-name sip message-manipulation-rules manipulation-rule rule-name actions] hierarchy level.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Using New Transaction Policies to Manipulate SIP Headers or to Reject SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG


route

Syntax

route {
    egress-service-point service-point-name;
    next-hop (request-uri | address ipv4-address <port port-number> <transport-protocol (tcp | udp)>);
    server-cluster cluster-name;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name then]

Release Information

Statement introduced in Junos OS Release 9.4. server-cluster option introduced in Junos OS Release 10.2.

Description

Configure the next-hop destination and egress service point for a new transaction policy. Alternatively, you can specify a server cluster.

Options

The options are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Using New Transaction Policies to Route SIP Requests (next-hop) in Session Border Control Solutions Guide Using BGF and IMSG

Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG


routing-destinations

Syntax

routing-destinations {
    availability-check-profiles {
        profile-name {
            keepalive-interval {
                available-server seconds;
                unavailable-server seconds;
            }
            keepalive-method sip-options;
            keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
            transaction-timeout seconds;
        }
    }
    clusters {
        cluster-name {
            server server-name {
                priority priority-level;
                weight weight-level;
            }
        }
    }
    default-availability-check-profile profile-name;
    servers {
        server-name {
            address ip4-address <port port-number> <transport (udp | tcp)>;
            admission-control profile-name;
            availability-check-profile profile-name;
            service-point service-point-name;
        }
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip]

Release Information

Statement introduced in Junos OS Release 10.2.

Description

Configure servers, server clusters, and availability rules for routing destinations.

Options

default-availability-check-profile profile-name: Availability check profile that is assigned to a server when no profile is explicitly defined.

The remaining options are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

SIP Routing with Server Clusters Overview in Session Border Control Solutions Guide Using BGF and IMSG


sbc-utils

Syntax

sbc-utils {
    common trace-level;
    configuration trace-level;
    device-monitor trace-level;
    ipc trace-level;
    memory-management trace-level;
    message trace-level;
    minimum trace-level;
    user-interface trace-level;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name traceoptions flag]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Configure trace options for the Signaling Border Controller (SBC) utilities component of the BSG.

Default

warning

Options

common trace-level: Trace level for the common component of SBC utilities.

configuration trace-level: Trace level for the configuration component of SBC utilities.

device-monitor trace-level: Trace level for the device monitor component of SBC utilities.

ipc trace-level: Trace level for the IPC component of SBC utilities.

memory-management trace-level: Trace level for the memory management component of SBC utilities.

message trace-level: Trace level for the message component of SBC utilities.

minimum trace-level: Minimum trace level for all sbc-util messages.

user-interface trace-level: Trace level for the user interface component of SBC utilities.

trace-level: Trace-level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:

debug: Logging of all code flow of control.
trace: Logging of program trace START and EXIT macros.
info: Summary logs for normal operations, such as the policy decisions made for a call.
warning: Failure recovery or failure of an external entity.
error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

servers

Syntax

servers {
    server-name {
        address ip4-address <port port-number> <transport (udp | tcp)>;
        admission-control profile-name;
        availability-check-profile profile-name;
        service-point service-point-name;
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip routing-destinations]

Release Information

Statement introduced in Junos OS Release 10.2.

Description

Configure one or more servers for use as routing destinations.

Options

ip4-address: IP address of the server.

port-number: Port number to use on the server.
Range: 0 to 65,535
Default: 5060

transport (udp | tcp): Transport protocol to be used on this server.
Default: udp

admission-control profile-name: (Optional) Name of the admission control profile used by the server.

availability-check-profile profile-name: Name of the availability check profile used by the server. If no availability check profile is specified, the default values are used.

service-point service-point-name: Name of the service point through which traffic is routed to the server.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

SIP Routing with Server Clusters Overview in Session Border Control Solutions Guide Using BGF and IMSG

Configuring Servers for Use in Server Clusters in Session Border Control Solutions Guide Using BGF and IMSG
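As an added example that is not part of this guide, the configuration below combines the routing-destinations, servers and route statements: a new transaction policy sends INVITEs to a two-server cluster whose members are probed with SIP OPTIONS, so a server that stops answering is withdrawn from routing rather than continuing to receive calls. The gateway, profile, cluster, server, service-point and policy names and the 192.0.2.0/24 addresses are constructed, and the use of profile-name and cluster-name as container statements is an assumption about the hierarchy.

```junos
services {
    border-signaling-gateway {
        /* constructed gateway name */
        gateway bsg1 {
            sip {
                routing-destinations {
                    availability-check-profiles {
                        /* constructed profile name */
                        options-probe {
                            keepalive-interval {
                                /* probe a healthy server every 30 seconds */
                                available-server 30;
                                /* retry a failed server every 5 seconds */
                                unavailable-server 5;
                            }
                            keepalive-method sip-options;
                            /* three lost probes mark a server unavailable; two answered
                               probes bring it back, so a single dropped packet does not
                               flap the server in and out of the cluster */
                            keepalive-strategy send-always failures-before-unavailable 3 successes-before-available 2;
                            /* seconds to wait for an OPTIONS reply before counting a failure */
                            transaction-timeout 4;
                        }
                    }
                    clusters {
                        /* constructed cluster name */
                        core-proxies {
                            server proxy-a {
                                priority 1;
                                weight 50;
                            }
                            /* same priority as proxy-a, so load is shared by weight */
                            server proxy-b {
                                priority 1;
                                weight 50;
                            }
                        }
                    }
                    /* servers that name no profile are still probed with this one */
                    default-availability-check-profile options-probe;
                    servers {
                        proxy-a {
                            /* constructed address; port and transport are the defaults */
                            address 192.0.2.10 port 5060 transport udp;
                            availability-check-profile options-probe;
                            /* constructed egress service point */
                            service-point core-sp;
                        }
                        proxy-b {
                            /* constructed address; no profile given, default applies */
                            address 192.0.2.11 port 5060 transport udp;
                            service-point core-sp;
                        }
                    }
                }
                /* constructed policy name */
                new-transaction-policy route-to-core {
                    term invites {
                        from {
                            method {
                                method-invite;
                            }
                        }
                        then {
                            accept;
                            route {
                                /* the cluster picks an available member by priority and weight */
                                server-cluster core-proxies;
                            }
                        }
                    }
                }
            }
        }
    }
}
```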


service-class

Syntax

service-class service-class-name {
    term term-name {
        from {
            media-type (any-media | audio | video);
        }
        then {
            committed-burst-size bytes;
            committed-information-rate bytes-per-second;
            dscp (alias | do-not-change | dscp-value);
            reject;
        }
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name embedded-spdf]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Configure service classes for the embedded SPDF. Service classes contain rules that pertain to the treatment of bandwidth for various media types. Each rule (or term) consists of a from statement and a then statement. The from statement matches traffic based on the media type. The then statement is a set of one or more actions that are applied if a call matches the from statement.

Options

service-class-name: Identifier for the service class.

The remaining statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Providing QoS for VoIP Traffic Overview in Session Border Control Solutions Guide Using BGF and IMSG

Configuring a New Call Usage Policy in Session Border Control Solutions Guide Using BGF and IMSG

Configuring QoS and Rate Limiting in Session Border Control Solutions Guide Using BGF and IMSG


service-interface

See the following sections:

service-interface (Gateway) on page 817
service-interface (Service Point) on page 817

service-interface (Gateway)

Syntax

service-interface interface-name.unit-number;

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Assign the BSG to a Multiservices PIC or DPC. The PIC or DPC must have been configured at the [edit interfaces] hierarchy. You can assign only one BSG to a Multiservices PIC or DPC.

Options

interface-name.unit-number: Name and logical unit number of the Multiservices PIC or DPC.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Session Border Control Solutions Guide Using BGF and IMSG

service-interface (Service Point)

Syntax

service-interface name;

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name service-point service-point-name]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Assign the service point to a service interface. The policies attached to the service point are matched against incoming requests received on this service interface.

Options

name: Name of the service interface. The interface must have been configured at the [edit interfaces] hierarchy.
Default: 0

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Session Border Control Solutions Guide Using BGF and IMSG


service-point

Syntax

service-point service-point-name {
    default-media-realm service-interface interface-name.unit-number;
    service-point-type service-point-type;
    service-policies {
        new-call-usage-input-policies [ policy-and-policy-set-names ];
        new-call-usage-output-policies [ policy-and-policy-set-names ];
        new-registration-input-policies [ policy-and-policy-set-names ];
        new-transaction-input-policies [ policy-and-policy-set-names ];
        new-transaction-output-policies [ policy-and-policy-set-names ];
    }
    transport-details <port port-number> <ip-address ip-address> <tcp> <udp>;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Configure a service point. Service points identify a service interface and transport parameters for incoming requests. You attach policies to the service point, and all requests that arrive at the service point are handled by these policies. Each BSG can have five service points. You can also configure a service point to be used as an egress service point to which SIP requests are routed.

Options

The statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

BSG Policy Overview in Session Border Control Solutions Guide Using BGF and IMSG

Using New Transaction Policies to Route SIP Requests (next-hop) in Session Border Control Solutions Guide Using BGF and IMSG


service-point-type

Syntax

service-point-type service-point-type;

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name service-point service-point-name]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Create the type of VoIP protocol for this service point.

Options

service-point-type: VoIP protocol. Currently the only protocol type supported is SIP.
Values: sip

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring a Service Point in Session Border Control Solutions Guide Using BGF and IMSG

service-policies

Syntax

service-policies {
    new-call-usage-input-policies [ policy-and-policy-set-names ];
    new-call-usage-output-policies [ policy-and-policy-set-names ];
    new-transaction-input-policies [ policy-and-policy-set-names ];
    new-transaction-output-policies [ policy-and-policy-set-names ];
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name service-point service-point-name]

Release Information

Statement introduced in Junos OS Release 9.4. new-call-usage-input-policies statement added in Junos OS Release 10.1. new-call-usage-output-policies statement added in Junos OS Release 10.1. new-transaction-input-policies statement added in Junos OS Release 10.1. new-transaction-output-policies statement added in Junos OS Release 10.1.

Description

Specify the policies and policy sets that are applied to the service point.

Options

The options are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring a Service Point in Session Border Control Solutions Guide Using BGF and IMSG


services

Syntax

services border-signaling-gateway { ... }

Hierarchy Level

[edit]

Description

Define service rules to be applied to traffic.

Options

border-signaling-gateway: Identifier for the BSG set of statements.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Session Border Control Solutions Guide Using BGF and IMSG


session-trace

Syntax

session-trace handle trace-level;

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name traceoptions flag]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Configure tracing for transactions matching policies that have their trace flag turned on. The tracing level is effective for dialog-creating messages (such as INVITE) and out-of-dialog messages. When these message types are accepted in the policy and the policy is set to trace messages, the policy marks the dialog (and the sibling dialog) for session tracing.

Default

warning

Options

minimum trace-level: The minimum trace level for all session-trace messages.

trace-level: Trace level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:

debug: Logging of all code flow of control.
trace: Logging of program trace START and EXIT macros.
info: Summary logs for normal operations, for example the policy decisions made for a call.
warning: Failure recovery or failure of an external entity.
error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG


signaling

Syntax

signaling {
    b2b trace-level;
    b2b-wrapper trace-level;
    minimum trace-level;
    policy trace-level;
    sip-stack-wrapper trace-level;
    topology-hiding trace-level;
    ua trace-level;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name traceoptions flag]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Configure trace options for the signaling component of the BSG.

Default

warning

Options

b2b trace-level: Trace options for the signaling component that implements the b2b logic (translating between dialogs, associating dialogs, creating new downstream dialogs, and so on).

b2b-wrapper trace-level: Trace options for entry and exit to the BSG signaling application.

minimum trace-level: Minimum trace level for all signaling messages.

policy trace-level: Trace options for the signaling component that applies policies for call admission, routing decisions, security settings, and so on.

sip-stack-wrapper trace-level: Trace options for the glue layer that receives events from the SIP stack and forwards them to the application and, conversely, receives events from the application and forwards them to the SIP stack.

topology-hiding trace-level: Trace options for the signaling component that hides the topology of a network by CONTACT replacement and removal or modification of certain headers.

ua trace-level: Trace options for the signaling subcomponent that handles RECEIVE messages.

trace-level: Trace level options are related to the severity of the event being traced. When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level:

debug: Logging of all code flow of control.
trace: Logging of program trace START and EXIT macros.
info: Summary logs for normal operations, for example the policy decisions made for a call.
warning: Failure recovery or failure of an external entity.
error: Failure with a short-term effect, such as failed processing of a single call.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

signaling-realms

Syntax

signaling-realms {
    realm realm-name;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip]

Release Information

Statement introduced in Junos OS Release 10.2.

Description

Define signaling realms to be assigned to registered new transactions based on new transaction policy selection criteria.

Options

realm realm-name: Name of a signaling realm.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring a New Transaction Policy in Session Border Control Solutions Guide Using BGF and IMSG


sip

Syntax

sip {
    message-manipulation-rules {
        manipulation-rule rule-name {
            actions {
                sip-header header-field-name {
                    field-value {
                        modify-regular-expression regular-expression with field-value;
                        add field-value;
                        add-missing field-value;
                        add-overwrite field-value;
                        remove-regular-expression regular-expression;
                        remove-all;
                        reject-regular-expression regular-expression;
                    }
                }
                request-uri {
                    field-value {
                        modify-regular-expression regular-expression with field-value;
                    }
                }
            }
        }
    }
    new-call-usage-policy policy-name {
        term term-name {
            from {
                contact [ contact-fields ];
                method {
                    method-invite;
                }
                request-uri [ uri-fields ];
                source-address [ ip-addresses ];
            }
            then {
                media-policy {
                    data-inactivity-detection {
                        inactivity-duration seconds;
                    }
                    no-anchoring;
                    service-class service-class-name;
                }
                trace;
            }
        }
    }
    new-call-usage-policy-set policy-set-name {
        policy-name [ policy-names ];
    }
    new-transaction-policy policy-name {
        term term-name {
            from {
                contact {
                    registration-state [ registered | not-registered ];
                    regular-expression [ regular-expression ];
                    uri-hiding [ hidden-uri | not-hidden-uri ];
                }
                method {
                    method-invite;
                    method-message;
                    method-options;
                    method-publish;
                    method-refer;
                    method-register;
                    method-subscribe;
                }
                request-uri {
                    registration-state [ registered | not-registered ];
                    regular-expression [ regular-expression ];
                    uri-hiding [ hidden-uri | not-hidden-uri ];
                }
                source-address [ ip-addresses ];
            }
            then {
                (accept | reject);
                admission-control admission-control-profile;
                message-manipulation {
                    forward-manipulation {
                        manipulation-rule-name;
                    }
                    reverse-manipulation {
                        manipulation-rule-name;
                    }
                }
                on-3xx-response {
                    recursion-limit number;
                }
                route {
                    egress-service-point service-point-name;
                    next-hop (sip-based | address ipv4-address <port port-number> <transport-protocol (udp | tcp)>);
                    server-cluster cluster-name;
                }
                signaling-realm signaling-realm;
                topology-hiding {
                    maintain-route-headers;
                }
                trace;
            }
        }
    }
    new-transaction-policy-set policy-set-name {
        policy-name [ policy-names ];
    }
    routing-destinations {
        availability-check-profiles {
            profile-name {
                keepalive-interval {
                    available-server seconds;
                    unavailable-server seconds;
                }
                keepalive-method sip-options;
                keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
                transaction-timeout seconds;
            }
        }
        clusters {
            cluster-name {
                server server-name {
                    priority priority-level;
                    weight weight-level;
                }
            }
        }
        default-availability-check-profile profile-name;
        servers {
            server-name {
                address ip4-address <port port-number> <transport (udp | tcp)>;
                admission-control profile-name;
                availability-check-profile profile-name;
                service-point service-point-name;
            }
        }
    }
    timers {
        inactive-call seconds;
        timer-c seconds;
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name]

Release Information

Statement introduced in Junos OS Release 9.4. data-inactivity-detection option introduced in Junos OS Release 9.6. message-manipulation-rules option introduced in Junos OS Release 9.6.

Description

Configure SIP policies and timers.

Options

The statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

SIP Routing Overview in Session Border Control Solutions Guide Using BGF and IMSG


sip-header

Syntax

sip-header header-field-name {
    field-value {
        add field-value;
        add-missing field-value;
        add-overwrite field-value;
        modify-regular-expression regular-expression with field-value;
        reject-regular-expression regular-expression;
        remove-all;
        remove-regular-expression regular-expression;
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip message-manipulation-rules manipulation-rule rule-name actions]

Release Information

Statement introduced in Junos OS Release 9.6.

Description

Configure the values of the header fields that you want to manipulate in SIP messages. You can have up to five of each of the field value definitions in each SIP header configuration, for example up to five modify-regular-expression field values or up to five add-missing field values.

Options

header-field-name: Name of the header field in SIP headers for which you want to define field values.

add field-value: Adds an instance of the header field with the field value that you define. If the header field already exists, the software creates a new instance of the header field and inserts it before any existing instance of the header field. Having more than one field value is not allowed for some header fields.

add-missing field-value: Adds a new header field with the field value that you define if the header field is missing from the SIP header.

add-overwrite field-value: Adds a new header field with the field value that you define if the header field is missing from the SIP header. If the header field already exists, its field value is overwritten with the new field value. The software overwrites the field value in all instances of the header field.

modify-regular-expression: Changes the value of a regular expression.
Syntax: modify-regular-expression regular-expression with field-value. Enter the regular expression that you want to modify, followed by the value with which you want to replace the regular expression. In the following example, regular expression 1800 is replaced with 555:

modify-regular-expression 1800 with 555;

remove-all: Removes all instances of the header field.

remove-regular-expression regular-expression: Removes all of the header fields that have field values that match this regular expression.

reject-regular-expression regular-expression: Rejects SIP messages and terminates the usage that the message is part of if the header field contains the regular expression.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Manipulation of Headers and Request URIs in SIP Messages in Session Border Control Solutions Guide Using BGF and IMSG

Configuring Message Manipulation Rules in Session Border Control Solutions Guide Using BGF and IMSG
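As an added example that is not part of this guide, the two manipulation rules below use the sip-header and request-uri actions from this section, and a new transaction policy applies one in each direction: forward-manipulation scrubs what an external peer sends in, and reverse-manipulation strips the headers that would reveal the core's software on the way back out. The gateway, rule, policy and service-point names, the 198.51.100.0/24 peer range and the 192.0.2.10 next hop are constructed.

```junos
services {
    border-signaling-gateway {
        /* constructed gateway name */
        gateway bsg1 {
            sip {
                message-manipulation-rules {
                    /* forward rule: applied to requests arriving from the external peer */
                    manipulation-rule scrub-inbound {
                        actions {
                            sip-header P-Asserted-Identity {
                                field-value {
                                    /* an identity asserted by an untrusted peer is dropped,
                                       so downstream elements cannot be fooled by it */
                                    remove-all;
                                }
                            }
                            sip-header Max-Forwards {
                                field-value {
                                    /* add loop protection only when the peer omitted it;
                                       an existing value is left untouched */
                                    add-missing 70;
                                }
                            }
                            request-uri {
                                field-value {
                                    /* the guide's own example: 1800 is replaced with 555 */
                                    modify-regular-expression 1800 with 555;
                                }
                            }
                        }
                    }
                    /* reverse rule: applied to messages going from the callee side
                       (UAS) back towards the caller (UAC) */
                    manipulation-rule hide-core {
                        actions {
                            sip-header Server {
                                field-value {
                                    /* do not advertise the software of the core proxies */
                                    remove-all;
                                }
                            }
                            sip-header User-Agent {
                                field-value {
                                    remove-all;
                                }
                            }
                        }
                    }
                }
                /* constructed policy name */
                new-transaction-policy from-peer {
                    term peer-invites {
                        from {
                            method {
                                method-invite;
                            }
                            /* constructed peer range */
                            source-address [ 198.51.100.0/24 ];
                        }
                        then {
                            accept;
                            message-manipulation {
                                forward-manipulation {
                                    scrub-inbound;
                                }
                                reverse-manipulation {
                                    hide-core;
                                }
                            }
                            route {
                                /* constructed static next hop and egress service point */
                                next-hop address 192.0.2.10 port 5060 transport-protocol udp;
                                egress-service-point core-sp;
                            }
                        }
                    }
                }
            }
        }
    }
}
```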


sip-stack

Syntax

sip-stack {
    dev-logging;
    event-tracing;
    ips-tracing;
    pd-log-detail (full | summary);
    pd-log-level (audit | exception | problem);
    per-tracing;
    verbose-logging;
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name traceoptions flag]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Set trace options for the SIP stack component of the BSG.

Options

dev-logging: Configure development tracing for the stack.

event-tracing: Activate or deactivate the stack's event tracing.

ips-tracing: Activate or deactivate the stack's IPS tracing.

pd-log-detail: Specify the amount of detail to be sent to the log file.
full: All available information is sent to the log file.
summary: The type of logging, the identifier, and the first line of the log message are sent to the log file.

pd-log-level: Specifies which types of PD logs are printed to the log file. This can be set to:
problem: Problem log messages are sent to the log file.
exception: Exception and problem log messages are sent to the log file.
audit: All log messages are sent to the log file.
This option determines the levels of log messages to be sent to the log file. Selecting a level causes messages at that level and any higher levels to be sent to the log file. For example, setting this option to exception causes both exception and problem logs to be sent to the log file. Setting it to audit causes all logs to be sent to the log file. The default value is audit.

per-tracing: Activate or deactivate the stack's performance tracing.

verbose-logging: Configure verbose tracing for the stack.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG


term

See the following sections:

term (New Call Usage Policy) on page 831
term (New Transaction Policy) on page 832
term (Service Class) on page 833

term (New Call Usage Policy)

Syntax

term term-name {
    from {
        contact [ contact-fields ];
        method {
            method-invite;
        }
        request-uri [ uri-fields ];
        source-address [ ip-addresses ];
    }
    then {
        media-policy {
            data-inactivity-detection {
                inactivity-duration seconds;
            }
            media-release;
            no-anchoring;
            service-class service-class-name;
        }
        trace;
    }
}

Hierarchy Level

[edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name]

Release Information

Statement introduced in Junos OS Release 9.4.

Description

Define the new call usage policy term properties.

Options

term-name: Identifier for the term.

The remaining statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Session Border Control Solutions Guide Using BGF and IMSG


term (New Transaction Policy)


Syntax
term term-name {
    from {
        contact {
            registration-state [ registered | not-registered ];
            regular-expression [ regular-expression ];
            uri-hiding [ hidden-uri | not-hidden-uri ];
        }
        method {
            method-invite;
            method-message;
            method-options;
            method-publish;
            method-refer;
            method-register;
            method-subscribe;
        }
        request-uri {
            registration-state [ registered | not-registered ];
            regular-expression [ regular-expression ];
            uri-hiding [ hidden-uri | not-hidden-uri ];
        }
        source-address [ ip-addresses ];
    }
    then {
        (accept | reject);
        admission-control admission-control-profile;
        message-manipulation {
            forward-manipulation {
                manipulation-rule-name;
            }
            reverse-manipulation {
                manipulation-rule-name;
            }
        }
        on-3xx-response {
            recursion-limit number;
        }
        route {
            next-hop (request-uri | address ipv4-address | <port port-number> | <transport-protocol (udp | tcp)>);
            egress-service-point service-point-name;
            server-cluster cluster-name;
        }
        signaling-realm signaling-realm;
        trace;
    }
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name]

Release Information
Statement introduced in Junos OS Release 9.4.
message-manipulation introduced in Junos OS Release 9.6.

Description
Define the new transaction policy term properties.

Options
term-name: Identifier for the term.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Using New Transaction Policies to Route SIP Requests (next-hop) in Session Border Control Solutions Guide Using BGF and IMSG
Configuring Routing of VPN Calls in Session Border Control Solutions Guide Using BGF and IMSG

term (Service Class)


Syntax
term term-name {
    from {
        media-type (any-media | audio | video);
    }
    then {
        committed-information-rate bytes-per-second;
        committed-burst-size bytes;
        dscp (alias | 6-bit-pattern | decimal-value | hexadecimal-value);
        reject;
    }
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Specify the service class term properties.

Options
term-name: Identifier for the term.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


then
See the following sections:
    then (New Call Usage Policy) on page 834
    then (New Transaction Policy) on page 835
    then (Service Class) on page 836

then (New Call Usage Policy)


Syntax
then {
    media-policy {
        data-inactivity-detection {
            inactivity-duration seconds;
        }
        media-release;
        no-anchoring;
        service-class service-class-name;
    }
    trace;
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name sip new-call-usage-policy policy-name term term-name]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Define the actions performed on incoming requests that match the new call usage policy.

Options
trace: Trace messages are accepted by this policy.
The remaining options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Session Border Control Solutions Guide Using BGF and IMSG


then (New Transaction Policy)


Syntax
then {
    (accept | reject);
    admission-control admission-control-profile;
    message-manipulation {
        forward-manipulation {
            manipulation-rule-name;
        }
        reverse-manipulation {
            manipulation-rule-name;
        }
    }
    on-3xx-response {
        recursion-limit number;
    }
    route {
        egress-service-point service-point-name;
        next-hop (request-uri | address ipv4-address | <port port-number> | <transport-protocol (udp | tcp)>);
        server-cluster cluster-name;
    }
    signaling-realm signaling-realm;
    trace;
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name sip new-transaction-policy policy-name term term-name]

Release Information
Statement introduced in Junos OS Release 9.4.
message-manipulation option introduced in Junos OS Release 9.6.
on-3xx-response option introduced in Junos OS Release 10.2.
signaling-realm option introduced in Junos OS Release 10.2.

Description
Define the actions performed on incoming requests that match this policy.

Options
accept: Accept the traffic and send it to its destination.
admission-control admission-control-profile: Accept or reject the traffic based on the admission control configured for admission-control-profile.
reject: Do not accept the traffic and return a rejection message. You can log or sample rejected traffic.
signaling-realm realm-name: Name of the signaling realm to be assigned to traffic that matches the from selection criteria.
trace: Trace messages are accepted by this policy.
The remaining options are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a New Transaction Policy in Session Border Control Solutions Guide Using BGF and IMSG

then (Service Class)


Syntax
then {
    committed-burst-size bytes;
    committed-information-rate bytes-per-second;
    dscp (dscp-value | alias | do-not-change);
    reject;
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name embedded-spdf service-class service-class-name term term-name]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Define the actions performed on traffic that matches the service class.

Options
reject: Do not accept the traffic and return a rejection message. Rejected traffic can be logged or sampled.
The remaining options are described separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring QoS and Rate Limiting in Session Border Control Solutions Guide Using BGF and IMSG


timer-c
Syntax
timer-c seconds;

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name sip timers]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Configure Timer C, an INVITE transaction timeout. The timer tracks the time spent waiting for a final response to an INVITE request, ensuring that resources are released if the timer expires. When Timer C expires, a CANCEL is sent to the caller and a 408 error message (Request timeout) is sent to the call recipient.

Options
seconds: Duration of the timeout period.
    Range: 180 to 300 seconds
    Default: 180 seconds

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
SIP Timers Overview in Session Border Control Solutions Guide Using BGF and IMSG
Configuring SIP Timers in Session Border Control Solutions Guide Using BGF and IMSG

timers
Syntax
timers {
    inactive-call seconds;
    timer-c seconds;
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name sip]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Configure timers used to issue SIP timeouts.

Options
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
SIP Timers Overview in Session Border Control Solutions Guide Using BGF and IMSG
Configuring SIP Timers in Session Border Control Solutions Guide Using BGF and IMSG


traceoptions
Syntax
traceoptions {
    file <filename> <files files> <match regex> <size size> <world-readable | no-world-readable>;
    flag {
        datastore {
            data trace-level;
            db trace-level;
            handle trace-level;
            minimum trace-level;
        }
        framework {
            action trace-level;
            event trace-level;
            executor trace-level;
            freezer trace-level;
            minimum trace-level;
            memory-pool trace-level;
        }
        minimum trace-level;
        sbc-utils {
            common trace-level;
            configuration trace-level;
            device-monitor trace-level;
            ipc trace-level;
            memory-management trace-level;
            message trace-level;
            minimum trace-level;
            user-interface trace-level;
        }
        session-trace trace-level;
        signaling {
            b2b trace-level;
            b2b-wrapper trace-level;
            minimum trace-level;
            policy trace-level;
            sip-stack-wrapper trace-level;
            topology-hiding trace-level;
            ua trace-level;
        }
        sip-stack {
            dev-logging;
            event-tracing;
            ips-tracing;
            pd-log-detail (full | summary);
            pd-log-level (audit | exception | problem);
            per-tracing;
            verbose-logging;
        }
    }
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Configure border signaling gateway tracing operations. The messages are output to /var/log/.

Options
Options are described separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Tracing BSG Operations in Session Border Control Solutions Guide Using BGF and IMSG

transactions
Syntax
transactions {
    maximum-concurrent number;
    committed-attempts-rate transactions-per-second;
    committed-burst-size number-of-transactions;
}

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name admission-control]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure admission control settings for out-of-dialog transactions.

Options
maximum-concurrent number: Maximum number of concurrent transactions. 0 causes all calls to be rejected.
    Values: 0 through 100,000
    Default: 100000
committed-attempts-rate transactions-per-second: Maximum number of attempts per second to initiate an out-of-dialog transaction.
    Values: 0 through 100
    Default: 100
committed-burst-size number-of-transactions: Maximum number of transactions allowed to burst above the committed rate and still be accepted.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Admission Control Profiles in Session Border Control Solutions Guide Using BGF and IMSG
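As an added example (not configuration from the Juniper guide), the statements summarized above combined into one gateway: traceoptions with the sip-stack flags, an admission-control transactions block, the sip timers, and a two-term new-transaction-policy that references the admission-control profile. The names bsg1, bsg1-trace, limit-ood, sip-policy-1, the term names and the addresses are constructed placeholders; placing the profile name directly after admission-control is an assumption drawn from the then clause's admission-control reference, since the transactions entry's hierarchy line omits it.

```junos
/* Added example, not from the Juniper guide. Gateway, file, profile,
   policy and term names and all addresses are constructed placeholders. */
services {
    border-signaling-gateway {
        gateway bsg1 {
            traceoptions {
                /* trace files capture SIP signaling, so keep them
                   readable only by their owner and bounded in size */
                file bsg1-trace size 10m files 5 no-world-readable;
                flag {
                    sip-stack {
                        pd-log-detail summary;
                        /* exception also sends problem logs; audit (the
                           default) would send everything */
                        pd-log-level exception;
                    }
                }
            }
            /* assumption: the profile name follows admission-control, as
               the then clause's admission-control reference implies */
            admission-control limit-ood {
                transactions {
                    /* hard ceiling on out-of-dialog transactions in flight */
                    maximum-concurrent 2000;
                    /* 50 new attempts per second; a burst of 20 above that
                       rate is still accepted, anything beyond is rejected */
                    committed-attempts-rate 50;
                    committed-burst-size 20;
                }
            }
            sip {
                timers {
                    /* Timer C at 180 seconds, the low end of the documented
                       180 to 300 second range; inactive-call is a placeholder */
                    timer-c 180;
                    inactive-call 600;
                }
                new-transaction-policy sip-policy-1 {
                    /* INVITEs from contacts that never registered are
                       answered with a rejection message */
                    term drop-unregistered-invite {
                        from {
                            method {
                                method-invite;
                            }
                            contact {
                                registration-state not-registered;
                            }
                        }
                        then {
                            reject;
                        }
                    }
                    /* INVITEs from the listed peers are admitted subject to
                       the limit-ood profile, routed by Request-URI and traced */
                    term admit-peer-invite {
                        from {
                            method {
                                method-invite;
                            }
                            source-address [ 192.0.2.10 192.0.2.11 ];
                        }
                        then {
                            accept;
                            admission-control limit-ood;
                            route {
                                next-hop request-uri;
                            }
                            trace;
                        }
                    }
                }
            }
        }
    }
}
```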


transport-details
Syntax
transport-details port port-number ip-address ip-address <tcp | udp>;

Hierarchy Level
[edit services border-signaling-gateway gateway gateway-name service-point service-point-name]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure the transport parameters for a service point. The transport parameters consist of a combination of port number, IP address, and transport protocol. Policies are applied only to incoming requests that match the transport parameters. You can configure only one set of transport parameters for each service point.

Options
port-number: Port number on which you want to match incoming traffic.
    Range: 0 through 65,535
    Default: 5060
ip-address: IP address on which you want to match incoming messages. If you do not define an IP address, the software uses the IP address of the service interface assigned to this service point.
tcp | udp: Transport protocol on which you want to match incoming messages.
    Values: udp or tcp
    Default: udp

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring a Service Point in Session Border Control Solutions Guide Using BGF and IMSG


CHAPTER 36

PTSP Configuration Guidelines


To configure the static policies for the packet-triggered subscribers and policy control (PTSP) feature, include the ptsp statement at the [edit services] hierarchy level:

[edit services]
ptsp {
    rule rule-name {
        count-type (application | rule);
        demux (destination-address | source-address);
        forward-rule forward-rule-name;
        match-direction (input | input-output | output);
        term precedence {
            from {
                application-group-any;
                application-groups [ application-group-name ];
                applications [ application-name ];
                local-port-range low low-value high high-value;
                local-ports [ value-list ];
                protocol protocol-number;
                remote-address address <except>;
                remote-address-range low low-value high high-value <except>;
                remote-port-range low low-value high high-value;
                remote-ports [ value-list ];
                remote-prefix-list prefix-list-name <except>;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | rule | none);
                forwarding-class forwarding-class;
                police policer-name;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    forward-rule rule-name {
        term precedence {
            from {
                application-groups [ application-group-name ];
                applications [ application-name ];
                local-address address <except>;
                local-address-range low low-value high high-value <except>;
                local-prefix-list prefix-list-name <except>;
            }
            then {
                forwarding-instance forwarding-instance unit-number unit-number;
            }
        }
    }
}

For information about using the PTSP statements to configure the PTSP feature, see the Junos OS Subscriber Access Configuration Guide.
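As an added example (not configuration from the Juniper guide), a static PTSP rule that follows the hierarchy above: the subscriber is identified by the source address of the ingress packet (demux), every term counts with rule because count-type is rule, and a forward rule steers subscribers in a prefix list into a forwarding instance. The rule, term, policer, prefix-list, application-group and forwarding-instance names and the addresses are constructed placeholders; the single-statement forwarding-instance form is taken from the hierarchy above, which the forward-rule entry later shows as two statements.

```junos
/* Added example, not from the Juniper guide. All names and addresses
   below are constructed placeholders. */
services {
    ptsp {
        rule subscriber-policy {
            /* the source address of the ingress packet identifies the
               subscriber; an unknown address creates a new subscriber context */
            demux source-address;
            match-direction input-output;
            /* statistics aggregated per rule and reported by Diameter;
               every count action in this rule must then say "rule" */
            count-type rule;
            forward-rule to-customer-vrf;
            /* term identifiers are precedence values */
            term 10 {
                from {
                    /* application group from the application identification
                       configuration (placeholder name); "except" removes the
                       listed remote prefix from the match */
                    application-groups [ peer-to-peer ];
                    remote-address 198.51.100.0/24 except;
                }
                then {
                    discard;
                    count rule;
                }
            }
            term 20 {
                from {
                    /* UDP (protocol 17) to a remote range and port range;
                       "remote" is the non-subscriber end of the flow */
                    protocol 17;
                    remote-address-range low 203.0.113.0 high 203.0.113.255;
                    remote-port-range low 1024 high 65535;
                }
                then {
                    accept;
                    count rule;
                    forwarding-class best-effort;
                    police subscriber-udp-policer;
                }
            }
            term 30 {
                from {
                    /* catch-all for every other unicast destination */
                    remote-address any-unicast;
                }
                then {
                    accept;
                    count rule;
                }
            }
        }
        forward-rule to-customer-vrf {
            term 10 {
                from {
                    /* prefix list defined under [edit policy-options];
                       local-* values follow the demux choice above */
                    local-prefix-list managed-subscribers;
                }
                then {
                    forwarding-instance customer-vrf unit-number 0;
                }
            }
        }
        rule-set subscriber-rules {
            rule subscriber-policy;
        }
    }
}
```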


CHAPTER 37

Summary of PTSP Configuration Statements


application-group-any
Syntax
application-group-any;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify that any application group defined in the database is considered a match.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

application-groups
Syntax
application-groups [ application-group-name ];

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence from]
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Identify one or more application groups defined in the application identification configuration for inclusion as a match condition.

Options
application-group-name: Identifier of the application group.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


applications
Syntax
applications [ application-name ];

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence from]
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Identify one or more applications defined in the application identification configuration for inclusion as a match condition.

Options
application-name: Identifier of the application.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

count-type
Syntax
count-type (application | rule);

Hierarchy Level
[edit services ptsp rule rule-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the statistics aggregation, collection, and reporting style for this rule. Terms and rules cannot mix and match different styles. All service rules attached to a given service set must have the same style.

Options
application: Report statistics in a flat file and aggregate them by application for one of the following:
    An application, where the count action application is specified in the term.
    An application group, where the count action application-group is specified in the term.
    All application groups, where the count action application-group-any is specified in the term.
rule: Aggregate statistics for the service rule. The statistics are reported by Diameter. All count actions in all terms for the rule must specify rule.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


demux
Syntax
demux (destination-address | source-address);

Hierarchy Level
[edit services ptsp rule rule-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the IP address used to establish the subscriber context. Subscriber instantiation is always triggered for ingress packets, so this value indicates which IP address in the ingress packets for the flow is used. If the IP address does not correspond to a known subscriber, then a new subscriber context is created. All service rules attached to a given service set must have the same setting.

Options
destination-address: Use the destination IP address field of the ingress packet header for the flow.
source-address: Use the source IP address field of the ingress packet header for the flow.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


forward-rule (Configuring)
Syntax
forward-rule forward-rule-name {
    term precedence {
        from {
            application-groups [ application-group-name ];
            applications [ application-name ];
            local-address address <except>;
            local-address-range low low-value high high-value <except>;
            local-prefix-list prefix-list-name <except>;
        }
        then {
            forwarding-instance forwarding-instance;
            unit-number unit-number;
        }
    }
}

Hierarchy Level
[edit services ptsp]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the forwarding instance for a specific subscriber or set of subscribers based on the IP address, network, or prefix list. The rule match is applied on the input side.

Options
forward-rule-name: Identifier for the collection of terms that constitute this rule.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


forward-rule (Including in Rule)


Syntax
forward-rule forward-rule-name;

Hierarchy Level
[edit services ptsp rule rule-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Identify the forwarding instance for inclusion in a rule.

Options
forward-rule-name: Identifier for the forward rule that specifies the forwarding instance.
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

from (Forward Rule)


Syntax
from {
    application-groups [ application-group-name ];
    applications [ application-name ];
    local-address address <except>;
    local-address-range low low-value high high-value <except>;
    local-prefix-list prefix-list-name <except>;
}

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify match conditions for the PTSP term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


from (Rule)
Syntax
from {
    application-group-any;
    application-groups [ application-group-name ];
    applications [ application-name ];
    local-port-range low low-value high high-value;
    local-ports [ value-list ];
    protocol protocol-number;
    remote-address address <except>;
    remote-address-range low low-value high high-value <except>;
    remote-port-range low low-value high high-value;
    remote-ports [ value-list ];
    remote-prefix-list prefix-list-name <except>;
}

Hierarchy Level
[edit services ptsp rule rule-name term precedence]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify match conditions for the PTSP term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


local-address
Syntax
local-address (address | any-unicast) <except>;

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the address for rule matching. Local address values are matched against the source or destination IP address of the flow, depending on the configured value of the demux statement. If you do not specify an address, then any local address matches this term. If you do not specify a prefix value, then a host mask is the default.

Options
address: IPv4 address or prefix value.
any-unicast: Match all unicast addresses.
except: (Optional) Exclude the specified address, prefix, or unicast packets from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide
demux on page 845


local-address-range
Syntax
local-address-range low low-value high high-value <except>;

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the address range for rule matching. Local address values are matched against the source or destination IP address of the flow, depending on the configured value of the demux statement. If you do not specify an address, then any local address matches this term.

Options
low-value: Lower boundary for the IPv4 address range.
high-value: Upper boundary for the IPv4 address range.
except: (Optional) Exclude the specified address range from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide
demux on page 845

local-port-range
Syntax
local-port-range low low-value high high-value;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the port range for rule matching.

Options
low-value: Lower boundary for the port range.
high-value: Upper boundary for the port range.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


local-ports
Syntax
local-ports [ port-numbers ];

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Identify one or more ports for inclusion as a match condition.

Options
port-numbers: Port number.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

local-prefix-list
Syntax
local-prefix-list prefix-list-name <except>;

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
prefix-list-name: Prefix list.
except: (Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


match-direction
Syntax
match-direction (input | input-output | output);

Hierarchy Level
[edit services ptsp rule rule-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the direction in which the rule match is applied.

Options
input: Apply the rule match on the input side of the interface.
input-output: Apply the rule match bidirectionally.
output: Apply the rule match on the output side of the interface.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

protocol
Syntax
protocol protocol-number;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Identify the protocol for inclusion as a match condition.

Options
protocol-number: Protocol number.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


remote-address
Syntax
remote-address (address | any-unicast) <except>;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the address for rule matching. Remote address values are matched against the destination or source IP address of the flow, depending on the configured value of the demux statement. If you do not specify an address, then any remote address matches this term. If you do not specify a prefix value, then a host mask is the default.

Options
address: IPv4 address or prefix value.
any-unicast: Match all unicast addresses.
except: (Optional) Exclude the specified address, prefix, or unicast packets from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide
demux on page 845


remote-address-range
Syntax
remote-address-range low low-value high high-value <except>;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the address range for rule matching. Remote address values are matched against the destination or source IP address of the flow, depending on the configured value of the demux statement. If you do not specify an address, then any remote address matches this term.

Options
low-value: Lower boundary for the IPv4 address range.
high-value: Upper boundary for the IPv4 address range.
except: (Optional) Exclude the specified address range from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide
demux on page 845

remote-port-range
Syntax
remote-port-range low low-value high high-value;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the port range for rule matching.

Options
low-value: Lower boundary for the port range.
high-value: Upper boundary for the port range.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


remote-ports
Syntax
remote-ports [ port-numbers ];

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Identify one or more ports for inclusion as a match condition.

Options
port-numbers: Port number.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

remote-prefix-list

Syntax
remote-prefix-list prefix-list-name <except>;

Hierarchy Level
[edit services ptsp rule rule-name term precedence from]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
prefix-list-name: Prefix list.
except: (Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


rule (Configuring)

Syntax
rule rule-name {
    count-type (application | rule);
    demux (destination-address | source-address);
    forward-rule forward-rule-name;
    match-direction (input | input-output | output);
    term precedence {
        from {
            application-group-any;
            application-groups [ application-group-name ];
            applications [ application-name ];
            local-port-range low low-value high high-value;
            local-ports [ value-list ];
            protocol protocol-number;
            remote-address address <except>;
            remote-address-range low low-value high high-value <except>;
            remote-ports [ value-list ];
            remote-port-range low low-value high high-value;
            remote-prefix-list prefix-list-name <except>;
        }
        then {
            (accept | discard);
            count (application | application-group | application-group-any | rule | none);
            forwarding-class forwarding-class;
            police policer-name;
        }
    }
}

Hierarchy Level
[edit services ptsp]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the rule the router uses when applying this service.

Options
rule-name: Identifier for the collection of terms that constitute this rule.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


rule (Including in Rule Set)

Syntax
rule rule-name;

Hierarchy Level
[edit services ptsp rule-set rule-set-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the rule the router uses when applying this service.

Options
rule-name: Identifier for the collection of terms that constitute this rule.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide

rule-set

Syntax
rule-set rule-set-name {
    [ rule rule-names ];
}

Hierarchy Level
[edit services ptsp]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify the rule set the router uses when applying this service.

Options
rule-set-name: Identifier for the collection of rules that constitute this rule set.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


services

Syntax
services ptsp { ... }

Hierarchy Level
[edit]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Define the services to be applied to traffic.

Options
ptsp: Identify the values configured for PTSP matching rules.

The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


term (Forward Rule)

Syntax
term precedence {
    from {
        application-groups [ application-group-name ];
        applications [ application-name ];
        local-address address <except>;
        local-address-range low low-value high high-value <except>;
        local-prefix-list prefix-list-name <except>;
    }
    then {
        forwarding-instance forwarding-instance;
        unit-number unit-number;
    }
}

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Define the term properties for the forward rule.

Options
precedence: Precedence value for this term in relation to other terms. The term with the lowest precedence is evaluated first.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


term (Rule)

Syntax
term precedence {
    from {
        application-group-any;
        application-groups [ application-group-name ];
        applications [ application-name ];
        local-port-range low low-value high high-value;
        local-ports [ value-list ];
        protocol protocol-number;
        remote-address address <except>;
        remote-address-range low low-value high high-value <except>;
        remote-port-range low low-value high high-value;
        remote-ports [ value-list ];
        remote-prefix-list prefix-list-name <except>;
    }
    then {
        (accept | discard);
        count (application | application-group | application-group-any | rule);
        forwarding-class forwarding-class;
        police policer-name;
    }
}

Hierarchy Level
[edit services ptsp rule rule-name]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Define the term properties for the PTSP rule.

Options
precedence: Precedence value for this term in relation to other terms. The term with the lowest precedence is evaluated first.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


then (Forward Rule)

Syntax
then {
    forwarding-instance forwarding-instance;
    unit-number unit-number;
}

Hierarchy Level
[edit services ptsp forward-rule forward-rule-name term precedence]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Define the term actions for the forward rule.

Options
forwarding-instance: Identifier for the forwarding instance for packet flows accepted under this policy.
unit-number: Unit number associated with the forwarding instance.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide


then (Rule)

Syntax
then {
    (accept | discard);
    count (application | application-group | application-group-any | rule);
    forwarding-class forwarding-class;
    police policer-name;
}

Hierarchy Level
[edit services ptsp rule rule-name term precedence]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Define the term actions. You can configure the router to accept or discard the targeted traffic. The action modifiers (count and forwarding-class) are optional.

Options
You can configure one of the following actions:

accept: Accept the packet and all subsequent packets in flows that match the rules.
discard: Discard the packet and all subsequent packets in flows that match the rules.

When you select accept as the action, you can optionally configure one or both of the following action modifiers. No action modifiers are allowed with the discard action.

count (application | application-group | application-group-any | rule | none): For all accepted packets that match the rules, record a packet count using PTSP statistics practices. You can specify one of the following options; there is no default setting:

application: Count the application that matched in the from clause.
application-group: Count the application group that matched in the from clause.
application-group-any: Count all application groups that match from application-group-any under the any group name.
rule: Count the rule that matched in the from clause.
none: Same as not specifying count as an action.

forwarding-class forwarding-class: Specify the forwarding class name for outgoing packets.

police policer-name: Apply rate-limiting properties to the traffic as configured at the [edit firewall policer policer-name] hierarchy level. This allows bit-rate and burst-size attributes, which PTSP rules themselves do not support, to be applied to the traffic. When you include a policer, the only allowed action is discard. For more information on policers, see the Junos OS Routing Policy Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Static PTSP Rules in Junos OS Subscriber Access Configuration Guide
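As an added illustration (not Juniper code), the following Python model evaluates a PTSP rule's terms the way the rule, term, remote-address-range and then entries above describe them: terms are tried lowest precedence first, demux decides whether the remote address is the flow's destination or source, except inverts a range match, and action modifiers are rejected with discard. Assumed rather than stated on the page: a flow is a plain 5-tuple, and demux selects the remote port the same way it selects the remote address.

```python
"""Added example, not Juniper code: a model of how the PTSP rule, term, demux,
remote-address-range and then statements documented above fit together.
Assumed, not stated on the page: a flow is a plain 5-tuple, demux selects the
remote port the same way it selects the remote address, and a flow matched by
no term is reported as (None, None).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Flow:
    protocol: int
    source_address: str
    destination_address: str
    source_port: int
    destination_port: int


@dataclass
class Term:
    precedence: int
    action: str                                             # accept | discard
    protocol: Optional[int] = None
    remote_address_range: Optional[Tuple[str, str]] = None  # (low, high)
    remote_address_except: bool = False                     # the <except> flag
    remote_port_range: Optional[Tuple[int, int]] = None
    remote_ports: List[int] = field(default_factory=list)
    count: Optional[str] = None                             # action modifier
    forwarding_class: Optional[str] = None                  # action modifier

    def matches(self, remote_addr: str, remote_port: int, protocol: int) -> bool:
        """Every configured from condition must hold; an unset condition
        matches anything (as the reference says for remote-address-range)."""
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.remote_address_range is not None:
            low, high = (IPv4Address(a) for a in self.remote_address_range)
            in_range = low <= IPv4Address(remote_addr) <= high
            if in_range == self.remote_address_except:  # except inverts the test
                return False
        if self.remote_port_range is not None:
            low, high = self.remote_port_range
            if not low <= remote_port <= high:
                return False
        if self.remote_ports and remote_port not in self.remote_ports:
            return False
        return True


@dataclass
class Rule:
    name: str
    demux: str                        # destination-address | source-address
    terms: List[Term]

    def validate(self) -> None:
        """Enforce the then-statement constraints stated in the reference."""
        if self.demux not in ("destination-address", "source-address"):
            raise ValueError("demux must be destination-address or source-address")
        seen = set()
        for t in self.terms:
            if t.action not in ("accept", "discard"):
                raise ValueError(f"term {t.precedence}: action must be accept or discard")
            if t.action == "discard" and (t.count or t.forwarding_class):
                raise ValueError(f"term {t.precedence}: no action modifiers with discard")
            if t.precedence in seen:
                raise ValueError(f"duplicate term precedence {t.precedence}")
            seen.add(t.precedence)

    def evaluate(self, flow: Flow) -> Tuple[Optional[int], Optional[str]]:
        """(precedence, action) of the first matching term, lowest precedence
        first, or (None, None) when no term matches."""
        self.validate()
        if self.demux == "destination-address":
            remote_addr, remote_port = flow.destination_address, flow.destination_port
        else:
            remote_addr, remote_port = flow.source_address, flow.source_port
        for term in sorted(self.terms, key=lambda t: t.precedence):
            if term.matches(remote_addr, remote_port, flow.protocol):
                return term.precedence, term.action
        return None, None


# Constructed sample: discard remote SSH, accept and count web traffic to any
# remote address outside 10/8, discard everything else (terms listed out of order).
SAMPLE_RULE = Rule("edge", "destination-address", [
    Term(30, "discard"),
    Term(10, "discard", protocol=6, remote_ports=[22]),
    Term(20, "accept", remote_address_range=("10.0.0.0", "10.255.255.255"),
         remote_address_except=True, remote_port_range=(80, 443), count="rule"),
])

if __name__ == "__main__":
    for f in (Flow(6, "10.0.0.2", "192.0.2.10", 40000, 443),
              Flow(6, "10.0.0.2", "10.1.1.1", 40000, 80),
              Flow(6, "10.0.0.2", "192.0.2.10", 40000, 22)):
        print(f.destination_address, f.destination_port, SAMPLE_RULE.evaluate(f))
```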


CHAPTER 38

Softwire Configuration Guidelines


To configure softwire services, include the softwire statement at the [edit services] hierarchy level:

[edit services]
softwire {
    ipv6-multicast-interfaces;
    rule rule-name {
        match-direction (input | output);
        term term-name {
            then {
                (ds-lite ds-lite-softwire-concentrator | v6rd v6rd-softwire-concentrator);
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-name ];
    }
    softwire-concentrator {
        ds-lite ds-lite-softwire-concentrator {
            auto-update-mtu;
            copy-dscp;
            flow-limit flow-limit;
            mtu-v6 mtu-v6;
            softwire-address address;
        }
        v6rd v6rd-softwire-concentrator {
            ipv4-prefix ipv4-prefix;
            v6rd-prefix ipv6-prefix;
            mtu-v4 mtu-v4;
        }
    }
}

Configuring a DS-Lite Softwire Concentrator on page 866
Configuring a 6rd Softwire Concentrator on page 866
Configuring Softwire Rules on page 867
Configuring Stateful Firewall Rules for 6rd Softwire on page 867
Configuring IPv6 Multicast Interfaces on page 868
Configuring Service Sets for Softwire on page 868
Examples: Softwire Configuration on page 869

Configuring a DS-Lite Softwire Concentrator


To configure a DS-Lite softwire concentrator:

1. Assign a name to the DS-Lite softwire concentrator.

[edit services softwire softwire-concentrator]
user@host# edit ds-lite ds-lite-softwire-concentrator

2. Specify the address of the softwire tunnel.

[edit services softwire softwire-concentrator ds-lite ds-lite-softwire-concentrator]
user@host# set softwire-address address

3. Specify the MTU for the softwire tunnel.

[edit services softwire softwire-concentrator ds-lite ds-lite-softwire-concentrator]
user@host# set mtu-v6 mtu-v6

NOTE: This option sets the maximum transmission unit used when encapsulating IPv4 packets in IPv6. If the final length is greater than the MTU, the IPv6 packet is fragmented. This option is mandatory because it depends on other network parameters under administrator control.

4. To copy DSCP information from the IPv6 header into the decapsulated IPv4 header, include the copy-dscp statement.

[edit services softwire softwire-concentrator ds-lite ds-lite-softwire-concentrator]
user@host# set copy-dscp

5. Specify the maximum number of flows for the softwire.

[edit services softwire softwire-concentrator ds-lite ds-lite-softwire-concentrator]
user@host# set flow-limit 1000

Configuring a 6rd Softwire Concentrator


To configure a 6rd softwire concentrator:

1. Assign a name to the 6rd softwire concentrator.

[edit services softwire softwire-concentrator]
user@host# edit v6rd v6rd-softwire-concentrator

2. Specify the address of the softwire tunnel.

[edit services softwire softwire-concentrator v6rd v6rd-softwire-concentrator]
user@host# set softwire-address address

3. Specify the MTU for the softwire tunnel.

[edit services softwire softwire-concentrator v6rd v6rd-softwire-concentrator]
user@host# set mtu-v4 mtu-v4

TIP: In this release there is no support for fragmentation and reassembly; therefore, the MTUs on the IPv6 and IPv4 networks must be properly configured by the administrator.

Configuring Softwire Rules


You configure softwire rules to instruct the router how to direct traffic to the addresses specified for 6rd or DS-Lite softwire concentrators. Softwire rules do not perform any filtering of the traffic. They do not include a from statement, and the only option in the then statement is to specify the address of the 6rd or DS-Lite softwire concentrator. You can create a softwire rule consisting of one or more terms and associate a particular 6rd or DS-Lite softwire concentrator with each term. You can include the softwire rule in service sets along with other service rules.

To configure a softwire rule:

1. Assign a name to the rule.

[edit services softwire]
user@host# edit rule rule-name

2. Specify the match direction.

[edit services softwire rule rule-name]
user@host# set match-direction (input | output)

3. Assign a name for the first term.

[edit services softwire rule rule-name]
user@host# edit term term-name

4. Associate a 6rd or DS-Lite softwire concentrator with this term.

[edit services softwire rule rule-name term term-name]
user@host# set then ds-lite ds-lite-softwire-concentrator

or

user@host# set then v6rd v6rd-softwire-concentrator

5. Repeat Steps 3 and 4 for as many additional terms as needed.

Configuring Stateful Firewall Rules for 6rd Softwire


You must configure a stateful firewall rule for use with 6rd softwires. The stateful firewall service is used only to direct packets to the softwire, not for firewalling purposes. The 6rd softwire service itself must be stateless. To support stateless processing, you must include an allow term in both directions of the stateful firewall policy.

To include a stateful firewall rule for 6rd softwire processing:

1. Assign a name to the rule.

[edit services stateful-firewall]
user@host# edit rule rule-name

2. Specify the match direction.

[edit services stateful-firewall rule rule-name]
user@host# set match-direction input-output

3. Assign a name for the term.

[edit services stateful-firewall rule rule-name]
user@host# edit term term-name

4. Specify that all traffic in both directions is accepted for softwire processing.

[edit services stateful-firewall rule rule-name term term-name]
user@host# set then accept

Configuring IPv6 Multicast Interfaces


Configure multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery. This enables the router to process softwire-initiated flows in both directions.

To configure IPv6 multicast interfaces:

1. Access the softwire hierarchy.

user@host# edit services softwire

2. Include the ipv6-multicast-interfaces statement for an individual interface.

[edit services softwire]
user@host# set ipv6-multicast-interfaces interface-name

Or configure all softwire interfaces as IPv6 multicast.

[edit services softwire]
user@host# set ipv6-multicast-interfaces all

Configuring Service Sets for Softwire


You must include softwire rules or a softwire rule set in a service set to enable softwire processing. You must include a stateful firewall rule for DS-Lite.

To configure service sets for softwire:

1. Include a softwire rule or rule set in the service set.

[edit services service-set service-set-name]
user@host# set softwire-rules softwire-rule-name

2. When using a 6rd softwire, include a stateful firewall rule.

[edit services service-set service-set-name]
user@host# set stateful-firewall-rules rule-name

3. You can include a NAT rule for flows originated by DS-Lite softwires.

NOTE: Currently a NAT rule configuration is required with a DS-Lite softwire configuration when you use interface service set configurations; NAT is not required when using next-hop service set configurations. NAT processing from IPv4 to IPv6 address pools and vice versa is not currently supported. FTP, HTTP, and RTSP are supported.

For further information, see Configuring Service Rules on page 572.
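The requirements this chapter states (mtu-v6 mandatory on a DS-Lite concentrator, a 6rd concentrator needing its address, prefixes and mtu-v4, a 6rd softwire needing a stateful firewall rule that accepts in both directions, and a DS-Lite softwire in an interface service set needing a NAT rule) are not all enforced by the CLI, so an added example (not Juniper code) that audits a block of set commands for them follows. It assumes the one-command-per-line "set ..." form used in the procedures above and parses only the statement shapes this chapter uses.

```python
"""Added example, not Juniper code: audit softwire "set" commands against the
requirements stated in this chapter.  Assumed: input is the one-command-per-line
"set ..." form used in the procedures above, and only the statement shapes from
this chapter are parsed.
"""
from collections import defaultdict
from typing import List

# Keys the chapter's procedures require on each concentrator kind.
REQUIRED = {"ds-lite": ("softwire-address", "mtu-v6"),
            "v6rd": ("softwire-address", "ipv4-prefix", "v6rd-prefix", "mtu-v4")}


def parse_set_commands(text: str) -> dict:
    cfg = {
        "concentrators": {},                     # name -> {"kind": ..., key: value}
        "softwire_rules": defaultdict(dict),     # rule -> {"concentrator": name}
        "sfw_rules": defaultdict(lambda: {"match-direction": None, "accept": False}),
        "service_sets": defaultdict(lambda: {"softwire-rules": [], "nat-rules": [],
                                             "stateful-firewall-rules": [],
                                             "interface-service": False}),
    }
    for line in text.strip().splitlines():
        w = line.split()
        if len(w) < 6 or w[0] != "set" or w[1] != "services":
            continue
        if w[2] == "softwire" and w[3] == "softwire-concentrator":
            entry = cfg["concentrators"].setdefault(w[5], {"kind": w[4]})
            entry.update(zip(w[6::2], w[7::2]))  # key value pairs after the name
        elif w[2] == "softwire" and w[3] == "rule" and "then" in w:
            cfg["softwire_rules"][w[4]]["concentrator"] = w[w.index("then") + 2]
        elif w[2] == "stateful-firewall" and w[3] == "rule":
            rule = cfg["sfw_rules"][w[4]]
            if "match-direction" in w:
                rule["match-direction"] = w[w.index("match-direction") + 1]
            if w[-2:] == ["then", "accept"]:
                rule["accept"] = True
        elif w[2] == "service-set":
            sset = cfg["service_sets"][w[3]]
            if w[4] in ("softwire-rules", "nat-rules", "stateful-firewall-rules"):
                sset[w[4]].append(w[5])
            elif w[4] == "interface-service":
                sset["interface-service"] = True
    return cfg


def audit(text: str) -> List[str]:
    """Return one finding per violated requirement; an empty list means clean."""
    cfg = parse_set_commands(text)
    findings = []
    for name, conc in cfg["concentrators"].items():
        for key in REQUIRED.get(conc["kind"], ()):
            if key not in conc:
                findings.append(f"concentrator {name}: missing {key}")
    for sname, sset in cfg["service_sets"].items():
        # concentrator kinds reached through this service set's softwire rules
        kinds = {cfg["concentrators"].get(
                    cfg["softwire_rules"].get(r, {}).get("concentrator"), {}).get("kind")
                 for r in sset["softwire-rules"]}
        if "v6rd" in kinds and not any(
                cfg["sfw_rules"][r]["match-direction"] == "input-output"
                and cfg["sfw_rules"][r]["accept"]
                for r in sset["stateful-firewall-rules"] if r in cfg["sfw_rules"]):
            findings.append(f"service-set {sname}: 6rd softwire without a stateful "
                            "firewall rule accepting input-output traffic")
        if "ds-lite" in kinds and sset["interface-service"] and not sset["nat-rules"]:
            findings.append(f"service-set {sname}: DS-Lite in an interface service "
                            "set without nat-rules")
    return findings


# Constructed from the 6rd example later in this chapter: passes the audit.
SAMPLE_6RD = """
set services softwire softwire-concentrator v6rd v6rd-dom1 softwire-address 30.30.30.1
set services softwire softwire-concentrator v6rd v6rd-dom1 ipv4-prefix 10.10.10.0/24
set services softwire softwire-concentrator v6rd v6rd-dom1 v6rd-prefix 3040::0/16
set services softwire softwire-concentrator v6rd v6rd-dom1 mtu-v4 9192
set services softwire rule v6rd-dom1-r1 term t1 then v6rd v6rd-dom1
set services stateful-firewall rule r1 match-direction input-output
set services stateful-firewall rule r1 term t1 then accept
set services service-set v6rd-dom1-service-set softwire-rules v6rd-dom1-r1
set services service-set v6rd-dom1-service-set stateful-firewall-rules r1
set services service-set v6rd-dom1-service-set interface-service service-interface sp-3/0/0
"""

# Constructed DS-Lite configuration with two of the chapter's requirements missing.
SAMPLE_DSLITE_BAD = """
set services softwire softwire-concentrator ds-lite ds1 softwire-address 1001::1
set services softwire rule r1 match-direction input term t1 then ds-lite ds1
set services service-set sset softwire-rules r1
set services service-set sset interface-service service-interface sp-0/0/0.0
"""

if __name__ == "__main__":
    print(audit(SAMPLE_6RD))
    for finding in audit(SAMPLE_DSLITE_BAD):
        print(finding)
```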

Examples: Softwire Configuration


Example: Basic DS-Lite Configuration on page 869
Example: Basic 6rd Configuration on page 874
Example: Configuring DS-Lite and 6rd in the Same Service Set on page 877

Example: Basic DS-Lite Configuration


Requirements on page 869
Configuration Overview and Topology on page 869
Configuration on page 870

Requirements
The following hardware components can perform DS-Lite:

M Series Multiservice Edge routers with Multiservices PICs
T Series Core routers with Multiservices PICs
MX Series 3D Universal Edge routers with Multiservices DPCs

Configuration Overview and Topology


This example describes how to configure an MX Series router with an MS-DPC as an AFTR to facilitate the flow shown in Figure 10 on page 870.


Figure 10: DS-Lite Topology
[Figure not reproduced. Labels: IPv4 Host, Home router, 10.0.0.1, 10.0.0.2, B4 2001:0:0:1::1, IPv4-in-IPv6 softwire, 2001:0:0:2::1 AFTR Concentrator, ISP IPv6 Cloud Network, NAT, 129.0.0.1, 128.0.0.1, Internet.]

In this example, the DS-Lite softwire concentrator, or AFTR, is an MX Series router with two Gigabit interfaces and a Services DPC. The interface facing the B4 element is ge-3/1/5 and the one facing the Internet is ge-3/1/0.

Configuration

Chassis Configuration on page 870
Interfaces Configuration on page 870
Network Address and Port Translation Configuration on page 872
Softwire Configuration on page 873
Service Set Configuration on page 873

Chassis Configuration

Step-by-Step Procedure

To configure the service PIC (FPC 0 Slot 0) with the Layer 3 service package:

1. Enter the chassis edit hierarchy.

user@host# edit chassis

2. Configure the Layer 3 service package.

[edit chassis]
user@host# set fpc 0 pic 0 adaptive-services service-package layer-3

Interfaces Configuration

Step-by-Step Procedure

To configure the AFTR interfaces facing the B4 (softwire initiator) and facing the Internet:

1. Go to the [edit interfaces] hierarchy level for ge-3/1/0, which faces the Internet.

user@host# edit interfaces ge-3/1/0

2. Define the interface.

[edit interfaces ge-3/1/0]
user@host# set description AFTR-Internet
user@host# set unit 0 family inet address 128.0.0.2/24

3. Go to the [edit interfaces] hierarchy level for ge-3/1/5, which faces the B4.

user@host# top
[edit]
user@host# edit interfaces ge-3/1/5

4. Define the interface.

[edit interfaces ge-3/1/5]
user@host# set description AFTR-B4
user@host# set unit 0 family inet
user@host# edit unit 0 family inet6
[edit interfaces ge-3/1/5 unit 0 family inet6]
user@host# set service input service-set sset
user@host# set service output service-set sset
user@host# set address 2001:0:0:2::1/48

5. Go to the [edit interfaces] hierarchy level for sp-0/0/0, used to host the DS-Lite AFTR.

user@host# top
[edit]
user@host# edit interfaces sp-0/0/0

6. Define the interface.

[edit interfaces sp-0/0/0]
user@host# set description AFTR-B4
user@host# set unit 0 family inet
user@host# edit unit 0 family inet6

Results

user@host# show interfaces ge-3/1/0
description AFTR-Internet;
unit 0 {
    family inet {
        address 128.0.0.2/24;
    }
}
user@host# show interfaces ge-3/1/5
description AFTR-B4;
unit 0 {
    family inet;
    family inet6 {
        service {
            input {
                service-set sset;
            }
            output {
                service-set sset;
            }
        }
        address 2001:0:0:2::1/48;
    }
}
user@host# show interfaces sp-0/0/0
unit 0 {
    family inet;
    family inet6;
}

Network Address and Port Translation Configuration

Step-by-Step Procedure

To configure NAPT:

1. Go to the [edit services nat] hierarchy level.

user@host# edit services nat
[edit services nat]

2. Define a NAT pool p1.

user@host# set pool p1 address 129.0.0.1/32 port automatic

3. Define a NAT rule, beginning with the match direction.

[edit services nat]
user@host# set rule r1 match-direction input

4. Define a term for the rule, beginning with a from clause.

[edit services nat]
user@host# set rule r1 term t1 from source-address 10.0.0.0/16

5. Define the desired translation in a then clause. In this case, use dynamic source translation.

[edit services nat]
user@host# set rule r1 term t1 then translated source-pool p1 translation-type napt-44

6. (Optional) Configure logging of translation information for the rule.

[edit services nat]
user@host# set rule r1 term t1 then syslog

Results

user@host# show services nat
pool p1 {
    address 129.0.0.1/32;
    port {
        automatic;
    }
}
rule r1 {
    match-direction input;
    term t1 {
        from {
            source-address {
                10.0.0.0/16;
            }
        }
        then {
            translated {
                source-pool p1;
                translation-type {
                    napt-44;
                }
            }
            syslog;
        }
    }
}

Softwire Configuration

Step-by-Step Procedure

To configure the DS-Lite softwire concentrator and associated rules:

1. Go to the [edit services softwire] hierarchy level.

user@host# edit services softwire

2. Define the DS-Lite softwire concentrator.

[edit services softwire]
user@host# set softwire-concentrator ds-lite ds1 softwire-address 1001::1 mtu-v6 1460

3. Define the softwire rule.

[edit services softwire]
user@host# set rule r1 match-direction input term t1 then ds-lite ds1

Results

user@host# show services softwire
softwire-concentrator {
    ds-lite ds1 {
        softwire-address 1001::1;
        mtu-v6 1460;
    }
}
rule r1 {
    match-direction input;
    term t1 {
        then {
            ds-lite ds1;
        }
    }
}

Service Set Configuration

Step-by-Step Procedure

Configure a service set that includes softwire and NAT rules and specifies either interface-service or next-hop-service. This example uses an interface service.

1. Go to the [edit services service-set] hierarchy level, naming the service set.

user@host# edit services service-set sset

2. Define the NAT rule to be used for IPv4-to-IPv4 translation.

[edit services service-set sset]
user@host# set nat-rules r1

3. Define the softwire rule that defines the softwire tunnel.

[edit services service-set sset]
user@host# set softwire-rules r1

4. Define the interface service.

[edit services service-set sset]
user@host# set interface-service service-interface sp-0/0/0.0

TIP: To avoid or minimize IPv6 fragmentation, you can configure a TCP maximum segment size (MSS) for your service set.

5. (Optional) Define a TCP MSS.

[edit services service-set sset]
user@host# set tcp-mss 1024

Results

user@host# show services service-set
sset {
    syslog {
        host local {
            services any;
        }
    }
    softwire-rules r1;
    nat-rules r1;
    interface-service {
        service-interface sp-0/0/0;
    }
}

Example: Basic 6rd Configuration


Requirements on page 874
Overview on page 874
Configuration on page 874

Requirements
This example describes how a 6rd concentrator can be configured for a 6rd domain, D1, to provide IPv6 Internet connectivity. The following hardware components can perform 6rd:

M Series Multiservice Edge routers with Multiservices PICs
T Series Core routers with Multiservices PICs
MX Series 3D Universal Edge routers with Multiservices DPCs

Overview
This configuration example describes how to configure a basic 6rd tunneling solution.

Configuration
Chassis Configuration

Step-by-Step Procedure

To configure the chassis:

1. Define the ingress interface.

user@host# edit interfaces ge-1/2/0

2. Configure the ingress interface logical unit and input/output service options.

[edit interfaces ge-1/2/0]
user@host# set unit 0 family inet service input service-set v6rd-dom1-service-set
user@host# set unit 0 family inet6 service output service-set v6rd-dom1-service-set

3. Configure the address of the ingress interface.

[edit interfaces ge-1/2/0]
user@host# set unit 0 family inet address 10.10.10.1/24

4. Define the egress interface.

user@host# up 1
[edit interfaces]
user@host# edit ge-1/2/2

5. Define the logical unit and address for the egress interface.

[edit interfaces ge-1/2/2]
user@host# set unit 0 family inet6 address 3ABC::1/16

6. Define the service PIC.

[edit interfaces ge-1/2/2]
user@host# up 1
[edit interfaces]
user@host# edit sp-0/2/0

7. Configure the logical unit for the service PIC.

[edit interfaces sp-0/2/0]
user@host# set unit 0 family inet
user@host# set unit 0 family inet6

Softwire Concentrator, Softwire Rule, and Stateful Firewall Rule Configuration

Step-by-Step Procedure

To configure the softwire concentrator, softwire rule, and stateful firewall rule:

1. Define the 6rd softwire concentrator.

user@host# top
user@host# edit services softwire softwire-concentrator v6rd v6rd-dom1

2. Configure the softwire concentrator properties. Here, softwire address 30.30.30.1 is the softwire concentrator IPv4 address, 10.10.10.0/24 is the IPv4 prefix of the CE WAN side, and 3040::0/16 is the IPv6 prefix of the 6rd domain D1.

[edit services softwire softwire-concentrator v6rd v6rd-dom1]
user@host# set softwire-address 30.30.30.1
user@host# set ipv4-prefix 10.10.10.0/24
user@host# set v6rd-prefix 3040::0/16
user@host# set mtu-v4 9192

3. Define the softwire rule.

[edit services softwire softwire-concentrator v6rd v6rd-dom1]
user@host# up 2
[edit services softwire]
user@host# edit rule v6rd-dom1-r1
[edit services softwire rule v6rd-dom1-r1]
user@host# set term t1 then v6rd v6rd-dom1

4. Define a stateful firewall rule and properties. You must configure a stateful firewall rule that accepts all traffic in both the input and output directions in order for 6rd to work; however, this is not enforced through the CLI. This is because in IPv6, gratuitous IPv6 packets are expected (due to anycast) and should not be dropped. The service PIC can handle reverse traffic without seeing all forward traffic. This can also happen with service PIC switchover in the middle of a session. By default, the stateful firewall on the service PIC drops all traffic unless a rule is configured explicitly to allow it.

[edit services softwire rule v6rd-dom1-r1]
user@host# top
user@host# edit services stateful-firewall rule r1
[edit services stateful-firewall rule r1]
user@host# set match-direction input-output
user@host# set term t1 then accept

Results

[edit services softwire]
user@router# show
softwire-concentrator {
    v6rd v6rd-dom1 {
        softwire-address 30.30.30.1;
        ipv4-prefix 10.10.10.0/24;
        v6rd-prefix 3040::0/16;
        mtu-v4 9192;
    }
}
rule v6rd-dom1-r1 {
    match-direction input;
    term t1 {
        then {
            v6rd v6rd-dom1;
        }
    }
}
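The example gives the v6rd-dom1 parameters (softwire-address, ipv4-prefix, v6rd-prefix, mtu-v4) but not what they imply for the CE addresses in domain D1. The following Python, an added example that is not Juniper code and goes one step beyond the page, applies the 6rd address mapping of RFC 5969 to those values and checks an IPv6 packet against mtu-v4 (treated as a hard limit, since the TIP earlier says this release has no fragmentation support). Assumed: all CE WAN addresses fall inside ipv4-prefix 10.10.10.0/24, so only the low 8 bits of a CE address are embedded in its delegated prefix.

```python
"""Added example, not Juniper code: what the v6rd-dom1 parameters above imply
for a CE in 6rd domain D1, following the 6rd address mapping of RFC 5969.
Assumed: every CE WAN address lies inside ipv4-prefix, so only the bits below
the ipv4-prefix length are embedded; mtu-v4 is a hard limit (no fragmentation).
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


class SixRdDomain:
    def __init__(self, softwire_address: str, ipv4_prefix: str,
                 v6rd_prefix: str, mtu_v4: int):
        self.br = IPv4Address(softwire_address)   # softwire-address (concentrator)
        self.v4 = IPv4Network(ipv4_prefix)        # ipv4-prefix of the CE WAN side
        self.v6 = IPv6Network(v6rd_prefix)        # v6rd-prefix of the domain
        self.mtu_v4 = mtu_v4
        # CE IPv4 bits that are not common to the whole domain get embedded
        self.embedded_bits = 32 - self.v4.prefixlen

    def delegated_prefix(self, ce_ipv4: str) -> IPv6Network:
        """6rd delegated prefix for a CE: v6rd-prefix followed by the CE's
        non-common IPv4 bits (RFC 5969 section 7.1.1)."""
        ce = IPv4Address(ce_ipv4)
        if ce not in self.v4:
            raise ValueError(f"{ce} is outside ipv4-prefix {self.v4}")
        suffix = int(ce) & ((1 << self.embedded_bits) - 1)
        plen = self.v6.prefixlen + self.embedded_bits
        addr = int(self.v6.network_address) | (suffix << (128 - plen))
        return IPv6Network((IPv6Address(addr), plen))

    def ce_for_destination(self, ipv6_dst: str) -> IPv4Address:
        """Reverse mapping the concentrator applies to traffic attracted by the
        v6rd-prefix route: recover the CE's IPv4 tunnel endpoint."""
        dst = IPv6Address(ipv6_dst)
        if dst not in self.v6:
            raise ValueError(f"{dst} is outside v6rd-prefix {self.v6}")
        shift = 128 - self.v6.prefixlen - self.embedded_bits
        suffix = (int(dst) >> shift) & ((1 << self.embedded_bits) - 1)
        return IPv4Address(int(self.v4.network_address) | suffix)

    def fits_mtu_v4(self, ipv6_packet_len: int) -> bool:
        """True if the IPv6 packet plus the 20-byte IPv4 encapsulation header
        fits mtu-v4; anything larger cannot be fragmented in this release."""
        return ipv6_packet_len + 20 <= self.mtu_v4


# Constructed from the values configured in the example above.
DOM1 = SixRdDomain("30.30.30.1", "10.10.10.0/24", "3040::0/16", 9192)

if __name__ == "__main__":
    print(DOM1.delegated_prefix("10.10.10.5"))        # 3040:500::/24
    print(DOM1.ce_for_destination("3040:500::1"))     # 10.10.10.5
    print(DOM1.fits_mtu_v4(1500), DOM1.fits_mtu_v4(9180))
```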

Service Set Configuration

Step-by-Step Procedure

To configure the service set:

1. Define the service set for 6rd processing.

user@host# top
user@host# edit services service-set v6rd-dom1-service-set

2. Define the softwire and stateful firewall rules for the service set.

[edit services service-set v6rd-dom1-service-set]
user@host# set softwire-rules v6rd-dom1-r1
user@host# set stateful-firewall-rules r1

3. Define the interface service for the service set.

[edit services service-set v6rd-dom1-service-set]
user@host# set interface-service service-interface sp-3/0/0

Results

[edit services service-set v6rd-dom1-service-set]
user@host# show
softwire-rules v6rd-dom1-r1;
interface-service {
    service-interface sp-3/0/0;
}

Example: Configuring DS-Lite and 6rd in the Same Service Set


Requirements on page 877
Overview on page 877
Configuration on page 877

Requirements
The following hardware components can perform DS-Lite:

M Series Multiservice Edge routers with Multiservices PICs
T Series Core routers with Multiservices PICs
MX Series 3D Universal Edge routers with Multiservices DPCs

Overview
This example describes a softwire solution that includes DS-Lite and 6rd in the same service set.

Configuration
Chassis Configuration

Step-by-Step Procedure

To configure the chassis:

1. Configure the ingress interface.

user@host# edit interfaces ge-1/2/0
[edit interfaces ge-1/2/0]
user@host# set unit 0 family inet service input service-set v6rd-dslite-service-set
user@host# set unit 0 family inet service output service-set v6rd-dslite-service-set
user@host# set unit 0 family inet address 10.10.10.1/24
user@host# set unit 0 family inet6 service input service-set v6rd-dslite-service-set
user@host# set unit 0 family inet6 service output service-set v6rd-dslite-service-set
user@host# set unit 0 family inet6 address 2001::1/16

Here the service set is applied to the inet (IPv4) and inet6 (IPv6) families of subunit 0. Both DS-Lite IPv6 traffic and 6rd IPv4 traffic hit the service filter and are sent to the services PIC.

2. Configure the egress interface (IPv6 Internet). The IPv4 server that the DS-Lite clients are trying to reach is at 200.200.200.2/24, and the IPv6 server is at 3ABC::2/16.

user@host# top
user@host# edit interfaces ge-1/2/2
[edit interfaces ge-1/2/2]
user@host# set unit 0 family inet address 200.200.200.1/24
user@host# set unit 0 family inet6 address 3ABC::1/16

3. Configure the services PIC.

user@host# top
user@host# edit interfaces sp-3/0/0
[edit interfaces sp-3/0/0]
user@host# set unit 0 family inet
user@host# set unit 0 family inet6

Results

[edit interfaces]
user@host# show
ge-1/2/0 {
    unit 0 {
        family inet {
            service {
                input {
                    service-set v6rd-dslite-service-set;
                }
                output {
                    service-set v6rd-dslite-service-set;
                }
            }
            address 10.10.10.1/24;
        }
        family inet6 {
            service {
                input {
                    service-set v6rd-dslite-service-set;
                }
                output {
                    service-set v6rd-dslite-service-set;
                }
            }
            address 2001::1/16;
        }
    }
}
ge-1/2/2 {
    unit 0 {
        family inet {
            address 200.200.200.1/24;
        }
        family inet6 {
            address 3ABC::1/16;
        }
    }
}
sp-3/0/0 {
    unit 0 {
        family inet;
        family inet6;
    }
}

Softwire Concentrator, Softwire Rule, Stateful Firewall Rule Configuration Step-by-Step Procedure To configure the softwire concentrator, softwire rule, and stateful firewall rule:
1. Configure the DS-Lite and 6rd softwire concentrators.

user@host# edit services softwire softwire-concentrator ds-lite ds1
[edit services softwire softwire-concentrator ds-lite ds1]
user@host# set softwire-address 1001::1
user@host# set mtu-v6 9192
user@host# up 1
[edit services softwire softwire-concentrator]
user@host# edit v6rd v6rd-dom1
[edit services softwire softwire-concentrator v6rd v6rd-dom1]
user@host# set softwire-address 30.30.30.1
user@host# set ipv4-prefix 10.10.10.0/24
user@host# set v6rd-prefix 3040::0/16
user@host# set mtu-v4 9192
2. Configure the softwire rules.

user@host# edit services softwire rule v6rd-r1
[edit services softwire rule v6rd-r1]
user@host# set match-direction input
user@host# set term t1 then v6rd v6rd-dom1
user@host# up 1
[edit services softwire]
user@host# edit rule dslite-r1
[edit services softwire rule dslite-r1]
user@host# set match-direction input
user@host# set term dslite-t1 then ds-lite ds1

The following routes are added by the services PIC daemon on the Routing Engine:

user@router# run show route 30.30.30.1

inet.0: 43 destinations, 46 routes (42 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

30.30.30.1/32      *[Static/786432] 00:24:11
                      Service to v6rd-dslite-service-set

[edit]
user@router# run show route 3040::0/16

inet6.0: 23 destinations, 33 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

3040::/16          *[Static/786432] 00:24:39
                      Service to v6rd-dslite-service-set

user@router# run show route 1001::1

inet6.0: 33 destinations, 43 routes (33 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1001::1/128        *[Static/1] 1w2d 22:05:41
                      Service to v6rd-dslite-service-set

3. Configure a stateful firewall rule.

user@host# edit services stateful-firewall rule r1
[edit services stateful-firewall rule r1]
user@host# set match-direction input-output
user@host# set term t1 then accept

[edit services stateful-firewall]
rule r1 {
    match-direction input-output;
    term t1 {
        then {
            accept;
        }
    }
}

Results

[edit services softwire]
user@host# show
softwire-concentrator {
    ds-lite ds1 {
        softwire-address 1001::1;
        mtu-v6 9192;
    }
    v6rd v6rd-dom1 {
        softwire-address 30.30.30.1;
        ipv4-prefix 10.10.10.0/24;
        v6rd-prefix 3040::0/16;
        mtu-v4 9192;
    }
}
rule v6rd-r1 {
    match-direction input;
    term t1 {
        then {
            v6rd v6rd-dom1;
        }
    }
}
rule dslite-r1 {
    match-direction input;
    term dslite-t1 {
        then {
            ds-lite ds1;
        }
    }
}

[edit services stateful-firewall]
user@host# show
rule r1 {
    match-direction input-output;
    term t1 {
        then {
            accept;
        }
    }
}

NAT Configuration for DS-Lite

Step-by-Step Procedure

To configure NAT for DS-Lite:
1. Configure a NAT pool for DS-Lite.

user@host# edit services nat pool dslite-pool
[edit services nat pool dslite-pool]
user@host# set address-range low 33.33.33.1 high 33.33.33.32
user@host# set port automatic


2. Configure a NAT rule.

user@host# up 1
[edit services nat]
user@host# edit rule dslite-nat-r1
[edit services nat rule dslite-nat-r1]
user@host# set match-direction input
user@host# set term dslite-nat-t1 from source-address 20.20.0.0/16
user@host# set term dslite-nat-t1 then translated source-pool dslite-pool
user@host# set term dslite-nat-t1 then translated translation-type source dynamic

Results

[edit services nat]
user@host# show
pool dslite-pool {
    address-range low 33.33.33.1 high 33.33.33.32;
    port {
        automatic;
    }
}
rule dslite-nat-r1 {
    match-direction input;
    term dslite-nat-t1 {
        from {
            source-address {
                20.20.0.0/16;
            }
        }
        then {
            translated {
                source-pool dslite-pool;
                translation-type {
                    source dynamic;
                }
            }
        }
    }
}

Because of this NAT rule, the following NAT routes are installed for the reverse DS-Lite traffic:

user@router# run show route 33.33.33.0/24

inet.0: 48 destinations, 52 routes (47 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

33.33.33.1/32      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.2/31      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.4/30      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.8/29      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.16/28     *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.32/32     *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set

The NAT rule triggers address translation for the traffic coming from 20.20.0.0/16 to public address range 33.33.33.1 to 33.33.33.32.
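The six routes above are simply the minimal prefix decomposition of the pool's address-range, and a practitioner will want to confirm that the Routing Engine holds exactly that set and nothing stale. The following Python is an added example, not code from the Junos guide or from Juniper: it reproduces the decomposition and audits a show route dump against the configured pool; the route text is constructed to mirror the guide's output, and pool_prefixes, service_routes and audit_nat_routes are names chosen for this example.

```python
"""Audit the static routes a DS-Lite NAT pool installs (added example, not Junos code).

The services PIC daemon installs one route per prefix of the pool's
address-range, each pointing at the service set. This module recomputes
that prefix set from the pool bounds and compares it with 'show route'
output, so a missing route (reverse traffic would bypass the services PIC)
or a stale one left after a pool change shows up.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample modelled on the 'show route 33.33.33.0/24' output in the guide.
SHOW_ROUTE_OUTPUT = """\
inet.0: 48 destinations, 52 routes (47 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

33.33.33.1/32      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.2/31      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.4/30      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.8/29      *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.16/28     *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
33.33.33.32/32     *[Static/1] 1w2d 23:08:38
                      Service to v6rd-dslite-service-set
"""

PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s")
SERVICE_RE = re.compile(r"Service to (\S+)")


def pool_prefixes(low: str, high: str) -> List[ipaddress.IPv4Network]:
    """Decompose an inclusive address range into the minimal list of prefixes.

    Greedy: from the current start take the largest block that is aligned to
    its own size and does not run past 'high'. For 33.33.33.1-33.33.33.32 this
    yields /32, /31, /30, /29, /28, /32: exactly the six routes the guide shows.
    """
    lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
    if lo > hi:
        raise ValueError("pool low address is above the high address")
    prefixes = []
    while lo <= hi:
        size = lo & -lo if lo else 1 << 32   # largest power of two aligned at lo
        while lo + size - 1 > hi:           # shrink until the block fits the range
            size >>= 1
        prefixes.append(ipaddress.IPv4Network((lo, 33 - size.bit_length())))
        lo += size
    return prefixes


def service_routes(show_route_text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Parse 'show route' output into {prefix: service-set} for 'Service to' routes.

    Junos prints the prefix on one line and the next hop on the following
    indented line, so the last prefix seen is carried forward.
    """
    routes: Dict[ipaddress.IPv4Network, str] = {}
    current = None
    for line in show_route_text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = ipaddress.IPv4Network(m.group(1))
        s = SERVICE_RE.search(line)
        if s and current is not None:
            routes[current] = s.group(1)
    return routes


def audit_nat_routes(low: str, high: str, service_set: str,
                     show_route_text: str) -> Dict[str, List[str]]:
    """Compare the routes the pool should install with what the RE actually has.

    'missing' lists pool prefixes without a route to service_set; 'unexpected'
    lists routes to service_set whose prefix lies outside the configured pool.
    """
    expected: Set[ipaddress.IPv4Network] = set(pool_prefixes(low, high))
    installed = {p for p, ss in service_routes(show_route_text).items() if ss == service_set}
    return {
        "missing": sorted(str(p) for p in expected - installed),
        "unexpected": sorted(str(p) for p in installed - expected),
    }


if __name__ == "__main__":
    for p in pool_prefixes("33.33.33.1", "33.33.33.32"):
        print(p)
    print(audit_nat_routes("33.33.33.1", "33.33.33.32",
                           "v6rd-dslite-service-set", SHOW_ROUTE_OUTPUT))
```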


Service Set Configuration

Step-by-Step Procedure

This service set has a stateful firewall rule and 6rd rule for 6rd service. The service set also includes a softwire rule for DS-Lite and a NAT rule to perform address translation for all DS-Lite traffic. The NAT rule performs NAPT translation in the forward direction on the source address and port of the DS-Lite traffic. To configure the service set:
1. Define the service set.

user@host# edit services service-set v6rd-dslite-service-set

2. Configure the service set rules.

[edit services service-set v6rd-dslite-service-set]
user@host# set softwire-rules v6rd-r1
user@host# set softwire-rules dslite-r1
user@host# set stateful-firewall-rules r1
user@host# set nat-rules dslite-nat-r1

3. Configure the service set interface-service.

[edit services service-set v6rd-dslite-service-set]
user@host# set interface-service service-interface sp-3/0/0

Results

[edit services service-set]
user@host# show
v6rd-dslite-service-set {
    softwire-rules v6rd-r1;
    softwire-rules dslite-r1;
    stateful-firewall-rules r1;
    nat-rules dslite-nat-r1;
    interface-service {
        service-interface sp-3/0/0;
    }
}


CHAPTER 39

Summary of Softwire Configuration Statements


The following sections explain each of the softwire statements. The statements are organized alphabetically.


ds-lite

Syntax

ds-lite ds-lite-softwire-concentrator {
    auto-update-mtu;
    copy-dscp;
    flow-limit flow-limit;
    mtu-v6 mtu-v6;
    softwire-address softwire-address;
}

Hierarchy Level

[edit services softwire softwire-concentrator]

Release Information

Statement introduced in Junos OS Release 10.4.
auto-update-mtu option introduced in Junos OS Release 10.4.
copy-dscp option introduced in Junos OS Release 11.2.
mtu-v6 option introduced in Junos OS Release 10.4.
softwire-address option introduced in Junos OS Release 10.4.

Description

Configure settings for a DS-Lite concentrator used to process IPv4 packets encapsulated in IPv6.

Options

ds-lite-softwire-concentrator: Name applied to a DS-Lite softwire concentrator.
auto-update-mtu: This option is not currently supported.
copy-dscp: Copy DSCP information to IPv4 headers during decapsulation.
flow-limit: Maximum number of IPv4 flows per softwire (0 through 16384).
mtu-v6: Maximum transmission unit (MTU), in bytes (0 through 9192), for encapsulating IPv4 packets into IPv6. If the final length is greater than the configured value, the IPv6 packet is fragmented.
softwire-address: Address of the DS-Lite softwire concentrator.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Softwire Configuration Guidelines


rule (Softwire)

Syntax

rule rule-name {
    match-direction (input | output);
    term term-name {
        then {
            (ds-lite ds-lite-softwire-concentrator | v6rd v6rd-softwire-concentrator);
        }
    }
}

Hierarchy Level

[edit services softwire],
[edit services softwire rule-set rule-set-name]

Release Information

Statement introduced in Junos OS Release 10.4.

Description

Configure a rule to apply a softwire concentrator for a flow.

Options

rule-name: Identifier for the collection of terms that constitute this rule.
input: Apply the rule match on the input side of the interface.
output: Apply the rule match on the output side of the interface.

The remaining statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring Softwire Rules on page 867

rule-set (Softwire)

Syntax

rule-set rule-set-name {
    rule rule-name;
}

Hierarchy Level

[edit services softwire]

Release Information

Statement introduced in Junos OS Release 10.4.

Description

Specify the rule set the router uses when applying this service.

Options

rule-set-name: Identifier for the collection of rules that constitute this rule set.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring Softwire Rules on page 867


softwire-concentrator

Syntax

softwire-concentrator {
    ds-lite ds-lite-softwire-concentrator {
        auto-update-mtu;
        flow-limit flow-limit;
        mtu-v6 mtu-v6;
        softwire-address address;
    }
    v6rd v6rd-softwire-concentrator {
        ipv4-prefix ipv4-prefix;
        v6rd-prefix ipv6-prefix;
        mtu-v4 mtu-v4;
    }
}

Hierarchy Level

[edit services softwire]

Release Information

Statement introduced in Junos OS Release 10.4.

Description

Configure settings for a softwire concentrator.

Options

The statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Softwire Configuration Guidelines

softwire-rules

Syntax

(softwire-rules rule-name | softwire-rule-sets rule-set-name);

Hierarchy Level

[edit services service-set service-set-name]

Release Information

Statement introduced in Junos OS Release 10.4.

Description

Specify the DS-Lite or 6rd rules or rule set included in this service set. You can configure multiple rules; however, you can only configure one rule set for each service set.

Options

rule-name: Identifier for the collection of terms that constitute this rule.
rule-set-name: Identifier for the set of rules to be included.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring Service Rules on page 572


term (Softwire Rule)

Syntax

term term-name {
    then {
        (ds-lite ds-lite-softwire-concentrator | v6rd v6rd-softwire-concentrator);
    }
}

Hierarchy Level

[edit services softwire rule rule-name]

Release Information

Statement introduced before Junos OS Release 10.4.

Description

Define the softwire term properties.

Options

term-name: Identifier for the term.
ds-lite-softwire-concentrator: Name of the DS-Lite softwire concentrator used for this rule.
v6rd-softwire-concentrator: Name of the 6rd softwire concentrator used for this rule.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring Softwire Rules on page 867


v6rd

Syntax

v6rd v6rd-softwire-concentrator {
    ipv4-prefix ipv4-prefix;
    v6rd-prefix ipv6-prefix;
    mtu-v4 mtu-v4;
    softwire-address ipv4-address;
}

Hierarchy Level

[edit services softwire softwire-concentrator]

Release Information

Statement introduced in Junos OS Release 10.4.

Description

Configure settings for a 6rd concentrator used to process IPv6 packets encapsulated in IPv4 packets.

Options

ipv4-prefix: IPv4 prefix of the customer edge (CE) network.
ipv6-prefix: IPv6 prefix of the 6rd domain.
mtu-v4: Maximum transmission unit (MTU), in bytes (576 through 9192), for IPv6 packets encapsulated into IPv4. If the final length is greater than the configured value, the IPv4 packet will be dropped.
ipv4-address: IPv4 address of the softwire concentrator. This is an IPv4 address independent of any interface and on a different prefix.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Softwire Configuration Guidelines
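To make the ipv4-prefix, v6rd-prefix, softwire-address and mtu-v4 statements concrete, the following Python applies the 6rd address mapping of RFC 5969 to the v6rd-dom1 values from the configuration example in Chapter 38. It is an added example, not code from this guide or from Juniper; the mapping comes from the RFC rather than from the guide, and the function names are this example's own.

```python
"""6rd address mapping for a v6rd softwire concentrator (added example, not Junos code).

RFC 5969 defines the mapping: a CE's delegated IPv6 prefix is the v6rd-prefix
followed by the bits of the CE's IPv4 address not covered by ipv4-prefix, and
the concentrator (border relay, BR) reverses that to find the IPv4 tunnel
endpoint. The constants are the v6rd-dom1 values from this guide's example.
"""
import ipaddress
from typing import Optional

V6RD_PREFIX = ipaddress.IPv6Network("3040::/16")         # v6rd-prefix 3040::0/16
IPV4_PREFIX = ipaddress.IPv4Network("10.10.10.0/24")     # ipv4-prefix 10.10.10.0/24
SOFTWIRE_ADDRESS = ipaddress.IPv4Address("30.30.30.1")  # softwire-address of the BR
MTU_V4 = 9192                                            # mtu-v4 9192
IPV4_HEADER_LEN = 20  # bytes added by the outer IPv4 header (no options)


def embedded_bits(ipv4_prefix: ipaddress.IPv4Network = IPV4_PREFIX) -> int:
    """Number of CE IPv4 address bits embedded in the 6rd IPv6 prefix (here 8)."""
    return 32 - ipv4_prefix.prefixlen


def ce_delegated_prefix(ce_ipv4: str,
                        v6rd_prefix: ipaddress.IPv6Network = V6RD_PREFIX,
                        ipv4_prefix: ipaddress.IPv4Network = IPV4_PREFIX
                        ) -> ipaddress.IPv6Network:
    """IPv6 prefix delegated to the CE whose IPv4 address is ce_ipv4.

    With a /16 v6rd-prefix and a /24 ipv4-prefix every CE gets a /24, for
    example 10.10.10.5 -> 3040:500::/24. A CE outside ipv4-prefix is not a
    member of this 6rd domain at all.
    """
    addr = ipaddress.IPv4Address(ce_ipv4)
    if addr not in ipv4_prefix:
        raise ValueError(f"{addr} is outside the 6rd domain's ipv4-prefix {ipv4_prefix}")
    nbits = embedded_bits(ipv4_prefix)
    host_part = int(addr) & ((1 << nbits) - 1)
    delegated_len = v6rd_prefix.prefixlen + nbits
    # The embedded IPv4 bits sit immediately after the v6rd-prefix bits.
    network = int(v6rd_prefix.network_address) | (host_part << (128 - delegated_len))
    return ipaddress.IPv6Network((network, delegated_len))


def ce_ipv4_for_destination(ipv6_dst: str,
                            v6rd_prefix: ipaddress.IPv6Network = V6RD_PREFIX,
                            ipv4_prefix: ipaddress.IPv4Network = IPV4_PREFIX
                            ) -> Optional[ipaddress.IPv4Address]:
    """Reverse mapping the concentrator performs before encapsulating into IPv4.

    Returns the CE IPv4 address embedded in ipv6_dst, or None when ipv6_dst is
    outside v6rd-prefix (native IPv6 traffic that is not part of this domain).
    """
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in v6rd_prefix:
        return None
    nbits = embedded_bits(ipv4_prefix)
    shift = 128 - v6rd_prefix.prefixlen - nbits
    host_part = (int(dst) >> shift) & ((1 << nbits) - 1)
    return ipaddress.IPv4Address(int(ipv4_prefix.network_address) | host_part)


def ce_tunnel_endpoint(ipv6_dst: str,
                       softwire_address: ipaddress.IPv4Address = SOFTWIRE_ADDRESS
                       ) -> ipaddress.IPv4Address:
    """IPv4 endpoint a CE tunnels to: the peer CE when ipv6_dst is inside the
    6rd domain, otherwise the concentrator's softwire-address (RFC 5969, section 7)."""
    peer = ce_ipv4_for_destination(ipv6_dst)
    return peer if peer is not None else softwire_address


def encapsulated_fits_mtu_v4(ipv6_packet_len: int, mtu_v4: int = MTU_V4) -> bool:
    """True when the IPv6 packet plus its outer IPv4 header does not exceed mtu-v4.

    Per the v6rd statement an encapsulated IPv4 packet longer than mtu-v4 is
    dropped rather than fragmented, so the IPv6 side must stay 20 bytes below it.
    """
    return ipv6_packet_len + IPV4_HEADER_LEN <= mtu_v4


if __name__ == "__main__":
    for ce in ("10.10.10.5", "10.10.10.254"):
        print(ce, "->", ce_delegated_prefix(ce))
    print("3040:500:1::1 ->", ce_ipv4_for_destination("3040:500:1::1"))
    print("3abc::2 ->", ce_tunnel_endpoint("3abc::2"))
    print("9172-byte IPv6 packet fits mtu-v4:", encapsulated_fits_mtu_v4(9172))
```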


ipv6-multicast-interfaces (Softwire)

Syntax

ipv6-multicast-interfaces (all | interface-name);

Hierarchy Level

[edit services softwire]

Release Information

Statement introduced in Junos OS Release 10.4.

Description

Configure multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery. This enables the router to process softwire-initiated flows in both directions.

Options

all: Enable filters on all interfaces.
interface-name: Enable filters on a specific interface only.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Softwire Configuration Guidelines


PART 3

Dynamic Application Awareness for Junos OS

Dynamic Application Awareness for Junos OS Overview on page 893
Application Identification Configuration Guidelines on page 901
Summary of Application Identification Configuration Statements on page 919
Application-Aware Access List Configuration Guidelines on page 955
Summary of AACL Configuration Statements on page 963
Local Policy Decision Function Configuration Guidelines on page 975
Summary of L-PDF Configuration Statements on page 981


CHAPTER 40

Dynamic Application Awareness for Junos OS Overview


This chapter describes several related features that support application-level filtering and per-subscriber, per-application group bandwidth control as an extension of Intrusion Detection and Prevention (IDP). In addition to IDP, the main components are application identification (APPID), application-aware access list (AACL) services, and local policy decision functionality for application-related services (L-PDF).

NOTE: Because the Services SDK framework lacks aggressive constraint checks, you should not set the policy-db-size statement at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level to a high value. For dynamic application awareness configurations, the recommended values for the Services SDK options at this hierarchy level are as follows:

control-cores = 1
data-cores = 7
object-cache-size = 1280 (for Multiservices 400 PIC and Multiservices DPC)
policy-db-size = 200

Include these package values: jservices-idp, jservices-appid, jservices-llpdf, jservices-aacl

For more information about this configuration, see the following topics in the SDK Applications Configuration Guide and Command Reference:

Configuring Control and Data Cores
Configuring Memory Settings
Configuring Packages on the PIC

This chapter includes the following:

IDP Overview on page 894
APPID Overview on page 895
AACL Overview on page 896
L-PDF Overview on page 896
Configuring Multiple IDP Detectors on page 897
Best-Effort Application Identification of DPI-Serviced Flows on page 897

IDP Overview
The Dynamic Application Awareness for the Junos OS set of services adds support for the intrusion detection and prevention (IDP) functionality using Deep Packet Inspection (DPI) technology to Juniper Networks MX Series 3D Universal Edge Routers equipped with Multiservices Dense Port Concentrators (MS-DPCs) and M120 or M320 Multiservice Edge Routers equipped with Multiservices 400 PICs. The IDP functionality is already supported on Juniper Networks J Series Services Routers and SRX Series Services Gateways running the Junos OS and is described in the Junos OS Security Configuration Guide. Starting with Junos OS Release 11.3, support for the IDP functionality is extended to T320, T640, and T1600 routers. In addition, multiple IDP detectors are now supported on the M120, M320, and MX Series routers with Enhanced III Flexible PIC Concentrators (FPCs). The same CLI statements and commands are used on all platforms with the following caveats:

Service sets: IDP is incorporated as a component of service sets only on the specified Juniper Networks T Series, M Series and MX Series routers. IDP depends on application identification services (APPID) for definition and detection of some Layer 7 applications. Before configuring an IDP policy, you must download the APPID application package. Only one service set can be applied to a single interface when the APPID functionality is used.

Multiple IDP detectors: Except for the maximum number of decoder binary instances (4) that are loaded into the process space, multiple IDP detectors on the M120, M320, and MX Series routers function in a similar way to the existing IDP detector support on J Series and SRX Series devices. To view the current policy and the corresponding detector version, use the show security idp status detail command.

To configure IDP properties, include statements at the [edit security idp] hierarchy level. In general, you configure IDP processes by including the idp-policy statement at the [edit system processes] hierarchy level. For use in T Series, M Series and MX Series applications, you then reference this configuration by including the idp-profile statement at the [edit services service-set] hierarchy level. To configure SNMP IDP objects, include the idp statement at the [edit snmp health-monitor] hierarchy level. The operational commands for monitoring and regulating IDP activity are the clear security idp, request security idp, and show security idp commands. To configure the source IP address for downloading security packages, use the command set security idp security-package source-address ip-address because it is not possible to download security packages if the router uses private addressing on its outgoing interface. The source address should be a valid IP address on the node.


NOTE: On T Series, M Series and MX Series routers, the IDP ip-action statement is supported on TCP, UDP, and ICMP flows. When the ip-action target is service, the ip-action flow is applied if the traffic matches the values specified for the source port, destination port, source address, and destination address. However, for ICMP flows, the destination port is 0, so that any ICMP flow matching the source port, source address, and destination address would be blocked. For more information about the ip-action statement, see the Junos OS CLI Reference.

When the Multiservices PIC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level. When this statement is configured, the affected packets are forwarded in the event of a Multiservices PIC failure or offlining, as though interface-style services were not configured.

NOTE: Data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, control channel application junos:ftp is in the group junos:file-server but the corresponding data application junos:system:ftp-data is not in any group.

Related Documentation

Configuring Multiple IDP Detectors on page 897

APPID Overview
The APPID feature identifies applications as constituents of application groups in TCP/UDP/ICMP traffic. It is supported on MX Series routers equipped with Multiservices DPCs and on M120 or M320 routers equipped with Multiservices 400 PICs. To configure APPID, include statements at the [edit services application-identification] hierarchy level to specify parameter values for defining applications, enable or disable application rules, and gather the applications and rules into groups. The following are related operational commands:

show/clear application-identification application-system-cache
show/clear application-identification counters

For more information on the CLI configuration, see Application Identification Configuration Guidelines. For more information on the operational commands, see the Junos OS System Basics and Services Command Reference.


AACL Overview
The application-aware access list (AACL) service adds support for a new service that uses application names and groups as matching criteria for filtering traffic. AACL is a stateless, rules-based service that must be combined with application identification to enable policies to be applied to flows based on application and application group membership in addition to traditional packet matching rules. It is supported on MX Series routers equipped with Multiservices DPCs and on M120 or M320 routers equipped with Multiservices 400 PICs. Starting with Junos OS Release 11.3, AACL is supported on T320, T640, and T1600 routers also. AACL is configured in a similar way to other rules-based services such as Network Address Translation (NAT), class of service (CoS), and stateful firewall. To configure AACL, include rule specifications for match criteria and actions at the [edit services aacl] hierarchy level. You can chain AACL rules along with other service rules by including them in a service-set definition at the [edit services service-set] hierarchy level, as previously documented. There is one pair of related operational commands, show/clear application-aware-access-list statistics. For more information on the CLI configuration, see Application-Aware Access List Configuration Guidelines. For more information on the operational command, see the Junos OS System Basics and Services Command Reference.

L-PDF Overview
Local policy decision functionality for application-related services adds support for a new process that regulates collection of statistics related to applications and application groups and tracking of information about dynamic subscribers and static interfaces. This functionality is collectively named the local policy decision function (L-PDF). It is supported on MX Series routers equipped with Multiservices DPCs and on M120 or M320 routers equipped with Multiservices 400 PICs. Starting with Junos OS Release 11.3, local L-PDF that resides on the services PIC is supported on T320, T640, and T1600 routers. The application identification (APPID) service defines the applications and how they are grouped. The application-aware access list (AACL) service defines the applications and application groups for which statistics are collected for a specific user or interface. The L-PDF configuration defines the way in which the statistics are output. To configure properties for statistics output, include the policy-decision-statistics-profile statement at the [edit accounting-options] hierarchy level. A new traceoptions configuration is available at the [edit system services local-policy-decision-function] hierarchy level. To configure a dynamic profile to attach a specified service set to an interface, include the service statement at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family inet] hierarchy level. To attach a service set to a static interface, include the service-set service-set-name statement at the [edit interfaces interface-name unit logical-unit-number family inet service (input | output)] hierarchy level. For more information on service sets, see Service Set Properties. The following related operational commands are supported:

show services local-policy-decision-function flows
show/clear services local-policy-decision-function statistics
show/clear services application-aware-access-list statistics

For more information on the CLI configuration, see Local Policy Decision Function Configuration Guidelines. For more information on the operational commands, see the Junos OS System Basics and Services Command Reference.

Configuring Multiple IDP Detectors


To configure multiple IDP detectors:

1. In configuration mode, go to the [edit security] hierarchy level:

user@host# edit security

2. Go to the [edit security idp sensor-configuration flow] hierarchy level:

[edit security]
user@host# edit idp sensor-configuration flow

3. Configure the no-reset-on-policy statement:

[edit security idp sensor-configuration flow]
user@host# set no-reset-on-policy

4. Verify the configuration:

[edit security]
user@host# show
idp {
    sensor-configuration {
        flow {
            no-reset-on-policy;
        }
    }
}

Related Documentation

IDP Overview on page 894

Best-Effort Application Identification of DPI-Serviced Flows


This topic describes the following information:

Features that Support Application-Level Filtering on page 897
Best-Effort Application Determination on page 898
APPID, AACL, and L-PDF Processing in Preconvergence Scenarios on page 898

Features that Support Application-Level Filtering


On MX Series routers equipped with Multiservices DPCs and M120 or M320 routers equipped with Multiservices 400 PICs, Intrusion Detection and Prevention (IDP) is accomplished by Deep Packet Inspection (DPI) of TCP, UDP, and ICMP flows. The application identification (APPID) feature defines applications as members of application groups in TCP/UDP/ICMP traffic. IDP depends on APPID for identification and detection of some Layer 7 applications. The application-aware access list (AACL) service uses application names and groups as matching criteria for filtering traffic. The service defines the applications and application groups for which statistics are collected for a specific user or interface. The local policy decision function (L-PDF) enables you to configure properties for statistics output. L-PDF supports a process that regulates collection of statistics related to applications and application groups and tracking of information about dynamic subscribers and static interfaces.

Best-Effort Application Determination


Typically, APPID conclusively determines the Layer 7 application associated with a given DPI-serviced flow. In these cases, the application identification is final. Occasionally, APPID is only able to make an initial, inconclusive determination of the Layer 7 application associated with a given flow. This is referred to as a "best-effort" application identification. In such cases, the APPID process continues processing packets on that flow and might subsequently make a conclusive determination of the application associated with that flow. In some cases of best-effort application identification, the flow ends before a final application determination can be made.

APPID, AACL, and L-PDF Processing in Preconvergence Scenarios


The following sections describe APPID, AACL, and L-PDF processing in various stages of application identification for a DPI-serviced flow of TCP/UDP/ICMP traffic.

Prior to a Final or Best-Effort Application Identification on page 898
Upon Best-Effort Application Identification on page 899
While Application Identification Is on a Best-Effort Basis on page 899
If a Flow Ends Before an Application Identification Is Made on page 899
If a Flow Ends While Application Identification Is on a Best-Effort Basis on page 899

Prior to a Final or Best-Effort Application Identification


During the time that APPID has not yet made either a final or best-effort determination of the application associated with a given flow, the flow does not contribute to any per-subscriber or per-application statistics collection. The output of the following operational mode commands includes flows for which APPID has not yet made either a final or best-effort determination of the associated application:

show services local-policy-decision-function flows (interface interface-name | subscriber subscriber-name)

show services application-aware-access-list flows (interface interface-name | subscriber subscriber-name)


In the command output, the Action field displays "accept" and the Application or Application group field displays unknown for a flow for which APPID has not yet made either a final or best-effort determination of the associated application.

Upon Best-Effort Application Identification


When a best-effort application determination is made, AACL does not apply any AACL term actions configured for that flow. There are a number of reasons for this, one being that the action itself (such as "discard") could make a final application determination impossible. Instead, AACL or L-PDF tracks the flow and accepts all packets for that flow until a final determination is made, at which time the normal AACL or L-PDF actions are fully applied to the flow.

While Application Identification Is on a Best-Effort Basis


During the time that APPID identification of the application associated with a given flow is on a best-effort basis, the flow does not contribute to any per-subscriber or per-application statistics collection. The output of the following operational mode commands includes flows for which APPID has only made a best-effort determination of the associated application:

show services local-policy-decision-function flows (interface interface-name | subscriber subscriber-name)

show services application-aware-access-list flows (interface interface-name | subscriber subscriber-name)

In the command output, the Action field displays "accept" and the Application or Application group field displays unknown for a flow for which APPID has only made a best-effort determination of the associated application.

If a Flow Ends Before an Application Identification Is Made


If a flow ends before APPID has made either a final or a best-effort application identification, AACL or L-PDF uses the "unknown" application ID as a final determination and performs any necessary collection, aggregation, and reporting of statistics based on that Layer 7 application. In particular, if the count AACL term action is configured for the "application-group-any" application, then the statistics for that flow will be collected and aggregated against the count bucket type, and reported as such.

If a Flow Ends While Application Identification Is on a Best-Effort Basis


If a flow ends while the application identification is on a best-effort basis, AACL or L-PDF uses that best-effort determination as a final determination. AACL or L-PDF performs any necessary collection, aggregation, and reporting of statistics based on that Layer 7 application. In particular, if the count AACL term action is configured for that Layer 7 application, then the statistics for the flow will be collected and aggregated against the AACL or L-PDF statistics. However, in the case of nested applications, AACL and L-PDF will not consider the best-effort determination as final and the nested application will be reported as an unknown application.


Related Documentation

Configuring AACL Rules on page 956
Configuring Statistics Profiles on page 975
aacl-fields on page 982
aacl-statistics-profile on page 983
rule on page 968
services on page 969
term on page 972
then on page 973


CHAPTER 41

Application Identification Configuration Guidelines


To configure application identification services (APPID), include the application-identification statement at the [edit services] hierarchy level:
[edit services]
application-identification {
    application application-name {
        disable;
        idle-timeout seconds;
        index number;
        session-timeout seconds;
        type type;
        type-of-service service-type;
        port-mapping {
            port-range {
                tcp (port | range);
                udp (port | range);
            }
            disable;
        }
    }
    application-group group-name {
        application-groups {
            name [application-group-name];
        }
        applications {
            name [application-name];
        }
        index number;
        disable;
    }
    application-system-cache-timeout seconds;
    enable-heuristics;
    max-checked-bytes bytes;
    min-checked-bytes bytes;
    nested-application name { ... }
    nested-application-settings { ... }
    no-application-identification;
    no-application-system-cache;
    no-clear-application-system-cache;
    no-protocol-method;
    no-signature-based;
    profile profile-name {
        [ rule-set rule-set-name ];
    }
    rule rule-name {
        disable;
        address address-name {
            destination {
                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            source {
                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            order number;
        }
        application application-name;
    }
    rule-set rule-set-name {
        rule application-rule-name;
    }
    traceoptions {
        file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }
}

This chapter contains the following sections:


- Defining an Application Identification on page 903
- Configuring APPID Rules on page 904
- Using Stateful Firewall Rules to Identify Data Sessions on page 906
- Configuring Application Profiles on page 908
- Configuring Application Groups on page 908
- Application Identification for Nested Applications on page 909
- Disabling Application Identification for Nested Applications on page 910
- Configuring Global APPID Properties on page 911
- Configuring Automatic Download of Application Package Updates on page 912
- Configuring APPID Support for Heuristics on page 912
- Configuring APPID Support for Unidirectional Traffic on page 913
- Tracing APPID Operations on page 913
- Examples: Configuring Application Identification Properties on page 915

Defining an Application Identification


To configure a specific IP address or port-based application identification, include the application application-name statement at the [edit services application-identification] hierarchy level:
application application-name {
    disable;
    idle-timeout seconds;
    index number;
    session-timeout seconds;
    type type;
    type-of-service service-type;
    port-mapping {
        port-range {
            tcp [ ports-and-port-ranges ];
            udp [ ports-and-port-ranges ];
        }
        disable;
    }
}

You can include the following general properties in the configuration:

- application: Application name, a required statement; maximum 31 characters. Predefined applications have the prefix junos- to avoid conflict with user-defined ones.
- idle-timeout: Amount of time that a session remains idle before it is deleted.
- index: Application index number in the range from 1 through 65,534, with integers 1 through 1024 reserved for predefined applications.
- session-timeout: Lifetime of a session.
- type: Well-known applications, such as HTTP or FTP.
- type-of-service: Type of service, defined by service objective. There is no default value; options are maximize-reliability, maximize-throughput, minimize-delay, and minimize-monetary-cost.
- disable: Disable this application definition in the APPID service.


NOTE: You can also specify session and idle timeout values globally for a Multiservices interface by including the following statements at the [edit interfaces interface-name services-options] hierarchy level:

- inactivity-non-tcp-timeout: Inactivity timeout period for non-TCP established sessions.
- inactivity-tcp-timeout: Inactivity timeout period for TCP established sessions.
- session-timeout: Lifetime of a session.
- disable-global-timeout-override: Disallow overriding a global inactivity or session timeout.

You can include the following port-mapping properties at the [edit services application-identification port-mapping] hierarchy level:

- port-range: TCP or UDP port number or numeric range, entered as [minimum-value maximum-value]. For port-mapping configurations, this entry is required if the parent node exists.
- disable: Disable port-mapping properties for this application.

NOTE: For applications with signatures for both client-to-server and server-to-client directions, the APPID for Dynamic Application Awareness must accept the data packets in both directions on the same session to complete the identification process.

For a configuration example, see Examples: Configuring Application Identification Properties on page 915.

Configuring APPID Rules


This configuration specifies the properties for identifying a known application by its source or destination IP address and port, without requiring an application signature. For example, the Session Initiation Protocol (SIP) server initiates a session from its identified port, 5060. You can therefore specify the SIP server IP address and port 5060 in the port mapping configuration for the SIP application. The advantage of this method is more efficient and accurate application identification for your network. To configure application rule properties, include the rule statement at the [edit services application-identification] hierarchy level:
rule rule-name {
    address address-name {
        destination {
            ip address</prefix-length>;
            port-range {
                tcp [ ports-and-port-ranges ];
                udp [ ports-and-port-ranges ];
            }
        }
        source {
            ip address</prefix-length>;
            port-range {
                tcp [ ports-and-port-ranges ];
                udp [ ports-and-port-ranges ];
            }
        }
        order number;
    }
    application application-name;
    disable;
}

You can include the following application rule properties:

- address: Address properties for APPID rule processing. This statement is mandatory; you must specify either destination or source properties.
- destination: Destination address and port information. The ip statement defines the IP address and netmask (IPv4 only), and the port-range statement defines the TCP or UDP port number or numeric range, entered as [minimum-value maximum-value].
- source: Source address and port information. The ip statement defines the IP address and netmask (IPv4 only), and the port-range statement defines the TCP or UDP port number or numeric range, entered as [minimum-value maximum-value].
- order: Application matching priority. For address configurations, the order number resolves the conflict when multiple address entries are matched for a specific session; the lower the number, the higher the priority. This statement is mandatory and must contain a unique value.
- application: Name of the application to be included in the rule.
- disable: Disable processing for this application rule.

The rule-set statement defines a collection of APPID rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services application-identification] hierarchy level with a rule statement for each rule:
rule-set rule-set-name {
    rule application-rule-name;
}

For a configuration example, see Examples: Configuring Application Identification Properties on page 915.


Using Stateful Firewall Rules to Identify Data Sessions


The APPID configuration properties enable the Junos OS to detect applications based on signatures, ports, and addresses. For signature-based detection, most of the protocol control sessions are identified, but data sessions are not identified. For example, APPID identifies FTP connections to port 21 (FTP control sessions); however, FTP can open child/data sessions to transfer files and data. These sessions are not identified by signature-based APPID because they do not have well-defined signatures. Application-level gateways (ALGs) configured using stateful firewall rules can assist APPID in identifying these data sessions. These sessions include file and video transfers that are heavy consumers of bandwidth, so a mechanism for policing and classifying this traffic effectively is a useful tool. In addition to FTP, this mechanism applies to TFTP and RTSP traffic. To incorporate the stateful firewall rules into Dynamic Application Awareness for Junos OS sessions, include the following configurations:
1. Include the stateful firewall package at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level:

package jservices-sfw;

2. Define two stateful firewall rules as shown in the following example, one to identify the appropriate ALGs for FTP, TFTP, or RTSP traffic and the other to allow all traffic:

NOTE: Session Initiation Protocol (SIP) is already covered by APPID and the SIP ALG is not supported by stateful firewall, hence a SIP configuration is not needed.

[edit services]
stateful-firewall {
    rule rule1 {
        match-direction input-output;
        term term1 {
            from {
                applications [ junos-ftp junos-tftp junos-rtsp ];
            }
            then {
                accept;
            }
        }
    }
    rule rule2 {
        match-direction input-output;
        term term1 {
            then {
                accept;
            }
        }
    }
    rule-set rs1 {
        rule rule1;
        rule rule2;
    }
}

NOTE: The existing AACL and L-PDF operational mode commands should report the new applications when they are identified.

3. Attach the stateful firewall rule set to a service set, as shown in the following example:

service-set test-chaining {
    application-identification-profile add-based;
    stateful-firewall-rule-sets rs1;
    idp-profile idp1;
    aacl-rules rule1;
    interface-service {
        service-interface ms-2/0/0.0;
    }
}
4. Include no-drop settings for stateful firewall and TCP, as needed.

Stateful firewall processing drops packets in a number of scenarios:

- TCP sessions do not start with a SYN flag. (This prevents sessions from resuming; otherwise, when the PIC starts for the first time, all existing TCP sessions in flight will be dropped.)
- If the TCP tracker detects SYN but no SYN/ACK or only an ACK, then the ACK is dropped. There are a number of similar checks to verify the TCP connection, window checks, and so forth.
- TCP checks for stateful firewall are aggressive when ALGs are run. It is not possible to ignore TCP errors when an ALG is run on a session.
- If an ALG detects malformed packets (for example, if the FTP PORT command is not RFC-compliant), it drops packets.
- If an ALG is not able to allocate resources, it drops packets.

You can include the settings shown in the following example to assist in controlling these packet drops:
[edit interfaces]
ms-1/2/0 {
    services-options {
        ignore-errors {
            tcp;
            alg;
        }
    }
}


The tcp statement mediates the first two issues listed, with reference to TCP SYN detection. The alg statement handles the fourth issue. ALGs require strict TCP processing, which cannot be relaxed.

Configuring Application Profiles


You can define an application profile for use in a service set. The profile consists of one or more rule sets, but only one profile can be included per service set. To specify the application profile constituents, include the profile statement at the [edit services application-identification] hierarchy level:
profile profile-name {
    [ rule-set rule-set-name ];
}

You assign a profile name and include one or more predefined rule sets. For more information on rule sets, see Configuring APPID Rules on page 904. You can then include the profile in a service-set definition:
[edit services]
service-set service-set-name {
    profile profile-name;
}

The definitions specific to Dynamic Application Awareness include the APPID and IDP profiles and the AACL rule set. For more information on service sets, see Service Set Properties.

Configuring Application Groups


You can define an application group to process a number of applications or subgroups at the same time. To configure application group properties, include the application-group statement at the [edit services application-identification] hierarchy level:
application-group group-name {
    application-groups {
        application-group-name;
    }
    applications {
        application-name;
    }
    index number;
    disable;
}

You can include the following application group properties:

- applications: List of applications to include in this application group. The name statement is mandatory and must include at least one entry.
- application-groups: List of application groups to include in a larger application group. The name statement is mandatory and must include at least one entry.
- index: Application group index number in the range from 1 through 65,534. This mandatory value must be unique.
- disable: Disable processing for this application group.

For a configuration example, see Examples: Configuring Application Identification Properties on page 915.

Application Identification for Nested Applications


The application identification feature is used by intrusion detection and prevention (IDP) to allow or deny traffic based on applications running on standard or nonstandard ports. Nested applications are protocols running over the parent application. For example, both Facebook and Yahoo Messenger can run over HTTP, but there is a need to identify them as two different applications. To do this, the application layer is split into two layers: Layer 7 applications and Layer 7 protocols. The predefined application signatures included with Junos OS have been created to detect the Layer 7 nested applications. Predefined application signatures can be used in attack objects. To configure nested application properties, include the nested-application statement at the [edit services application-identification] hierarchy level:
nested-application name {
    index number;
    protocol protocol;
    signature name {
        chain-order;
        maximum-transactions number;
        member name {
            context (http-header-content-type | http-header-host | http-url-parsed | http-url-parsed-param-parsed);
            direction (any | client-to-server | server-to-client);
            pattern dfa-pattern;
        }
        order number;
    }
    type type;
}

You can include the following nested application properties:

- chain-order: Signatures can contain multiple members. If the chain order feature is on, those members are read in order. The default for this option is no chain order. If a signature contains only one member, this option is ignored.
- context: Define a service-specific context. The options are http-header-content-type, http-header-host, http-url-parsed, and http-url-parsed-param-parsed. This statement is mandatory.
- direction: The connection direction of the packets to which pattern matching is applied. The options are client-to-server, server-to-client, or any. This statement is mandatory.
- index: A number that is a one-to-one mapping to the application name and is used to ensure that each signature definition is unique. The index range for predefined applications is 1 through 32767. The index range for custom applications and custom nested applications is 32768 through 65534.
- maximum-transactions: The maximum number of transactions that should occur before a match is made. This statement is mandatory.
- member: Define a member name for a custom nested application signature definition. Custom definitions can contain multiple members that define attributes for an application.
- order: Define application matching priority. For address configurations, the order number resolves the conflict when multiple address entries are matched for a specific session. The lower number has higher priority. This statement is mandatory.
- pattern: Define an attack pattern to be detected. This statement is mandatory.
- protocol: The protocol that will be monitored to identify nested applications. The value http is supported. This statement is mandatory.
- signature: Name of the custom nested application signature definition. Must be a unique name with a maximum length of 32 characters. This statement is mandatory.
- type: Well-known application name for this application definition, such as Facebook or Kazaa. This application name must be unique with a maximum length of 32 characters. This statement is mandatory.

Disabling Application Identification for Nested Applications


Sometimes there is a need to identify multiple different applications running on the same Layer 7 protocols. For example, both Facebook and Yahoo Messenger can run over HTTP, but there is a need to identify them as two different applications. To do this, the application layer is split into two layers: Layer 7 applications and Layer 7 protocols. Application identification for nested applications is turned on by default. You can manually turn it off by using the CLI. To disable nested application identification:

Set the no-nested-application statement:

[edit services application-identification nested-application-settings]
user@host# set no-nested-application

To verify the configuration, issue the show services application-identification nested-application-settings command. To reenable nested application identification:

Delete the no-nested-application statement:

[edit services application-identification nested-application-settings]
user@host# delete no-nested-application


If you are finished configuring the device, commit the configuration.

Related Documentation

- Application Identification for Nested Applications on page 909

Configuring Global APPID Properties


You can define additional properties that apply on a global basis to APPID processing and are not part of a specific application, group, rule, or profile definition. To configure these global APPID properties, include the following statements at the [edit services application-identification] hierarchy level:
[edit services]
application-identification {
    application-system-cache-timeout seconds;
    max-checked-bytes bytes;
    min-checked-bytes bytes;
    nested-application name { ... }
    nested-application-settings { ... }
    no-application-identification;
    no-application-system-cache;
    no-clear-application-system-cache;
    no-protocol-method;
    no-signature-based;
}

The global application properties have the following effect:


- application-system-cache-timeout: Lifetime for system cache entries, in seconds.
- max-checked-bytes: The maximum number of bytes to be inspected in APPID processing, in the range from 0 through 100,000 bytes.
- min-checked-bytes: The minimum number of bytes to be inspected in APPID processing, in the range from 0 through 2000 bytes.
- nested-application: Configure a custom nested application definition for the desired application name that will be used by the system to identify the nested application as it passes through the device. For more information, see nested-application.
- nested-application-settings: Configure nested application options for application identification services. For more information, see nested-application-settings.
- no-application-identification: Disable all application identification methods.
- no-application-system-cache: Disable storing application identification results in the application system cache.
- no-clear-application-system-cache: Disable clearing the application system cache.
- no-protocol-method: Disable the protocol-based application identification method, which is enabled by default.
- no-signature-based: Disable the signature-based application identification method.


Configuring Automatic Download of Application Package Updates


You can set up automatic downloading of application package updates. To configure downloads, include the download statement at the [edit services application-identification] hierarchy level:
download {
    automatic {
        interval hour;
        start-time time;
    }
    url url;
}

You can include the following download statements:


- download: Define download properties.
- automatic: Set start-time value and interval in hours for automatic downloads. The default start-time is 0:00 and the range is from 0:00 through 24:00. The default interval is 24 and the range is from 1 through 168.
- url: Specify the download URL.

Configuring APPID Support for Heuristics


Heuristics methodology provides a mechanism for identifying encrypted data packets in point-to-point applications. These packets are not normally detected by the existing application signatures. To enable APPID to employ heuristics in traffic identification:
1. Include the enable-heuristics statement:

[edit services application-identification]
user@host# set enable-heuristics

The show services application-identification counter operational command includes additional output fields that report the number of encrypted sessions.

NOTE: When you enable heuristics, performance and scaling values might be negatively affected. This mechanism assists the APPID module in identifying encrypted traffic, but only if the identifications are supported by the current signature package.


Configuring APPID Support for Unidirectional Traffic


With asymmetrical routing, a networking device sees only one side of the network sessions, either from client to server or from server to client. Additional functionality is required to support application identification with unidirectional traffic. This addition enables a session for a specified service set to support an asymmetrical routing environment, and allows complete application matches using existing application signatures for traffic in the client-to-server direction only. To enable APPID to support application matching on unidirectional traffic:
1. Include the support-uni-directional-traffic statement:

[edit services service-set service-set-name service-set-options]
user@host# set support-uni-directional-traffic

This enables the session belonging to the specified service set to support the asymmetrical routing environment. The APPID module then reports complete matches for the unidirectional traffic.

2. Include the enable-asymmetric-traffic-processing statement:

[edit services service-set service-set-name service-set-options]
user@host# set enable-asymmetric-traffic-processing

This enables the framework and plug-in to handle unidirectional traffic at a service-set level. When you enable these settings, APPID treats unidirectional TCP traffic like a UDP connection. UDP traffic itself does not receive any special treatment because the service PIC cannot determine whether UDP traffic is unidirectional or bidirectional. The settings do not affect processing of sessions created with bidirectional traffic. If the traffic includes both unidirectional and bidirectional sessions, the APPID module uses heuristics to decide whether to change the reporting logic.

NOTE: This feature does not change the processing for any services except APPID. However, other services, including stateful firewall, AACL, and IDP, can process unidirectional traffic in a limited manner.

Tracing APPID Operations


Tracing operations track all adaptive services operations and record them in a log file. The logged error descriptions provide detailed information to help you solve problems faster. By default, no events are traced. If you include the traceoptions statement at the [edit services application-identification] hierarchy level, the default tracing behavior is as follows:


Important events are logged in a file called serviced located in the /var/log directory. When the file serviced reaches 128 kilobytes (KB), it is renamed serviced.0, then serviced.1, and so on, until there are three trace files. Then the oldest trace file (serviced.2) is overwritten. (For more information about how log files are created, see the Junos OS System Log Messages Reference.) Only the user who configures the tracing operation can access the log files. To display the end of the log, issue the show log serviced | last operational mode command:
[edit]
user@host# run show log serviced | last

You cannot change the directory (/var/log) in which trace files are located. However, you can customize the other trace file settings by including the following statements:
file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
flag {
    all;
}

You configure these statements at the [edit services application-identification traceoptions] hierarchy level. These statements are described in the following sections:

- Configuring the APPID Log Filename on page 914
- Configuring the Number and Size of APPID Log Files on page 914
- Configuring Access to the Log File on page 915
- Configuring a Regular Expression for Lines to Be Logged on page 915
- Configuring the Tracing Flags on page 915

Configuring the APPID Log Filename


By default, the name of the file that records trace output is serviced. You can specify a different name by including the file statement at the [edit services application-identification traceoptions] hierarchy level:
file filename;

Configuring the Number and Size of APPID Log Files


By default, when the trace file reaches 128 kilobytes (KB) in size, it is renamed filename.0, then filename.1, and so on, until there are three trace files. Then the oldest trace file (filename.2) is overwritten. You can configure the limits on the number and size of trace files by including the following statements at the [edit services application-identification traceoptions] hierarchy level:
file files number size size;


For example, set the maximum file size to 2 MB, and the maximum number of files to 20. When the file that receives the output of the tracing operation (filename) reaches 2 MB, filename is renamed filename.0, and a new file called filename is created. When the new filename reaches 2 MB, filename.0 is renamed filename.1 and filename is renamed filename.0. This process repeats until there are 20 trace files. Then the oldest file (filename.19) is overwritten by the newest file (filename.0). The number of files can be from 2 through 1000 files. The file size of each file can be from 10 KB through 1 gigabyte (GB).

Configuring Access to the Log File


By default, only the user who configures the tracing operation can access log files. To specify that any user can read all log files, include the file world-readable statement at the [edit services application-identification traceoptions] hierarchy level:
file world-readable;

To explicitly set the default behavior, include the file no-world-readable statement at the [edit services application-identification traceoptions] hierarchy level:
file no-world-readable;

Configuring a Regular Expression for Lines to Be Logged


By default, the trace operation output includes all lines relevant to the logged events. You can refine the output by including the match statement at the [edit services application-identification traceoptions file filename] hierarchy level and specifying a regular expression (regex) to be matched:
file filename match regex;

Configuring the Tracing Flags


By default, if the traceoptions configuration is present, only important events are logged. You can configure the trace operations to be logged by including the following statements at the [edit services application-identification traceoptions] hierarchy level:
flag { all; }

Currently, the only supported flag is all, which instructs the router to trace all operations.

Examples: Configuring Application Identification Properties


The following example shows an address-based application identification configuration:

[edit services application-identification]
rule rule1 {
    application test2;
    address 1 {
        source {
            ip 10.110.1.1/16;
            port-range {
                tcp 1110-1150;
            }
        }
        destination {
            ip 10.11.1.1/16;
            port-range {
                tcp 111-1100;
            }
        }
        order 1;
    }
}
[edit services application-identification]
rule-set rs1 {
    rule rule1;
}
profile pf1 {
    rule-set rs1;
}
[edit services]
service-set sset1 {
    application-identification-profile pf1;
}
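To make the matching semantics from Configuring APPID Rules and the address-based example above concrete, here is an added Python model (not Juniper code, and not how the Junos services PIC implements it) of how a session is matched against address entries: a session must satisfy every configured side of an entry, an entry that lists only TCP ports never matches a UDP session, and when several entries match, the lowest order number wins. The rule1 entry is the chapter's example; rule2, rule3, their addresses and the sessions are constructed here, and treating order as a priority across the whole rule set is an assumption.

```python
"""Added model of Junos APPID address-based rule matching (illustration only,
not Juniper's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    """One side (source or destination) of an 'address' entry."""
    ip: Optional[str] = None                                   # IPv4 prefix, host bits ignored
    tcp: List[Tuple[int, int]] = field(default_factory=list)   # inclusive port ranges
    udp: List[Tuple[int, int]] = field(default_factory=list)

    def matches(self, addr: str, proto: str, port: int) -> bool:
        if self.ip is not None and ip_address(addr) not in ip_network(self.ip, strict=False):
            return False
        if not self.tcp and not self.udp:      # no port-range at all: port-agnostic
            return True
        ranges = self.tcp if proto == "tcp" else self.udp
        # A tcp-only entry never matches a UDP session, and vice versa.
        return any(lo <= port <= hi for lo, hi in ranges)


@dataclass
class AddressEntry:
    name: str
    order: int                                 # lower number = higher priority
    source: Optional[Endpoint] = None
    destination: Optional[Endpoint] = None

    def matches(self, s: "Session") -> bool:
        if self.source is None and self.destination is None:
            raise ValueError(f"address {self.name}: source or destination is required")
        if self.source and not self.source.matches(s.src_ip, s.proto, s.src_port):
            return False
        if self.destination and not self.destination.matches(s.dst_ip, s.proto, s.dst_port):
            return False
        return True


@dataclass
class Rule:
    name: str
    application: str
    addresses: List[AddressEntry]
    disable: bool = False


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def validate_rule_set(rule_set: List[Rule]) -> None:
    """The chapter requires every order value to be unique; reject duplicates up front."""
    orders = [e.order for r in rule_set for e in r.addresses]
    if len(orders) != len(set(orders)):
        raise ValueError("order values must be unique across the rule set")


def identify(rule_set: List[Rule], s: Session) -> Optional[Tuple[str, str, str]]:
    """Return (application, rule name, address name) for the winning entry, or None
    when no address-based rule matches (APPID then relies on its other methods)."""
    validate_rule_set(rule_set)
    hits = [(e, r) for r in rule_set if not r.disable
            for e in r.addresses if e.matches(s)]
    if not hits:
        return None
    entry, rule = min(hits, key=lambda h: h[0].order)     # lowest order wins
    return rule.application, rule.name, entry.name


# rule1 is the chapter's example; rule2 and rule3 are constructed for illustration.
RULE_SET = [
    Rule("rule1", "test2", [AddressEntry(
        "1", 1,
        source=Endpoint("10.110.1.1/16", tcp=[(1110, 1150)]),
        destination=Endpoint("10.11.1.1/16", tcp=[(111, 1100)]))]),
    Rule("rule2", "sip-custom", [AddressEntry(
        "sip-srv", 2, destination=Endpoint("10.11.5.5/32", tcp=[(5060, 5060)]))]),
    Rule("rule3", "legacy-app", [AddressEntry(
        "legacy-srv", 3, destination=Endpoint("10.11.3.3/32", tcp=[(1000, 1000)]))]),
]

if __name__ == "__main__":
    for sess in (Session("10.110.7.7", 1120, "10.11.3.3", 1000),          # rule1 and rule3 match
                 Session("10.200.1.1", 4000, "10.11.3.3", 1000),          # only rule3 matches
                 Session("10.110.7.7", 2000, "10.11.3.3", 443),           # source port outside range
                 Session("10.110.7.7", 1120, "10.11.5.5", 5060, "udp")):  # tcp-only entry, UDP flow
        print(sess, "->", identify(RULE_SET, sess))
```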

The following examples show application group configuration:

[edit services application-identification]
application-group junos:peer-to-peer {
    index 5;
    application-groups {
        junos:chat;
        junos:file-sharing;
        junos:voip;
    }
}
[edit services application-identification]
application-group junos:voip {
    index 14;
    applications {
        junos:h225ras;
        junos:h225sgn;
        junos:mgcp;
        junos:sip;
    }
}

The following example shows application identification for a nested application configuration:

nested-application nested1 {
    type nested1;
    index 65345;
    protocol HTTP;
    signature nestedcust001 {
        member m01 {
            context http-url-parsed;
            pattern .*nested.*;
            direction any;
        }
        maximum-transactions 2;
        order 3825;
    }
}
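An added Python model (not Juniper code) of how a custom nested-application signature such as nestedcust001 above is evaluated against the HTTP transactions of a flow, covering the chain-order, maximum-transactions and order semantics from Application Identification for Nested Applications: every member must match within the first maximum-transactions transactions, in listed sequence when chain-order is set, and when several nested applications match the lowest order wins. The per-transaction context values, the second signature chatapp, and the treatment of dfa-pattern as a Python regular expression matched against the whole context value are assumptions made here.

```python
"""Added model of nested-application signature matching (illustration only,
not Juniper's implementation)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

C2S, S2C = "client-to-server", "server-to-client"


@dataclass
class Transaction:
    """One HTTP request/response pair; values already extracted per context,
    keyed first by direction (constructed input, not PIC output)."""
    contexts: Dict[str, Dict[str, str]]


@dataclass
class Member:
    name: str
    context: str     # http-header-content-type | http-header-host | http-url-parsed | ...
    direction: str   # any | client-to-server | server-to-client
    pattern: str     # dfa-pattern, modelled as a regex over the whole value (assumption)

    def hits(self, t: Transaction) -> bool:
        dirs = (C2S, S2C) if self.direction == "any" else (self.direction,)
        for d in dirs:
            value = t.contexts.get(d, {}).get(self.context)
            if value is not None and re.fullmatch(self.pattern, value):
                return True
        return False


@dataclass
class Signature:
    name: str
    members: List[Member]
    maximum_transactions: int   # stop looking after this many transactions
    order: int                  # lower number = higher priority
    chain_order: bool = False   # ignored when there is only one member


@dataclass
class NestedApplication:
    name: str
    type: str
    index: int       # custom nested applications use 32768 through 65534
    protocol: str    # only http is supported
    signature: Signature


def signature_matches(sig: Signature, txns: List[Transaction]) -> bool:
    window = txns[:sig.maximum_transactions]
    if len(sig.members) == 1 or not sig.chain_order:
        pending = set(range(len(sig.members)))       # members may match in any order
        for t in window:
            pending -= {i for i in pending if sig.members[i].hits(t)}
            if not pending:
                return True
        return False
    nxt = 0                                          # chain-order: members in sequence
    for t in window:
        while nxt < len(sig.members) and sig.members[nxt].hits(t):
            nxt += 1                                 # several members may hit one transaction
        if nxt == len(sig.members):
            return True
    return False


def identify_nested(apps: List[NestedApplication], protocol: str,
                    txns: List[Transaction]) -> Optional[str]:
    """Return the type of the winning nested application, or None, which AACL
    and L-PDF would report as the unknown application."""
    hits = [a for a in apps
            if a.protocol.lower() == protocol.lower() and signature_matches(a.signature, txns)]
    return min(hits, key=lambda a: a.signature.order).type if hits else None


def make_txn(host: str = None, url: str = None, ctype: str = None) -> Transaction:
    """Build a constructed transaction from the pieces a request/response carries."""
    c2s = {k: v for k, v in {"http-header-host": host, "http-url-parsed": url}.items() if v}
    s2c = {"http-header-content-type": ctype} if ctype else {}
    return Transaction({C2S: c2s, S2C: s2c})


# nested1 is the chapter's example; chatapp is constructed to show chain-order.
NESTED1 = NestedApplication("nested1", "nested1", 65345, "HTTP", Signature(
    "nestedcust001", [Member("m01", "http-url-parsed", "any", r".*nested.*")],
    maximum_transactions=2, order=3825))
CHATAPP = NestedApplication("chatapp", "chatapp", 65346, "http", Signature(
    "chatcust001",
    [Member("m01", "http-header-host", C2S, r".*chat\.example\.net"),
     Member("m02", "http-header-content-type", S2C, r"application/x-chat.*")],
    maximum_transactions=4, order=3900, chain_order=True))
APPS = [NESTED1, CHATAPP]

if __name__ == "__main__":
    flow = [make_txn("www.example.com", "/index.html", "text/html"),
            make_txn("www.example.com", "/nested/app?id=1", "text/html")]
    print(identify_nested(APPS, "http", flow))   # nested1
```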


CHAPTER 42

Summary of Application Identification Configuration Statements


The following sections explain each of the application identification configuration statements. The statements are organized alphabetically.


address

Syntax

address address-name {
    destination {
        ip address</prefix-length>;
        port-range {
            tcp [ ports-and-port-ranges ];
            udp [ ports-and-port-ranges ];
        }
    }
    source {
        ip address</prefix-length>;
        port-range {
            tcp [ ports-and-port-ranges ];
            udp [ ports-and-port-ranges ];
        }
    }
    order number;
}

Hierarchy Level

[edit services application-identification rule rule-name]

Release Information

Statement introduced in Junos OS Release 9.5.

Description

Define address properties for application-identification rule processing. This statement is mandatory; you must specify either the destination or source properties.

Options

address-name: Identifier for address information.

The remaining statements are explained separately.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Configuring APPID Rules on page 904


application

See the following sections:

- application (Defining) on page 921
- application (Including in Rule) on page 922

application (Defining)

Syntax

application application-name {
    disable;
    idle-timeout seconds;
    index number;
    port-mapping {
        disable;
        port-range {
            tcp [ ports-and-port-ranges ];
            udp [ ports-and-port-ranges ];
        }
    }
    session-timeout seconds;
    type type;
    type-of-service service-type;
}

Hierarchy Level

[edit services application-identification]

Release Information

Statement introduced in Junos OS Release 9.5.

Description

Define the application and its properties. The remaining statements are explained separately.

Options

application-name: Identifier for the application. This is a mandatory value and has a maximum length of 32 characters.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation

Defining an Application Identification on page 903


application (Including in Rule)

Syntax
  application application-name;

Hierarchy Level
  [edit services application-identification rule rule-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Identify the application for inclusion in a rule.

Options
  application-name: Identifier for the application.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904

application-group

Syntax
  application-group group-name {
    disable;
    application-groups {
      application-group-name;
    }
    applications {
      application-name;
    }
    index number;
  }

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define the properties and contents of the application group.

Options
  group-name: Unique identifier for the group.
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Groups on page 908


application-groups

Syntax
  application-groups {
    application-group-name;
  }

Hierarchy Level
  [edit services application-identification application-group group-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Identify the list of application groups for inclusion in a larger application group. An application-group-name statement is mandatory.

Options
  application-group-name: Identifier for the application group. Maximum length is 32 characters.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Groups on page 908

application-system-cache-timeout

Syntax
  application-system-cache-timeout seconds;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Configure the lifetime for entries in the application system cache.

Options
  seconds: Lifetime for system cache entries, in seconds.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911


applications

Syntax
  applications {
    application-name;
  }

Hierarchy Level
  [edit services application-identification application-group group-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Identify the list of applications for inclusion in the application group.

Options
  application-name: Identifier for the application. Maximum length is 32 characters.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Groups on page 908

automatic

Syntax
  automatic {
    interval hour;
    start-time time;
  }

Hierarchy Level
  [edit services application-identification download]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define automatic download properties.

Options
  interval hour: Download interval in hours. The default is 24 and the range is from 1 through 168.
  start-time time: Start-time value. The default is 0:00 and the range is from 0:00 through 24:00.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Automatic Download of Application Package Updates on page 912


chain-order

Syntax
  chain-order;

Hierarchy Level
  [edit services application-identification nested-application name signature name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Signatures can contain multiple members. If the chain order feature is on, those members are read in order. By default, chain ordering is turned off. If a signature contains only one member, this option is ignored.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909

context

Syntax
  context (http-header-content-type | http-header-host | http-url-parsed | http-url-parsed-param-parsed);

Hierarchy Level
  [edit services application-identification nested-application name signature name member name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Define a service-specific context, such as http-url.

Options
  value: Service-specific context.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909


destination

Syntax
  destination {
    ip address</prefix-length>;
    port-range {
      tcp [ ports-and-port-ranges ];
      udp [ ports-and-port-ranges ];
    }
  }

Hierarchy Level
  [edit services application-identification rule rule-name address address-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define destination properties for application-identification rule processing.

Options
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904

direction

Syntax
  direction (any | client-to-server | server-to-client);

Hierarchy Level
  [edit services application-identification nested-application name signature name member name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Specify the connection direction of the packets to apply pattern matching.

Options
  direction: The directions of packets are client-to-server, server-to-client, or any.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909


disable

See the following sections:

  disable (APPID Application) on page 927
  disable (APPID Application Group) on page 927
  disable (APPID Port Mapping) on page 928

disable (APPID Application)

Syntax
  disable;

Hierarchy Level
  [edit services application-identification application application-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable this application definition.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903

disable (APPID Application Group)

Syntax
  disable;

Hierarchy Level
  [edit services application-identification application-group group-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable application group properties.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Groups on page 908


disable (APPID Port Mapping)

Syntax
  disable;

Hierarchy Level
  [edit services application-identification application application-name port-mapping]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable port-mapping properties for application identification.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903

disable-global-timeout-override

Syntax
  disable-global-timeout-override;

Hierarchy Level
  [edit interfaces interface-name services-options]

Release Information
  Statement introduced in Junos OS Release 10.0.

Description
  Disallow overriding a global inactivity or session timeout.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903


download

Syntax
  download {
    automatic {
      interval hour;
      start-time time;
    }
    url url;
  }

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define application download properties.

Options
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Automatic Download of Application Package Updates on page 912


enable-asymmetric-traffic-processing

Syntax
  enable-asymmetric-traffic-processing;

Hierarchy Level
  [edit services service-set service-set-name service-set-options]

Release Information
  Statement introduced in Junos OS Release 11.2.

Description
  Enables APPID to perform application matching on unidirectional traffic.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Support for Unidirectional Traffic on page 913

enable-heuristics

Syntax
  enable-heuristics;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 11.2.

Description
  Enables APPID to identify encrypted data packets in point-to-point applications by using heuristics methodology.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Support for Heuristics on page 912


idle-timeout

Syntax
  idle-timeout seconds;

Hierarchy Level
  [edit services application-identification application application-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define idle timeout for an application in seconds. When the timeout period expires, the session ends if no packets have been received.

Options
  seconds: Idle timeout period.
  Default: 30
  Range: 1 through 604,800

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903

ignore-errors

Syntax
  ignore-errors <alg> <tcp>;

Hierarchy Level
  [edit interfaces interface-name services-options]

Release Information
  Statement introduced in Junos OS Release 10.1.

Description
  Define settings for minimizing TCP packet drops during stateful firewall processing.

Options
  alg: Mediate ALG behavior that results in dropping malformed packets or random packets when the software is unable to allocate resources.
  tcp: Prevent software from dropping packets that fail TCP SYN checks.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903


inactivity-non-tcp-timeout

Syntax
  inactivity-non-tcp-timeout seconds;

Hierarchy Level
  [edit interfaces interface-name services-options]

Release Information
  Statement introduced in Junos OS Release 10.0.

Description
  Define the inactivity timeout period for non-TCP established sessions in seconds.

Options
  seconds: Timeout period.
  Range: 4 through 86,400

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903

inactivity-tcp-timeout

Syntax
  inactivity-tcp-timeout seconds;

Hierarchy Level
  [edit interfaces interface-name services-options]

Release Information
  Statement introduced in Junos OS Release 10.0.

Description
  Define the inactivity timeout period for TCP established sessions in seconds.

Options
  seconds: Timeout period.
  Range: 4 through 86,400

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903


index (Nested Applications)

Syntax
  index number;

Hierarchy Level
  [edit services application-identification nested-application name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Set a number that is a one-to-one mapping to the application name. The application name is used to ensure that each signature definition is unique.

Options
  number: Numeric value associated with an application name. The index range for predefined applications is from 1 through 32767. The index range for custom applications and custom nested applications is from 32768 through 65534.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909

index

Syntax
  index number;

Hierarchy Level
  [edit services application-identification application application-name],
  [edit services application-identification application-group group-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Assign an application or application-group index number. This is a mandatory value.

Options
  number: Index number; must be a unique, unsigned value.
  Range: 0 through 65535

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903
  Configuring Application Groups on page 908


ip

Syntax
  ip address</prefix-length>;

Hierarchy Level
  [edit services application-identification rule rule-name address destination],
  [edit services application-identification rule rule-name address source]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define an IP address and netmask for identifying the traffic destination or source.

Options
  address</prefix-length>: IP address and netmask.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904

max-checked-bytes

Syntax
  max-checked-bytes bytes;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Specify the maximum number of bytes to be inspected.

Options
  bytes: Maximum number of bytes.
  Range: 0 through 100,000

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911


maximum-transactions

Syntax
  maximum-transactions number;

Hierarchy Level
  [edit services application-identification nested-application name signature name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Set the maximum number of transactions required before a match is made.

Options
  number: Maximum number of transactions.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909

member

Syntax
  member name;

Hierarchy Level
  [edit services application-identification nested-application name signature name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Define a member name for a custom nested application signature definition. Custom definitions can contain multiple members that define attributes for an application.

Options
  name: Name of member for a custom nested application signature definition.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909


min-checked-bytes

Syntax
  min-checked-bytes bytes;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Specify the minimum number of bytes to be inspected.

Options
  bytes: Minimum number of bytes.
  Range: 0 through 2000

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911


nested-application

Syntax
  nested-application name {
    index number;
    protocol protocol;
    signature name {
      chain-order;
      maximum-transactions number;
      member name {
        context (http-header-content-type | http-header-host | http-url-parsed | http-url-parsed-param-parsed);
        direction (any | client-to-server | server-to-client);
        pattern dfa-pattern;
      }
      order number;
    }
    type type;
  }

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Configure a custom nested application definition for the desired application name that will be used by the system to identify the nested application as it passes through the device. Custom nested application definitions can be used for nested applications that are not part of the Juniper Networks predefined nested application database.

Options
  name: Name of nested application.
  The remaining statements are explained separately.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909


nested-application-settings

Syntax
  nested-application-settings {
    no-application-system-cache;
    no-nested-application;
  }

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Configure nested application options for application identification services.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909

no-application-identification

Syntax
  no-application-identification;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable all application identification methods.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911


no-application-system-cache

Syntax
  no-application-system-cache;

Hierarchy Level
  [edit services application-identification],
  [edit services application-identification nested-application-settings]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable storing application identification results in the application system cache. Nested application identification information is saved in the application system cache to improve performance. This cache is updated when a different application is identified. This caching is turned on by default. Use the no-application-system-cache statement to turn it off.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911
  Application Identification for Nested Applications on page 909

no-clear-application-system-cache

Syntax
  no-clear-application-system-cache;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable clearing the application system cache.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911


no-nested-application

Syntax
  no-nested-application;

Hierarchy Level
  [edit services application-identification nested-application-settings]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Sometimes there is a need to identify multiple different applications running on the same Layer 7 protocols. For example, both Facebook and Yahoo Messenger can run over HTTP, but there is a need to identify them as two different applications. To do this, the application layer is split into two layers: Layer 7 applications and Layer 7 protocols. This function is turned on by default. Use the no-nested-application statement to turn it off.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909

no-protocol-method

Syntax
  no-protocol-method;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 10.1.

Description
  Disable the protocol-based application identification method.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911


no-signature-based

Syntax
  no-signature-based;

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Disable the signature-based application identification method.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Global APPID Properties on page 911

order

Syntax
  order number;

Hierarchy Level
  [edit services application-identification nested-application name signature name member name],
  [edit services application-identification rule rule-name address]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define application matching priority. For address configurations, the order number resolves the conflict when multiple address entries are matched for a specific session. The lower number has higher priority.

Options
  number: Order number. This value is mandatory and must be unique.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904
  Application Identification for Nested Applications on page 909


pattern

Syntax
  pattern dfa-pattern;

Hierarchy Level
  [edit services application-identification nested-application name signature name member name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Define an attack pattern to be detected.

Options
  dfa-pattern: Pattern of attack to match. Deterministic Finite Automata (DFA) is a powerful pattern matching engine.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909
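An added Python illustration, not Junos code, of how the nested-application signature statements fit together (member, context, direction, pattern, chain-order, maximum-transactions and order). It reuses the nestedcust001 signature from the configuration fragment at the start of this chapter and adds one constructed chain-ordered signature; the Member, Signature and Transaction classes are hypothetical, the DFA pattern is treated as a Python regular expression, and the reading of chain-order and maximum-transactions (members must match within the first maximum-transactions HTTP transactions, in listed sequence when chain-order is set, lower order wins between matching signatures) is an assumption for the example, not a specification.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of nested-application signature matching (illustration
# only, not Junos code). The chain-order / maximum-transactions semantics and
# the lower-order-wins tie-break are assumptions made for this example.

CONTEXTS = ("http-header-content-type", "http-header-host",
            "http-url-parsed", "http-url-parsed-param-parsed")
DIRECTIONS = ("any", "client-to-server", "server-to-client")


@dataclass(frozen=True)
class Transaction:
    """One HTTP request or response with its parsed context values."""
    direction: str                                  # client-to-server | server-to-client
    contexts: dict = field(default_factory=dict)    # context name -> extracted value


@dataclass(frozen=True)
class Member:
    context: str       # one of CONTEXTS
    pattern: str       # dfa-pattern, treated here as a Python regex
    direction: str     # one of DIRECTIONS

    def __post_init__(self):
        if self.context not in CONTEXTS:
            raise ValueError(f"unknown context {self.context!r}")
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {self.direction!r}")

    def matches(self, txn: Transaction) -> bool:
        if self.direction != "any" and self.direction != txn.direction:
            return False
        value = txn.contexts.get(self.context)
        return value is not None and re.fullmatch(self.pattern, value) is not None


@dataclass
class Signature:
    name: str
    members: list
    maximum_transactions: int   # transactions examined before giving up
    order: int                  # matching priority; lower wins (assumption)
    chain_order: bool = False   # members must match in listed order

    def matches(self, txns: list) -> bool:
        window = txns[:self.maximum_transactions]
        if not self.chain_order or len(self.members) == 1:
            # chain-order is ignored for a single-member signature; without it
            # every member only has to match some transaction in the window.
            return all(any(m.matches(t) for t in window) for m in self.members)
        pos = 0
        for member in self.members:
            while pos < len(window) and not member.matches(window[pos]):
                pos += 1
            if pos == len(window):
                return False
            # The next member may match the same transaction or a later one.
        return True


def identify(signatures: list, txns: list) -> Optional[str]:
    """Return the name of the matching signature with the best order."""
    matched = [s for s in signatures if s.matches(txns)]
    return min(matched, key=lambda s: s.order).name if matched else None


# The signature shown in the configuration fragment at the start of the chapter.
NESTEDCUST001 = Signature(
    name="nestedcust001",
    members=[Member("http-url-parsed", ".*nested.*", "any")],
    maximum_transactions=2, order=3825)

# Constructed chain-ordered signature: a host header on the request, then a
# JSON content type on the response (hypothetical application).
JSONAPI = Signature(
    name="jsonapi-example",
    members=[Member("http-header-host", r"api\.example\.net", "client-to-server"),
             Member("http-header-content-type", r"application/json.*", "server-to-client")],
    maximum_transactions=4, order=40000, chain_order=True)

SIGNATURES = [NESTEDCUST001, JSONAPI]

if __name__ == "__main__":
    req = Transaction("client-to-server", {"http-header-host": "api.example.net",
                                           "http-url-parsed": "/v1/items"})
    resp = Transaction("server-to-client", {"http-header-content-type": "application/json"})
    print(identify(SIGNATURES, [req, resp]))   # jsonapi-example
```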

port-mapping

Syntax
  port-mapping {
    disable;
    port-range {
      tcp [ ports-and-port-ranges ];
      udp [ ports-and-port-ranges ];
    }
  }

Hierarchy Level
  [edit services application-identification application application-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define port-mapping properties for application identification.

Options
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903


port-range

Syntax
  port-range {
    tcp [ ports-and-port-ranges ];
    udp [ ports-and-port-ranges ];
  }

Hierarchy Level
  [edit services application-identification application application-name port-mapping],
  [edit services application-identification rule rule-name address destination],
  [edit services application-identification rule rule-name address source]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define TCP and UDP port numbers or numeric ranges. For port-mapping configurations, this entry is required if the parent node exists.

Options
  ports-and-port-ranges: Individual port numbers, numeric port ranges, or both. Separate the values with spaces. The format for numeric port ranges is minimum-value-maximum-value.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Defining an Application Identification on page 903
  Configuring APPID Rules on page 904
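An added Python illustration, not Junos code, of the rule address matching that the rule, address, ip, port-range and order entries describe: each rule's destination and source properties are tested against a session, and when several rules match, the rule with the lowest order number wins. parse_port_range accepts the space-separated ports-and-port-ranges list format documented above; the Endpoint and Rule classes, the sample rule set, the application names and the sessions are all constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of APPID rule address matching (illustration only, not
# Junos code). Hypothetical helper names throughout.


def parse_port_range(spec: str) -> list:
    """Parse a ports-and-port-ranges list such as "[ 80 443 8000-8080 ]".

    Values are separated by spaces; a numeric range is written
    minimum-value-maximum-value. Returns a list of (low, high) pairs.
    """
    inner = spec.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    ranges = []
    for token in inner.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {token!r}")
        ranges.append((low, high))
    return ranges


@dataclass
class Endpoint:
    """A destination or source block: optional ip prefix plus port-range."""
    ip: Optional[str] = None                  # "address/prefix-length"; any if None
    tcp: list = field(default_factory=list)   # from port-range { tcp [ ... ] }
    udp: list = field(default_factory=list)   # from port-range { udp [ ... ] }

    def matches(self, addr: str, proto: str, port: int) -> bool:
        if self.ip is not None:
            net = ipaddress.ip_network(self.ip, strict=False)
            if ipaddress.ip_address(addr) not in net:
                return False
        if self.tcp or self.udp:
            # A port-range was configured: the session's protocol must have a
            # list and the port must fall inside one of its entries (assumption:
            # a protocol with no configured list does not match).
            ranges = self.tcp if proto == "tcp" else self.udp
            if not any(low <= port <= high for low, high in ranges):
                return False
        return True


@dataclass
class Rule:
    name: str
    application: str
    order: int                          # lower number = higher priority
    destination: Optional[Endpoint] = None
    source: Optional[Endpoint] = None

    def __post_init__(self):
        # The address statement requires destination or source properties.
        if self.destination is None and self.source is None:
            raise ValueError(f"rule {self.name}: address needs destination or source")

    def matches(self, session: dict) -> bool:
        proto = session["proto"]
        if self.destination and not self.destination.matches(
                session["dst_ip"], proto, session["dst_port"]):
            return False
        if self.source and not self.source.matches(
                session["src_ip"], proto, session["src_port"]):
            return False
        return True


def resolve_application(rules: list, session: dict) -> Optional[str]:
    """Return the application of the matching rule with the lowest order."""
    orders = [r.order for r in rules]
    if len(orders) != len(set(orders)):
        raise ValueError("order numbers must be unique")
    matched = [r for r in rules if r.matches(session)]
    if not matched:
        return None
    return min(matched, key=lambda r: r.order).application


# Constructed sample rule set with hypothetical application names.
RULES = [
    Rule("web", "HTTP", order=20,
         destination=Endpoint(ip="10.0.0.0/8", tcp=parse_port_range("[ 80 443 8000-8080 ]"))),
    Rule("intranet-web", "INTRANET-HTTP", order=10,
         destination=Endpoint(ip="10.1.0.0/16", tcp=parse_port_range("[ 80 ]")),
         source=Endpoint(ip="10.1.0.0/16")),
    Rule("dns", "DNS", order=30,
         destination=Endpoint(udp=parse_port_range("[ 53 ]"))),
]

if __name__ == "__main__":
    s = {"src_ip": "10.1.2.3", "src_port": 51000,
         "dst_ip": "10.1.9.9", "dst_port": 80, "proto": "tcp"}
    print(resolve_application(RULES, s))   # both web rules match; order 10 wins
```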

profile

Syntax
  profile profile-name {
    rule-set rule-set-name;
  }

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define members of an application profile, which consists of one or more rule sets.

Options
  profile-name: Identifier for the application profile.
  The remaining statement is explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring Application Profiles on page 908


protocol

Syntax
  protocol protocol;

Hierarchy Level
  [edit services application-identification nested-application name]

Release Information
  Statement introduced in Junos OS Release 10.2.

Description
  Identify the protocol that will be monitored to identify nested applications. HTTP is supported.

Options
  protocol: An agreed-upon or standardized method for transmitting data and establishing communications between different devices. The value http is supported.

Required Privilege Level
  system: To view this statement in the configuration.
  system-control: To add this statement to the configuration.

Related Documentation
  Application Identification for Nested Applications on page 909


rule

See the following sections:

  rule (Configuring) on page 945
  rule (Including in Rule Set) on page 946

rule (Configuring)

Syntax
  rule rule-name {
    address {
      destination {
        ip address</prefix-length>;
        port-range {
          tcp [ ports-and-port-ranges ];
          udp [ ports-and-port-ranges ];
        }
      }
      source {
        ip address</prefix-length>;
        port-range {
          tcp [ ports-and-port-ranges ];
          udp [ ports-and-port-ranges ];
        }
      }
      order number;
    }
    application application-name;
  }

Hierarchy Level
  [edit services application-identification]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define properties for application-identification rule processing.

Options
  rule-name: Unique identifier for the rule.
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904


rule (Including in Rule Set)

Syntax
  rule rule-name;

Hierarchy Level
  [edit services application-identification rule-set rule-set-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Identify rules for inclusion in an application rule set.

Options
  rule-name: Unique identifier for the rule.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904

rule-set

Syntax
  rule-set rule-set-name {
    rule application-rule-name;
  }

Hierarchy Level
  [edit services application-identification],
  [edit services application-identification profile profile-name]

Release Information
  Statement introduced in Junos OS Release 9.5.

Description
  Define members of a rule set.

Options
  rule-set-name: Unique identifier for the rule set.
  The remaining statements are explained separately.

Required Privilege Level
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

Related Documentation
  Configuring APPID Rules on page 904


services

Syntax
    services application-identification { ... }

Hierarchy Level
    [edit]

Release Information
    services statement introduced before Junos OS Release 7.4.
    application-identification statement introduced in Junos OS Release 9.5.

Description
    Define the services to be applied to traffic.

Options
    application-identification: The values configured for application-identification properties.
    The statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Application Identification


session-timeout

See the following sections:

    session-timeout (Interfaces) on page 948
    session-timeout (Application Identification) on page 948

session-timeout (Interfaces)

Syntax
    session-timeout seconds;

Hierarchy Level
    [edit interfaces interface-name services-options]

Release Information
    Statement introduced in Junos OS Release 10.0.

Description
    Define the session lifetime globally for the Multiservices interface, in seconds.

Options
    seconds: Duration of the session.
    Range: 4 through 86,400

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Defining an Application Identification on page 903

session-timeout (Application Identification)

Syntax
    session-timeout seconds;

Hierarchy Level
    [edit services application-identification application application-name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Define the session lifetime for the specified application, in seconds.

Options
    seconds: Duration of the session.
    Default: 3600
    Range: 1 through 604,800

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Defining an Application Identification on page 903


signature

Syntax
    signature name {
        chain-order;
        maximum-transactions number;
        member name {
            context value;
            direction (any | client-to-server | server-to-client);
            pattern dfa-pattern;
        }
        order number;
    }

Hierarchy Level
    [edit services application-identification nested-application name]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Identify the name of the custom nested application signature definition. The name must be unique, with a maximum length of 32 characters.

Options
    name: Name of the signature definition.
    The remaining statements are described separately.

Required Privilege Level
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.

Related Documentation
    Application Identification for Nested Applications on page 909


source

Syntax
    source {
        ip address</prefix-length>;
        port-range {
            tcp [ ports-and-port-ranges ];
            udp [ ports-and-port-ranges ];
        }
    }

Hierarchy Level
    [edit services application-identification rule rule-name address address-name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Define source properties for application-identification rule processing.

Options
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring APPID Rules on page 904

support-uni-directional-traffic

Syntax
    support-uni-directional-traffic;

Hierarchy Level
    [edit services service-set service-set-name service-set-options]

Release Information
    Statement introduced in Junos OS Release 11.2.

Description
    Enables APPID to perform application matching on unidirectional traffic.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring APPID Support for Unidirectional Traffic on page 913


traceoptions

Syntax
    traceoptions {
        file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }

Hierarchy Level
    [edit services application-identification]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Configure application identification tracing options. To specify more than one tracing operation, include multiple flag statements.

Options
    file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

    files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
        Range: 2 through 1000 files
        Default: 2 files
        If you specify a maximum number of files, you also must specify a maximum file size with the size option.

    flag: Tracing operation to perform. all is the only valid completion.
        all: Trace all events.

    match regex: (Optional) Regular expression for lines to be logged.

    no-world-readable: (Optional) Disallow any user to read the log file.

    size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
        Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
        Range: 10240 through 1073741824, or the maximum file size supported on your system
        If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.

    world-readable: (Optional) Allow any user to read the log file.


Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Tracing APPID Operations on page 913
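As an added illustration (not Juniper code) of the file, files and size options above: a checker for the files/size pairing and range constraints and a model of the rename scheme the size option describes. The function names and the appid-trace file name are assumptions.

```python
import re
from typing import List, Optional

SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}   # xk, xm, xg suffixes
SIZE_RANGE = (10240, 1073741824)                          # size option range, in bytes
FILES_RANGE = (2, 1000)                                   # files option range


def parse_size(text: str) -> int:
    """Convert the size syntax (xk, xm, xg, or a bare byte count) to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size value: {text!r}")
    return int(m.group(1)) * SIZE_UNITS.get(m.group(2), 1)


def check_trace_file(filename: str, files: Optional[int] = None, size: Optional[str] = None,
                     world_readable: bool = False) -> List[str]:
    """Return findings for one 'file' statement; an empty list means it is acceptable.
    (Hypothetical checker: the file name is an assumed example, not a Junos default.)"""
    findings = []
    # files and size are only valid together: each requires the other
    if (files is None) != (size is None):
        findings.append("error: files and size must be configured together")
    if files is not None and not FILES_RANGE[0] <= files <= FILES_RANGE[1]:
        findings.append(f"error: files {files} outside range {FILES_RANGE[0]}-{FILES_RANGE[1]}")
    if size is not None:
        size_bytes = parse_size(size)
        if not SIZE_RANGE[0] <= size_bytes <= SIZE_RANGE[1]:
            findings.append(f"error: size {size} ({size_bytes} bytes) outside range "
                            f"{SIZE_RANGE[0]}-{SIZE_RANGE[1]}")
    if world_readable:
        # all trace files live under /var/log; world-readable lets any local user read them
        findings.append(f"warning: /var/log/{filename} is readable by any local user")
    return findings


def rotate(filename: str, present: List[str], max_files: int) -> List[str]:
    """Names present after the active trace file reaches its size limit: the active file
    becomes filename.0, every filename.i becomes filename.i+1, and the copy that would
    exceed max_files (active file included) is the oldest one and is overwritten."""
    suffix = re.compile(re.escape(filename) + r"\.(\d+)$")
    kept = [n for n in present if n != filename and not suffix.match(n)]   # unrelated files
    for n in present:
        m = suffix.match(n)
        if m and int(m.group(1)) + 1 <= max_files - 2:
            kept.append(f"{filename}.{int(m.group(1)) + 1}")
    kept.append(f"{filename}.0")                   # the full active file is renamed
    kept.append(filename)                          # a fresh active file is started
    return sorted(kept)
```

With the default of 2 files only the active file and one rotated copy ever exist, which rotate() shows by returning the same two names again.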

type

Syntax
    type type;

Hierarchy Level
    [edit services application-identification application application-name]
    [edit services application-identification nested-application name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Define the type of application, such as HTTP or FTP.

Options
    type: Application type. This is a mandatory value and has a maximum length of 32 characters.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Defining an Application Identification on page 903
    Application Identification for Nested Applications on page 909

type-of-service

Syntax
    type-of-service service-type;

Hierarchy Level
    [edit services application-identification application application-name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Define the type of service by service objective. There is no default value.

Options
    The following service-type options are available:
    maximize-reliability: Service designed for maximum reliability in packet transmission.
    maximize-throughput: Service designed for maximum throughput.
    minimize-delay: Service designed for minimum delay in packet transmission.
    minimize-monetary-cost: Service designed for minimum monetary cost.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Defining an Application Identification on page 903


url

Syntax
    url url;

Hierarchy Level
    [edit services application-identification download]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Define the URL for application package downloads.

Options
    url: Download URL.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Automatic Download of Application Package Updates on page 912


CHAPTER 43

Application-Aware Access List Configuration Guidelines


To configure application-aware access list (AACL) services, include the aacl statements at the [edit services] hierarchy level:

    [edit services]
    aacl {
        rule rule-name {
            match-direction (input | output | input-output);
            term term-name {
                from {
                    application-group-any;
                    application-groups [ application-group-names ];
                    applications [ application-names ];
                    destination-address address <any-unicast>;
                    destination-address-range low minimum-value high maximum-value;
                    destination-prefix-list list-name;
                    source-address address <any-unicast>;
                    source-address-range low minimum-value high maximum-value;
                    source-prefix-list list-name;
                }
                then {
                    (accept | discard);
                    count (application | application-group | application-group-any | none);
                    forwarding-class class-name;
                    policer policer-name;
                }
            }
        }
        rule-set rule-set-name {
            [ rule rule-names ];
        }
    }

This chapter contains the following sections:

    Configuring AACL Rules on page 956
    Configuring AACL Rule Sets on page 959
    Configuring Logging of AACL Flows on page 960
    Example: Configuring AACL Rules on page 960


Configuring AACL Rules


To configure an AACL rule, include the rule rule-name statement at the [edit services aacl] hierarchy level:

    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-group-any;
                application-groups [ application-group-names ];
                applications [ application-names ];
                destination-address address <any-unicast>;
                destination-address-range low minimum-value high maximum-value;
                destination-prefix-list list-name;
                nested-applications [ nested-application-names ];
                source-address address <any-unicast>;
                source-address-range low minimum-value high maximum-value;
                source-prefix-list list-name;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | nested-application | none);
                forwarding-class class-name;
                policer policer-name;
            }
        }
    }

Each AACL rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

    from statement: Specifies the match conditions and applications that are included and excluded.
    then statement: Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of AACL rules:

    Configuring Match Direction for AACL Rules on page 956
    Configuring Match Conditions in AACL Rules on page 957
    Configuring Actions in AACL Rules on page 958

Configuring Match Direction for AACL Rules


Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services aacl rule rule-name] hierarchy level:

    match-direction (input | output | input-output);

If you configure match-direction input-output, bidirectional rule creation is allowed.


The match direction is used with respect to the traffic flow through the services PIC or DPC. When a packet is sent to the PIC or DPC, direction information is carried along with it. With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. With a next-hop service set, packet direction is determined by the interface used to route the packet to the services PIC or DPC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces on page 568. On the PIC or DPC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.

Configuring Match Conditions in AACL Rules


To configure AACL match conditions, include the from statement at the [edit services aacl rule rule-name term term-name] hierarchy level:

    from {
        application-group-any;
        application-groups [ application-group-names ];
        applications [ application-names ];
        destination-address address <any-unicast>;
        destination-address-range low minimum-value high maximum-value;
        destination-prefix-list list-name;
        nested-applications [ nested-application-names ];
        source-address address <any-unicast>;
        source-address-range low minimum-value high maximum-value;
        source-prefix-list list-name;
    }

Only IPv4 source and destination addresses are supported. You can use either the source address or the destination address as a match condition, in the same way that you configure a firewall filter; for more information, see the Junos OS Routing Policy Configuration Guide. Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the AACL rule. For an example, see Example: Configuring AACL Rules on page 960. If you omit the from term, the AACL rule accepts all traffic and the default protocol handlers take effect:

    User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
    IP creates a unidirectional flow.


You can also include application and application group definitions you have configured at the [edit services application-identification] hierarchy level; for more information, see the topics in Application Identification.

To apply one or more specific application protocol definitions, include the applications statement at the [edit services aacl rule rule-name term term-name from] hierarchy level. To apply one or more sets of application group definitions you have defined, include the application-groups statement at the [edit services aacl rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit services application-identification] hierarchy level; you cannot specify these properties as match conditions.

To consider any application group defined in the database as a match, include the application-group-any statement at the [edit services aacl rule rule-name term term-name from] hierarchy level. To consider any nested application defined in the database a match, include the nested-applications statement at the [edit services aacl rule rule-name term term-name from] hierarchy level. Nested applications are protocols that run on a parent application. For example, if the Facebook application runs on the parent application junos:http, the nested application will be junos:http:facebook.

Configuring Actions in AACL Rules


To configure AACL actions, include the then statement at the [edit services aacl rule rule-name term term-name] hierarchy level:

    then {
        (accept | discard);
        (count (application | application-group | application-group-any | nested-application | none) | forwarding-class class-name);
    }

You must include one of the following actions:

    accept: The packet is accepted and sent on to its destination.
    discard: The packet is not accepted and is not processed further.

When you select accept as the action, you can optionally configure one or both of the following action modifiers. No action modifiers are allowed with the discard action.

    count (application | application-group | application-group-any | nested-application | none): For all accepted packets that match the rules, record a packet count using AACL statistics practices. You can specify one of the following options; there is no default setting:


        application: Count the application that matched in the from clause.
        application-group: Count the application group that matched in the from clause.
        application-group-any: Count all application groups that match from application-group-any under the any group name.
        nested-application: Count all nested applications that matched in the from clause.
        none: Same as not specifying count as an action.

NOTE: When a session closes before APPID has identified nested applications, the session is treated as a best-effort session and AACL does not get the nested application information. In such cases, nested applications will be reported as unknown applications.

During the time that the application identification (APPID) feature has not yet made a final determination of the application associated with a given flow, the flow does not contribute to any per-subscriber or per-application statistics collection. For more information, see Best-Effort Application Identification of DPI-Serviced Flows on page 897.

    forwarding-class class-name: Specify the packet's forwarding-class name.

You can optionally include a policer that has been specified at the [edit firewall] hierarchy level. Only the bit-rate and burst-size properties specified for the policer are applied in the AACL rule set. The only applicable action when a policer is configured is discard. For more information on policer definitions, see the Junos OS Routing Policy Configuration Guide.

Configuring AACL Rule Sets


The rule-set statement defines a collection of AACL rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services aacl] hierarchy level with a rule statement for each rule:

    rule-set rule-set-name {
        rule rule-name;
    }

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.


Configuring Logging of AACL Flows


You can configure logging of AACL flows for a given application or for all unknown applications using AACL rules. You must set match-direction to input or input-output for logging to occur.

1. Create a rule and term.

    user@host# edit services aacl rule rule-name term term-name

2. Specify selection of an application.

    [edit services aacl rule rule-name term term-name]
    user@host# set from applications application-name

   OR specify selection of all unknown applications.

    [edit services aacl rule rule-name term term-name]
    user@host# set from application-unknown

3. In the then statement, specify logging of input flows.

    [edit services aacl rule rule-name term term-name]
    user@host# set then log input-flows

Example: Configuration of Logging of Input Flows for Unknown Applications

    [edit services aacl rule aacl_rule5]
    match-direction input-output;
    term t0 {
        from {
            application-unknown;
        }
        then {
            count application;
            log input-flow;
            accept;
        }
    }

Example: Setup of a Specific Log File

The following example shows how to direct the aacl flow log to a file other than the default syslog file on the Routing Engine file system.

    [edit system syslog]
    file aacl_log {
        external any;
        match aacl-flow-log;
    }

Example: Configuring AACL Rules


The following example shows an AACL configuration containing a rule with three terms using a variety of match conditions and actions:


    [edit services aacl]
    rule aacl-test {
        match-direction input;
        term term1 {
            from {
                source-address 10.0.1.1 application test1;
            }
            then {
                accept;
            }
        }
        term term2 {
            from {
                source-address {
                    any-unicast;
                }
                application test1;
            }
            then {
                discard;
            }
        }
        term term3 {
            from {
                source-address {
                    any-unicast;
                }
                application test1 test2;
            }
            then {
                accept;
                count application;
            }
        }
    }
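As an added model (not Juniper's code) of the rule processing described in Configuring AACL Rules and Configuring AACL Rule Sets, run against the aacl-test rule above: rules are walked in configured order, a rule is skipped unless its match-direction covers the packet direction, the first matching term decides, and an unmatched packet is dropped. The data classes, the reading of any-unicast, the handling of not-yet-classified flows in the counters, and the 192.0.2.x addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

BROADCAST = IPv4Address("255.255.255.255")
STATS = Counter()                                      # AACL statistics, keyed (count kind, name)


@dataclass
class Term:
    """One term of an AACL rule: its 'from' match conditions and its 'then' action."""
    name: str
    action: str                                        # accept | discard
    source_address: Optional[str] = None               # "10.0.1.1", "10.0.0.0/16" or "any-unicast"
    destination_address: Optional[str] = None
    source_address_range: Optional[Tuple[str, str]] = None         # (low, high), inclusive
    destination_address_range: Optional[Tuple[str, str]] = None
    applications: List[str] = field(default_factory=list)          # APPID application names
    application_groups: List[str] = field(default_factory=list)
    application_group_any: bool = False
    count: Optional[str] = None                        # action modifier, accept only


@dataclass
class Rule:
    name: str
    match_direction: str                               # input | output | input-output
    terms: List[Term]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                                     # input | output, carried to the PIC/DPC
    application: Optional[str] = None                  # None: APPID has made no final decision
    application_group: Optional[str] = None


def address_matches(spec: Optional[str], addr: str) -> bool:
    """Evaluate a source-/destination-address condition; only IPv4 addresses are supported."""
    a = ip_address(addr)
    if a.version != 4:
        return False
    if spec is None:
        return True                                    # condition not configured
    if spec == "any-unicast":                          # assumed: any non-multicast, non-broadcast
        return not a.is_multicast and a != BROADCAST
    return a in ip_network(spec, strict=False)


def range_matches(rng: Optional[Tuple[str, str]], addr: str) -> bool:
    """Evaluate an address-range condition; low and high are both inclusive."""
    if rng is None:
        return True
    low, high = (int(ip_address(x)) for x in rng)
    return low <= int(ip_address(addr)) <= high


def term_matches(term: Term, pkt: Packet) -> bool:
    """Every configured 'from' condition must hold; a term with no conditions matches all."""
    return (address_matches(term.source_address, pkt.src)
            and address_matches(term.destination_address, pkt.dst)
            and range_matches(term.source_address_range, pkt.src)
            and range_matches(term.destination_address_range, pkt.dst)
            and (not term.applications or pkt.application in term.applications)
            and (not term.application_groups or pkt.application_group in term.application_groups)
            and (not term.application_group_any or pkt.application_group is not None))


def record_count(kind: str, pkt: Packet, counters: Counter) -> None:
    """Add to the AACL statistics counter; flows APPID has not yet classified do not count."""
    if pkt.application is None:
        return
    key = {"application": pkt.application,
           "application-group": pkt.application_group,
           "application-group-any": "any"}[kind]       # group-any counts under the "any" name
    counters[(kind, key)] += 1


def evaluate(rule_set: List[Rule], pkt: Packet, counters: Counter) -> str:
    """Process a packet that had no existing flow: rules in configured order, skipping any
    whose match-direction does not cover the packet direction; the first matching term decides
    and processing stops; a packet that no rule matches is dropped by default."""
    for rule in rule_set:
        if rule.match_direction not in (pkt.direction, "input-output"):
            continue
        for term in rule.terms:
            if term_matches(term, pkt):
                if term.action == "accept" and term.count not in (None, "none"):
                    record_count(term.count, pkt, counters)
                return term.action
    return "discard"


# The aacl-test rule from "Example: Configuring AACL Rules" in this chapter, in this model.
AACL_TEST = [Rule("aacl-test", "input", [
    Term("term1", "accept", source_address="10.0.1.1", applications=["test1"]),
    Term("term2", "discard", source_address="any-unicast", applications=["test1"]),
    Term("term3", "accept", source_address="any-unicast", applications=["test1", "test2"],
         count="application"),
])]
```

A packet from 10.0.1.1 carrying test1 is accepted by term1, the same application from any other unicast source is discarded by term2, test2 from any unicast source is accepted and counted by term3, and output-direction packets never reach the rule because its match-direction is input.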


CHAPTER 44

Summary of AACL Configuration Statements


The following sections explain each of the application-aware access list (AACL) services statements. The statements are organized alphabetically.

applications

Syntax
    applications [ application-names ];

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Identify one or more applications defined in the application identification configuration for inclusion as a match condition.

Options
    application-names: Identifiers of the applications.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957


application-groups

Syntax
    application-groups [ application-group-names ];

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Identify one or more application groups defined in the application identification configuration for inclusion as a match condition.

Options
    application-group-names: Identifiers of the application groups.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957

application-group-any

Syntax
    application-group-any;

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Indicates that any application group defined in the database is considered a match.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957


destination-address

Syntax
    destination-address address;

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the destination address for rule matching.

Options
    address: Destination IPv4 address or prefix value.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957

destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value;

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the destination address range for rule matching.

Options
    minimum-value: Lower boundary for the IPv4 address range.
    maximum-value: Upper boundary for the IPv4 address range.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957


destination-prefix-list

Syntax
    destination-prefix-list list-name;

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name: Destination prefix list.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957

from

Syntax
    from {
        application-group-any;
        application-groups [ application-group-names ];
        applications [ application-names ];
        destination-address address <any-unicast>;
        destination-address-range low minimum-value high maximum-value;
        destination-prefix-list list-name;
        source-address address <any-unicast>;
        source-address-range low minimum-value high maximum-value;
        source-prefix-list list-name;
    }

Hierarchy Level
    [edit services aacl rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 9.5.

Description
    Specify match conditions for the AACL term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring AACL Rules on page 956


match-direction

Syntax
    match-direction (input | output | input-output);

Hierarchy Level
    [edit services aacl rule rule-name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the direction in which the rule match is applied.

Options
    input: Apply the rule match on the input side of the interface.
    output: Apply the rule match on the output side of the interface.
    input-output: Apply the rule match bidirectionally.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Direction for AACL Rules on page 956


rule

Syntax
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-group-any;
                application-groups [ application-group-names ];
                applications [ application-names ];
                destination-address address <any-unicast>;
                destination-address-range low minimum-value high maximum-value;
                destination-prefix-list list-name;
                source-address address <any-unicast>;
                source-address-range low minimum-value high maximum-value;
                source-prefix-list list-name;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | none);
                forwarding-class class-name;
                policer policer-name;
            }
        }
    }

Hierarchy Level
    [edit services aacl],
    [edit services aacl rule-set rule-set-name]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the rule the router uses when applying this service.

Options
    rule-name: Identifier for the collection of terms that constitute this rule.
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring AACL Rules on page 956


rule-set

Syntax
    rule-set rule-set-name {
        [ rule rule-names ];
    }

Hierarchy Level
    [edit services aacl]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the rule set the router uses when applying this service.

Options
    rule-set-name: Identifier for the collection of rules that constitute this rule set.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring AACL Rule Sets on page 959

services

Syntax
    services aacl { ... }

Hierarchy Level
    [edit]

Release Information
    aacl statement introduced in Junos OS Release 9.5.

Description
    Define the services to be applied to traffic.

Options
    aacl: The values configured for application-aware access list matching rules.
    The statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Application-Aware Access List


source-address

Syntax
    source-address address;

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the source address for rule matching.

Options
    address: Source IPv4 address or prefix value.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957

source-address-range

Syntax
    source-address-range low minimum-value high maximum-value;

Hierarchy Level
    [edit services aacl rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the source address range for rule matching.

Options
    minimum-value: Lower boundary for the IPv4 address range.
    maximum-value: Upper boundary for the IPv4 address range.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Match Conditions in AACL Rules on page 957


source-prefix-list

Syntax: source-prefix-list list-name;
Hierarchy Level: [edit services aacl rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 9.5.
Description: Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options:
  list-name: Source prefix list.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: Configuring Match Conditions in AACL Rules on page 957


term

Syntax:
  term term-name {
      from {
          application-group-any;
          application-groups [ application-group-names ];
          applications [ application-names ];
          destination-address address <any-unicast>;
          destination-address-range low minimum-value high maximum-value;
          destination-prefix-list list-name;
          source-address address <any-unicast>;
          source-address-range low minimum-value high maximum-value;
          source-prefix-list list-name;
      }
      then {
          (accept | discard);
          count (application | application-group | application-group-any | none);
          forwarding-class class-name;
          policer policer-name;
      }
  }
Hierarchy Level: [edit services aacl rule rule-name]
Release Information: Statement introduced in Junos OS Release 9.5.
Description: Define the AACL term properties.
Options:
  term-name: Identifier for the term.
  The remaining statements are explained separately.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: Configuring AACL Rules on page 956


then

Syntax:
  then {
      (accept | discard);
      count (application | application-group | application-group-any | nested-application | none);
      forwarding-class class-name;
      log event-type;
      policer policer-name;
  }
Hierarchy Level: [edit services aacl rule rule-name term term-name]
Release Information: Statement introduced in Junos OS Release 9.5. policer statement added in Junos OS Release 9.6. The nested-application option for the count statement introduced in Junos OS Release 11.1.
Description: Define the AACL term actions. You can configure the router to accept or discard the targeted traffic. The action modifiers (count and forwarding-class) are optional.
Options: You can configure one of the following actions:
  accept: Accept the packets and all subsequent packets in flows that match the rules.
  discard: Discard the packet and all subsequent packets in flows that match the rules.

  When you select accept as the action, you can optionally configure one or both of the following action modifiers. No action modifiers are allowed with the discard action.

  count (application | application-group | application-group-any | nested-application | none): For all accepted packets that match the rules, record a packet count using AACL statistics practices. You can specify one of the following options; there is no default setting:
    application: Count the application that matched in the from clause.
    application-group: Count the application group that matched in the from clause.
    application-group-any: Count all application groups that match from application-group-any under the any group name.
    nested-application: Count all nested applications that matched in the from clause.
    none: Same as not specifying count as an action.
  forwarding-class class-name: Specify the packet's forwarding-class name.
  policer policer-name: Apply rate-limiting properties to the traffic as configured at the [edit firewall policer policer-name] hierarchy level. This configuration allows bit-rate and burst-size attributes to be applied to the traffic that are not supported by AACL rules. When you include a policer, the only allowed action is discard. For more information on policers, see the Junos OS Routing Policy Configuration Guide.


Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation:
  Configuring AACL Rules on page 956
  Junos OS Routing Policy Configuration Guide


CHAPTER 45

Local Policy Decision Function Configuration Guidelines


This chapter includes the following sections:

  Configuring Statistics Profiles on page 975
  Applying L-PDF Profiles to Service Sets on page 978
  Tracing L-PDF Operations on page 979

Configuring Statistics Profiles


The local policy decision function (L-PDF) enables you to configure properties for statistics output. To do this, you create a statistics profile, which configures the files to which statistics records are exported and the format that is exported. There are two configurations you can use to specify the profile, as described in the following subsections:

  Configuring an L-PDF Statistics Profile on page 976
  Configuring an AACL Statistics Profile on page 977

NOTE: You must use the same configuration stanza for specifying the profile and the file selection. If configurations are committed in both hierarchies, the one at the [edit system services local-policy-decision-function] hierarchy level takes precedence.

NOTE: When a session closes before APPID has identified nested applications, the session is treated as a best-effort session and L-PDF does not get the nested application information. In such cases, nested applications will be reported as unknown applications. During the time that the application identification (APPID) feature has not yet made a final determination of the application associated with a given flow, the flow does not contribute to any per-subscriber or per-application statistics collection. For more information, see Best-Effort Application Identification of DPI-Serviced Flows on page 897.


Configuring an L-PDF Statistics Profile


You can specify an L-PDF statistics profile by including the following configuration at the [edit accounting-options] hierarchy level:
[edit accounting-options]
policy-decision-statistics-profile profile-name {
    application-aware-access-list-fields [ field-name ];
    file filename;
    files number;
    size bytes;
}

NOTE: This configuration method is not the preferred method for configuring Dynamic Application Awareness statistics. It is only maintained for backwards compatibility and may be deprecated in a future software release. The new, preferred configuration is found at the [edit system services local-policy-decision-function] hierarchy level, as described in Configuring an AACL Statistics Profile on page 977. We encourage you to migrate to the new configuration method.

You specify a profile name to identify the profile and other properties as needed by including the policy-decision-statistics-profile statement. The aacl-fields statement specifies which statistics to collect in an accounting-data log file. This log file is located in the /var/log directory on the router. You specify the log file by including the file filename statement. The filename is prefixed by the aacl_statistics_ prefix; for example, if you specify the filename lpdfd, the log file will be /var/log/aacl_statistics_lpdfd. The application-aware-access-list-fields statement supports the following options:

  address: IP Address
  application: Application name
  application-group: Application group name
  input-bytes: Number of input bytes
  input-interface: Input interface name
  input-packets: Number of input packets
  mask: Netmask
  output-bytes: Number of output bytes
  output-packets: Number of output packets
  subscriber-name: Subscriber name
  timestamp: Timestamp
  vrf-name: VPN routing and forwarding (VRF) name


For more information on configuring profiles, see the Junos OS Network Management Configuration Guide.

Configuring an AACL Statistics Profile


You can specify an AACL statistics profile by including the following configuration at the [edit system services] hierarchy level:
local-policy-decision-function {
    statistics {
        file filename {
            archive-sites [ url ];
            files number;
            size bytes;
            transfer-interval minutes;
        }
        aacl-statistics-profile profile-name {
            aacl-fields [ field-name ];
            file filename;
            report-interval minutes;
            record-mode (interim-active-only | interim-full);
        }
        record-type (delta | interim);
    }
}

To specify the file properties, include the file statement at the [edit system services local-policy-decision-function statistics] hierarchy level with a unique filename:

  The archive-sites statement specifies one or more URLs for archiving the files. Archiving can be done by using FTP or SCP.
  The files statement specifies the maximum number of files that are maintained at one time.
  The size statement specifies the maximum size of each file.
  The transfer-interval statement specifies the interval between data transfers in minutes.

You specify a profile name to identify the profile and other properties as needed by including the aacl-statistics-profile statement. The aacl-fields statement specifies which statistics to collect in an accounting-data log file. This log file is located in the /var/stats/aacl directory on the router. You specify the log file by including the file filename statement. The aacl-fields statement supports the following options:

  address: IP Address
  all-fields: All available fields
  application: Application name
  application-group: Application group name
  input-bytes: Number of input bytes
  input-interface: Input interface name
  input-packets: Number of input packets
  mask: Netmask
  output-bytes: Number of output bytes
  output-packets: Number of output packets
  subscriber-name: Subscriber name
  timestamp: Timestamp
  vrf-name: VPN routing and forwarding (VRF) name

The record-type statement specifies whether a record is delta or interim; delta is the default setting. The report-interval statement specifies the reporting interval in minutes; the default setting is 15 minutes and the range is 5 through 1440 minutes. The record-mode statement specifies how the statistics are reported for each reporting interval; the default setting is interim-full and reports all available statistics. To report only statistics that have changed for the reporting interval, use the interim-active-only setting. For more information on configuring profiles, see the Junos OS Network Management Configuration Guide.

Applying L-PDF Profiles to Service Sets


You can optionally apply policy decision statistics profiles as part of a service-set definition. To do this, you include the policy-decision-statistics-profile statement at the [edit services service-set service-set-name] hierarchy level:
policy-decision-statistics-profile profile-name;

NOTE: To provide high availability for the policy decision statistics, associate the service-set definition with a redundant services PIC (rsp) interface.

You can include only one profile name in the specification for the application-aware access-list statement. The following example shows a sample configuration for attachment of an L-PDF statistics profile:
services {
    service-set test_aacl_sset {
        aacl-rules aacl_rule;
        policy-decision-statistics-profile {
            pdf_stats_prof;
        }
        interface-service {
            service-interface ms-0/3/0.0;
        }
    }
}


NOTE: Only one service set can be applied to a single interface when L-PDF functionality is used.

The following example shows a sample configuration for attachment of a service set to a static interface:
interfaces {
    fe-0/0/0 {
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                service {
                    input {
                        service-set test_aacl_sset;
                    }
                    output {
                        service-set test_aacl_sset;
                    }
                }
                address 10.1.1.1/24;
            }
        }
    }
}

NOTE: The session-offload statement at the [edit chassis fpc slot-number pic number adaptive-services service-package extension-provider] hierarchy level controls session offload behavior for Multiservices DPCs on MX Series routers. It controls session offload on a per-device basis, where a device is a Multiservices interface (ms-fpc-pic-port). Currently, the session offload function is supported for at most one Multiservices interface. When offload function is enabled, it is strongly recommended that you limit Dynamic Application Awareness features to that Multiservices interface. The default is to not offload any sessions. For more information on chassis configuration, see the Junos OS System Basics Configuration Guide.

Tracing L-PDF Operations


Tracing operations track L-PDF operations and record them in a log file. The logged error descriptions provide detailed information to help you solve problems faster. By default, no events are traced. If you include the traceoptions statement at the [edit system services local-policy-decision-function] hierarchy level, you can customize the trace file settings:
traceoptions {
    file filename <files number> <size size>;
    flag flag;
}

The flags track the following information:


  all: Everything
  configuration: Configuration traces
  database: Database traces
  general: Miscellaneous traces
  gres: Graceful Routing Engine switchover (GRES) traces
  ptsp-statistics: PTSP statistics traces
  rtsock: Routing socket traces
  statistics: Statistics traces
  subscriber: Subscriber traces


CHAPTER 46

Summary of L-PDF Configuration Statements


The following sections explain each of the local policy decision function (L-PDF) statements. The statements are organized alphabetically.


aacl-fields

Syntax:
  aacl-fields {
      field-name;
  }
Hierarchy Level: [edit system services local-policy-decision-function statistics aacl-statistics-profile profile-name]
Release Information: Statement introduced in Junos OS Release 10.0.
Description: Define the statistics to collect in a data log file.
Options:
  field-name: Name of the field:
    address: IP address
    all-fields: All available fields
    application: Application name
    application-group: Application group name
    input-bytes: Number of input bytes
    input-interface: Input interface name
    input-packets: Number of input packets
    mask: Netmask
    output-bytes: Number of output bytes
    output-packets: Number of output packets
    subscriber-name: Subscriber name
    timestamp: Timestamp
    vrf-name: VPN routing and forwarding (VRF) name
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


aacl-statistics-profile

Syntax:
  aacl-statistics-profile profile-name {
      aacl-fields {
          field-name;
      }
      file filename;
      record-mode (interim-active-only | interim-full);
      report-interval minutes;
  }
Hierarchy Level: [edit services service-set service-set-name], [edit system services local-policy-decision-function statistics]
Release Information: Statement introduced in Junos OS Release 10.0. record-mode option introduced in Junos OS Release 10.2.
Description: Create an AACL statistics profile, which configures the files to which statistics records are exported and the format that is exported.
Options:
  file filename: Name of the file to receive the statistics data output. Enclose the name within quotation marks. All files are placed in the directory /var/stats/aacl.
  record-mode: Record mode for the reporting interval; possible values are interim-active-only, which reports only statistics that have changed, or interim-full, which reports all available statistics.
  report-interval minutes: Frequency at which statistics are recorded, in minutes.
    Default: 15 minutes
    Range: 5 through 1440 minutes
  The remaining statements are explained separately.
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: For more information on profiles, see the Junos OS Network Management Configuration Guide.


application-aware-access-list-fields

Syntax:
  application-aware-access-list-fields {
      field-name;
  }
Hierarchy Level: [edit accounting-options policy-decision-statistics-profile profile-name]
Release Information: Statement introduced in Junos OS Release 9.5.
Description: Define the statistics to collect in a data log file.
Options:
  field-name: Name of the field:
    address: IP address
    application: Application name
    application-group: Application group name
    input-bytes: Number of input bytes
    input-interface: Input interface name
    input-packets: Number of input packets
    mask: Netmask
    output-bytes: Number of output bytes
    output-packets: Number of output packets
    subscriber-name: Subscriber name
    timestamp: Timestamp
    vrf-name: VPN routing and forwarding (VRF) name
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


file

Syntax:
  file file-name {
      archive-sites url;
      files file-number;
      size bytes;
      transfer-interval minutes;
  }
Hierarchy Level: [edit system services local-policy-decision-function statistics]
Release Information: Statement introduced in Junos OS Release 10.0.
Description: Specify a file to which statistics records are exported and the format that is exported.
Options:
  archive-sites [url]: One or more destinations for archiving data.
  filename: Name of the file to receive the statistics data output.
  files number: (Optional) Maximum number of accounting files.
    Range: 3 through 1000 files
    Default: 3 files
    If you specify a maximum number of files, you also must specify a maximum file size with the size option.
  size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 262144 through 1073741824 or the maximum file size supported on your system
    If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
  transfer-interval minutes: Frequency at which to transfer files to archive sites, in minutes.
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


local-policy-decision-function

Syntax:
  local-policy-decision-function {
      statistics {
          aacl-statistics-profile profile-name {
              aacl-fields {
                  field-name;
              }
              file filename;
              report-interval minutes;
          }
          file file-name {
              archive-sites url;
              files file-number;
              size bytes;
              transfer-interval minutes;
          }
          record-type (delta | interim);
      }
      traceoptions {
          file filename <files number> <size size>;
          flag flag;
          no-remote-trace;
      }
  }
Hierarchy Level: [edit system services]
Release Information: Statement introduced in Junos OS Release 10.0.
Description: Specify L-PDF properties.
Options: The remaining statements are explained separately.
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


policy-decision-statistics-profile

Syntax:
  policy-decision-statistics-profile profile-name {
      aacl-fields {
          field-name;
      }
      file filename;
      files file-number;
      size bytes;
  }
Hierarchy Level: [edit accounting-options], [edit services service-set service-set-name]
Release Information: Statement introduced in Junos OS Release 9.5.
Description: Create a policy decision statistics profile, which configures the files to which statistics records are exported and the format that is exported.
Options:
  file filename: Name of the file to receive the accounting-data output. Enclose the name within quotation marks. All files are placed in the directory /var/log.
  files number: (Optional) Maximum number of accounting files.
    Range: 2 through 1000 files
    Default: 2 files
    If you specify a maximum number of files, you also must specify a maximum file size with the size option.
  profile-name: Name of the policy decision statistics profile.
  size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 10240 through 1073741824 or the maximum file size supported on your system
    If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
  The remaining statements are explained separately.
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: For more information on profiles, see the Junos OS Network Management Configuration Guide.


statistics

Syntax:
  statistics {
      aacl-statistics-profile profile-name {
          aacl-fields {
              field-name;
          }
          file filename;
          report-interval minutes;
      }
      file file-name {
          archive-sites [ url ];
          files file-number;
          size bytes;
          transfer-interval minutes;
      }
      record-type (delta | interim);
  }
Hierarchy Level: [edit system services local-policy-decision-function]
Release Information: Statement introduced in Junos OS Release 10.0.
Description: Configure file and data specifications for recording AACL statistics.
Options:
  record-type: Record type; possible values are delta or interim.
  The remaining statements are explained separately.
Usage Guidelines: See Configuring Statistics Profiles on page 975.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


traceoptions

Syntax:
  traceoptions {
      file filename <files number> <size size>;
      flag flag;
      no-remote-trace;
  }
Hierarchy Level: [edit services local-policy-decision-function], [edit system services local-policy-decision-function]
Release Information: Statement introduced in Junos OS Release 9.5.
Description: Configure local policy decision function (L-PDF) tracing options.
Options:
  file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
  files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
    Range: 2 through 1000 files
    Default: 2 files
    If you specify a maximum number of files, you also must specify a maximum file size with the size option.
  flag: Tracing operation to perform. To specify more than one flag, include multiple flag statements.
    all: Everything
    configuration: Configuration traces
    database: Database traces
    general: Miscellaneous traces
    gres: Graceful Routing Engine switchover (GRES) traces
    ptsp-statistics: PTSP statistics traces
    rtsock: Routing socket traces
    statistics: Statistics traces
    subscriber: Subscriber traces
  no-remote-trace: Disable remote tracing.
  size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 10240 through 1073741824 or the maximum file size supported on your system
    If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
Usage Guidelines: See Tracing L-PDF Operations on page 979.
Required Privilege Level:
  routing and trace: To view this statement in the configuration.
  routing-control and trace-control: To add this statement to the configuration.
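The files/size rules and the trace-file renaming scheme described for the L-PDF statistics file statement and for traceoptions above, modelled in Python as an added example (this is not Juniper code). It assumes that the files count includes the active file plus its numbered copies, and that size values use the xk/xm/xg syntax quoted above or a bare byte count.

```python
"""Model of the files/size rules and rotation scheme of the L-PDF `file` and
`traceoptions` statements (added example, not Juniper code).

Assumptions not stated on the page: `files` counts the active file plus its
numbered copies, and a size string is an integer followed by k, m or g."""

# Per-statement limits quoted on the page: (min files, max files, default files)
# and (min size, max size) in bytes.
LIMITS = {
    "traceoptions":    {"files": (2, 1000, 2), "size": (10240, 1073741824)},
    "statistics-file": {"files": (3, 1000, 3), "size": (262144, 1073741824)},
}

_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Convert the xk / xm / xg syntax (or a bare byte count) to bytes."""
    text = text.strip().lower()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


def validate(statement, files=None, size=None):
    """Return a list of problems with a files/size pair for the given statement.

    Mirrors the page's rules: both options are optional, but specifying one
    requires the other, and each must fall in the documented range."""
    lim = LIMITS[statement]
    problems = []
    if (files is None) != (size is None):
        problems.append("files and size must be specified together")
    if files is not None:
        lo, hi, _default = lim["files"]
        if not lo <= files <= hi:
            problems.append(f"files {files} outside {lo}..{hi}")
    if size is not None:
        size_bytes = parse_size(size)
        lo, hi = lim["size"]
        if not lo <= size_bytes <= hi:
            problems.append(f"size {size_bytes} bytes outside {lo}..{hi}")
    return problems


def rotate(files_on_disk, max_files, base="trace-file"):
    """Apply one rotation step when `base` has reached its maximum size.

    `files_on_disk` maps file names to contents. The active file becomes
    base.0, base.0 becomes base.1, and so on; once max_files files exist the
    oldest (highest-numbered) copy is dropped, i.e. overwritten."""
    rotated = {base: "", f"{base}.0": files_on_disk.get(base, "")}
    for n in range(max_files - 2):            # shift base.n -> base.(n+1)
        old = f"{base}.{n}"
        if old in files_on_disk:
            rotated[f"{base}.{n + 1}"] = files_on_disk[old]
    return rotated


def retained_bytes(statement, files=None, size=None):
    """Upper bound on trace history kept on disk (files x size), using the
    documented default file count when files is omitted. The default size is
    not on the page, so None is returned when size is not given."""
    if size is None:
        return None
    if files is None:
        files = LIMITS[statement]["files"][2]
    return files * parse_size(size)
```

With the default of 2 files, only the active file and one full predecessor survive, which is worth checking before relying on these traces for incident reconstruction.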


PART 4

Encryption Services

  Encryption Overview on page 993
  Encryption Interfaces Configuration Guidelines on page 995
  Summary of Encryption Configuration Statements on page 1005


CHAPTER 47

Encryption Overview
This chapter discusses the following topics:

Encryption Overview on page 993

Encryption Overview
The IP Security (IPsec) architecture provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides functionality such as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. It also defines mechanisms for key generation and exchange, management of security associations, and support for digital certificates. IPsec defines a security association (SA) and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities. For more information, see the Junos OS System Basics Configuration Guide. The standards are defined in the following RFCs:

  RFC 2401, Security Architecture for the Internet Protocol
  RFC 2406, IP Encapsulating Security Payload (ESP)


CHAPTER 48

Encryption Interfaces Configuration Guidelines


To enable encryption interfaces, you can configure the following properties:

  Configuring Encryption Interfaces on page 995
  Configuring Filters for Traffic Transiting the ES PIC on page 997
  Configuring an ES Tunnel Interface for a Layer 3 VPN on page 1002
  Configuring ES PIC Redundancy on page 1002
  Configuring IPsec Tunnel Redundancy on page 1003

Configuring Encryption Interfaces


When you configure the encryption interface, you associate the configured SA with a logical interface. This configuration defines the tunnel, including the logical unit, tunnel addresses, maximum transmission unit (MTU), optional interface addresses, and the name of the IPsec SA to apply to traffic. To configure an encryption interface, include the following statements at the [edit interfaces es-fpc/pic/port unit logical-unit-number] hierarchy level:
family inet {
    ipsec-sa ipsec-sa;      # name of security association to apply to packet
    address address;        # local interface address inside local VPN
    destination address;    # destination address inside remote VPN
}
tunnel {
    source source-address;
    destination destination-address;
}

The addresses configured as the tunnel source and destination are the addresses in the outer IP header of the tunnel.


NOTE: You must configure the tunnel source address locally on the router, and the tunnel destination address must be a valid address for the security gateway terminating the tunnel. The ES Physical Interface Card (PIC) is supported on M Series and T Series routers.

The SA must be a valid tunnel-mode SA. The interface address and destination address listed are optional. The destination address allows the user to configure a static route to encrypt traffic. If a static route uses that destination address as the next hop, traffic is forwarded through the portion of the tunnel in which encryption occurs.

Specifying the Security Association Name for Encryption Interfaces


The security association is the set of properties that defines the protocols for encrypting Internet traffic. To configure encryption interfaces, you specify the SA name associated with the interface by including the ipsec-sa statement at the [edit interfaces es-fpc/pic/port unit logical-unit-number family inet] hierarchy level:
ipsec-sa sa-name;

For information about configuring the security association, see Configuring Filters for Traffic Transiting the ES PIC on page 997.

Configuring the MTU for Encryption Interfaces


The protocol MTU value for encryption interfaces must always be less than the default interface MTU value of 3900 bytes; the configuration fails to commit if you select a greater value. To set the MTU value, include the mtu statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:
mtu bytes;

For more information, see the Junos OS Network Interfaces Configuration Guide.

Example: Configuring an Encryption Interface


Configure an IPsec tunnel as a logical interface on the ES PIC. The logical interface specifies the tunnel through which the encrypted traffic travels. The ipsec-sa statement associates the security profile with the interface.
[edit interfaces]
es-0/0/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;            # tunnel source address
            destination 10.6.6.6;       # tunnel destination address
        }
        family inet {
            ipsec-sa manual-sa1;        # name of security association to apply to packet
            mtu 3800;
            address 10.1.1.8/32 {       # local interface address inside local VPN
                destination 10.2.2.254; # destination address inside remote VPN
            }
        }
    }
}

Configuring Filters for Traffic Transiting the ES PIC


This section contains the following topics:

  Traffic Overview on page 997
  Configuring the Security Association on page 998
  Configuring an Outbound Traffic Filter on page 999
  Applying the Outbound Traffic Filter on page 1000
  Configuring an Inbound Traffic Filter on page 1000
  Applying the Inbound Traffic Filter to the Encryption Interface on page 1001

Traffic Overview
Traffic configuration defines the traffic that must flow through the tunnel. You configure outbound and inbound firewall filters, which identify and direct traffic to be encrypted and confirm that decrypted traffic parameters match those defined for the given tunnel. The outbound filter is applied to the LAN or WAN interface for the incoming traffic you want to encrypt. The inbound filter is applied to the ES PIC to check the policy for traffic coming in from the remote host. Because of the complexity of configuring a router to forward packets, no automatic checking is done to ensure that the configuration is correct.

NOTE: The valid firewall filter statements for IPsec are destination-port, source-port, protocol, destination-address, and source-address.

In Figure 11 on page 997, Gateway A protects the network 10.1.1.0/24, and Gateway B protects the network 10.2.2.0/24. The gateways are connected by an IPsec tunnel. For more information about firewalls, see the Junos OS Routing Policy Configuration Guide.

Figure 11: Example: IPsec Tunnel Connecting Security Gateways

The SA and ES interface for security Gateway A are configured as follows:


[edit security ipsec]
security-association manual-sa1 {
    manual {
        direction bidirectional {
            protocol esp;
            spi 2312;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text 1234123412341234;
            }
            encryption {
                algorithm 3des-cbc;
                key ascii-text 123456789009876543211234;
            }
        }
    }
}
[edit interfaces es-0/1/0]
unit 0 {
    tunnel {
        source 10.5.5.5;
        destination 10.6.6.6;
    }
    family inet {
        ipsec-sa manual-sa1;
        address 10.1.1.8/32 {
            destination 10.2.2.254;
        }
    }
}

Junos 11.4 Services Interfaces Configuration Guide

Configuring the Security Association


To configure the SA, include the security-association statement at the [edit security] hierarchy level:
security-association name {
    mode (tunnel | transport);
    manual {
        direction (inbound | outbound | bi-directional) {
            auxiliary-spi auxiliary-spi-value;
            spi spi-value;
            protocol (ah | esp | bundle);
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (des-cbc | 3des-cbc);
                key (ascii-text key | hexadecimal key);
            }
        }
    }
    dynamic {
        replay-window-size (32 | 64);
        ipsec-policy policy-name;
    }
}

For more information about configuring an SA, see the Junos OS System Basics Configuration Guide. For information about applying the SA to an interface, see Specifying the Security Association Name for Encryption Interfaces on page 996.


Configuring an Outbound Traffic Filter


To configure the outbound traffic filter, include the filter statement at the [edit firewall] hierarchy level:
filter filter-name {
    term term-name {
        from {
            match-conditions;
        }
        then {
            action;
            action-modifiers;
        }
    }
}

For more information, see the Junos OS Routing Policy Configuration Guide.

Example: Configuring an Outbound Traffic Filter


Firewall filters for outbound traffic direct the traffic through the desired IPsec tunnel and ensure that the tunneled traffic goes out the appropriate interface (see Figure 11 on page 997). Here, an outbound firewall filter is created on security Gateway A; it identifies the traffic to be encrypted and adds it to the input side of the interface that carries the internal virtual private network (VPN) traffic:
[edit firewall]
filter ipsec-encrypt-policy-filter {
    term term1 {
        from {
            source-address {            # local network
                10.1.1.0/24;
            }
            destination-address {       # remote network
                10.2.2.0/24;
            }
        }
        then ipsec-sa manual-sa1;       # apply SA name to packet
    }
    term default {
        then accept;
    }
}

NOTE: The source address, port, and protocol on the outbound traffic filter must match the destination address, port, and protocol on the inbound traffic filter. The destination address, port, and protocol on the outbound traffic filter must match the source address, port, and protocol on the inbound traffic filter.


Applying the Outbound Traffic Filter


After you have configured the outbound firewall filter, you apply it by including the filter statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:
filter {
    input filter-name;
}

Example: Applying the Outbound Traffic Filter


Apply the outbound traffic filter. The outbound filter is applied on the Fast Ethernet interface at the [edit interfaces fe-0/0/1 unit 0 family inet] hierarchy level. Any packet matching the IPsec action term (term1) on the input filter (ipsec-encrypt-policy-filter), configured on the Fast Ethernet interface, is directed to the ES PIC interface at the [edit interfaces es-0/1/0 unit 0 family inet] hierarchy level. So, if a packet arrives from the source address 10.1.1.0/24 and goes to the destination address 10.2.2.0/24, the Packet Forwarding Engine directs the packet to the ES PIC interface, which is configured with the manual-sa1 SA. The ES PIC receives the packet, applies the manual-sa1 SA, and sends the packet through the tunnel. The router must have a route to the tunnel endpoint; add a static route if necessary.
[edit interfaces]
fe-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input ipsec-encrypt-policy-filter;
            }
            address 10.1.1.254/24;
        }
    }
}

Configuring an Inbound Traffic Filter


To configure an inbound traffic filter, include the filter statement at the [edit firewall] hierarchy level:
filter filter-name {
    term term-name {
        from {
            match-conditions;
        }
        then {
            action;
            action-modifiers;
        }
    }
}

For more information, see the Junos OS Routing Policy Configuration Guide.


Example: Configuring an Inbound Traffic Filter


Configure an inbound firewall filter. This filter performs the final IPsec policy check and is created on security gateway A. The policy check ensures that only packets that match the traffic configured for this tunnel are accepted.
[edit firewall]
filter ipsec-decrypt-policy-filter {
    term term1 {                        # perform policy check
        from {
            source-address {            # remote network
                10.2.2.0/24;
            }
            destination-address {       # local network
                10.1.1.0/24;
            }
        }
        then accept;
    }
}

Applying the Inbound Traffic Filter to the Encryption Interface


After you create the inbound firewall filter, you can apply it to the ES PIC. To apply the filter to the ES PIC, include the filter statement at the [edit interfaces es-fpc/pic/port unit logical-unit-number family inet filter] hierarchy level:
filter {
    input filter;
}

The input filter is the name of the filter applied to received traffic. For a configuration example, see Example: Configuring an Inbound Traffic Filter on page 1001. For more information about firewall filters, see the Junos OS Routing Policy Configuration Guide.

Example: Applying the Inbound Traffic Filter to the Encryption Interface


Apply the inbound firewall filter (ipsec-decrypt-policy-filter) to the decrypted packet to perform the final policy check. The Packet Forwarding Engine directs IPsec packets to the ES PIC. It uses the packet's security parameter index (SPI), protocol, and destination address to look up the SA configured on one of the ES interfaces. The IPsec manual-sa1 SA is referenced at the [edit interfaces es-1/2/0 unit 0 family inet] hierarchy level and is used to decrypt the incoming packet. When the packets are processed (decrypted, authenticated, or both), the input firewall filter (ipsec-decrypt-policy-filter) is applied on the decrypted packet to perform the final policy check. term1 defines the decrypted (and verified) traffic and performs the required policy check. For information about term1, see Example: Configuring an Inbound Traffic Filter on page 1001.


NOTE: The inbound traffic filter is applied after the ES PIC has processed the packet, so the decrypted traffic is defined as any traffic that the remote gateway is encrypting and sending to this router. IKE uses this filter to determine the policy required for a tunnel. This policy is used during the negotiation with the remote gateway to find the matching SA configuration.

[edit interfaces]
es-1/2/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;                # tunnel source address
            destination 10.6.6.6;           # tunnel destination address
        }
        family inet {
            filter {
                input ipsec-decrypt-policy-filter;
            }
            ipsec-sa manual-sa1;            # SA name applied to packet
            address 10.1.1.8/32 {           # local interface address inside local VPN
                destination 10.2.2.254;     # destination address inside remote VPN
            }
        }
    }
}
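The NOTE under Example: Configuring an Outbound Traffic Filter requires the inbound term to mirror the outbound term, and Traffic Overview points out that the router does no automatic check of this. The following is an added example, not Juniper code: it parses a constructed configuration snippet modelled on the Gateway A SA, filters and ES interface shown above and checks that rule offline, together with the SA binding on the ES interface. The parser, SAMPLE_CONFIG, and the check_ipsec_filters function are assumptions of this example; it understands only brace syntax, '#' comments, and the inline 'then ipsec-sa name;' action form used on this page.

```python
"""Offline consistency check for an ES PIC outbound/inbound IPsec filter pair.

Added example, not Juniper code. The NOTE's mirror rule and the SA binding on
the ES interface are checked here because the router itself does not verify them.
"""
import re

# Constructed sample (assumption): Gateway A's SA, filters and ES interface.
SAMPLE_CONFIG = """
security { ipsec { security-association manual-sa1 { manual {
    direction bidirectional { protocol esp; spi 2312; } } } } }
firewall {
    filter ipsec-encrypt-policy-filter {
        term term1 {
            from { source-address { 10.1.1.0/24; }        # local network
                   destination-address { 10.2.2.0/24; } } # remote network
            then ipsec-sa manual-sa1;                     # apply SA name to packet
        }
        term default { then accept; }
    }
    filter ipsec-decrypt-policy-filter {
        term term1 {                                      # perform policy check
            from { source-address { 10.2.2.0/24; }        # remote network
                   destination-address { 10.1.1.0/24; } } # local network
            then accept;
        }
    }
}
interfaces { es-1/2/0 { unit 0 { family inet {
    filter { input ipsec-decrypt-policy-filter; }
    ipsec-sa manual-sa1; } } } }
"""

TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")
# Conditions that swap sides between the outbound and the inbound filter.
SWAP = {"source-address": "destination-address", "destination-address": "source-address",
        "source-port": "destination-port", "destination-port": "source-port"}


def parse(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map to None."""
    node, stack, words = {}, [], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", text)):
        if tok == "{":
            node[" ".join(words)] = child = {}
            stack.append(node)
            node, words = child, []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return node

def named(node, prefix):
    """Entries such as 'term term1 { ... }' keyed by their name: {'term1': {...}}."""
    return {k.split()[1]: v for k, v in node.items() if k.startswith(prefix + " ")}

def term_match(term):
    """The term's from-conditions as {condition: frozenset(values)}."""
    conds = {}
    for key, val in term.get("from", {}).items():
        name, _, inline = key.partition(" ")             # 'protocol tcp;' is a leaf,
        conds[name] = frozenset([inline] if val is None else val)  # addresses are a block
    return conds

def check_ipsec_filters(config_text, outbound, inbound, es_ifd):
    """Return the list of problems found; an empty list means the pair is consistent."""
    cfg, problems = parse(config_text), []
    filters = named(cfg.get("firewall", {}), "filter")
    defined_sas = set(named(cfg.get("security", {}).get("ipsec", {}), "security-association"))
    bound_sas, input_filters = set(), set()
    for unit in named(cfg.get("interfaces", {}).get(es_ifd, {}), "unit").values():
        fam = unit.get("family inet", {})
        bound_sas |= set(named(fam, "ipsec-sa"))
        input_filters |= set(named(fam.get("filter", {}), "input"))
    if inbound not in input_filters:
        problems.append(f"{es_ifd}: {inbound} is not applied as the input filter")
    inbound_matches = [term_match(t) for t in named(filters.get(inbound, {}), "term").values()]
    for name, term in named(filters.get(outbound, {}), "term").items():
        # Only the inline action form 'then ipsec-sa NAME;' used on the page is recognised.
        actions = [k.split()[2] for k in term if k.startswith("then ipsec-sa ")]
        if not actions:
            continue                                      # e.g. 'term default { then accept; }'
        sa = actions[0]
        if sa not in defined_sas:
            problems.append(f"{outbound} {name}: SA {sa} is not defined under [edit security ipsec]")
        if sa not in bound_sas:
            problems.append(f"{outbound} {name}: SA {sa} is not bound to {es_ifd}")
        mirrored = {SWAP.get(k, k): v for k, v in term_match(term).items()}
        if mirrored not in inbound_matches:
            problems.append(f"{outbound} {name}: {inbound} has no term with swapped source/destination")
    return problems

if __name__ == "__main__":
    print(check_ipsec_filters(SAMPLE_CONFIG, "ipsec-encrypt-policy-filter",
                              "ipsec-decrypt-policy-filter", "es-1/2/0") or "consistent")
```

Feed it the output of a show configuration saved to a file to check a real filter pair; anything it reports is a mismatch the router would have accepted silently.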

Configuring an ES Tunnel Interface for a Layer 3 VPN


To configure an ES tunnel interface for a Layer 3 VPN, you need to configure an ES tunnel interface on the provider edge (PE) router and on the customer edge (CE) router. You also need to configure IPsec on the PE and CE routers. For more information about configuring an ES tunnel for a Layer 3 VPN, see the Junos OS VPNs Configuration Guide.

Configuring ES PIC Redundancy


You can configure ES PIC redundancy on M Series and T Series routers that have multiple ES PICs. With ES PIC redundancy, one ES PIC is active and another ES PIC is on standby. When the primary ES PIC has a servicing failure, the backup becomes active, inherits all the tunnels and SAs, and acts as the new next hop for IPsec traffic. Reestablishment of tunnels on the backup ES PIC does not require new Internet Key Exchange (IKE) negotiations. If the primary ES PIC comes online, it remains in standby and does not preempt the backup. To determine which PIC is currently active, use the show ipsec redundancy command.

NOTE: ES PIC redundancy is supported on M Series and T Series routers.

To configure an ES PIC as the backup, include the backup-interface statement at the [edit interfaces fpc/pic/port es-options] hierarchy level:
backup-interface es-fpc/pic/port;


Example: Configuring ES PIC Redundancy


After you create the inbound firewall filter, apply it to the master ES PIC. Here, the inbound firewall filter (ipsec-decrypt-policy-filter) is applied on the decrypted packet to perform the final policy check. The IPsec manual-sa1 SA is referenced at the [edit interfaces es-1/2/0 unit 0 family inet] hierarchy level and decrypts the incoming packet. This example does not show SA and filter configuration. For information about SA and filter configuration, see the Junos OS System Basics Configuration Guide, the Junos OS Routing Policy Configuration Guide, and Example: Configuring an Inbound Traffic Filter on page 1001.
[edit interfaces]
es-1/2/0 {
    es-options {
        backup-interface es-1/0/0;
    }
    unit 0 {
        tunnel {
            source 10.5.5.5;
            destination 10.6.6.6;
        }
        family inet {
            ipsec-sa manual-sa1;
            filter {
                input ipsec-decrypt-policy-filter;
            }
            address 10.1.1.8/32 {
                destination 10.2.2.254;
            }
        }
    }
}

Configuring IPsec Tunnel Redundancy


You can configure IPsec tunnel redundancy by specifying a backup destination address. The local router sends keepalives to determine the remote site's reachability. When the peer is no longer reachable, a new tunnel is established. For up to 60 seconds during failover, traffic is dropped without notification being sent. Figure 12 on page 1003 shows IPsec primary and backup tunnels.

Figure 12: IPsec Tunnel Redundancy

To configure IPsec tunnel redundancy, include the backup-destination statement at the [edit interfaces unit logical-unit-number tunnel] hierarchy level:

backup-destination address;
destination address;
source address;

NOTE: Tunnel redundancy is supported on M Series and T Series routers. The primary and backup destinations must be on different routers. The tunnels must be distinct from each other and policies must match.

For more information about tunnels, see Tunnel Properties.


CHAPTER 49

Summary of Encryption Configuration Statements


The following sections explain each of the encryption services statements. The statements are organized alphabetically.

address
Syntax:
address address {
    destination address;
}
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number family family]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the interface address.
Options:
    address: Address of the interface.
    The remaining statement is explained separately.
Usage Guidelines: See Configuring Encryption Interfaces on page 995.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

backup-destination
See backup-destination


backup-interface
Syntax:
backup-interface interface-name;
Hierarchy Level: [edit interfaces interface-name es-options]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure a backup ES Physical Interface Card (PIC). When the primary ES PIC has a servicing failure, the backup becomes active, inherits all the tunnels and security associations (SAs), and acts as the new next hop for IPsec traffic.
Options:
    interface-name: Name of the ES interface to serve as the backup.
Usage Guidelines: See Configuring ES PIC Redundancy on page 1002.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

destination
Syntax:
destination destination-address;
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number family inet address address], [edit interfaces interface-name unit logical-unit-number tunnel]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For tunnel and encryption interfaces, specify the remote address.
Options:
    destination-address: Address of the remote side of the connection.
Usage Guidelines: See Configuring Encryption Interfaces on page 995, Configuring Traffic Sampling on page 1024, and Configuring Flow Monitoring on page 1032.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


es-options
Syntax:
es-options {
    backup-interface interface-name;
}
Hierarchy Level: [edit interfaces interface-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: On ES interfaces, configure ES interface-specific interface properties. The backup-interface statement is explained separately.
Usage Guidelines: See Configuring ES PIC Redundancy on page 1002.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


family
Syntax:
family inet {
    ipsec-sa sa-name;
}
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure protocol family information for the logical interface.
Options:
    family: Protocol family:
        ccc: Circuit cross-connect protocol suite
        inet: IP version 4 suite
        inet6: IP version 6 suite
        iso: Open Systems Interconnection (OSI) International Organization for Standardization (ISO) protocol suite
        mlfr-end-to-end: Multilink Frame Relay FRF.15
        mlfr-uni-nni: Multilink Frame Relay FRF.16
        multilink-ppp: Multilink Point-to-Point Protocol
        mpls: MPLS
        tcc: Translational cross-connect protocol suite
        tnp: Trivial Network Protocol
        vpls: Virtual private LAN service
    The remaining statements are explained separately.
Usage Guidelines: See Configuring Encryption Interfaces on page 995; for a general discussion of family statement options, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation: Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


filter
Syntax:
filter {
    input filter-name;
    output filter-name;
}
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number family inet]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the filters to be applied on an interface.
Options:
    input filter-name: Identifier for the input filter.
    output filter-name: Identifier for the output filter.
Usage Guidelines: See Configuring Filters for Traffic Transiting the ES PIC on page 997.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

interfaces
Syntax:
interfaces { ... }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure interfaces on the router.
Default: The management and internal Ethernet interfaces are automatically configured. You must configure all other interfaces.
Usage Guidelines: See the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


ipsec-sa
Syntax:
ipsec-sa sa-name;
Hierarchy Level: [edit interfaces es-fpc/pic/port unit logical-unit-number family inet]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the IP Security (IPsec) SA name associated with the interface.
Options:
    sa-name: IPsec SA name.
Usage Guidelines: See Configuring Encryption Interfaces on page 995.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation: Junos OS System Basics Configuration Guide

source
Syntax:
source source-address;
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number family inet address address], [edit interfaces interface-name unit logical-unit-number tunnel]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: For tunnel and encryption interfaces, specify the source address.
Options:
    source-address: Address of the source side of the connection.
Usage Guidelines: See Configuring Encryption Interfaces on page 995, Configuring Traffic Sampling on page 1024, and Configuring Flow Monitoring on page 1032.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


tunnel
Syntax:
tunnel {
    backup-destination destination-address;
    destination destination-address;
    routing-instance {
        destination routing-instance-name;
    }
    source source-address;
    ttl number;
}
Hierarchy Level: [edit interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure a tunnel. You can use the tunnel for unicast and multicast traffic or just for multicast traffic. You can also use tunnels for encrypted traffic or virtual private networks (VPNs). The statements are explained separately.
Usage Guidelines: See Configuring Encryption Interfaces on page 995 and Tunnel Properties.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation: Junos OS VPNs Configuration Guide


unit
Syntax:
unit logical-unit-number {
    family inet {
        ipsec-sa sa-name;
    }
    tunnel {
        backup-destination destination-address;
        destination destination-address;
        routing-instance {
            destination routing-instance-name;
        }
        source source-address;
        ttl number;
    }
}
Hierarchy Level: [edit interfaces interface-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.
Options:
    logical-unit-number: Number of the logical unit.
    Range: 0 through 16,384
    The remaining statements are explained separately.
Usage Guidelines: See Configuring Encryption Interfaces on page 995; for a general discussion of logical interface properties, see the Junos OS Network Interfaces Configuration Guide.
Required Privilege Level:
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation: Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


PART 5

Flow Monitoring and Discard Accounting Services


• Flow Monitoring and Discard Accounting Overview on page 1015
• Flow Monitoring and Discard Accounting Configuration Guidelines on page 1019
• Summary of Flow-Monitoring Configuration Statements on page 1087
• Flow Collection Configuration Guidelines on page 1159
• Summary of Flow Collection Configuration Statements on page 1171
• Dynamic Flow Capture Configuration Guidelines on page 1189
• Flow-Tap Configuration Guidelines on page 1201
• Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements on page 1209


CHAPTER 50

Flow Monitoring and Discard Accounting Overview


Using a Juniper Networks M Series Multiservice Edge or T Series Core Router, a selection of PICs (including the Monitoring Services PIC, Adaptive Services [AS] PIC, Multiservices PIC, or Multiservices DPC) and other networking hardware, you can monitor traffic flow and export the monitored traffic. Monitoring traffic allows you to do the following:

• Gather and export detailed information about IP version 4 (IPv4) traffic flows between source and destination nodes in your network.
• Sample all incoming IPv4 traffic on the monitoring interface and present the data in cflowd record format.
• Perform discard accounting on an incoming traffic flow.
• Encrypt or tunnel outgoing cflowd records, intercepted IPv4 traffic, or both.
• Direct filtered traffic to different packet analyzers and present the data in its original format (port mirror).

NOTE: Monitoring Services PICs, AS PICs, and Multiservices PICs must be mounted on an Enhanced Flexible PIC Concentrator (FPC) in an M Series or T Series router. Multiservices DPCs installed in Juniper Networks MX Series 3D Universal Edge Routers support the same functionality, with the exception of the passive monitoring and flow-tap features.

This section provides general information on the following topics:


• Passive Flow Monitoring Overview on page 1015
• Active Flow Monitoring Overview on page 1016

Passive Flow Monitoring Overview


The router used for passive monitoring does not route packets from the monitored interface, nor does it run any routing protocols related to those interfaces; it only receives traffic flows, collects intercepted traffic, and exports it to cflowd servers and packet analyzers. Figure 13 on page 1016 shows a typical topology for the passive flow-monitoring application.

Figure 13: Passive Monitoring Application Topology (Router 1 and Router 2 joined by an optical splitter that feeds the passive monitoring station, an M40e, M160, M320, or T Series router, which exports to a cflowd collector and to packet analyzers)

Traffic travels normally between Router 1 and Router 2. To redirect IPv4 traffic, you insert an optical splitter on the interface between these two routers. The optical splitter copies and redirects the traffic to the monitoring station, which is an M40e, M160, M320, or T Series router. The optical cable connects only the receive port on the monitoring station, never the transmit port. This configuration allows the monitoring station to receive traffic from the router being monitored but never to transmit it back. If you are monitoring traffic flow, the Internet Processor II application-specific integrated circuit (ASIC) in the router forwards a copy of the traffic to the Monitoring Services, Adaptive Services, or Multiservices PIC in the monitoring station. If more than one monitoring PIC is installed, the monitoring station distributes the load of the incoming traffic across the multiple PICs. The monitoring PICs generate flow records in cflowd version 5 format, and the records are then exported to the cflowd collector. If you are performing lawful interception of traffic between the two routers, the Internet Processor II ASIC filters the incoming traffic and forwards it to the Tunnel Services PIC. Filter-based forwarding is then applied to direct the traffic to the packet analyzers. Optionally, the intercepted traffic or the cflowd records can be encrypted by the ES PIC or IP Security (IPsec) services and then sent to a cflowd server or packet analyzer.

Active Flow Monitoring Overview


Although the Monitoring Services PIC was designed initially for use as an offline passive flow monitoring tool, it can also be used in an active flow monitoring topology. In contrast, the AS or Multiservices PIC is designed exclusively for active flow monitoring. To use either the Monitoring Services PIC, AS PIC, or Multiservices PIC for active flow monitoring, you must install the PIC in an M Series or T Series router. The router participates in both the monitoring application and in the normal routing functionality of the network. Starting with Junos OS Release 11.4, support for active monitoring is extended to logical systems running on T Series and MX Series routers. A logical system is a partition created from a physical router that performs independent routing tasks. Several logical systems in a single router with their own interfaces, policies, instances, and routing tables can perform functions handled by several different routers. A shared services PIC handles flows from all the logical systems. Only version 9 flows, IPv4, and MPLS templates are supported. See Example: Configuring Active Monitoring on Logical Systems on page 1037 for a sample configuration that enables active monitoring on a logical system. Specified packets can be filtered and sent to the monitoring interface. For the Monitoring Services PIC, the interface name contains the mo- prefix. For the AS or Multiservices PIC, the interface name contains the sp- prefix.

NOTE: If you upgrade from the Monitoring Services PIC to the Adaptive Services or Multiservices PIC for active flow monitoring, you must change the name of your monitoring interface from mo-fpc/pic/port to sp-fpc/pic/port.

The major active flow monitoring actions you can configure at the [edit forwarding-options] hierarchy level are as follows:

• Sampling, with the [edit forwarding-options sampling] hierarchy. This option sends a copy of the traffic stream to an AS or Monitoring Services PIC, which extracts limited information (such as the source and destination IP address) from some of the packets in a flow. The original packets are forwarded to the intended destination as usual.
• Discard accounting, with the [edit forwarding-options accounting] hierarchy. This option quarantines unwanted packets, creates cflowd records that describe the packets, and discards the packets instead of forwarding them.
• Port mirroring, with the [edit forwarding-options port-mirroring] hierarchy. This option makes one full copy of all packets in a flow and delivers the copy to a single destination. The original packets are forwarded to the intended destination.
• Multiple port mirroring, with the [edit forwarding-options next-hop-group] hierarchy. This option allows multiple copies of selected traffic to be delivered to multiple destinations. (Multiple port mirroring requires a Tunnel Services PIC.)

Unlike passive flow monitoring, you do not need to configure a monitoring group. Instead, you can send filtered packets to a monitoring services or adaptive services interface (mo- or sp-) by using sampling or discard accounting. Optionally, you can configure port mirroring or multiple port mirroring to direct packets to additional interfaces. These active flow monitoring options provide a wide variety of actions that can be performed on network traffic flows. However, the following restrictions apply:

• The router can perform either sampling or port mirroring at any one time, not both.
• The router can perform either forwarding or discard accounting at any one time, not both.

Because the Monitoring Services, AS, and Multiservices PICs allow only one action to be performed at any one time, the following configuration options are available:

• Sampling and forwarding
• Sampling and discard accounting
• Port mirroring and forwarding
• Port mirroring and discard accounting
• Sampling and port mirroring on different sets of traffic

Figure 14 on page 1018 shows a sample topology.

Figure 14: Active Monitoring Configuration Topology (Router 1 on 10.1.1.x attached to ge-2/3/0; Router 2 on 10.2.2.x attached to ge-3/0/0; monitoring interface mo-2/0/0.0; cflowd server on 10.60.2.x reached through fe-1/0/0; the active monitoring router is a J Series, M Series, or T Series router; legend: accepted and forwarded traffic, sampled traffic)

In Figure 14 on page 1018, traffic from Router 1 arrives on the monitoring router's Gigabit Ethernet ge-2/3/0 interface. The exit interface on the monitoring router leading to destination Router 2 is ge-3/0/0, but this could be any interface type (such as SONET, Gigabit Ethernet, and so on). The export interface leading to the cflowd server is fe-1/0/0. To enable active monitoring, configure a firewall filter on the interface ge-2/3/0 with the following match conditions:

• Traffic matching certain firewall conditions is sent to the Monitoring Services PIC using filter-based forwarding. This traffic is quarantined and not forwarded to other routers.
• All other traffic is port-mirrored to the Monitoring Services PIC. Port mirroring copies each packet and sends the copies to the port-mirroring next hop (in this case, a Monitoring Services PIC). The original packets are forwarded out of the router as usual.


CHAPTER 51

Flow Monitoring and Discard Accounting Configuration Guidelines


To configure flow monitoring and accounting interfaces, include the following statements at the [edit interfaces] hierarchy level:
[edit interfaces]
mo-fpc/pic/port {
    unit logical-unit-number {
        family inet {
            accounting {
                destination-class-usage;
                source-class-usage direction;
            }
        }
        address address {
            destination address;
        }
        filter {
            group filter-group-number;
            input filter-name;
            output filter-name;
        }
        receive-options-packets;
        receive-ttl-exceeded;
        sampling direction;
    }
}
multiservice-options {
    (core-dump | no-core-dump);
    (syslog | no-syslog);
    flow-control-options {
        down-on-flow-control;
        dump-on-flow-control;
        reset-on-flow-control;
    }
}
(at-fpc/pic/port | fe-fpc/pic/port | ge-fpc/pic/port) {
    passive-monitor-mode;
}
so-fpc/pic/port {
    unit logical-unit-number {
        passive-monitor-mode;
    }
}

To configure flow monitoring and accounting properties, include the following statements at the [edit forwarding-options] hierarchy level:
[edit forwarding-options]
accounting name {
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            port port-number;
            version format;
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
}
monitoring name {
    family family {
        output {
            cflowd hostname port port-number;
            export-format format;
            flow-active-timeout seconds;
            flow-export-destination {
                collector-pic;
            }
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;
                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
}
next-hop-group group-names {
    interface interface-name {
        next-hop address;
    }
}
port-mirroring {
    input {
        rate rate;
        run-length number;
    }
    family (inet | inet6) {
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}
sampling {
    disable;
    sample-once;
    input {
        rate number;
        run-length number;
        max-packets-per-second number;
        maximum-packet-length bytes;
    }
    traceoptions {
        no-remote-trace;
        file filename <files number> <size bytes> <match expression> <world-readable | no-world-readable>;
    }
    family (inet | inet6 | mpls) {
        disable;
        output {
            aggregate-export-interval seconds;
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            extension-service service-name;
            flow-server hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                (local-dump | no-local-dump);
                port port-number;
                source-address address;
                version format;
                version9 {
                    template template-name;
                }
            }
            interface interface-name {
                engine-id number;
                engine-type number;
                source-address address;
            }
            file {
                disable;
                filename filename;
                files number;
                size bytes;
                (stamp | no-stamp);
                (world-readable | no-world-readable);
            }
        }
    }
    instance instance-name {
        disable;
        input {
            rate number;
            run-length number;
            max-packets-per-second number;
            maximum-packet-length bytes;
        }
        family (inet | inet6 | mpls) {
            disable;
            output {
                aggregate-export-interval seconds;
                flow-active-timeout seconds;
                flow-inactive-timeout seconds;
                extension-service service-name;
                flow-server hostname {
                    aggregation {
                        autonomous-system;
                        destination-prefix;
                        protocol-port;
                        source-destination-prefix {
                            caida-compliant;
                        }
                        source-prefix;
                    }
                    autonomous-system-type (origin | peer);
                    (local-dump | no-local-dump);
                    port port-number;
                    source-address address;
                    version format;
                    version9 {
                        template template-name;
                    }
                }
                interface interface-name {
                    engine-id number;
                    engine-type number;
                    source-address address;
                }
                inline-jflow {
                    source-address address;
                    flow-export-rate rate;
                }
            }
        }
    }
}

NOTE: For the complete [edit forwarding-options] hierarchy, see the Junos OS Routing Policy Configuration Guide. This section documents only the statements used in flow monitoring and accounting services.

To configure flow monitoring that uses cflowd version 9, include the following statements at the [edit services] hierarchy level:
[edit services]
flow-monitoring {
    version9 {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            ipv6-template;
            mpls-template {
                label-position [ positions ];
            }
            mpls-ipv4-template {
                label-position [ positions ];
            }
            peer-as-billing-template;
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }
}

This chapter contains the following sections:


Configuring Traffic Sampling on page 1024
Configuring Flow Monitoring on page 1032
Example: Configuring Active Monitoring on Logical Systems on page 1037
Enabling Flow Aggregation on page 1039
Configuring Flow Aggregation to Use Version 5 or Version 8 cflowd on page 1040
Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043
Configuring Sampling Instances on page 1051
Configuring Inline Flow Monitoring on page 1053
Configuring Inline Flow Monitoring on MX80 Routers on page 1055
Directing Replicated Flows to Multiple Flow Servers on page 1056
Logging cflowd Flows Before Export on page 1059
Configuring Port Mirroring on page 1059
Load Balancing Among Multiple Monitoring Interfaces on page 1073
Configuring Discard Accounting on page 1076
Enabling Passive Flow Monitoring on page 1077
Configuring Services Interface Redundancy with Flow Monitoring on page 1084

Configuring Traffic Sampling


Traffic sampling enables you to copy traffic to a Physical Interface Card (PIC) that performs flow accounting while the router forwards the packet to its original destination. You can configure the router to perform sampling in either of two locations:

On the Routing Engine, using the sampled process. To select this method, use a filter (input or output) with a matching term that contains the then sample statement.

On the Monitoring Services, Adaptive Services, or Multiservices PIC.

NOTE: Routing Engine based sampling is not supported on VPN routing and forwarding (VRF) instances.

The following sections provide configuration instructions for traffic sampling:


Minimum Configuration for Traffic Sampling on page 1024
Configuring Traffic Sampling on page 1025
Disabling Traffic Sampling on page 1026
Sampling Once on page 1027
Configuring Traffic Sampling Output on page 1027
Tracing Traffic Sampling Operations on page 1029
Traffic Sampling Examples on page 1029

Minimum Configuration for Traffic Sampling


To configure traffic sampling on a logical interface, you must perform at least the following tasks:

Create a firewall filter to apply to the logical interfaces being sampled by including the filter statement at the [edit firewall family family-name] hierarchy level. In the filter then statement, you must specify the action modifier sample and the action accept.
filter filter-name {
    term term-name {
        then {
            sample;
            accept;
        }
    }
}

For more information about firewall filter actions and action modifiers, see the Junos OS Routing Policy Configuration Guide.

Apply the filter to the interfaces on which you want to sample traffic by including the address and filter statements at the [edit interfaces interface-name unit logical-unit-number family family-name] hierarchy level:
address address {
    destination destination-address;
}
filter {
    input filter-name;
}

Enable sampling and specify a nonzero sampling rate by including the sampling statement at the [edit forwarding-options] hierarchy level:
sampling {
    input {
        rate number;
        run-length number;
        max-packets-per-second number;
        maximum-packet-length bytes;
    }
}

Configuring Traffic Sampling


To configure traffic sampling on any logical interface, include the input statement at the [edit forwarding-options sampling] hierarchy level:
input {
    rate number;
    run-length number;
    max-packets-per-second number;
    maximum-packet-length bytes;
}

When you use Routing Engine-based sampling, specify the threshold traffic value by including the max-packets-per-second statement. The value is the maximum number of packets to be sampled, beyond which the sampling mechanism begins dropping packets. The range is from 0 through 65,535. A value of 0 instructs the Packet Forwarding Engine not to sample any packets. The default value is 1000.

NOTE: When you configure active monitoring and specify a Monitoring Services, Adaptive Services, or Multiservices PIC in the output statement, the max-packets-per-second value is ignored.


Specify the sampling rate by setting the values for rate and run-length (see Figure 15 on page 1026).

Figure 15: Configure Sampling Rate

The rate statement specifies the ratio of packets to be sampled. For example, if you configure a rate of 10, x packets out of every 10 are sampled, where x = run-length + 1. By default, the rate is 0, which means that no traffic is sampled. The run-length statement specifies the number of matching packets to sample following the initial one-packet trigger event. By default, the run-length is 0, which means that no more traffic is sampled after the trigger event. The range is from 0 through 20. Configuring a run length greater than 0 allows you to sample the packets that immediately follow each triggering packet.
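As an added illustration (not Juniper code), the following Python model applies the rate, run-length and max-packets-per-second semantics described above to a constructed packet sequence. It assumes that every rate-th matching packet is the trigger event, which the guide does not specify.

```python
"""Model of the Junos traffic-sampling parameters rate, run-length and
max-packets-per-second (added example; not Juniper code).

Assumption: every rate-th matching packet is the trigger event.  The guide
only gives the ratio, not how the Packet Forwarding Engine picks packets.
"""
from collections import Counter
from fractions import Fraction
from typing import Iterable, List, Tuple


def sampling_fraction(rate: int, run_length: int) -> Fraction:
    """Share of matching packets sampled: (run-length + 1) out of every `rate`.

    rate 0 disables sampling; run-length is limited to 0 through 20.
    """
    if rate < 0 or not 0 <= run_length <= 20:
        raise ValueError("rate must be >= 0 and run-length must be 0..20")
    if rate == 0:
        return Fraction(0)
    return Fraction(min(run_length + 1, rate), rate)


def select_samples(rate: int, run_length: int, max_pps: int,
                   packets: Iterable[Tuple[int, int]]) -> Tuple[List[int], int]:
    """Return (sequence numbers sampled, packets dropped by the per-second cap).

    packets: (sequence number, arrival second) pairs in arrival order.
    max_pps 0 means no packet is sampled at all, matching the documented
    meaning of max-packets-per-second 0.
    """
    sampling_fraction(rate, run_length)      # validate the parameters
    sampled: List[int] = []
    dropped = 0
    per_second: Counter = Counter()          # samples already taken in each second
    remaining_run = 0                        # follow-up packets still owed to the current run
    for seq, second in packets:
        if rate == 0:
            break                            # sampling disabled
        if seq % rate == 0:                  # trigger event (modelled deterministically)
            remaining_run = run_length
        elif remaining_run > 0:
            remaining_run -= 1               # one of the run-length follow-up packets
        else:
            continue                         # not selected
        if per_second[second] >= max_pps:
            dropped += 1                     # cap reached for this second
            continue
        per_second[second] += 1
        sampled.append(seq)
    return sampled, dropped
```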

NOTE: The run-length and maximum-packet-length configuration statements are not supported on MX80 routers.

If you do not include the input statement, sampling is disabled. To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling output] hierarchy level. Output file formats are discussed later in the chapter.

Disabling Traffic Sampling


To explicitly disable traffic sampling on the router, include the disable statement at the [edit forwarding-options sampling] hierarchy level:
disable;


Sampling Once
To explicitly sample a packet for active monitoring only once, include the sample-once statement at the [edit forwarding-options sampling] hierarchy level:
sample-once;

Setting this option avoids duplication of packets in cases where sampling is enabled at both the ingress and egress interfaces and simplifies analysis of the sampled traffic.

Configuring Traffic Sampling Output


To configure traffic sampling output, include the following statements at the [edit forwarding-options sampling family (inet | inet6 | mpls) output] hierarchy level:
aggregate-export-interval seconds;
flow-active-timeout seconds;
flow-inactive-timeout seconds;
extension-service service-name;
flow-server hostname {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    source-address address;
    version format;
    version9 {
        template template-name;
    }
}
interface interface-name {
    engine-id number;
    engine-type number;
    source-address address;
}
file {
    disable;
    filename filename;
    files number;
    size bytes;
    (stamp | no-stamp);
    (world-readable | no-world-readable);
}

To configure inline flow monitoring on MX Series routers, include the inline-jflow statement at the [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output] hierarchy level. Inline sampling exclusively supports a new format called IPFIX that uses UDP as the transport protocol. When you configure inline sampling, you must include the version-ipfix statement at the [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server address] hierarchy level and also at the [edit services flow-monitoring] hierarchy level. For more information about configuring inline flow monitoring, see Configuring Inline Flow Monitoring on page 1053.

To direct sampled traffic to a flow-monitoring interface, include the interface statement. The engine-id and engine-type statements specify the identity and type numbers of the interface; they are dynamically generated based on the Flexible PIC Concentrator (FPC), PIC, and slot numbers and the chassis type. The source-address statement specifies the traffic source.

To configure flow sampling version 9 output, you need to include the template statement at the [edit forwarding-options sampling output version9] hierarchy level. For information on cflowd, see Enabling Flow Aggregation on page 1039. The aggregate-export-interval statement is described in Configuring Discard Accounting on page 1076, and the flow-active-timeout and flow-inactive-timeout statements are described in Configuring Flow Monitoring on page 1032.

Traffic sampling results are automatically saved to a file in the /var/tmp directory. To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling family inet output] hierarchy level:
file {
    disable;
    filename filename;
    files number;
    size bytes;
    (stamp | no-stamp);
    (world-readable | no-world-readable);
}

Traffic Sampling Output Format


Traffic sampling output is saved to an ASCII text file. The following is an example of the traffic sampling output that is saved to a file in the /var/tmp directory. Each line in the output file contains information for one sampled packet. You can optionally display a timestamp for each line. The column headers are repeated after each group of 1000 packets.
# Apr 7 15:48:50
# Time           Dest            Src             Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
#                addr            addr            port  port              len  num   frag  flags
Apr 7 15:48:54   192.168.9.194   192.168.9.195   0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:55   192.168.9.194   192.168.9.195   0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:56   192.168.9.194   192.168.9.195   0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:57   192.168.9.194   192.168.9.195   0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:58   192.168.9.194   192.168.9.195   0     0     1      0x0  84   8     0x0   0x0

To set the timestamp option for the file my-sample, enter the following:
[edit forwarding-options sampling output file]
user@host# set filename my-sample files 5 size 2m world-readable stamp;

Whenever you toggle the timestamp option, a new header is included in the file. If you set the stamp option, the Time field is displayed.
# Apr 7 15:48:50
# Time           Dest            Src             Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
#                addr            addr            port  port              len  num   frag  flags
# Feb 1 20:31:21
# Dest            Src             Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
# addr            addr            port  port              len  num   frag  flags
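The parser below, added here as an example and not part of the Juniper guide, reads this ASCII output format: it uses the column-name header rows to detect whether the Time column is present (the stamp option) and converts each record into typed fields. The embedded input is constructed to mirror the layout shown above.

```python
"""Parser for the ASCII traffic-sampling file that Junos writes under /var/tmp
(added example; not Juniper code).  The column layout follows the sample
output above; the embedded input below is constructed for the example."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class SampledPacket:
    time: Optional[str]      # "Apr 7 15:48:54" when the stamp option is set, else None
    dst_addr: str
    src_addr: str
    dst_port: int
    src_port: int
    proto: int
    tos: int
    pkt_len: int
    intf_num: int
    ip_frag: int
    tcp_flags: int


def parse_sample_file(lines: Iterable[str]) -> List[SampledPacket]:
    """Parse the file line by line.

    Lines starting with '#' are headers: a header timestamp, then two rows of
    column names.  The first of those rows starts with 'Time' only when the
    stamp option is on, and a new header is written whenever stamp is toggled,
    so the layout is re-evaluated at every header.
    """
    packets: List[SampledPacket] = []
    has_time = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            tokens = line[1:].split()
            if "Dest" in tokens:              # first column-name row
                has_time = tokens[0] == "Time"
            continue                           # header timestamp or second column-name row
        tokens = line.split()
        time = None
        if has_time:
            time, tokens = " ".join(tokens[:3]), tokens[3:]
        if len(tokens) != 10:
            raise ValueError(f"unexpected field count: {raw!r}")
        dst, src, *numbers = tokens
        values = [int(v, 0) for v in numbers]  # base 0 accepts both '84' and '0x0'
        packets.append(SampledPacket(time, dst, src, *values))
    return packets


# Constructed input: two stamped records, then stamp turned off (new header).
SAMPLE_FILE = """\
# Apr 7 15:48:50
# Time     Dest            Src             Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
#          addr            addr            port  port              len  num   frag  flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
# Feb 1 20:31:21
# Dest            Src             Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
# addr            addr            port  port              len  num   frag  flags
192.168.9.194 192.168.9.195 0 0 6 0x0 60 8 0x0 0x2
"""


def bytes_per_source(packets: List[SampledPacket]) -> dict:
    """Sum sampled packet lengths per source address (a first triage view)."""
    totals: dict = {}
    for p in packets:
        totals[p.src_addr] = totals.get(p.src_addr, 0) + p.pkt_len
    return totals
```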

Tracing Traffic Sampling Operations


Tracing operations track all traffic sampling operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/sampled. The default file size is 128K, and 10 files are created before the first one gets overwritten. To trace traffic sampling operations, include the traceoptions statement at the [edit forwarding-options sampling] hierarchy level:
traceoptions {
    no-remote-trace;
    file filename <files number> <size bytes> <match expression> <world-readable | no-world-readable>;
}

Traffic Sampling Examples


The following sections provide examples of configuring traffic sampling:

Example: Sampling a Single SONET/SDH Interface on page 1029
Example: Sampling All Traffic from a Single IP Address on page 1030
Example: Sampling All FTP Traffic on page 1031

Example: Sampling a Single SONET/SDH Interface


The following configuration gathers statistical sampling information from a small percentage of all traffic on a single SONET/SDH interface and collects it in a file named sonet-samples.txt. Create the filter:
[edit firewall family inet]
filter sample-sonet {
    term 1 {
        then {
            sample;
            accept;
        }
    }
}

Apply the filter to the SONET/SDH interface:


[edit interfaces]
so-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input sample-sonet;
            }
            address 10.127.68.254/32 {
                destination 172.16.74.7;
            }
        }
    }
}

Finally, configure traffic sampling:


[edit forwarding-options]
sampling {
    input {
        family inet {
            rate 100;
            run-length 2;
        }
    }
    family inet {
        output {
            file {
                filename sonet-samples.txt;
                files 40;
                size 5m;
            }
        }
    }
}

Example: Sampling All Traffic from a Single IP Address


The following configuration gathers statistical information about every packet entering the router on a specific Gigabit Ethernet port originating from a single source IP address of 172.16.92.31, and collects it in a file named samples-172-16-92-31.txt. Create the filter:
[edit firewall family inet]
filter one-ip {
    term get-ip {
        from {
            source-address 172.16.92.31;
        }
        then {
            sample;
            accept;
        }
    }
}

Apply the filter to the Gigabit Ethernet interface:

[edit interfaces]
ge-4/1/1 {
    unit 0 {
        family inet {
            filter {
                input one-ip;
            }
            address 10.45.92.254;
        }
    }
}

Finally, gather statistics on all the candidate samples; in this case, gather all statistics:
[edit forwarding-options]
sampling {
    input {
        family inet {
            rate 1;
        }
    }
    family inet {
        output {
            file {
                filename samples-172-16-92-31.txt;
                files 100;
                size 100k;
            }
        }
    }
}

Example: Sampling All FTP Traffic


The following configuration gathers statistical information about a moderate percentage of packets using the FTP data transfer protocol in the output path of a specific T3 interface, and collects the information in a file named t3-ftp-traffic.txt. Create a filter:
[edit firewall family inet]
filter ftp-stats {
    term ftp-usage {
        from {
            destination-port [ftp ftp-data];
        }
        then {
            sample;
            accept;
        }
    }
}

Apply the filter to the T3 interface:


[edit interfaces]
t3-7/0/2 {
    unit 0 {
        family inet {
            filter {
                input ftp-stats;
            }
            address 10.35.78.254/32 {
                destination 10.35.78.4;
            }
        }
    }
}

Finally, gather statistics on 10 percent of the candidate samples:


[edit forwarding-options]
sampling {
    input {
        family inet {
            rate 10;
        }
    }
    family inet {
        output {
            file {
                filename t3-ftp-traffic.txt;
                files 50;
                size 1m;
            }
        }
    }
}

Configuring Flow Monitoring


The flow-monitoring application performs traffic flow monitoring and enables lawful interception of traffic between two routers. Traffic flows can either be passively monitored by an offline router or actively monitored by a router participating in the network. To configure flow monitoring you need to do the following:

Configuring Flow-Monitoring Interfaces on page 1032
Configuring Flow-Monitoring Properties on page 1034
Example: Configuring Flow Monitoring on page 1036

Configuring Flow-Monitoring Interfaces


To enable flow monitoring on the Monitoring Services PIC, include the mo-fpc/pic/port statement at the [edit interfaces] hierarchy level:
mo-fpc/pic/port {
    unit logical-unit-number {
        family inet {
            address address {
                destination address;
            }
            filter {
                group filter-group-number;
                input filter-name;
                output filter-name;
            }
            sampling {
                [ input output ];
            }
        }
    }
    multiservice-options {
        (core-dump | no-core-dump);
        (syslog | no-syslog);
        flow-control-options {
            down-on-flow-control;
            dump-on-flow-control;
            reset-on-flow-control;
        }
    }
}

Specify the physical and logical location of the flow-monitoring interface. You cannot use unit 0, because it is already used by internal processes. Specify the source and destination addresses. The filter statement allows you to associate an input or output filter or a filter group that you have already configured for this purpose. The sampling statement specifies the traffic direction: input, output, or both. The multiservice-options statement allows you to configure properties related to flow-monitoring interfaces:

Include the core-dump statement to enable storage of core files in /var/tmp.

Include the syslog statement to enable storage of system logging information in /var/log.

NOTE: Boot images for monitoring services interfaces are specified at the [edit chassis images pic] hierarchy level. You must include the following configuration to make the flow monitoring feature operable:
[edit system]
ntp {
    boot-server ntp.juniper.net;
    server 172.17.28.5;
}
processes {
    ntp enable;
}

For more information, see the Junos OS System Basics Configuration Guide.

Include the flow-control-options statement to configure flow control.


Configuring Flow-Monitoring Properties


To configure flow-monitoring properties, include the monitoring statement at the [edit forwarding-options] hierarchy level:
monitoring name {
    family inet {
        output {
            cflowd hostname port port-number;
            export-format format;
            flow-active-timeout seconds;
            flow-export-destination {
                collector-pic;
            }
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;
                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
}

A monitoring instance is a named entity that specifies collector information under the monitoring name statement. The following sections describe the properties you can configure:

Directing Traffic to Flow-Monitoring Interfaces on page 1034
Exporting Flows on page 1035
Configuring Time Periods when Flow Monitoring is Active and Inactive on page 1035

Directing Traffic to Flow-Monitoring Interfaces


To direct traffic to a flow-monitoring interface, include the interface statement at the [edit forwarding-options monitoring name output] hierarchy level. By default, the Junos OS automatically assigns values for the engine-id and engine-type statements:

engine-id: Monitoring interface location.

engine-type: Platform-specific monitoring interface type.

The source-address statement specifies the traffic source for transmission of cflowd information; you must configure it manually. If you provide a different source-address statement for each monitoring services output interface, you can track which interface processes a particular cflowd record. By default, the input-interface-index value is the SNMP index of the input interface. You can override the default by including a specific value. The input-interface-index and output-interface-index values are exported in fields present in the cflowd version 5 flow format.


NOTE: On J Series Services Routers, cflowd sampling in the input direction of an interface reports the output interface index as 0.

Exporting Flows
To direct traffic to a flow collection interface, include the flow-export-destination statement. For more information about flow collection, see Flow Collection. To configure the cflowd version number, include the export-format statement at the [edit forwarding-options monitoring name output] hierarchy level. By default, version 5 is used. Version 8 enables the router software to aggregate the flow information using broader criteria and reduce cflowd traffic. Version 8 aggregation is performed periodically (every few seconds) on active flows and when flows are allowed to expire. Because the aggregation is performed periodically, active timeout events are ignored. For more information on cflowd properties, see Enabling Flow Aggregation on page 1039.

Configuring Time Periods when Flow Monitoring is Active and Inactive


To configure time periods for active flow monitoring and intervals of inactivity, include the flow-active-timeout and flow-inactive-timeout statements at the [edit forwarding-options monitoring name output] hierarchy level:

The flow-active-timeout statement specifies the time interval between flow exports for active flows. If the interval between the time the last packet was received and the time the flow was last exported exceeds the configured value, the flow is exported. This timer is needed to provide periodic updates when a flow has a long duration. The active timeout setting enables the router to retain the start time for the flow as a constant and send out periodic cflowd reports. This in turn allows the collector to register the start time and determine that a flow has survived for a duration longer than the configured active timeout.

NOTE: In active flow monitoring, the cflowd records are exported after a time period that is a multiple of 60 seconds and greater than or equal to the configured active timeout value. For example, if the active timeout value is 90 seconds, the cflowd records are exported at 120-second intervals. If the active timeout value is 150 seconds, the cflowd records are exported at 180-second intervals, and so forth.

The flow-inactive-timeout statement specifies the interval of inactivity for a flow that triggers the flow export. If the interval between the current time and the time that the last packet for this flow was received exceeds the configured inactive timeout value, the flow is allowed to expire. If the flow stops transmitting for longer than the configured inactive timeout value, the router purges it from the flow table and exports the cflowd record. As a result, the flow is forgotten as far as the PIC is concerned and if the same 5-tuple appears again, it is assigned a new start time and considered a new flow.


Both timers are necessary. The active timeout setting is needed to provide information for flows that constantly transmit packets for a long duration. The inactive timeout setting enables the router to purge flows that have become inactive and would waste tracking resources.
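As an added example (not Juniper code), the following Python model runs both timers over a constructed packet stream: flows that fall silent are exported and purged after the inactive timeout, long-lived flows are reported periodically with their start time retained, and the export period is rounded up to a multiple of 60 seconds as the note above describes. Resetting the counters after each periodic export is an assumption of this model.

```python
"""Model of a flow table driven by flow-active-timeout and flow-inactive-timeout
(added example; not Juniper code).  The 60-second rounding of the active export
period follows the note above; resetting counters after each export is an
assumption of this model, not something the guide states."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # src addr, dst addr, src port, dst port, protocol


def export_interval(active_timeout: int) -> int:
    """Active-flow records go out at the first multiple of 60 s that is >= the timeout."""
    return -(-active_timeout // 60) * 60  # ceiling division without float rounding


@dataclass
class Flow:
    start: int          # first-packet time; kept constant across periodic exports
    last_packet: int
    last_export: int
    packets: int = 0
    bytes: int = 0


@dataclass
class FlowTable:
    active_timeout: int
    inactive_timeout: int
    flows: Dict[FiveTuple, Flow] = field(default_factory=dict)
    exported: List[dict] = field(default_factory=list)

    def packet(self, key: FiveTuple, now: int, length: int) -> None:
        """Account one packet; a 5-tuple not in the table starts a new flow."""
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(start=now, last_packet=now, last_export=now)
        flow.last_packet = now
        flow.packets += 1
        flow.bytes += length

    def tick(self, now: int) -> List[dict]:
        """Run both timers; call once per 60 s (the export period granularity)."""
        period = export_interval(self.active_timeout)
        out: List[dict] = []
        for key, flow in list(self.flows.items()):
            if now - flow.last_packet > self.inactive_timeout:
                # Inactive: export the record and purge the flow; a later packet
                # with the same 5-tuple gets a new start time and is a new flow.
                out.append(self._export(key, flow, now, "inactive"))
                del self.flows[key]
            elif now - flow.last_export >= period:
                # Long-lived active flow: periodic report, start time retained.
                out.append(self._export(key, flow, now, "active"))
                flow.last_export = now
                flow.packets = flow.bytes = 0   # assumption: counters restart per report
        self.exported.extend(out)
        return out

    def _export(self, key: FiveTuple, flow: Flow, now: int, reason: str) -> dict:
        return {"key": key, "reason": reason, "exported_at": now,
                "start": flow.start, "end": flow.last_packet,
                "packets": flow.packets, "bytes": flow.bytes}
```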

NOTE: The router must contain an Adaptive Services, Multiservices, or Monitoring Services PIC for the flow-active-timeout and flow-inactive-timeout statements to take effect.

Example: Configuring Flow Monitoring


The following is an example of flow-monitoring properties configured to support input SONET/SDH interfaces, output monitoring services interfaces, and export to cflowd for flow analysis. To complete the configuration, you also need to configure the interfaces and set up a virtual private network (VPN) routing and forwarding (VRF) instance. For a complete example, see the Junos OS Feature Guides. For information on cflowd, see Enabling Flow Aggregation on page 1039.
[edit forwarding-options]
monitoring group1 {
    family inet {
        output {
            cflowd 192.168.245.2 port 2055;
            export-format cflowd-version-5;
            flow-active-timeout 60;
            flow-inactive-timeout 30;
            interface mo-4/0/0.1 {
                engine-id 1;
                engine-type 1;
                input-interface-index 44;
                output-interface-index 54;
                source-address 192.168.245.1;
            }
            interface mo-4/1/0.1 {
                engine-id 2;
                engine-type 1;
                input-interface-index 45;
                output-interface-index 55;
                source-address 192.168.245.1;
            }
            interface mo-4/2/0.1 {
                engine-id 3;
                engine-type 1;
                input-interface-index 46;
                output-interface-index 56;
                source-address 192.168.245.1;
            }
            interface mo-4/3/0.1 {
                engine-id 4;
                engine-type 1;
                input-interface-index 47;
                output-interface-index 57;
                source-address 192.168.245.1;
            }
        }
    }
}

Example: Configuring Active Monitoring on Logical Systems


This example shows a sample configuration that allows you to configure active monitoring on a logical system. The following section shows the configuration on the master router:
[edit forwarding-options]
sampling {
    instance inst1 {
        input {
            rate 1;
        }
        family inet {
            output {
                flow-server 2.2.2.2 {
                    port 2055;
                    version9 {
                        template {
                            ipv4;
                        }
                    }
                }
                interface sp-0/1/0 {
                    source-address 10.11.12.13;
                }
            }
        }
        family mpls {
            output {
                flow-server 2.2.2.2 {
                    port 2055;
                    version9 {
                        template {
                            mpls;
                        }
                    }
                }
                interface sp-0/1/0 {
                    source-address 10.11.12.13;
                }
            }
        }
    }
}
[edit services]
flow-monitoring {
    version9 {
        template ipv4 {
            flow-active-timeout 60;
            flow-inactive-timeout 60;
            ipv4-template;
            template-refresh-rate {
                packets 1000;
                seconds 10;
            }
            option-refresh-rate {
                packets 1000;
                seconds 10;
            }
        }
        template mpls {
            mpls-template;
        }
    }
}

The configuration for the logical router uses the input parameters and the output interface for sampling from the master router. Each logical router should have separate template definitions for the flow-server configuration. The following section shows the configuration on the logical router:
logical-systems {
    ls-1 {
        firewall {
            family inet {
                filter test-sample {
                    term term-1 {
                        then {
                            sample;
                            accept;
                        }
                    }
                }
            }
        }
        interfaces {
            ge-0/0/1 {
                unit 0 {
                    family inet {
                        filter {
                            input test-sample;
                            output test-sample;
                        }
                    }
                }
            }
        }
        forwarding-options {
            sampling {
                instance sample-inst1 {
                    family inet {
                        output {
                            flow-server 2.2.2.2 {
                                port 2055;
                                version9 {
                                    template {
                                        ipv4-ls1;
                                    }
                                }
                            }
                        }
                    }
                    family mpls {
                        output {
                            flow-server 2.2.2.2 {
                                port 2055;
                                version9 {
                                    template {
                                        mpls-ls1;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        services {
            flow-monitoring {
                version9 {
                    template ipv4-ls1 {
                        flow-active-timeout 60;
                        flow-inactive-timeout 60;
                        ipv4-template;
                        template-refresh-rate {
                            packets 1000;
                            seconds 10;
                        }
                        option-refresh-rate {
                            packets 1000;
                            seconds 10;
                        }
                    }
                    template mpls-ls1 {
                        mpls-template;
                    }
                }
            }
        }
    }
}

Enabling Flow Aggregation


You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs either the cflowd application available from CAIDA (http://www.caida.org) or the newer version 9 format defined in RFC 3954, Cisco Systems NetFlow Services Export Version 9. Before you can perform flow aggregation, the routing protocol process must export the autonomous system (AS) path and routing information to the sampling process. To do this, include the route-record statement at the [edit routing-options] hierarchy level (for routing instances, include the statement at the [edit routing-instances routing-instance-name routing-options] hierarchy level):
[edit routing-instances routing-instance-name routing-options]
route-record;

By default, flow aggregation is disabled. By using flow aggregation, you can obtain various types of byte and packet counts of flows through a router. The application collects the sampled flows over a period of 1 minute. At the end of the minute, the number of samples to be exported are divided over the period of another minute and are exported over the course of the same minute. You configure flow aggregation in different ways, depending on whether you want to export flow records in cflowd version 5 or 8 format, or the separate version 9 format. The latter allows you to sample MPLS, IPv4, IPv6, and peer AS billing traffic. You can also combine configuration statements between the MPLS and IPv4 formats.

NOTE: When PIC-based sampling is enabled, collection of flow statistics for sampled packets on flows in virtual private networks (VPNs) is also supported. No additional CLI configuration is required.

For configuration instructions for flow aggregation, see the following sections:

Configuring Flow Aggregation to Use Version 5 or Version 8 cflowd on page 1040
Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043
Directing Replicated Flows to Multiple Flow Servers on page 1056
Logging cflowd Flows Before Export on page 1059

Configuring Flow Aggregation to Use Version 5 or Version 8 cflowd


To enable the collection of cflowd version 5 or version 8 flow formats, include the flow-server statement:
flow-server hostname {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    version format;
}


You can include this statement at the following hierarchy levels:


[edit forwarding-options sampling family (inet | inet6 | mpls) output]
[edit forwarding-options sampling instance instance-name output]
[edit forwarding-options accounting name output cflowd hostname]

You must configure the family inet statement on logical interface unit 0 on the monitoring interface, as in the following example:
[edit interfaces]
sp-3/0/0 {
    unit 0 {
        family inet {
            ...
        }
    }
}

NOTE: Boot images for monitoring services interfaces are specified at the [edit chassis images pic] hierarchy level. You must enable the NTP client to make the cflowd feature operable, by including the following configuration:
[edit system]
ntp {
    boot-server ntp.juniper.net;
    server 172.17.28.5;
}
processes {
    ntp enable;
}

For more information, see the Junos OS System Basics Configuration Guide.

You can also configure cflowd version 5 for flow-monitoring applications by including the cflowd statement at the [edit forwarding-options monitoring name family inet output] hierarchy level:
cflowd hostname {
    port port-number;
}

The following restrictions apply to cflowd flow formats:

• You can configure up to one version 5 and one version 8 flow format at the [edit forwarding-options accounting name output] hierarchy level.
• You can configure only one version 5 or one version 8 flow format at the [edit forwarding-options sampling family (inet | inet6 | mpls) output] hierarchy level for Routing Engine-based sampling by including the flow-server statement. In contrast, PIC-based sampling allows you to specify one cflowd version 5 server and one version 8 server simultaneously. However, the two cflowd servers must have different IP addresses.
• You can configure up to eight version 5 flow formats at the [edit forwarding-options monitoring name output] hierarchy level.
• Version 8 flow formats and aggregation are not supported for flow-monitoring applications.
• Outbound Routing Engine traffic is not sampled. A firewall filter is applied as output on the egress interface, which samples packets and exports the data. For transit traffic, egress sampling works correctly. For internal traffic, the next hop is installed in the Packet Forwarding Engine but sampled packets are not exported.
• Flows are created on the monitoring PIC only after the route record resynchronization operation is complete, which is 60 seconds after the PIC comes up. Any packets sent to the PIC are dropped until the synchronization process is complete.
• The configuration includes a proprietary v5 extension template for supporting 4-byte AS information in flow records. Its template version is set to 500, indicating that it is proprietary. All other fields remain the same; the source AS and destination AS are each 4 bytes long, rather than 2 bytes as in the traditional v5 template. This option is available at the [edit forwarding-options sampling family inet output flow-server server-name version] hierarchy level.

In the cflowd statement, specify the name or identifier of the host that collects the flow aggregates. You must also include the User Datagram Protocol (UDP) port number on the host and the version, which gives the format of the exported cflowd aggregates. To collect cflowd records in a log file before exporting, include the local-dump statement.

NOTE: You can specify both host (cflowd) sampling and port mirroring in the same configuration; however, only one action takes effect at any one time. Port mirroring takes precedence. For more information, see Configuring Port Mirroring on page 1059.

For cflowd version 8 only, you can specify aggregation of specific types of traffic by including the aggregation statement. This conserves memory and bandwidth by enabling cflowd to export targeted flows rather than all aggregated traffic. To specify a flow type, include the aggregation statement:
aggregation {
    autonomous-system;
    destination-prefix;
    protocol-port;
    source-destination-prefix {
        caida-compliant;
    }
    source-prefix;
}

You can include this statement at the following hierarchy levels:

[edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]

[edit forwarding-options accounting name output cflowd hostname]


• The autonomous-system statement configures aggregation by the AS number; this statement might require setting the separate cflowd autonomous-system-type statement to include either origin or peer AS numbers. The origin option specifies to use the origin AS of the packet source address in the Source Autonomous System cflowd field. The peer option specifies to use the peer AS through which the packet passed in the Source Autonomous System cflowd field. By default, cflowd exports the origin AS number.
• The destination-prefix statement configures aggregation by the destination prefix only.
• The protocol-port statement configures aggregation by the protocol and port number; it requires setting the separate cflowd port statement.
• The source-destination-prefix statement configures aggregation by the source and destination prefix. Version 2.1b1 of CAIDA's cflowd application does not record source and destination mask length values in compliance with CAIDA's cflowd Configuration Guide, dated August 30, 1999. If you configure the caida-compliant statement, the Junos OS complies with Version 2.1b1 of cflowd. If you do not include the caida-compliant statement in the configuration, the Junos OS records source and destination mask length values in compliance with the cflowd Configuration Guide.
• The source-prefix statement configures aggregation by the source prefix only.

Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.

Configuring Flow Aggregation to Use Version 9 Flow Templates


Use of version 9 allows you to define a flow record template suitable for IPv4 traffic, IPv6 traffic, MPLS traffic, a combination of IPv4 and MPLS traffic, or peer AS billing traffic. Templates and the fields included in the template are transmitted to the collector periodically, and the collector need not be aware of the router configuration.

NOTE: Version 9 requires that you install a services PIC, such as the Adaptive Services PIC or Multiservices PIC in the router. On MX Series routers, the Multiservices DPC fulfills this requirement. For more information on determining which services PIC is suitable for your router, see Enabling Service Packages on page 39 or the appropriate hardware documentation.

The following sections contain additional information:


• Configuring the Traffic to Be Sampled on page 1044
• Configuring the Version 9 Template Properties on page 1044
• Restrictions on page 1045
• Fields Included in Each Template Type on page 1046
• MPLS Sampling Behavior on page 1047
• Verification on page 1048
• Examples: Configuring Version 9 Flow Templates on page 1048


Configuring the Traffic to Be Sampled


To specify sampling of IPv4, IPv6, MPLS, or peer AS billing traffic, include the appropriate configuration of the family statement at the [edit forwarding-options sampling input] hierarchy level:
[edit forwarding-options sampling input]
family (inet | inet6 | mpls) {
    max-packets-per-second number;
    rate number;
    run-length number;
}

You can include family inet, family inet6, or family mpls.

NOTE: If you specify sampling for peer AS billing traffic, the family statement supports only IPv4 and IPv6 traffic (inet or inet6). Peer AS billing traffic is enabled only at the global instance hierarchy level and is not available for per Packet Forwarding Engine instances.

Configuring the Version 9 Template Properties


To define the version 9 templates, include the following statements at the [edit services flow-monitoring version9] hierarchy level:
[edit services flow-monitoring version9]
template name {
    flow-active-timeout seconds;
    flow-inactive-timeout seconds;
    option-refresh-rate packets packets seconds seconds;
    template-refresh-rate packets packets seconds seconds;
    (ipv4-template | ipv6-template | mpls-ipv4-template | mpls-template | peer-as-billing-template) {
        label-position [ positions ];
    }
}

The following details apply to the configuration statements:


• You assign each template a unique name by including the template name statement. You then specify each template for the appropriate type of traffic by including the ipv4-template, ipv6-template, mpls-ipv4-template, mpls-template, or peer-as-billing-template statement. If the template is used for MPLS traffic, you can also specify up to three label positions for the MPLS header label data by including the label-position statement; the default values are [1 2 3].
• Within the template definition, you can optionally include values for the flow-active-timeout and flow-inactive-timeout statements. These statements have specific default and range values when they are used in template definitions; the default is 60 seconds and the range is from 10 through 600 seconds. Values you specify in template definitions override the global timeout values configured at the [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server] hierarchy level.

NOTE: In active flow monitoring, the cflowd records are exported after a time period that is a multiple of 60 seconds and greater than or equal to the configured active timeout value. For example, if the active timeout value is 90 seconds, the cflowd records are exported at 120-second intervals. If the active timeout value is 150 seconds, the cflowd records are exported at 180-second intervals, and so forth.

You can also include settings for the option-refresh-rate and template-refresh-rate statements within a template definition. For both of these properties, you can include a timer value (in seconds) or a packet count (in number of packets). For the seconds option, the default value is 60 and the range is from 10 through 600. For the packets option, the default value is 4800 and the range is from 1 through 480,000. To filter IPv6 traffic on a media interface, the following configuration is supported:
interfaces interface-name {
    unit 0 {
        family inet6 {
            sampling {
                input;
                output;
            }
        }
    }
}

Restrictions
The following restrictions apply to version 9 templates:

• You cannot apply the two different types of flow aggregation configuration (cflowd version 5/8 and flow aggregation version 9) at the same time.
• Flow export based on an mpls-ipv4 template assumes that the IPv4 header follows the MPLS header. In the case of Layer 2 VPNs, the packet on the provider router (P router) would look like this:

  MPLS | Layer 2 Header | IPv4

  In this case, mpls-ipv4 flows are not created on the PIC, because the IPv4 header does not directly follow the MPLS header. Packets are dropped on the PIC and are accounted as parser errors.
• Outbound Routing Engine traffic is not sampled. A firewall filter is applied as output on the egress interface, which samples packets and exports the data. For transit traffic, egress sampling works correctly. For internal traffic, the next hop is installed in the Packet Forwarding Engine but sampled packets are not exported.
• Flows are created on the monitoring PIC only after the route record resynchronization operation is complete, which is 60 seconds after the PIC comes up. Any packets sent to the PIC are dropped until the synchronization process is complete.

Fields Included in Each Template Type


The following fields are common to all template types:

• Input interface
• Output interface
• Number of bytes
• Number of packets
• Flow start time
• Flow end time

The IPv4 template includes the following specific fields:


• IPv4 Source Address
• IPv4 Destination Address
• L4 Source Port
• L4 Destination Port
• IPv4 TOS
• IPv4 Protocol
• ICMP type and code
• TCP Flags
• IPv4 Next Hop Address

The IPv6 template includes the following specific fields:


• IPv6 Source Address and Mask
• IPv6 Destination Address and Mask
• L4 Source Port
• L4 Destination Port
• IPv6 TOS
• IPv6 Protocol
• TCP Flags
• IP Protocol Version
• IPv6 Next Hop Address
• Egress Interface Information
• Source Autonomous System (AS) number
• Destination AS number

The MPLS template includes the following specific fields:


• MPLS Label #1
• MPLS Label #2
• MPLS Label #3
• MPLS EXP Information
• FEC IP Address

The MPLS-IPv4 template includes all the fields found in the IPv4 and MPLS templates. The peer AS billing template includes the following specific fields:

• IPv4 Class of Service (TOS)
• Ingress Interface
• BGP IPv4 Next Hop Address
• BGP Peer Destination AS Number

MPLS Sampling Behavior


This section describes the behavior when MPLS sampling is used on egress interfaces in various scenarios (label pop or swap) on provider routers (P routers). For more information on configuration and background specific to MPLS applications, see the Junos OS MPLS Applications Configuration Guide.
1. You configure MPLS sampling on an egress interface on the P router and configure an MPLS flow aggregation template. The route action is label pop because penultimate hop popping (PHP) is enabled. Previously, IPv4 packets (only) would have been sent to the PIC for sampling even though you configured MPLS sampling. No flows should be created, with the result that the parser fails. With the current capability of applying MPLS templates, MPLS flows are created.

2. As in the first case, you configure MPLS sampling on an egress interface on the P router and configure an MPLS flow aggregation template. The route action is label swap and the swapped label is 0 (explicit null). The resulting behavior is that MPLS packets are sent to the PIC. The flow being sampled corresponds to the label before the swap.

3. You configure a Layer 3 VPN network, in which a customer edge router (CE-1) sends traffic to a provider edge router (PE-A), through the P router, to a similar provider edge router (PE-B) and customer edge router (CE-2) on the remote end. The resulting behavior is that you cannot sample MPLS packets on the PE-A to P router link.

Verification
To verify the configuration properties, you can use the show services accounting aggregation template template-name name operational mode command. All other show services accounting commands also support version 9 templates, except for show services accounting flow-detail and show services accounting aggregation aggregation-type. For more information about operational mode commands, see the Junos OS System Basics and Services Command Reference.

Examples: Configuring Version 9 Flow Templates


The following is a sample version 9 template configuration:
services {
    flow-monitoring {
        version9 {
            template ip-template {
                flow-active-timeout 20;
                flow-inactive-timeout 120;
                ipv4-template;
            }
            template mpls-template-1 {
                mpls-template {
                    label-position [1 3 4];
                }
            }
            template mpls-ipv4-template-1 {
                mpls-ipv4-template {
                    label-position [1 5 7];
                }
            }
            template peer-as-billing-template-1 {
                peer-as-billing-template;
            }
        }
    }
}

The following is a sample firewall filter configuration for MPLS traffic:


firewall {
    family mpls {
        filter mpls_sample {
            term default {
                then {
                    accept;
                    sample;
                }
            }
        }
    }
}

The following sample configuration applies the MPLS sampling filter on a networking interface and configures the AS PIC to accept both IPv4 and MPLS traffic:
interfaces {
    at-0/1/1 {
        unit 0 {
            family mpls {
                filter {
                    input mpls_sample;
                }
            }
        }
    }
    sp-7/0/0 {
        unit 0 {
            family inet;
            family mpls;
        }
    }
}

The following example applies the MPLS version 9 template to the sampling output and sends it to the AS PIC:
forwarding-options {
    sampling {
        input {
            family mpls {
                rate 1;
            }
        }
        family mpls {
            output {
                flow-active-timeout 60;
                flow-inactive-timeout 30;
                flow-server 1.2.3.4 {
                    port 2055;
                    version9 {
                        template mpls-ipv4-template-1;
                    }
                }
                interface sp-7/0/0 {
                    source-address 1.1.1.1;
                }
            }
        }
    }
}

The following is a sample firewall filter configuration for the peer AS billing traffic:
firewall {
    family inet {
        filter peer-as-filter {
            term 0 {
                from {
                    destination-class dcu-1;
                    interface ge-2/1/0;
                    forwarding-class class-1;
                }
                then count count_team_0;
            }
            term 1 {
                from {
                    destination-class dcu-2;
                    interface ge-2/1/0;
                    forwarding-class class-1;
                }
                then count count_team_1;
            }
            term 2 {
                from {
                    destination-class dcu-3;
                    interface ge-2/1/0;
                    forwarding-class class-1;
                }
                then count count_team_2;
            }
        }
    }
}

The following sample configuration applies the peer AS firewall filter as a filter attribute under the forwarding-options hierarchy for CoS-level data traffic usage information collection:
forwarding-options {
    family inet {
        filter {
            output peer-as-filter;
        }
    }
}

The following sample configuration applies the peer AS DCU policy options to collect usage statistics for the traffic stream for as-path ingressing at a specific input interface with the firewall configuration hierarchy applied as Forwarding Table Filters (FTFs). The configuration functionality with COS capability can be achieved through FTFs for destination-class usage with forwarding-class for specific input interfaces:
policy-options {
    policy-statement P1 {
        from {
            protocol bgp;
            neighbor 10.2.25.5;    # BGP router configuration
            as-path AS-1;          # AS path configuration
        }
        then destination-class dcu-1;    # Destination class configuration
    }
    policy-statement P2 {
        from {
            neighbor 1.2.25.5;
            as-path AS-2;
        }
        then destination-class dcu-2;
    }
    policy-statement P3 {
        from {
            protocol bgp;
            neighbor 192.2.1.1;
            as-path AS-3;
        }
        then destination-class dcu-3;
    }
    as-path AS-1 3131:1111:1123;
    as-path AS-2 100000;
    as-path AS-3 192:29283:2;
}

The following example applies the peer-as-billing version 9 template to enable sampling of traffic for billing purposes:
forwarding-options {
    sampling {
        input {
            rate 1;
        }
        family inet {
            output {
                flow-server 10.209.15.58 {
                    port 300;
                    version9 {
                        template {
                            peer-as;
                        }
                    }
                }
                interface sp-5/2/0 {
                    source-address 2.3.4.5;
                }
            }
        }
    }
    family inet {
        filter {
            output peer-as-filter;
        }
    }
}

Configuring Sampling Instances


You can configure active sampling by defining a sampling instance that specifies a name for the sampling parameters and binding the instance name to a particular engine. This configuration enables you to define multiple named sampling parameter sets associated with multiple destinations (as many as the number of Packet Forwarding Engines in the chassis), with multiple protocol families per each sampling destination. This configuration is supported on MX Series, M120, M320, T640, T1600, and TX Matrix routers and on the cflowd version 5/8 and flow aggregation version 9 templates. To implement this feature, you include the instance statement at the [edit forwarding-options sampling] hierarchy level:
instance instance-name {    # named instances of sampling parameters
    disable;
    input {    # input parameters common to all protocol families
        rate number;
        run-length number;
        max-packets-per-second number;
        maximum-packet-length bytes;
    }
    family (inet | inet6 | mpls) {
        disable;
        output {
            aggregate-export-interval seconds;
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            extension-service service-name;
            flow-server hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                (local-dump | no-local-dump);
                port port-number;
                source-address address;
                version format;
                version9 {
                    template template-name;
                }
            }
            interface interface-name {
                engine-id number;
                engine-type number;
                source-address address;
            }
            inline-jflow {
                source-address address;
                flow-export-rate rate;
            }
        }
    }
}


The following considerations apply to the sampling instance configuration:

• This configuration is supported on the IP version 4 (inet), IP version 6 (inet6), and MPLS protocol families.
• You can configure the rate and run-length options at the [edit forwarding-options sampling input] hierarchy level to apply common values for all families on a global basis. Alternatively, you can configure these options at the [edit forwarding-options sampling instance instance-name input] hierarchy level to apply specific values for each instance, or at the [edit forwarding-options sampling instance instance-name family family input] hierarchy level to apply specific values for each protocol family you configure.

NOTE: The run-length and maximum-packet-length configuration statements are not supported on MX80 routers.

To associate the defined instance with a particular Packet Forwarding Engine, you include the sampling-instances statement at the [edit chassis fpc number] hierarchy level, as in the following example:
chassis {
    fpc 2 {
        sampling-instances samp1;
    }
}

For more information about chassis configuration, see the Junos OS System Configuration Guide.

Configuring Inline Flow Monitoring


On MX Series routers only, you can configure active sampling to be performed on an inline data path without the need for a services Dense Port Concentrator (DPC). To do this, you define a sampling instance with specific properties. One Flexible PIC Concentrator (FPC) can support only one instance; for each instance, either PIC-based sampling or inline flow monitoring is supported per family. As a result, a particular instance can define PIC-based sampling for one family and inline flow monitoring for a different family. Currently only IPv4 is supported for inline flow monitoring. Inline flow monitoring supports a specified sampling output format designated IP_FIX. It uses UDP as the transport protocol. The configuration for inline flow monitoring on MX80 routers is slightly different. To configure inline flow monitoring on all other MX Series routers:

Enable inline flow monitoring and specify the source address for the traffic:
[edit forwarding-options sampling instance instance-name family inet output]
user@host# set inline-jflow source-address address

Specify the IP_FIX output format:
[edit forwarding-options sampling instance instance-name family inet output flow-server address]
user@host# set version-ipfix template ipv4

Specify the output properties:


[edit services flow-monitoring]
user@host# set version-ipfix

The output format properties are common to other output formats and are described in Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043. The following is an example of the sampling configuration for an instance that supports inline flow monitoring on family inet and PIC-based sampling on family inet6:
[edit forwarding-options]
sampling {
    instance {
        sample-ins1 {
            input {
                rate 1;
            }
            family inet {
                output {
                    flow-server 2.2.2.2 {
                        port 2055;
                        version-ipfix {
                            template {
                                ipv4;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 10.11.12.13;
                    }
                }
            }
            family inet6 {
                output {
                    flow-server 2.2.2.2 {
                        port 2055;
                        version9 {
                            template {
                                ipv6;
                            }
                        }
                    }
                    interface sp-0/1/0 {
                        source-address 10.11.12.13;
                    }
                }
            }
        }
    }
}

The following example shows the output format configuration:
services {
    flow-monitoring {
        version-ipfix {
            template ipv4 {
                flow-active-timeout 60;
                flow-inactive-timeout 60;
                ipv4-template;
                template-refresh-rate {
                    packets 1000;
                    seconds 10;
                }
                option-refresh-rate {
                    packets 1000;
                    seconds 10;
                }
            }
        }
    }
}

The following considerations apply to the inline flow-monitoring instance configuration:


• This configuration is supported only on the IP version 4 (inet) protocol family.
• Sampling run-length and clip-size are not supported.
• For inline configurations, each family can support only one collector.

Related Documentation

• Configuring Inline Flow Monitoring on MX80 Routers on page 1055

Configuring Inline Flow Monitoring on MX80 Routers


To configure inline flow monitoring on MX80 routers:

Associate a sampling instance with the Forwarding Engine Processor:


[edit]
user@host# set chassis tfeb slot sampling-instance sampling-instance

The Forwarding Engine Processor slot is always 0 because MX80 routers have only one Packet Forwarding Engine (PFE). In this configuration, the sampling instance is sample-ins1.
[edit]
user@host# set chassis tfeb 0 sampling-instance sample-ins1

NOTE: MX80 routers support only one sampling instance.

Configure the rate at the [edit forwarding-options sampling instance instance-name input] hierarchy level to apply specific values for the sampling instance sample-ins1:
[edit forwarding-options sampling instance sample-ins1 input]
user@host# set rate number


In this configuration, the rate is 1.


[edit forwarding-options sampling instance sample-ins1 input]
user@host# set rate 1

Enable inline flow monitoring and specify the source address for the traffic:
[edit forwarding-options sampling instance sample-ins1 family inet output]
user@host# set inline-jflow source-address address

In this configuration, the source address is 10.11.12.13.


[edit forwarding-options sampling instance sample-ins1 family inet output]
user@host# set inline-jflow source-address 10.11.12.13

The following is an example of the sampling configuration for an instance that supports inline flow monitoring on MX80 routers:
[edit forwarding-options]
sampling {
    instance {
        sample-ins1 {
            input {
                rate 1;
            }
            family inet {
                output {
                    inline-jflow {
                        source-address 10.11.12.13;
                    }
                }
            }
        }
    }
}

NOTE: You need not configure Flexible PIC Concentrator (FPC) slot because MX80 routers have only one PFE.

The following considerations apply to the inline flow-monitoring instance configuration:


• This configuration does not support MPLS-IPv6.
• Clip-size is not supported.

Directing Replicated Flows to Multiple Flow Servers


You can configure replication of the sampled flow records for use by multiple flow servers. You can use either sampling based on the Routing Engine, using cflowd version 5 or version 8, or sampling based on the services PIC, using flow aggregation version 9, as described in the following sections:

• Directing Replicated Routing Engine-Based Sampling Flows to Multiple Servers on page 1057
• Directing Replicated Version 9 Flow Aggregates to Multiple Servers on page 1058

Directing Replicated Routing Engine-Based Sampling Flows to Multiple Servers


Routing Engine-based sampling supports up to eight flow servers for both cflowd version 5 and version 8 configurations. The total number of servers is limited to eight regardless of how many are configured for cflowd v5 or v8. When you configure cflowd-based sampling, the export packets are replicated to all flow servers configured to receive them. If two servers are configured to receive v5 records, both servers receive records for a specified flow.

NOTE: With Routing Engine-based sampling, if multiple flow servers are configured with version 8 export format, all of them must use the same aggregation type. For example, all servers receiving version 8 export could be configured for the source-destination aggregation type.

The following configuration example allows replication of export packets to two flow servers.
forwarding-options {
    sampling {
        instance inst1 {
            input {
                rate 1;
            }
            family inet {
                output {
                    flow-server 10.10.3.2 {
                        port 2055;
                        version 5;
                        source-address 192.168.164.119;
                    }
                    flow-server 172.17.20.62 {
                        port 2055;
                        version 5;
                        source-address 192.168.164.119;
                    }
                }
            }
        }
    }
}


Directing Replicated Version 9 Flow Aggregates to Multiple Servers


The export packets generated for a template are replicated to all the flow servers that are configured to receive information for that template. The maximum number of servers supported is eight. This also implies that periodic updates required by version 9 (RFC 3954) are sent to each configured collector. The following updates are sent periodically as part of this requirement:

• Options data
• Template definition

The refresh period for options data and template definition is configured on a per-template basis at the [edit services flow-monitoring] hierarchy level. The following configuration example allows replication of version 9 export packets to two flow servers.
forwarding-options {
    sampling {
        instance inst1 {
            input {
                rate 1;
            }
            family inet {
                output {
                    flow-server 10.10.3.2 {
                        port 2055;
                        version9 {
                            template {
                                ipv4;
                            }
                        }
                    }
                    flow-server 172.17.20.62 {
                        port 2055;
                        version9 {
                            template {
                                ipv4;
                            }
                        }
                    }
                    flow-inactive-timeout 30;
                    flow-active-timeout 60;
                    interface sp-4/0/0 {
                        source-address 10.10.3.4;
                    }
                }
            }
        }
    }
}


Logging cflowd Flows Before Export


To collect the cflowd flows in a log file before they are exported, include the local-dump statement at the [edit forwarding-options sampling output flow-server hostname] hierarchy level:
[edit forwarding-options sampling output flow-server hostname]
local-dump;

By default, the flows are collected in /var/log/sampled; to change the filename, include the filename statement at the [edit forwarding-options sampling traceoptions] hierarchy level. For more information about changing the filename, see Configuring Traffic Sampling Output on page 1027.

NOTE: Because the local-dump statement adds extra overhead, you should use it only while debugging cflowd problems, not during normal operation.

The following is an example of the flow information. The AS number exported is the origin AS number. All flows that belong under a cflowd header are dumped, followed by the header itself:
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 192.53.127.1
Jun 27 18:35:43 Dst addr: 192.6.255.15
Jun 27 18:35:43 Nhop addr: 192.6.255.240
Jun 27 18:35:43 Input interface: 5
Jun 27 18:35:43 Output interface: 3
Jun 27 18:35:43 Pkts in flow: 15
Jun 27 18:35:43 Bytes in flow: 600
Jun 27 18:35:43 Start time of flow: 7230
Jun 27 18:35:43 End time of flow: 7271
Jun 27 18:35:43 Src port: 26629
Jun 27 18:35:43 Dst port: 179
Jun 27 18:35:43 TCP flags: 0x10
Jun 27 18:35:43 IP proto num: 6
Jun 27 18:35:43 TOS: 0xc0
Jun 27 18:35:43 Src AS: 7018
Jun 27 18:35:43 Dst AS: 11111
Jun 27 18:35:43 Src netmask len: 16
Jun 27 18:35:43 Dst netmask len: 0

[... 41 more version 5 flow entries; then the following header:]


Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43 Num-records: 42
Jun 27 18:35:43 Version: 5
Jun 27 18:35:43 low seq num: 118
Jun 27 18:35:43 Engine id: 0
Jun 27 18:35:43 Engine type: 3
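As an added example (not code from the Juniper guide), the following Python decoder parses a cflowd version 5 export datagram as a flow server receives it over UDP, recovering the same fields the local-dump output above shows, and checks the header's flow sequence number across datagrams so that lost export packets are noticed. The version 5 header and record layouts are the public NetFlow v5 format; for the proprietary version 500 described under the version 5/8 restrictions, the code assumes the record is identical except that the two AS fields are 4 bytes each, which goes beyond what the guide states. The sample datagram is constructed from the values in the dump.

```python
"""Decoder for cflowd/NetFlow version 5 export datagrams plus a sequence check.

Added example, not code from the Juniper guide. The version 5 header (24 bytes)
and record (48 bytes) follow the public NetFlow v5 layout. Version 500 handling
ASSUMES the same record layout with src_as/dst_as widened to 4 bytes, which is
what the guide describes for its proprietary 4-byte-AS extension.
"""
import struct
from collections import namedtuple
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (network byte order).
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24

# Record: srcaddr, dstaddr, nexthop, input, output, pkts, octets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask,
# dst_mask, pad2. Version 5 uses 2-byte AS fields (48 bytes); version 500 is
# assumed to use 4-byte AS fields (52 bytes).
RECORD_FMT = {5: "!IIIHHIIIIHHBBBBHHBBH", 500: "!IIIHHIIIIHHBBBBIIBBH"}

FlowRecord = namedtuple("FlowRecord", (
    "src_addr dst_addr nhop_addr input_if output_if pkts octets first last "
    "src_port dst_port tcp_flags proto tos src_as dst_as src_mask dst_mask"))


def parse_datagram(data: bytes) -> Tuple[Dict[str, int], List[FlowRecord]]:
    """Decode one export datagram; raise ValueError on anything malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a version 5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, data)
    if version not in RECORD_FMT:
        raise ValueError(f"unsupported cflowd version {version}")
    fmt = RECORD_FMT[version]
    rec_len = struct.calcsize(fmt)
    # Never trust the count field alone: it must agree with the real length,
    # otherwise a truncated or crafted datagram would be read past its end.
    if len(data) != HEADER_LEN + count * rec_len:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": sys_uptime,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
              "flow_sequence": flow_seq, "engine_type": engine_type,
              "engine_id": engine_id, "sampling_interval": sampling}
    records = []
    for i in range(count):
        f = struct.unpack_from(fmt, data, HEADER_LEN + i * rec_len)
        # f[11] and f[19] are the pad bytes and are dropped.
        records.append(FlowRecord(
            str(IPv4Address(f[0])), str(IPv4Address(f[1])),
            str(IPv4Address(f[2])), *f[3:11], *f[12:19]))
    return header, records


def build_datagram(version: int, records: List[FlowRecord], flow_seq: int,
                   engine_type: int = 0, engine_id: int = 0) -> bytes:
    """Encode records the way the exporter would; used to construct test input."""
    fmt = RECORD_FMT[version]
    out = struct.pack(HEADER_FMT, version, len(records), 0, 0, 0, flow_seq,
                      engine_type, engine_id, 0)
    for r in records:
        out += struct.pack(
            fmt, int(IPv4Address(r.src_addr)), int(IPv4Address(r.dst_addr)),
            int(IPv4Address(r.nhop_addr)), r.input_if, r.output_if, r.pkts,
            r.octets, r.first, r.last, r.src_port, r.dst_port, 0, r.tcp_flags,
            r.proto, r.tos, r.src_as, r.dst_as, r.src_mask, r.dst_mask, 0)
    return out


def lost_flows(prev_seq: int, prev_count: int, cur_seq: int) -> int:
    """flow_sequence counts flows exported so far, so the next datagram should
    start at prev_seq + prev_count. A positive result is the number of flow
    records lost in transit (UDP gives no other signal); a value close to 2**32
    indicates a reordered or replayed datagram rather than loss."""
    expected = (prev_seq + prev_count) & 0xFFFFFFFF
    return (cur_seq - expected) & 0xFFFFFFFF


# Constructed sample: the flow entry from the guide's local-dump output,
# re-encoded as a version 5 datagram with that dump's header values
# (sequence 118, engine type 3, engine id 0) and a single record.
SAMPLE_FLOW = FlowRecord("192.53.127.1", "192.6.255.15", "192.6.255.240",
                         5, 3, 15, 600, 7230, 7271, 26629, 179, 0x10, 6,
                         0xC0, 7018, 11111, 16, 0)
SAMPLE_DATAGRAM = build_datagram(5, [SAMPLE_FLOW], flow_seq=118,
                                 engine_type=3, engine_id=0)

if __name__ == "__main__":
    hdr, flows = parse_datagram(SAMPLE_DATAGRAM)
    print(hdr)
    for fl in flows:
        print(fl)
```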

Configuring Port Mirroring


On routers containing an Internet Processor II application-specific integrated circuit (ASIC) or T Series Internet Processor, you can send a copy of an IP version 4 (IPv4) or IP version 6 (IPv6) packet from the router to an external host address or a packet analyzer for analysis. This is known as port mirroring. Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface. You can configure simultaneous use of sampling and port mirroring, and set an independent sampling rate and run-length for port-mirrored packets. However, if a packet is selected for both sampling and port mirroring, only one action can be performed and port mirroring takes precedence. For example, if you configure an interface to sample every packet input to the interface and a filter also selects the packet to be port mirrored to another interface, only the port mirroring would take effect. All other packets not matching the explicit filter port-mirroring criteria continue to be sampled when forwarded to their final destination.

NOTE: Configuration for both port mirroring and traffic sampling is handled by the same daemon, so to view a trace log file for port mirroring, you must configure the traceoptions option under traffic sampling.

To prepare traffic for port mirroring, include the filter statement at the [edit firewall family inet] hierarchy level:
filter filter-name;

This filter at the [edit firewall family (inet | inet6)] hierarchy level selects traffic to be port-mirrored:
filter filter-name {
    term term-name {
        then {
            port-mirror;
            accept;
        }
    }
}

To configure port mirroring on a logical interface, configure the following statements at the [edit forwarding-options port-mirroring] hierarchy level:
[edit forwarding-options port-mirroring family (inet | inet6)]
input {
    rate rate;
    run-length number;
}
output {
    interface interface-name {
        next-hop address;
    }
    no-filter-check;
}


Chapter 51: Flow Monitoring and Discard Accounting Configuration Guidelines

NOTE: The input statement can also be configured at the [edit forwarding-options port-mirroring] hierarchy level. This is only maintained for backward compatibility. However, the configuration of the output statement is deprecated at the [edit forwarding-options port-mirroring] hierarchy level.

Specify the port-mirroring destination by including the next-hop statement at the [edit forwarding-options port-mirroring output interface interface-name] hierarchy level:
next-hop address;

NOTE: For IPv4 port mirroring to reach a next-hop destination, you must manually include a static Address Resolution Protocol (ARP) entry in the router configuration.

The no-filter-check statement is required when you send port-mirrored traffic to a Tunnel PIC that has a filter applied to it. The interface used to send the packets to the analyzer is the output interface configured above at the [edit forwarding-options port-mirroring family (inet | inet6) output] hierarchy level. You can use any physical interface type, including generic routing encapsulation (GRE) tunnel interfaces. The next-hop address specifies the destination address; this statement is mandatory for non-point-to-point interfaces, such as Ethernet interfaces. To configure the sampling rate or duration, include the rate or run-length statement at the [edit forwarding-options port-mirroring input] hierarchy level. You can trace port-mirroring operations the same way you trace sampling operations. For more information, see Tracing Traffic Sampling Operations on page 1029. For more information about port mirroring, see the following sections:

- Configuring Tunnels on page 1061
- Port Mirroring with Next-Hop Groups on page 1062
- Configuring Inline Port Mirroring on page 1063
- Filter-Based Forwarding with Multiple Monitoring Interfaces on page 1064
- Restrictions on page 1064
- Configuring Port Mirroring on Services Interfaces on page 1065
- Examples: Configuring Port Mirroring on page 1066

Configuring Tunnels
In typical applications, you send the sampled packets to an analyzer or a workstation for analysis, rather than another router. If you must send this traffic over a network, you should use tunnels. For more information about tunnel interfaces, see Tunnel Properties.


If your router is equipped with a Tunnel PIC, you can forward duplicate packets to multiple interfaces by configuring a next-hop group. To configure a next-hop group, include the next-hop-group statement at the [edit forwarding-options] hierarchy level:
[edit forwarding-options]
next-hop-group group-name {
    interface interface-name {
        next-hop address;
    }
}

The interface statement specifies the interface that sends out sampled information. The next-hop statement specifies the next-hop addresses to which to send the sampled information. Next-hop groups have the following restrictions:

- Next-hop groups are supported for IPv4 addresses only.
- Next-hop groups are supported on M Series routers only, except the M120 and the M320.
- Next-hop groups support up to 16 next-hop addresses.
- Up to 30 next-hop groups are supported.
- Each next-hop group must have at least two next-hop addresses.

Port Mirroring with Next-Hop Groups


You can configure next-hop groups for MX, TX, and T Series routers using either IP addresses or Layer 2 addresses for the next hops. Use the group-type [ inet | layer-2 ] statement at the [edit forwarding-options next-hop-group next-hop-group-name] hierarchy level to establish the next-hop groups. You can also reference more than one port-mirroring instance in a filter on MX, TX, and T Series routers. Use the port-mirror-instance instance-name statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to refer to one of several port-mirroring instances. For more information about this configuration, see the Junos OS MX Series 3D Universal Edge Routers Solutions Guide.

NOTE: On the Trio chipset for MX Series routers, port-mirroring instances can be bound only at the FPC level, not at the PIC level. For MX Series routers with a DPC, both levels are supported.

On MX, TX, and T Series routers only, you can configure port mirroring using next-hop groups, also known as multipacket port mirroring, without the presence of a Tunnel PIC. To configure this functionality, include the next-hop-group statement at the [edit forwarding-options port-mirror family inet output] or [edit forwarding-options port-mirror instance instance-name family inet output] hierarchy level:
[edit forwarding-options]
port-mirror {
    family inet {
        output {
            next-hop-group group-name;
        }
    }
}

or
[edit forwarding-options]
port-mirror {
    instance instance-name {
        family (inet | vpls) {
            output {
                next-hop-group group-name;
            }
        }
    }
}

You define the next-hop group by including the next-hop-group statement at the [edit forwarding-options] hierarchy level. For an example, see Examples: Configuring Port Mirroring on page 1066. This configuration is supported only with IPv4 addresses. You can disable this configuration by including a disable or disable-all-instances statement at the [edit forwarding-options port-mirror] hierarchy level or by including a disable statement at the [edit forwarding-options port-mirror instance instance-name] hierarchy level. You can display the settings and network status by issuing the show forwarding-options next-hop-group and show forwarding-options port-mirroring operational commands.

Configuring Inline Port Mirroring


Inline port mirroring lets you specify, in the firewall filter's then port-mirror-instance action, instances that are not bound to the Flexible PIC Concentrator (FPC). This way you are not limited to only two port-mirror instances per FPC. Inline port mirroring decouples the port-mirror destination from the input parameters, such as rate. While the input parameters are programmed in the switch interface board, the next-hop destination of the mirrored packet is carried in the packet itself. Inline port mirroring is available on Trio-based Modular Port Concentrators. With inline port mirroring, a port-mirror instance can inherit input parameters from another instance that it names, as shown in the following CLI configuration example:
instance pm2 {
    input-parameters-instance pm1;
    family inet {
        output {
            interface ge-1/2/3.0 {
                next-hop 50.0.0.3;
            }
        }
    }
}


Multiple levels of inheritance are not allowed. One instance can be referred to by multiple instances. An instance can refer to another instance that is defined before it; forward references are not allowed, and an instance cannot refer to itself. Violating these rules causes an error during configuration parsing. You can specify an instance that is not bound to the FPC in the firewall filter. The instance named in the filter should inherit from one of the two instances that are bound to the FPC. If it does not, the packet is not marked for port mirroring. If it does, the packet is sampled using the input parameters of the referred instance, but the copy is sent to the named instance's own destination.

Filter-Based Forwarding with Multiple Monitoring Interfaces


If port-mirrored packets are to be distributed to multiple monitoring or collection interfaces based on patterns in packet headers, it is helpful to configure a filter-based forwarding (FBF) filter on the port-mirroring egress interface. When an FBF filter is installed as an output filter, a packet that is forwarded to the filter has already undergone at least one route lookup. After the packet is classified at the egress interface by the FBF filter, it is redirected to another routing table for an additional route lookup. The route lookup in the latter routing table (designated by an FBF routing instance) must result in a next hop different from those returned by the tables the packet has already passed through; otherwise the packet loops inside the Packet Forwarding Engine. For more information about FBF configuration, see the Junos OS Routing Protocols Configuration Guide. For an example of FBF applied to an output interface, see Examples: Configuring Port Mirroring on page 1066.

Restrictions
The following restrictions apply to port-mirroring configurations:

- The interface you configure for port mirroring should not participate in any kind of routing activity.
- The destination address you specify should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 10.68.9.10 and the port-mirrored traffic is sent to 10.68.20.15 for analysis, the device associated with the latter address should not know a route to 10.68.9.10. Also, it should not send the sampled packets back to the source address.
- IPv4 and IPv6 traffic is supported. For IPv6 port mirroring, you must configure the next-hop router with an IPv6 neighbor before mirroring the traffic, similar to an ARP request for IPv4 traffic. All the restrictions applied to IPv4 configurations should also apply to IPv6.
- On M120 and M320 routers, multiple next-hop mirroring is not supported.
- On M Series routers other than the M120 and M320 routers, only one family protocol (either IPv4 or IPv6) is supported at a time.
- Port mirroring supports up to 16 next hops, but there is no next-hop group support for inet6.
- Only transit data is supported.
- You can configure multiple port-mirroring interfaces per router.
- On routers containing an Internet Processor II application-specific integrated circuit (ASIC), you must include a firewall filter with both the accept action and the port-mirror action modifier on the inbound interface. Do not include the discard action, or port mirroring will not work.
- If the port-mirroring interface is a non-point-to-point interface, you must include an IP address under the port-mirroring statement to identify the other end of the link. This IP address must be reachable for you to see the sampled traffic. If the port-mirroring interface is an Ethernet interface, the router should have an Address Resolution Protocol (ARP) entry for it. The following sample configuration sets up a static ARP entry.
- You do not need to configure firewall filters on both inbound and outbound interfaces, but at least one is necessary on the inbound interface to provide the copies of the packets to send to an analyzer.

Configuring Port Mirroring on Services Interfaces


A special situation arises when you configure unit 0 of a services interface (AS or Multiservices PIC) to be the port-mirroring logical interface, as in the following example:
[edit forwarding-options]
port-mirroring {
    input {
        rate 1;
    }
    family inet {
        output {
            interface sp-1/0/0.0;
        }
    }
}

Since any traffic directed to unit 0 on a services interface is targeted for monitoring (cflowd packets are generated for it), the sample port-mirroring configuration indicates that the customer would like to have cflowd records generated for the port-mirrored traffic. However, generation of cflowd records requires the following additional configuration; if it is missing, the port-mirrored traffic is simply dropped by the services interface without generating any cflowd packets.
[edit forwarding-options]
sampling {
    instance instance1 { # named instances of sampling parameters
        input {
            rate 1;
        }
        family inet {
            output {
                flow-server 172.16.28.65 {
                    port 1230;
                }
                interface sp-1/0/0 {
                    # If the port-mirrored traffic requires monitoring, this
                    # interface must be the same as that specified in the
                    # port-mirroring configuration.
                    source-address 3.1.2.3;
                }
            }
        }
    }
}

NOTE: Another way to configure sp-1/0/0 to generate cflowd records is to use only the sampling configuration, but include a firewall filter sample action instead of a port-mirror action.

Examples: Configuring Port Mirroring


The following example sends port-mirrored traffic to multiple cflowd servers or packet analyzers:
[edit interfaces]
ge-1/0/0 { # This is the input interface where packets enter the router.
    unit 0 {
        family inet {
            filter {
                input mirror_pkts; # Here is where you apply the first filter.
            }
            address 10.11.0.1/24;
        }
    }
}
ge-1/1/0 { # This is an exit interface for HTTP packets.
    unit 0 {
        family inet {
            address 10.12.0.1/24;
        }
    }
}
ge-1/2/0 { # This is an exit interface for HTTP packets.
    unit 0 {
        family inet {
            address 10.13.0.1/24;
        }
    }
}
so-0/3/0 { # This is an exit interface for FTP packets.
    unit 0 {
        family inet {
            address 10.1.1.1/30;
        }
    }
}
so-4/3/0 { # This is an exit interface for FTP packets.
    unit 0 {
        family inet {
            address 10.2.2.2/30;
        }
    }
}
so-7/0/0 { # This is an exit interface for all remaining packets.
    unit 0 {
        family inet {
            address 10.5.5.5/30;
        }
    }
}
so-7/0/1 { # This is an exit interface for all remaining packets.
    unit 0 {
        family inet {
            address 10.6.6.6/30;
        }
    }
}
vt-3/3/0 { # The tunnel interface is where you send the port-mirrored traffic.
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet {
            filter {
                input collect_pkts; # This is where you apply the second firewall filter.
            }
        }
    }
}
[edit forwarding-options]
port-mirroring { # This is required when you configure next-hop groups.
    input {
        rate 1; # This rate port mirrors one packet for every one received (1:1 = all packets).
    }
    family inet {
        output { # This sends traffic to a tunnel interface to prepare for multiport mirroring.
            interface vt-3/3/0.1;
            no-filter-check;
        }
    }
}
next-hop-group ftp-traffic { # Point-to-point interfaces require you to specify the interface name only.
    interface so-4/3/0.0;
    interface so-0/3/0.0;
}
next-hop-group http-traffic { # You need to configure a next hop for multipoint interfaces (Ethernet).
    interface ge-1/1/0.0 {
        next-hop 10.12.0.2;
    }
    interface ge-1/2/0.0 {
        next-hop 10.13.0.2;
    }
}
next-hop-group default-collect {
    interface so-7/0/0.0;
    interface so-7/0/1.0;
}
[edit firewall]
family inet {
    filter mirror_pkts { # Apply this filter to the input interface.
        term catch_all {
            then {
                count input_mirror_pkts;
                port-mirror; # This action sends traffic to be copied and port mirrored.
                accept;
            }
        }
    }
    filter collect_pkts { # Apply this filter to the tunnel interface.
        term ftp-term { # This term sends FTP traffic to an FTP next-hop group.
            from {
                protocol tcp;
                destination-port ftp;
            }
            then next-hop-group ftp-traffic;
        }
        term http-term { # This term sends HTTP traffic to an HTTP next-hop group.
            from {
                protocol tcp;
                destination-port http;
            }
            then next-hop-group http-traffic;
        }
        term default { # This term sends all remaining traffic to a final next-hop group.
            then next-hop-group default-collect;
        }
    }
}

The following example demonstrates configuration of filter-based forwarding at the output interface. In this example, the packet flow follows this path:

1. A packet arrives at interface fe-1/2/0.0 with source and destination addresses 10.50.200.1 and 10.50.100.1, respectively.
2. The route lookup in routing table inet.0 points to the egress interface so-0/0/3.0.
3. The output filter installed at so-0/0/3.0 redirects the packet to routing table fbf.inet.0.
4. The packet matches the entry 10.50.100.0/25, and finally leaves the router from interface so-2/0/0.0.
[edit interfaces]
so-0/0/3 {
    unit 0 {
        family inet {
            filter {
                output fbf;
            }
            address 10.50.10.2/25;
        }
    }
}
fe-1/2/0 {
    unit 0 {
        family inet {
            address 10.50.50.2/25;
        }
    }
}
so-2/0/0 {
    unit 0 {
        family inet {
            address 10.50.20.2/25;
        }
    }
}
[edit firewall]
filter fbf {
    term 0 {
        from {
            source-address {
                10.50.200.0/25;
            }
        }
        then routing-instance fbf;
    }
    term d {
        then count d;
    }
}
[edit routing-instances]
fbf {
    instance-type forwarding;
    routing-options {
        static {
            route 10.50.100.0/25 next-hop so-2/0/0.0;
        }
    }
}
[edit routing-options]
interface-routes {
    rib-group inet fbf-group;
}
static {
    route 10.50.100.0/25 next-hop 10.50.10.1;
}
rib-groups {
    fbf-group {
        import-rib [ inet.0 fbf.inet.0 ];
    }
}
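To make the four-step packet path above concrete, the following Python is an added example, not part of this guide or of the Junos OS. It models each routing table as a map from prefix to egress interface (the static route's next hop 10.50.10.1 is collapsed to the so-0/0/3.0 interface it resolves through, and the rib-group import is modelled by copying the interface routes into fbf.inet.0), applies the output filter on the egress interface, and raises ForwardingLoop when the redirected lookup returns an egress interface the packet already left through, which is the looping condition described under Filter-Based Forwarding with Multiple Monitoring Interfaces. Table contents, filter terms and function names are constructed for the example.

```python
from ipaddress import ip_address, ip_network


class ForwardingLoop(Exception):
    """The redirected lookup returned a next hop the packet already left through."""


def lookup(table, dst):
    """Longest-prefix match of `dst` in `table` ({prefix: egress interface})."""
    best = None
    for prefix, egress in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return None if best is None else best[1]


def forward(packet, tables, output_filters):
    """Trace the lookups a packet goes through with an FBF filter on an egress interface.

    `tables` maps a routing table name to its routes; `output_filters` maps an
    egress interface to the ordered terms of its output filter, each a
    (source prefix, routing instance table) pair. Returns the list of
    (table, egress interface) pairs in lookup order. Raises ForwardingLoop when
    a redirected lookup resolves to an egress interface already on the path.
    """
    table = "inet.0"
    path = []
    while True:
        egress = lookup(tables[table], packet["dst"])
        if egress is None:
            raise LookupError("no route to %s in %s" % (packet["dst"], table))
        if any(egress == used for _, used in path):
            raise ForwardingLoop("%s resolves to %s again" % (table, egress))
        path.append((table, egress))
        # The output filter on the egress interface may redirect to another table.
        redirect = None
        for src_prefix, next_table in output_filters.get(egress, ()):
            if ip_address(packet["src"]) in ip_network(src_prefix):
                redirect = next_table
                break
        if redirect is None:
            return path
        table = redirect


# Constructed from the example configuration above: inet.0 holds the static
# route and the interface routes; fbf.inet.0 gets the interface routes through
# rib-group fbf-group plus its own static route.
INTERFACE_ROUTES = {"10.50.10.0/25": "so-0/0/3.0",
                    "10.50.50.0/25": "fe-1/2/0.0",
                    "10.50.20.0/25": "so-2/0/0.0"}
TABLES = {
    "inet.0": {**INTERFACE_ROUTES, "10.50.100.0/25": "so-0/0/3.0"},
    "fbf.inet.0": {**INTERFACE_ROUTES, "10.50.100.0/25": "so-2/0/0.0"},
}
OUTPUT_FILTERS = {"so-0/0/3.0": [("10.50.200.0/25", "fbf.inet.0")]}

if __name__ == "__main__":
    print(forward({"src": "10.50.200.1", "dst": "10.50.100.1"}, TABLES, OUTPUT_FILTERS))
```

A packet whose source is outside 10.50.200.0/25 falls through to term d and leaves after the first lookup; changing the fbf route so that it points back at so-0/0/3.0 reproduces the loop the text warns about.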


The following example shows configuration of port mirroring using next-hop groups, or multipacket port mirroring:
forwarding-options {
    next-hop-group inet_nhg {
        group-type inet;
        interface ge-2/0/2.101 {
            next-hop 10.2.0.2;
        }
        interface ge-2/2/8.2 {
            next-hop 10.8.0.2;
        }
    }
    next-hop-group vpls_nhg {
        group-type layer-2;
        interface ge-2/0/1.100;
        interface ge-2/2/9.0;
        inactive: next-hop-subgroup vpls_subg {
            interface ge-2/0/1.101;
            interface ge-2/2/9.1;
        }
    }
    next-hop-group vpls_nhg_2 {
        group-type layer-2;
        interface ge-2/2/1.100;
        interface ge-2/3/9.0;
    }
    port-mirror {
        disable-all-instances; /* Disable all port-mirroring instances */
        disable; /* Disable the global instance */
        input {
            rate 10; # start mirroring every 10th packet
            run-length 4; # mirror 4 additional packets
        }
        family inet {
            output {
                next-hop-group inet_nhg;
            }
        }
        family vpls {
            output {
                next-hop-group vpls_nhg;
            }
        }
        instance {
            inst1 {
                disable; /* Disable this instance */
                input {
                    rate 1;
                    maximum-packet-length 200;
                }
                family inet {
                    output {
                        next-hop-group inet_nhg;
                    }
                }
                family vpls {
                    output {
                        next-hop-group vpls_nhg_2;
                    }
                }
            }
        }
    }
}

The following example shows configuration of port mirroring using next-hop groups, or multipacket port mirroring, on a T Series router:
forwarding-options {
    next-hop-group inet_nhg {
        group-type inet;
        interface so-0/0/0.0; # There is no need for the next-hop address on T Series routers
        interface ge-2/0/2.0 {
            next-hop 1.2.3.4;
        }
        next-hop-subgroup sub_inet {
            interface so-1/2/0.0;
            interface ge-6/1/2.0 {
                next-hop 6.7.8.9;
            }
        }
    }
    next-hop-group vpls_nhg_2 {
        group-type layer-2;
        interface ge-2/2/1.100;
        interface ge-2/3/9.0;
    }
    port-mirroring {
        disable-all-instances; /* Disable all port-mirroring instances */
        disable; /* Disable the global instance */
        input {
            rate 10;
            run-length 4;
        }
        family inet {
            output {
                next-hop-group inet_nhg;
            }
        }
        family vpls {
            output {
                next-hop-group vpls_nhg;
            }
        }
        instance {
            inst1 {
                disable; /* Disable this instance */
                input {
                    rate 1;
                    maximum-packet-length 200;
                }
                family inet {
                    output {
                        next-hop-group inet_nhg;
                    }
                }
                family vpls {
                    output {
                        next-hop-group vpls_nhg_2;
                    }
                }
            }
        }
    }
}

The following example shows configuration of inline port mirroring using pm1 and pm2 as the port-mirror instances:
instance {
    pm1 {
        input {
            rate 3;
        }
        family inet {
            output {
                interface ge-1/2/2.0 {
                    next-hop 40.0.0.2;
                }
            }
        }
    }
    pm2 {
        input-parameters-instance pm1;
        family inet {
            output {
                interface ge-1/2/3.0 {
                    next-hop 50.0.0.3;
                }
            }
        }
    }
}
firewall {
    filter pm_filter {
        term t1 {
            then port-mirror-instance pm2;
        }
    }
}
chassis {
    fpc 1 {
        port-mirror-instance pm1;
    }
}

The packets will be sampled at a rate of 3 and the copy is sent to 50.0.0.3.
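The inheritance rules given under Configuring Inline Port Mirroring on page 1063 (no forward references, no self-reference, no multiple levels of inheritance, and a packet marked for mirroring only when the named instance or the instance it inherits from is bound to the FPC) can be worked through against the pm1/pm2 configuration above. The following Python is an added example, not part of this guide or of the Junos OS; the instance dictionary, the validate_instances and mirror_decision functions and the way the two-instances-per-FPC limit is modelled are assumptions for illustration. The outcome it computes for pm2 on FPC 1 is the one stated above: sampling at rate 3, copy sent to 50.0.0.3.

```python
class ConfigError(Exception):
    """Raised for reference errors that the configuration parser rejects."""


def validate_instances(instances, fpc_bindings, instances_per_fpc=2):
    """Check the inheritance rules for port-mirror instances.

    `instances` maps an instance name to a dict with keys "input" (input
    parameters or None), "inherits" (the input-parameters-instance or None)
    and "output" (destination), in configuration order. `fpc_bindings` maps an
    FPC slot to the instance names bound there with `port-mirror-instance`.
    """
    defined = []
    for name, inst in instances.items():
        parent = inst.get("inherits")
        if parent is not None:
            if parent == name:
                raise ConfigError("%s: an instance cannot refer to itself" % name)
            if parent not in defined:  # forward references are not allowed
                raise ConfigError("%s: %s is not defined before it" % (name, parent))
            if instances[parent].get("inherits") is not None:
                raise ConfigError("%s: multiple levels of inheritance via %s" % (name, parent))
        defined.append(name)
    for fpc, bound in fpc_bindings.items():
        if len(bound) > instances_per_fpc:  # assumed limit of two bound instances per FPC
            raise ConfigError("fpc %d: at most %d instances can be bound" % (fpc, instances_per_fpc))
        for name in bound:
            if name not in instances:
                raise ConfigError("fpc %d: unknown instance %s" % (fpc, name))
    return True


def mirror_decision(instances, fpc_bindings, fpc, filter_instance):
    """Resolve what happens to a packet on `fpc` that hits a filter term with
    `then port-mirror-instance filter_instance`.

    Returns (input parameters, destination) when the packet is marked for
    mirroring, or None when neither the named instance nor the instance it
    inherits from is bound to that FPC.
    """
    inst = instances[filter_instance]
    owner = inst.get("inherits") or filter_instance
    if owner not in fpc_bindings.get(fpc, ()):
        return None
    # Sampling uses the referred instance's input parameters; the copy goes to
    # the named instance's own destination.
    return instances[owner]["input"], inst["output"]


# Constructed from the pm1/pm2 example above.
INSTANCES = {
    "pm1": {"input": {"rate": 3}, "inherits": None,
            "output": ("ge-1/2/2.0", "40.0.0.2")},
    "pm2": {"input": None, "inherits": "pm1",
            "output": ("ge-1/2/3.0", "50.0.0.3")},
}
FPC_BINDINGS = {1: ["pm1"]}

if __name__ == "__main__":
    validate_instances(INSTANCES, FPC_BINDINGS)
    print(mirror_decision(INSTANCES, FPC_BINDINGS, 1, "pm2"))
```

Reordering the two instances so that pm2 is defined first, adding a pm3 that inherits from pm2, or pointing the filter at pm2 on an FPC where pm1 is not bound each produce the failure the text describes.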


Load Balancing Among Multiple Monitoring Interfaces


The active monitoring application was initially intended for port-mirroring packets on an interface of a normal network router to single or multiple destinations. By port-mirroring these packets to a tunnel interface and using filter-based forwarding on the tunnel interface, port-mirrored packets can be load-balanced across a set of interfaces. This method employs existing configuration statements for passive monitoring. The configuration consists of the following parts; sample values are included for illustration only.

Firewall filter configuration: Firewall filter PORT-MIRROR-TO-VT is used to port-mirror the packet to a Tunnel PIC, and filter catch, applied on the virtual tunnel (vt) interface, is used to send traffic to a filter-based routing instance.
[edit firewall]
filter PORT-MIRROR-TO-VT {
    term a {
        then {
            port-mirror;
            accept;
        }
    }
}
filter catch {
    term def {
        then {
            count counter;
            routing-instance fbf_instance;
        }
    }
}

For more information about firewall filters, see the Junos OS Routing Policy Configuration Guide.

Interface configuration: Apply filter PORT-MIRROR-TO-VT to the interface on which traffic is to be monitored actively.
[edit interfaces]
ge-1/3/0 {
    unit 0 {
        family inet {
            filter {
                input PORT-MIRROR-TO-VT;
            }
            address 10.38.0.2/30;
        }
    }
}
vt-3/2/0 {
    unit 0 {
        family inet {
            filter {
                input catch;
            }
        }
    }
}
mo-6/1/0 {
    unit 0 {
        family inet;
    }
}
mo-6/2/0 {
    unit 0 {
        family inet;
    }
}
mo-6/3/0 {
    unit 0 {
        family inet;
    }
}
mo-7/1/0 {
    unit 0 {
        family inet;
    }
}
mo-7/2/0 {
    unit 0 {
        family inet;
    }
}
mo-7/3/0 {
    unit 0 {
        family inet;
    }
}

For more information on configuring interface properties, see the Junos OS Network Interfaces Configuration Guide.

Routing instance configuration for filter-based forwarding:


[edit routing-instances fbf_instance]
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ mo-7/1/0.0 mo-7/2/0.0 mo-7/3/0.0 mo-6/3/0.0 mo-6/2/0.0 mo-6/1/0.0 ];
    }
}

For more information on routing instance configuration, see the Junos OS Routing Protocols Configuration Guide.

Routing table groups: Configure the routing table group to resolve the routes installed in the routing instances to directly connected next hops on the interface:


[edit routing-options]
interface-routes {
    rib-group inet common;
}
rib-groups {
    common {
        import-rib [ inet.0 fbf_instance.inet.0 ];
    }
}
forwarding-table {
    export pplb;
}

For more information on routing table groups, see the Junos OS Routing Protocols Configuration Guide.

Policy for per-packet load balancing:


[edit policy-options]
policy-statement pplb {
    then {
        load-balance per-packet;
    }
}

For more information on routing policy groups, see the Junos OS Routing Policy Configuration Guide.

Port mirroring and monitoring groups: Configure the monitoring services options, and also define hash-based load balancing:
[edit forwarding-options]
port-mirroring {
    input {
        rate 1;
    }
    family inet {
        output {
            interface vt-3/2/0.0;
            no-filter-check;
        }
    }
}
monitoring group1 {
    family inet {
        output {
            export-format cflowd-version-5;
            flow-active-timeout 60;
            flow-inactive-timeout 15;
            cflowd 10.36.252.1 port 2055;
            interface mo-6/1/0.0 {
                source-address 10.36.252.2;
            }
            interface mo-6/2/0.0 {
                source-address 10.36.252.2;
            }
            interface mo-6/3/0.0 {
                source-address 10.36.252.2;
            }
            interface mo-7/1/0.0 {
                source-address 10.36.252.2;
            }
            interface mo-7/2/0.0 {
                source-address 10.36.252.2;
            }
            interface mo-7/3/0.0 {
                source-address 10.36.252.2;
            }
        }
    }
}
hash-key {
    family inet {
        layer-3;
    }
}

For more information on hash keys, see the Junos OS Routing Policy Configuration Guide.

Configuring Discard Accounting


Discard accounting is similar to traffic sampling, but varies from it in two ways:

- In discard accounting, the packet is intercepted by the monitoring PIC and is not forwarded to its destination.
- Traffic sampling allows you to limit the number of packets sampled by configuring the max-packets-per-second, rate, and run-length statements. Discard accounting does not provide these options, and a high packet count can potentially overwhelm the monitoring PIC.

To configure discard accounting, include the accounting statement at the [edit forwarding-options] hierarchy level:
accounting name {
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            port port-number;
            version format;
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
}

A discard instance is a named entity that specifies collector information under the accounting name statement. Discard instances are referenced in firewall filter term statements by including the then discard accounting name statement. Most of the other statements are also found at the [edit forwarding-options sampling] hierarchy level. For information on cflowd, see Enabling Flow Aggregation on page 1039. The flow-active-timeout and flow-inactive-timeout statements are described in Configuring Flow Monitoring on page 1032. To direct sampled traffic to a flow-monitoring interface, include the interface statement. The engine-id and engine-type statements specify the accounting interface used on the traffic, and the source-address statement specifies the traffic source. You cannot use rate-limiting with discard accounting; however, you can specify the duration of the interval for exporting aggregated accounting information by including the aggregate-export-interval statement in the configuration. This enables you to put a boundary on the amount of traffic exported to a flow-monitoring interface.

Enabling Passive Flow Monitoring


You can monitor IPv4 traffic from another router if you have the following components installed in an M Series, MX Series, or T Series router:

- Monitoring Services, Adaptive Services, or Multiservices PICs to perform the service processing
- SONET/SDH, Fast Ethernet, or Gigabit Ethernet PICs as transit interfaces

On SONET/SDH interfaces, you enable passive flow monitoring by including the passive-monitor-mode statement at the [edit interfaces so-fpc/pic/port unit logical-unit-number] hierarchy level:
[edit interfaces so-fpc/pic/port unit logical-unit-number]
passive-monitor-mode;

On Asynchronous Transfer Mode (ATM), Fast Ethernet, or Gigabit Ethernet interfaces, you enable passive flow monitoring by including the passive-monitor-mode statement at the [edit interfaces interface-name] hierarchy level:
[edit interfaces interface-name]
passive-monitor-mode;

IPv6 passive monitoring is not supported on Monitoring Services PICs. You must configure port mirroring to forward the packets from the passively monitored ports to other interfaces.


Interfaces configured on the following FPCs and PICs support IPv6 passive monitoring on the T640 and T1600 routers:

- Enhanced Scaling FPC2
- Enhanced Scaling FPC3
- Enhanced II FPC1
- Enhanced II FPC2
- Enhanced II FPC3
- Enhanced Scaling FPC4
- Enhanced Scaling FPC4.1
- 4-port 10-Gigabit Ethernet LAN/WAN PIC with XFP (supported in both WAN-PHY and LAN-PHY mode for both IPv4 and IPv6 addresses)
- Gigabit Ethernet PIC with SFP
- 10-Gigabit Ethernet PIC with XENPAK (T1600 router)
- SONET/SDH OC192/STM64 PIC (T1600 router)
- SONET/SDH OC192/STM64 PICs with XFP (T1600 router)
- SONET/SDH OC48c/STM16 PIC with SFP (T1600 router)
- SONET/SDH OC48/STM16 (Multi-Rate)
- SONET/SDH OC12/STM4 (MultiRate) PIC with SFP
- Type 1 SONET/SDH OC3/STM1 (MultiRate) PIC with SFP

To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level. When you configure an interface in passive monitoring mode, the Packet Forwarding Engine silently drops packets coming from that interface and destined to the router itself. Passive monitoring mode also stops the Routing Engine from transmitting any packet from that interface. Packets received from the monitored interface can be forwarded to monitoring interfaces. If you include the passive-monitor-mode statement in the configuration:

- The ATM interface is always up, and the interface does not receive or transmit incoming control packets, such as Operation, Administration, and Maintenance (OAM) and Interim Local Management Interface (ILMI) cells.
- The SONET/SDH interface does not send keepalives or alarms and does not participate actively on the network.
- Gigabit and Fast Ethernet interfaces can support both per-port passive monitoring and per-VLAN passive monitoring.
- The destination MAC filter on the receive port of the Ethernet interfaces is disabled.
- Ethernet encapsulation options are not allowed.
- Ethernet interfaces do not support the stacked-vlan-tagging statement for IPv4 or IPv6 packets in passive monitoring mode.

On monitoring services interfaces, you enable passive flow monitoring by including the family statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, specifying the inet option:
[edit interfaces interface-name unit logical-unit-number]
family inet;

For the monitoring services interface, you can configure multiservice physical interface properties. For more information, see Configuring Flow-Monitoring Interfaces on page 1032. For conformity with the cflowd record structure, you must include the receive-options-packets and receive-ttl-exceeded statements at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:
[edit interfaces interface-name unit logical-unit-number family inet]
receive-options-packets;
receive-ttl-exceeded;

For more information, see the following sections:


- Passive Flow Monitoring for MPLS Encapsulated Packets on page 1079
- Example: Enabling IPv4 Passive Flow Monitoring on page 1081
- Example: Enabling IPv6 Passive Flow Monitoring on page 1083

Passive Flow Monitoring for MPLS Encapsulated Packets


On monitoring services interfaces, you can process MPLS packets that have not been assigned label values and have no corresponding entry in the mpls.0 routing table. This allows you to assign a default route to unlabeled MPLS packets. To configure a default label value for MPLS packets, include the default-route statement at the [edit protocols mpls interface interface-name label-map] hierarchy level:
[edit protocols mpls interface interface-name label-map]
default-route {
    (next-hop (address | interface-name | address/interface-name)) | (reject | discard);
    (pop | swap <out-label>);
    class-of-service value;
    preference preference;
    type type;
}

For more information about static labels, see the Junos OS MPLS Applications Configuration Guide.

Removing MPLS Labels from Incoming Packets


The Junos OS can forward only IPv4 packets to a Monitoring Services, Adaptive Services, or Multiservices PIC. IPv4 and IPv6 packets with MPLS labels cannot be forwarded to a monitoring PIC. By default, if packets with MPLS labels are forwarded to the monitoring PIC, they are discarded. To monitor IPv4 and IPv6 packets with MPLS labels, you must remove the MPLS labels as the packets arrive on the interface. You can remove up to two MPLS labels from an incoming packet by including the pop-all-labels statement at the [edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls] hierarchy level:

    [edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls]
    pop-all-labels {
        required-depth [ numbers ];
    }

By default, the pop-all-labels statement takes effect for incoming packets with one or two labels. You can specify the number of MPLS labels that an incoming packet must have for the pop-all-labels statement to take effect by including the required-depth statement at the [edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls pop-all-labels] hierarchy level:

    [edit interfaces interface-name (atm-options | fastether-options | gigether-options | sonet-options) mpls pop-all-labels]
    required-depth [ numbers ];

The required depth can be 1, 2, or [ 1 2 ]. If you include the required-depth 1 statement, the pop-all-labels statement takes effect for incoming packets with one label only. If you include the required-depth 2 statement, the pop-all-labels statement takes effect for incoming packets with two labels only. If you include the required-depth [ 1 2 ] statement, the pop-all-labels statement takes effect for incoming packets with one or two labels. A required depth of [ 1 2 ] is equivalent to the default behavior of the pop-all-labels statement. When you remove MPLS labels from incoming packets, note the following:

    The pop-all-labels statement has no effect on IP packets with three or more MPLS labels.
    When you enable MPLS label removal, you must configure all ports on a PIC with the same label popping mode and required depth.
    You use the pop-all-labels statement to enable passive monitoring applications, not active monitoring applications.
    You cannot apply MPLS filters or accounting to the MPLS labels because the labels are removed as soon as the packet arrives on the interface.
    On ATM2 interfaces, you must use a label value greater than 4095 because the lower range of MPLS labels is reserved for label-switched interface (LSI) and virtual private LAN service (VPLS) support. For more information, see the Junos OS VPNs Configuration Guide.
    The following ATM encapsulation types are not supported on interfaces with MPLS label removal:
        atm-ccc-cell-relay
        atm-ccc-vc-mux
        atm-mlppp-llc
        atm-tcc-snap
        atm-tcc-vc-mux
        ether-over-atm-llc
        ether-vpls-over-atm-llc

Chapter 51: Flow Monitoring and Discard Accounting Configuration Guidelines

Example: Enabling IPv4 Passive Flow Monitoring


The following example shows a complete configuration for enabling passive flow monitoring on an Ethernet interface. In this example, the Gigabit Ethernet interface can accept all Ethernet packets. It strips VLAN tags (if there are any) and up to two MPLS labels blindly, and passes IPv4 packets to the monitoring interface. With this configuration, it can monitor IPv4, VLAN+IPv4, VLAN+MPLS+IPv4, and VLAN+MPLS+MPLS+IPv4 labeled packets. The Fast Ethernet interface can accept only packets with VLAN ID 100. All other packets are dropped. With this configuration, it can monitor VLAN (ID=100)+IPv4, VLAN (ID=100)+MPLS+IPv4, and VLAN (ID=100)+MPLS+MPLS+IPv4 labeled packets.
    [edit firewall]
    family inet {
        filter input-monitoring-filter {
            term def {
                then {
                    count counter;
                    accept;
                }
            }
        }
    }
    [edit interfaces]
    ge-0/0/0 {
        passive-monitor-mode;
        gigether-options {
            mpls {
                pop-all-labels;
            }
        }
        unit 0 {
            family inet {
                filter {
                    input input-monitoring-filter;
                }
            }
        }
    }
    fe-0/1/0 {
        passive-monitor-mode;
        vlan-tagging;
        fastether-options {
            mpls {
                pop-all-labels required-depth [ 1 2 ];
            }
        }
        unit 0 {
            vlan-id 100;
            family inet {
                filter {
                    input input-monitoring-filter;
                }
            }
        }
    }
    mo-1/0/0 {
        unit 0 {
            family inet {
                receive-options-packets;
                receive-ttl-exceeded;
            }
        }
        unit 1 {
            family inet;
        }
    }
    [edit forwarding-options]
    monitoring mon1 {
        family inet {
            output {
                export-format cflowd-version-5;
                cflowd 50.0.0.2 port 2055;
                interface mo-1/0/0.0 {
                    source-address 50.0.0.1;
                }
            }
        }
    }
    [edit routing-instances]
    monitoring-vrf {
        instance-type vrf;
        interface ge-0/0/0.0;
        interface fe-0/1/0.0;
        interface mo-1/0/0.1;
        route-distinguisher 68:1;
        vrf-import monitoring-vrf-import;
        vrf-export monitoring-vrf-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop mo-1/0/0.1;
            }
        }
    }
    [edit policy-options]
    policy-statement monitoring-vrf-import {
        then {
            reject;
        }
    }
    policy-statement monitoring-vrf-export {
        then {
            reject;
        }
    }
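The label-removal rules above (pop-all-labels, required-depth, and the discard of anything still carrying labels) and the two interfaces in this example (ge-0/0/0 accepting everything, fe-0/1/0 accepting only VLAN 100) can be modelled to check which of a capture's frames would actually reach the monitoring PIC. The following Python is an added illustration, not Juniper code and not what the PIC runs; the Verdict fields, the build_frame() helper and the sample frames are constructed for this example.

```python
"""Model of passive-monitor-mode decapsulation: strip an 802.1Q tag, pop an MPLS
stack whose depth is listed in required-depth, discard anything still labeled.

Added illustration, not Juniper code; frame layout follows the standard
Ethernet / 802.1Q / MPLS shim / IP encodings."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_MPLS = 0x8847


@dataclass
class Verdict:
    action: str                  # "monitor" (handed to the mo- interface) or "discard"
    vlan_id: Optional[int]       # 802.1Q VLAN ID if the frame was tagged
    labels: List[int]            # MPLS labels found on the frame
    family: Optional[str]        # "inet" or "inet6" after decapsulation
    payload: bytes = b""         # the IP packet that the monitoring PIC would see


def parse_mpls_stack(data: bytes) -> Tuple[List[int], int]:
    """Walk the MPLS label stack; the bottom-of-stack (S) bit ends it."""
    labels, off = [], 0
    while True:
        if len(data) < off + 4:
            raise ValueError("truncated MPLS label stack")
        entry = struct.unpack("!I", data[off:off + 4])[0]
        labels.append(entry >> 12)      # label is the top 20 bits of the shim
        off += 4
        if entry & 0x100:               # S bit set: last entry in the stack
            return labels, off


def decapsulate(frame: bytes, required_depth: Tuple[int, ...] = (1, 2),
                vlan_filter: Optional[int] = None) -> Verdict:
    """required_depth mirrors 'required-depth': (1,), (2,) or the default (1, 2).
    vlan_filter mirrors 'vlan-id' on a vlan-tagging interface: other frames drop."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    if vlan_filter is not None and vlan_id != vlan_filter:
        return Verdict("discard", vlan_id, [], None)

    labels: List[int] = []
    if ethertype == ETHERTYPE_MPLS:
        labels, n = parse_mpls_stack(frame[off:])
        if len(labels) not in required_depth:
            # pop-all-labels does not apply (three or more labels, or a depth not
            # listed in required-depth): the packet reaches the PIC still labeled
            # and is discarded there.
            return Verdict("discard", vlan_id, labels, None)
        off += n
        if off >= len(frame):
            return Verdict("discard", vlan_id, labels, None)
        # MPLS carries no EtherType, so the family comes from the IP version nibble.
        ethertype = {4: ETHERTYPE_IPV4, 6: ETHERTYPE_IPV6}.get(frame[off] >> 4, 0)

    family = {ETHERTYPE_IPV4: "inet", ETHERTYPE_IPV6: "inet6"}.get(ethertype)
    if family is None:
        return Verdict("discard", vlan_id, labels, None)
    return Verdict("monitor", vlan_id, labels, family, frame[off:])


def build_frame(vlan: Optional[int] = None, labels: Tuple[int, ...] = (),
                ip_version: int = 4) -> bytes:
    """Construct a sample frame (test data for this example, not a real capture)."""
    if ip_version == 4:
        payload = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16   # minimal IPv4 header
    else:
        payload = bytes([0x60]) + b"\x00" * 39                     # minimal IPv6 header
    if labels:
        inner = ETHERTYPE_MPLS
    else:
        inner = ETHERTYPE_IPV4 if ip_version == 4 else ETHERTYPE_IPV6
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    if vlan is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, inner)
    else:
        hdr += struct.pack("!H", inner)
    stack = b"".join(
        struct.pack("!I", (lbl << 12) | (0x100 if i == len(labels) - 1 else 0))
        for i, lbl in enumerate(labels))
    return hdr + stack + payload
```

With the defaults, decapsulate() behaves like ge-0/0/0 in the example; passing vlan_filter=100 behaves like fe-0/1/0. A frame with three labels, or with two labels when only required-depth 1 is configured, comes back as "discard", which is the silent failure mode to look for when a collector is missing flows it was expected to see.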

Example: Enabling IPv6 Passive Flow Monitoring


The following example shows a complete configuration for enabling IPv6 passive flow monitoring on an Ethernet interface. In this example, the Gigabit Ethernet interface can accept all Ethernet packets. It strips VLAN tags (if there are any) and up to two MPLS labels blindly, and passes IPv6 packets to the monitoring interface. With this configuration, the Gigabit Ethernet interface can monitor IPv6, VLAN+IPv6, VLAN+MPLS+IPv6, and VLAN+MPLS+MPLS+IPv6 labeled packets. The vlan-tagged Gigabit Ethernet interface can accept only packets with VLAN ID 100. All other packets are dropped. With this configuration, it can monitor VLAN (ID=100)+IPv6, VLAN (ID=100)+MPLS+IPv6, and VLAN (ID=100)+MPLS+MPLS+IPv6 labeled packets.
    [edit interfaces]
    xe-0/1/0 {
        passive-monitor-mode;
        unit 0 {
            family inet6 {
                filter {
                    input port-mirror6;
                }
                address 2001::1/128;
            }
        }
    }
    xe-0/1/2 {
        passive-monitor-mode;
        vlan-tagging;
        unit 0 {
            vlan-id 100;
            family inet6 {
                filter {
                    input port-mirror6;
                }
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family inet6 {
                address 2000::1/128;
            }
        }
    }
    [edit firewall]
    family inet6 {
        filter port-mirror6 {
            term term2 {
                then {
                    count count_pm;
                    port-mirror;
                    accept;
                }
            }
        }
    }
    [edit forwarding-options]
    port-mirroring {
        input {
            rate 1;
        }
        family inet6 {
            output {
                interface xe-0/1/1.0 {
                    next-hop 2000::3;
                }
                no-filter-check;
            }
        }
    }

Configuring Services Interface Redundancy with Flow Monitoring


Active monitoring services configurations on AS, Multiservices PICs, and Multiservices DPCs support redundancy. To configure redundancy, you specify a redundancy services PIC (rsp) interface in which the primary AS or Multiservices PIC is active and a secondary PIC is on standby. If the primary PIC fails, the secondary PIC becomes active, and all service processing is transferred to it. If the primary PIC is restored, it remains on standby and does not preempt the secondary PIC; you need to manually restore the services to the primary PIC. To determine which PIC is currently active, issue the show interfaces redundancy command.

NOTE: On flow-monitoring configurations, the only service option supported is warm standby, in which one backup PIC supports multiple working PICs. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected. However, configuration is preserved and available on the new active PIC. As with the other services that support warm standby, you can issue the request interfaces (revert | switchover) command to switch manually between the primary and secondary flow monitoring interfaces.

For more information, see Configuring AS or Multiservices PIC Redundancy on page 620. For information on operational mode commands, see the Junos OS Interfaces Command Reference.


A sample configuration follows.


    interfaces {
        rsp0 {
            redundancy-options {
                primary sp-0/0/0;
                secondary sp-1/3/0;
            }
            unit 0 {
                family inet;
            }
        }
    }
    interfaces {
        ge-0/2/0 {
            unit 0 {
                family inet {
                    filter {
                        input as_sample;
                    }
                    address 10.58.255.49/28;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            instance instance1 {  # named instances of sampling parameters
                input {
                    rate 1;
                    run-length 0;
                    max-packets-per-second 65535;
                }
                family inet {
                    output {
                        flow-server 10.10.10.2 {
                            port 5000;
                            version 5;
                        }
                        flow-active-timeout 60;
                        interface rsp0 {
                            source-address 10.10.10.1;
                        }
                    }
                }
            }
        }
    }
    firewall {
        filter as_sample {
            term t1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }


CHAPTER 52

Summary of Flow-Monitoring Configuration Statements


The following sections explain each of the flow-monitoring configuration statements. The statements are organized alphabetically.


accounting
Syntax
    accounting name {
        output {
            aggregate-export-interval seconds;
            cflowd hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                port port-number;
                version format;
            }
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;
                source-address address;
            }
        }
    }
Hierarchy Level
    [edit forwarding-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the discard accounting instance name and options. The statements are explained separately.
Usage Guidelines
    See Configuring Discard Accounting on page 1076.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


address
Syntax
    address address {
        destination address;
    }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family family]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the interface address.
Options
    address: Address of the interface.
    The remaining statement is explained separately.
Usage Guidelines
    See Configuring Flow Monitoring on page 1032 or Configuring Traffic Sampling on page 1024.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation
    Junos OS Network Interfaces Configuration Guide for other options not associated with flow monitoring.

aggregate-export-interval
Syntax
    aggregate-export-interval seconds;
Hierarchy Level
    [edit forwarding-options accounting name output],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the duration, in seconds, of the interval for exporting aggregate accounting information.
Options
    seconds: Duration.
Usage Guidelines
    See Configuring Discard Accounting on page 1076.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


aggregation
Syntax
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
Hierarchy Level
    [edit forwarding-options accounting output cflowd hostname],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    For cflowd version 8 only, specify the type of data to be aggregated; cflowd records and sends only those flows that match the specified criteria.
Options
    autonomous-system: Aggregate by autonomous system (AS) number.
    caida-compliant: Record source and destination mask-length values in compliance with the Version 2.1b1 release of CAIDA's cflowd application. If this statement is not configured, the Junos OS records source and destination mask-length values in compliance with the cflowd Configuration Guide, dated August 30, 1999.
    destination-prefix: Aggregate by destination prefix.
    protocol-port: Aggregate by protocol and port number.
    source-destination-prefix: Aggregate by source and destination prefix.
    source-prefix: Aggregate by source prefix.
Usage Guidelines
    See Enabling Flow Aggregation on page 1039.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


autonomous-system-type
Syntax
    autonomous-system-type (origin | peer);
Hierarchy Level
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the type of AS numbers that cflowd exports.
Default
    origin
Options
    origin: Export origin AS numbers of the packet source address in the Source Autonomous System cflowd field.
    peer: Export peer AS numbers through which the packet passed in the Source Autonomous System cflowd field.
Usage Guidelines
    See Enabling Flow Aggregation on page 1039.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


cflowd
See the following sections:

    cflowd (Discard Accounting) on page 1092
    cflowd (Flow Monitoring) on page 1093

cflowd (Discard Accounting)
Syntax
    cflowd hostname {
        aggregation {
            autonomous-system;
            destination-prefix;
            protocol-port;
            source-destination-prefix {
                caida-compliant;
            }
            source-prefix;
        }
        autonomous-system-type (origin | peer);
        label-position {
            template template-name;
        }
        (local-dump | no-local-dump);
        port port-number;
        source-address address;
        version format;
    }
Hierarchy Level
    [edit forwarding-options accounting name output]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Collect an aggregate of sampled flows and send the aggregate to a specified host system that runs the collection utility cfdcollect. You can configure up to one version 5 and one version 8 flow format at the [edit forwarding-options accounting name output] hierarchy level.
Options
    hostname: The IP address or identifier of the host system (the workstation running the cflowd utility).
    The remaining statements are explained separately.
Usage Guidelines
    See Enabling Flow Aggregation on page 1039.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


cflowd (Flow Monitoring)
Syntax
    cflowd hostname {
        port port-number;
    }
Hierarchy Level
    [edit forwarding-options monitoring name inet output]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Collect an aggregate of sampled flows and send the aggregate to a specified host system that runs the collection utility cfdcollect. You can configure up to eight version 5 flow formats at the [edit forwarding-options monitoring name output] hierarchy level. Version 8 flow formats are not supported for flow-monitoring applications.
Options
    hostname: The IP address or identifier of the host system (the workstation running the cflowd utility).
    The remaining statement is explained separately.
Usage Guidelines
    See Enabling Flow Aggregation on page 1039.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

core-dump
Syntax
    (core-dump | no-core-dump);
Hierarchy Level
    [edit interfaces mo-fpc/pic/port multiservice-options]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    A useful tool for isolating the cause of a problem. Core dumping is enabled by default. The directory /var/tmp contains core files. The Junos OS saves the current core file (0) and the four previous core files, which are numbered from 1 through 4 (from newest to oldest).
Options
    core-dump: Enable the core dumping operation.
    no-core-dump: Disable the core dumping operation.
Usage Guidelines
    See Configuring Flow Monitoring on page 1032.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


destination
Syntax
    destination destination-address;
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number tunnel]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    For tunnel interfaces, specify the remote address of the tunnel.
Options
    destination-address: Address of the remote side of the connection.
Usage Guidelines
    See Configuring Unicast Tunnels on page 1355, Configuring Traffic Sampling on page 1024, and Configuring Flow Monitoring on page 1032.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

disable
Syntax
    disable;
Hierarchy Level
    [edit forwarding-options port-mirror],
    [edit forwarding-options port-mirror instance instance-name],
    [edit forwarding-options sampling],
    [edit forwarding-options sampling instance instance-name],
    [edit forwarding-options sampling family (inet | inet6 | mpls)],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output file]
Release Information
    Statement introduced before Junos OS Release 7.4. Statement added to the port-mirror hierarchy in Junos OS Release 9.6.
Description
    Disable traffic accounting, port mirroring, or sampling.
Usage Guidelines
    See Configuring Traffic Sampling on page 1024 or Configuring Port Mirroring on page 1059.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


disable-all-instances
Syntax
    disable-all-instances;
Hierarchy Level
    [edit forwarding-options port-mirror]
Release Information
    Statement introduced in Junos OS Release 9.6.
Description
    Disable all port mirroring instances globally.
Usage Guidelines
    See Configuring Port Mirroring on page 1059.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

engine-id
Syntax
    engine-id number;
Hierarchy Level
    [edit forwarding-options accounting name output interface interface-name],
    [edit forwarding-options monitoring name output interface interface-name],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output interface interface-name],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output interface interface-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the engine ID number for flow monitoring and accounting services.
Options
    number: Identity of the accounting interface.
Usage Guidelines
    See Configuring Traffic Sampling on page 1024, Configuring Flow Monitoring on page 1032, or Configuring Discard Accounting on page 1076.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


engine-type
Syntax
    engine-type number;
Hierarchy Level
    [edit forwarding-options accounting name output interface interface-name],
    [edit forwarding-options monitoring name output interface interface-name],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output interface interface-name],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output interface interface-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the engine type number for flow monitoring and accounting services. The engine type attribute refers to the type of the flow switching engine, such as the route processor or a line module. The configured engine type is inserted in output cflowd packets. The Source ID, a 32-bit value that ensures uniqueness for all flows exported from a particular device, is the equivalent of the engine type and engine ID fields.

    NOTE: You must configure a source address in the output interface statements. The interface-level engine-type statement is added automatically, but you can override this value with manually configured statements to track different flows with a single cflowd collector.
Options
    number: Platform-specific accounting interface type.
Usage Guidelines
    See Configuring Traffic Sampling on page 1024, Configuring Flow Monitoring on page 1032, or Configuring Discard Accounting on page 1076.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
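The engine-type and engine-id values described here, together with the flow-sequence counter, are what a collector uses to tell exporters apart and to notice lost export datagrams. The decoder below is an added example, not Juniper or cfdcollect code; it decodes cflowd version 5 datagrams using the standard NetFlow version 5 layout (24-byte header, 48-byte records), and build_v5() constructs sample datagrams so the example runs offline.

```python
"""Decoder for cflowd version 5 export datagrams (standard NetFlow v5 layout).

Added illustration, not Juniper or cfdcollect code. build_v5() fabricates
sample datagrams for the example; real ones arrive on the configured UDP port."""
import ipaddress
import struct
from typing import Dict, List

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling (2-bit mode + 14-bit interval)
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)        # 24 bytes
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)        # 48 bytes
MAX_RECORDS = 30                                # a v5 datagram carries at most 30 records


def parse_v5(datagram: bytes) -> Dict:
    """Decode one export datagram; raises ValueError on anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a version 5 datagram (version={version})")
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        # A count that disagrees with the length means truncation or a forged
        # datagram; refuse it rather than decode garbage into flow records.
        raise ValueError("record count does not match datagram length")
    records: List[Dict] = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask,
         _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "nexthop": str(ipaddress.IPv4Address(nexthop)),
            "input_if": in_if, "output_if": out_if,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "tcp_flags": tcp_flags,
            "proto": proto, "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def is_well_formed(datagram: bytes) -> bool:
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def sequence_gap(prev_sequence: int, prev_count: int, current_sequence: int) -> int:
    """flow_sequence counts flows exported so far; a positive gap means datagrams
    from this engine were lost between the two seen."""
    return current_sequence - (prev_sequence + prev_count)


def build_v5(engine_type: int, engine_id: int, flow_sequence: int,
             flows: List[Dict]) -> bytes:
    """Construct a sample datagram (test data for this example, not router output)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 123456, 1320278400, 0,
                         flow_sequence, engine_type, engine_id, 1)
    body = b""
    for f in flows:
        body += struct.pack(
            RECORD_FMT,
            ipaddress.IPv4Address(f["src"]).packed,
            ipaddress.IPv4Address(f["dst"]).packed,
            ipaddress.IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("input_if", 0), f.get("output_if", 0),
            f["packets"], f["octets"], 1000, 2000,
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
            f.get("src_as", 0), f.get("dst_as", 0), 24, 24, 0)
    return header + body
```

The length check is deliberate: a collector that trusts the count field and reads past the datagram, or silently accepts short datagrams, can be fed bogus flow records by anything that can reach the collector port, so the exporter address and the source-address configured on the output interface should be used to filter what the collector accepts.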


extension-service
Syntax
    extension-service service-name {
        provider-specific rules;
    }
Hierarchy Level
    [edit forwarding-options sampling instance instance-name family (inet | inet6) output],
    [edit forwarding-options sampling family (inet | inet6) output],
    [edit services service-set service-set-name]
Release Information
    Statement introduced in Junos OS Release 9.0.
Description
    Define a customer-specific sampling configuration. Define a service set or traffic monitoring for applications using application-specific configuration guidelines.

    NOTE: If the extension-service statement is specified while configuring a service set, the service-order statement is mandatory.
Options
    provider-specific rules: Provider-specific subhierarchy for services and service sets. See the application-specific documentation for details.
    service-name: Name of the service.
Required Privilege Level
    system: To view this statement in the configuration.
    system-control: To add this statement to the configuration.
Related Documentation
    service-order
    sampling on page 1144


export-format
Syntax
    export-format format;
Hierarchy Level
    [edit forwarding-options monitoring name output]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Flow monitoring export format.
Options
    format: Format of the flows.
    Values: 5 or 8
    Default: 5
Usage Guidelines
    See Exporting Flows on page 1035.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation
    version on page 1154


family
See the following sections:

    family (Interfaces) on page 1099
    family (Monitoring) on page 1100
    family (Port Mirroring) on page 1101
    family (Sampling) on page 1102

family (Interfaces)
Syntax
    family family {
        address address {
            destination destination-address;
        }
        filter {
            group filter-group-number;
            input filter-name;
            output filter-name;
        }
        sampling direction;
        receive-options-packets;
        receive-ttl-exceeded;
    }
Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure protocol family information for the logical interface.
Options
    family: Protocol family; for flow monitoring and accounting services, only the IP version 4 (IPv4) protocol (inet) is supported.
    The remaining statements are explained separately.
Usage Guidelines
    See Configuring Flow Monitoring on page 1032.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
Related Documentation
    Junos OS Network Interfaces Configuration Guide for other options not used with services interfaces.


family (Monitoring)
Syntax
    family inet {
        output {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            export-format format;
            cflowd hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                port port-number;
            }
            interface interface-name {
                engine-id number;
                engine-type number;
                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
Hierarchy Level
    [edit forwarding-options monitoring name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify input and output interfaces and properties for flow monitoring. Only IPv4 (inet) is supported. The statements are explained separately.
Usage Guidelines
    See Configuring Flow Monitoring on page 1032.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


family (Port Mirroring)
Syntax
    family (inet | inet6) {
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
Hierarchy Level
    [edit forwarding-options port-mirroring]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the protocol family to be sampled. Only IPv4 (inet) and IPv6 (inet6) are supported. The statements are explained separately.
Usage Guidelines
    See Configuring Port Mirroring on page 1059.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


family (Sampling)
Syntax
    family (inet | inet6 | mpls) {
        disable;
        output {
            aggregate-export-interval seconds;
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            extension-service service-name;
            flow-server hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                (local-dump | no-local-dump);
                port port-number;
                source-address address;
                version format;
                version9 {
                    template template-name;
                }
            }
            interface interface-name {
                engine-id number;
                engine-type number;
                source-address address;
            }
            file {
                disable;
                filename filename;
                files number;
                size bytes;
                (stamp | no-stamp);
                (world-readable | no-world-readable);
            }
            inline-jflow {
                source-address address;
                flow-export-rate rate;
            }
        }
    }
Hierarchy Level
    [edit forwarding-options sampling],
    [edit forwarding-options sampling instance instance-name]
Release Information
    Statement introduced before Junos OS Release 7.4. mpls option introduced in Release 8.3. inet6 option introduced in Release 9.4.
Description
    Configure the protocol family to be sampled. IPv4 (inet) is supported for most purposes, but you can configure family mpls to collect and export MPLS label information or family inet6 to collect and export IPv6 traffic using flow aggregation version 9. The remaining statements are explained separately.

    NOTE: The inline-jflow statement is valid only under the [edit forwarding-options sampling instance instance-name family inet output] hierarchy level. The file statement is valid only under the [edit forwarding-options sampling family inet output] hierarchy level.
Usage Guidelines
    See Configuring Traffic Sampling on page 1024.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


file
See the following sections:

    file (Sampling) on page 1104
    file (Trace Options) on page 1104

file (Sampling)
Syntax
    file {
        disable;
        filename filename;
        files number;
        size bytes;
        (stamp | no-stamp);
        (world-readable | no-world-readable);
    }
Hierarchy Level
    [edit forwarding-options sampling family inet output]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Collect the traffic samples in a file. The statements are explained separately.
Usage Guidelines
    See Configuring Traffic Sampling on page 1024.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

file (Trace Options)
Syntax
    file filename <files number> <size bytes> <world-readable | no-world-readable>;
Hierarchy Level
    [edit forwarding-options port-mirroring traceoptions],
    [edit forwarding-options sampling traceoptions]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure information about the files that contain trace logging information.
Options
    filename: The name of the file containing the trace information.
    Default: /var/log/sampled
    The remaining statements are explained separately.
Usage Guidelines
    See Tracing Traffic Sampling Operations on page 1029.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


filename
Syntax
    filename filename;
Hierarchy Level
    [edit forwarding-options sampling family (inet | inet6 | mpls) output file]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the name of the output file.
Options
    filename: Name of the file in which to place the traffic samples. All files are placed in the directory /var/tmp.
Usage Guidelines
    See Configuring Traffic Sampling on page 1024.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

files
Syntax
    files number;
Hierarchy Level
    [edit forwarding-options port-mirroring traceoptions file],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output file],
    [edit forwarding-options sampling traceoptions file]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the total number of files to be saved with samples or trace data.
Options
    number: Maximum number of traffic sampling or trace log files. When a file named sampling-file reaches its maximum size, it is renamed sampling-file.0, then sampling-file.1, and so on, until the maximum number of traffic sampling files is reached. Then the oldest sampling file is overwritten.
    Range: 1 through 100 files
    Default: 5 files for sampling output; 10 files for trace log information
Usage Guidelines
    See Configuring Port Mirroring on page 1059 or Configuring Traffic Sampling on page 1024.
Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


Junos 11.4 Services Interfaces Configuration Guide

filter

Syntax
filter {
    input filter-name;
    output filter-name;
    group filter-group-number;
}

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number family inet]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Apply a firewall filter to an interface. You can also use filters for encrypted traffic.

Options
group filter-group-number: Define an interface to be part of a filter group. The default filter group number is 0.
input filter-name: Name of one filter to evaluate when packets are received on the interface.
output filter-name: Name of one filter to evaluate when packets are transmitted on the interface.

Usage Guidelines
See Configuring Flow Monitoring on page 1032.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Junos OS Routing Policy Configuration Guide or the Junos OS System Basics Configuration Guide


flow-active-timeout

Syntax
flow-active-timeout seconds;

Hierarchy Level
[edit forwarding-options accounting name output],
[edit forwarding-options monitoring name output],
[edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output],
[edit forwarding-options sampling family (inet | inet6 | mpls) output],
[edit services flow-monitoring version9]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Interval after which an active flow is exported.

NOTE: The router must include an Adaptive Services, Multiservices, or Monitoring Services PIC for this statement to take effect.

Options
seconds: Duration of the timeout period.
Range: 60 through 1800 seconds (for forwarding-options configurations); 10 through 600 seconds (for services configurations)
Default: 1800 seconds (for forwarding-options configurations); 60 seconds (for services configurations)

NOTE: In active flow monitoring, the cflowd records are exported after a time period that is a multiple of 60 seconds and greater than or equal to the configured active timeout value. For example, if the active timeout value is 90 seconds, the cflowd records are exported at 120-second intervals. If the active timeout value is 150 seconds, the cflowd records are exported at 180-second intervals, and so forth.

Usage Guidelines
See Configuring Time Periods when Flow Monitoring is Active and Inactive on page 1035 or Configuring the Version 9 Template Properties on page 1044.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
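The rounding rule in the note above, carried through as an added example (not Junos code, not part of the guide) that generalizes the two cases the note gives: it resolves the effective timeout from the documented ranges and defaults for each hierarchy, computes the export interval as the smallest multiple of 60 seconds at or above the configured value, and lists when records for a long-lived flow actually reach the collector. The hierarchy names used as dictionary keys are labels chosen here, not configuration keywords.

```python
import math
from typing import List, Optional

# Documented ranges and defaults, keyed by where the statement is configured
# (keys are labels used in this example, not Junos keywords).
TIMEOUT_LIMITS = {
    "forwarding-options": {"min": 60, "max": 1800, "default": 1800},
    "services":           {"min": 10, "max": 600,  "default": 60},
}


def resolve_active_timeout(hierarchy: str, seconds: Optional[int] = None) -> int:
    """Effective flow-active-timeout: the documented default when unset,
    otherwise the configured value if it lies within the documented range."""
    limits = TIMEOUT_LIMITS[hierarchy]
    if seconds is None:
        return limits["default"]
    if not limits["min"] <= seconds <= limits["max"]:
        raise ValueError(
            f"flow-active-timeout {seconds}: must be {limits['min']} through "
            f"{limits['max']} seconds under {hierarchy}"
        )
    return seconds


def cflowd_export_interval(active_timeout: int) -> int:
    """Smallest multiple of 60 seconds that is >= the configured active timeout
    (90 -> 120, 150 -> 180, 60 -> 60)."""
    return math.ceil(active_timeout / 60) * 60


def export_times(active_timeout: int, flow_lifetime: int) -> List[int]:
    """Seconds from flow start at which records for a flow that stays active
    for flow_lifetime seconds are exported. A flow shorter than one interval
    is never exported by the active timeout; only the inactive timeout
    (flow-inactive-timeout) would report it."""
    interval = cflowd_export_interval(active_timeout)
    return list(range(interval, flow_lifetime + 1, interval))


if __name__ == "__main__":
    # Constructed example: services-level default versus a 90-second setting.
    for hierarchy, configured in (("services", None), ("forwarding-options", 90)):
        t = resolve_active_timeout(hierarchy, configured)
        print(hierarchy, "timeout", t, "-> export every", cflowd_export_interval(t), "s")
    print("exports for a 400 s flow at 90 s timeout:", export_times(90, 400))
```

The practical consequence for detection is that the first record of a long-lived flow arrives no sooner than cflowd_export_interval(timeout) seconds after the flow starts, so a configured 90 seconds buys a 120-second reporting delay, not 90.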


flow-export-rate

Syntax
flow-export-rate rate;

Hierarchy Level
[edit forwarding-options sampling instance instance-name family inet output inline-jflow]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the flow export rate of monitored packets in kpps.

Options
rate: Flow export rate of monitored packets in kpps (from 1 to 400).

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Discard Accounting on page 1076
Configuring Flow Monitoring on page 1032
Configuring Traffic Sampling on page 1024

flow-control-options

Syntax
flow-control-options {
    down-on-flow-control;
    dump-on-flow-control;
    reset-on-flow-control;
}

Hierarchy Level
[edit interfaces mo-fpc/pic/port multiservice-options]

Release Information
Statement introduced before Junos OS Release 8.4.

Description
Configure the flow control options for application recovery in case of a prolonged flow control failure.

Options
down-on-flow-control: Bring interface down during prolonged flow control.
dump-on-flow-control: Cause core dump during prolonged flow control.
reset-on-flow-control: Reset interface during prolonged flow control.

Usage Guidelines
See Configuring Flow Monitoring on page 1032.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


flow-export-destination

Syntax
flow-export-destination {
    (cflowd-collector | collector-pic);
}

Hierarchy Level
[edit forwarding-options monitoring group-name family inet output]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure flow collection.

Options
cflowd-collector: cflowd collector.
collector-pic: Collector PIC.

Usage Guidelines
See Exporting Flows on page 1035.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


flow-inactive-timeout

Syntax
flow-inactive-timeout seconds;

Hierarchy Level
[edit forwarding-options accounting name output],
[edit forwarding-options monitoring name output],
[edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output],
[edit forwarding-options sampling family (inet | inet6 | mpls) output],
[edit services flow-monitoring version9]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Interval of inactivity that marks a flow inactive.

NOTE: The router must include an Adaptive Services, Multiservices, or Monitoring Services PIC for this statement to take effect.

Options
seconds: Duration of the timeout period.
Range: 60 through 1800 seconds (for forwarding-options configurations); 10 through 600 seconds (for services configurations)
Default: 1800 seconds (for forwarding-options configurations); 60 seconds (for services configurations)

Usage Guidelines
See Configuring Time Periods when Flow Monitoring is Active and Inactive on page 1035 or Configuring the Version 9 Template Properties on page 1044.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


flow-monitoring

Syntax
flow-monitoring {
    version9 {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            ipv6-template;
            mpls-template {
                label-position [ positions ];
            }
            mpls-ipv4-template {
                label-position [ positions ];
            }
            peer-as-billing-template;
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }
}

Hierarchy Level
[edit services]

Release Information
Statement introduced in Junos OS Release 8.3.

Description
Specify the active monitoring properties for flow aggregation version 9. The statements are explained separately.

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


flow-server

Syntax
flow-server hostname {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    source-address address;
    version format;
    version9 {
        template template-name;
    }
}

Hierarchy Level
[edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output],
[edit forwarding-options sampling family (inet | inet6 | mpls) output]

Release Information
Statement introduced before Junos OS Release 7.4.
version9 statement introduced in Junos OS Release 8.3.

Description
Collect an aggregate of sampled flows and send the aggregate to a specified host system that runs the collection utility cfdcollect. Specify a host system to collect sampled flows using the version 9 format. You can configure up to one version 5 and one version 8 flow format at the [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname] hierarchy level. For the same configuration, you can specify only either version 9 flow record formats or formats using versions 5 and 8, not both types of formats.

Options
hostname: The IP address or identifier of the host system (the workstation either running the cflowd utility or collecting traffic flows using version 9). You can configure only one host system for version 9.

The remaining statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Traffic Sampling on page 1024
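The collector constraints in the flow-server description above (at most one version 5 and one version 8 collector, a single version 9 host, and no mixing of version 9 with versions 5 and 8), expressed as an added pre-commit check that is not Junos code and not part of the guide. The FlowServer record and the rule that a version9 block must name a template are assumptions made here; the 192.0.2.x addresses in the usage section are constructed documentation addresses.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FlowServer:
    """One flow-server hostname { ... } block, reduced to the fields the
    documented constraints depend on (a modeling choice, not Junos syntax)."""
    hostname: str
    version: int                     # `version format`: 5 or 8; 9 stands for a version9 block
    template: Optional[str] = None   # `version9 { template template-name; }`


def check_flow_servers(servers: List[FlowServer]) -> List[str]:
    """Return the constraint violations for the flow-servers configured at one
    output hierarchy level; an empty list means the set is acceptable."""
    errors: List[str] = []
    by_version = Counter(s.version for s in servers)

    for s in servers:
        if s.version not in (5, 8, 9):
            errors.append(f"{s.hostname}: unsupported flow format version {s.version}")
        # Assumption: a version9 block is only meaningful with a template name.
        if s.version == 9 and not s.template:
            errors.append(f"{s.hostname}: version9 requires a template name")

    # Up to one version 5 and one version 8 collector.
    for v in (5, 8):
        if by_version[v] > 1:
            errors.append(f"more than one version {v} flow-server ({by_version[v]} configured)")

    # Only one host system may be configured for version 9.
    if by_version[9] > 1:
        errors.append(f"more than one version 9 flow-server ({by_version[9]} configured)")

    # Version 9 and versions 5/8 are mutually exclusive in one configuration.
    if by_version[9] and (by_version[5] or by_version[8]):
        errors.append("version 9 cannot be combined with version 5 or 8 collectors")

    return errors


if __name__ == "__main__":
    # Constructed example: a v5 plus v8 pair is acceptable; adding a v9 host is not.
    ok = [FlowServer("192.0.2.10", 5), FlowServer("192.0.2.11", 8)]
    bad = ok + [FlowServer("192.0.2.12", 9, template="ipv4")]
    print("ok :", check_flow_servers(ok))
    print("bad:", check_flow_servers(bad))
```

Running the check before a commit is useful when collector lists are generated from inventory, because the mutually exclusive formats are easy to get wrong when a site moves from cflowd versions 5 and 8 to version 9 templates one collector at a time.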


forwarding-options

Syntax
forwarding-options { ... }

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure traffic forwarding. The statements that apply to services interfaces are explained separately. For other statements, see the Junos OS Routing Policy Configuration Guide.

Usage Guidelines
See Configuring Flow Monitoring on page 1032 and Configuring Traffic Sampling on page 1024.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

inline-jflow

Syntax
inline-jflow {
    source-address address;
    flow-export-rate rate;
}

Hierarchy Level
[edit forwarding-options sampling instance instance-name family inet output]

Release Information
Statement introduced in Junos OS Release 10.2.

Description
Specify inline flow monitoring for traffic from the designated address.

Options
address: Source IP address.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Inline Flow Monitoring on page 1053


input

See the following sections:
input (Port Mirroring) on page 1114
input (Sampling) on page 1114

input (Port Mirroring)

Syntax
input {
    rate number;
    run-length number;
}

Hierarchy Level
[edit forwarding-options port-mirroring],
[edit forwarding-options port-mirroring instance instance-name],
[edit forwarding-options port-mirroring family (inet | inet6)]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure port mirroring on a logical interface. The statements are explained separately.

Usage Guidelines
See Configuring Port Mirroring on page 1059.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

input (Sampling)

Syntax
input {
    max-packets-per-second number;
    rate number;
    run-length number;
    maximum-packet-length bytes;
}

Hierarchy Level
[edit forwarding-options sampling],
[edit forwarding-options sampling instance instance-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure traffic sampling on a logical interface. The statements are explained separately.

Usage Guidelines
See Configuring Traffic Sampling on page 1024.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


input-interface-index

Syntax
input-interface-index number;

Hierarchy Level
[edit forwarding-options monitoring name output interface interface-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify a value for the input interface index that overrides the default supplied by SNMP.

Options
number: Input interface index value.

Usage Guidelines
See Configuring Flow Monitoring on page 1032.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


instance

See the following sections:
instance (Port Mirroring) on page 1116
instance (Sampling) on page 1117

instance (Port Mirroring)

Syntax
instance instance-name {
    disable;
    input {
        rate number;
        maximum-packet-length number;
    }
    family (inet | inet6 | vpls) {
        output {
            next-hop-group group-name;
        }
    }
}

Hierarchy Level
[edit forwarding-options port-mirroring]

Release Information
Statement introduced in Junos OS Release 9.6.

Description
Configure a port-mirroring instance. The remaining statements are explained separately.

Usage Guidelines
See Configuring Sampling Instances on page 1051.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


instance (Sampling)

Syntax
instance instance-name {
    disable;
    input {
        rate number;
        run-length number;
        max-packets-per-second number;
        maximum-packet-length bytes;
    }
    family (inet | inet6 | mpls) {
        disable;
        output {
            aggregate-export-interval seconds;
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            extension-service service-name;
            flow-server hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;
                    }
                    source-prefix;
                }
                autonomous-system-type (origin | peer);
                (local-dump | no-local-dump);
                port port-number;
                source-address address;
                version format;
                version9 {
                    template template-name;
                }
            }
            interface interface-name {
                engine-id number;
                engine-type number;
                source-address address;
            }
            inline-jflow {
                source-address address;
                flow-export-rate rate;
            }
        }
    }
}

Hierarchy Level
[edit forwarding-options sampling]

Release Information
Statement introduced in Junos OS Release 9.6.

Description
Configure a sampling instance.


The remaining statements are explained separately.

Usage Guidelines
See Configuring Sampling Instances on page 1051.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


interface

See the following sections:
interface (Accounting or Sampling) on page 1119
interface (Monitoring) on page 1120
interface (Port Mirroring) on page 1120

interface (Accounting or Sampling)

Syntax
interface interface-name {
    engine-id number;
    engine-type number;
    source-address address;
}

Hierarchy Level
[edit forwarding-options accounting name output],
[edit forwarding-options sampling family (inet | inet6 | mpls) output],
[edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the output interface for monitored traffic.

Options
interface-name: Name of the interface.

The remaining statements are explained separately.

Usage Guidelines
See Configuring Discard Accounting on page 1076 or Configuring Traffic Sampling on page 1024.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


interface (Monitoring)

Syntax
interface interface-name {
    engine-id number;
    engine-type number;
    input-interface-index number;
    output-interface-index number;
    source-address address;
}

Hierarchy Level
[edit forwarding-options monitoring name family inet output]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the output interface for monitored traffic.

Options
interface-name: Name of the interface.

The remaining statements are explained separately.

Usage Guidelines
See Configuring Flow Monitoring on page 1032.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

interface (Port Mirroring)

Syntax
interface interface-name {
    next-hop address;
}

Hierarchy Level
[edit forwarding-options port-mirroring family (inet | inet6) output]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the output interface for sending copies of packets elsewhere to be analyzed.

Options
interface-name: Name of the interface.

The remaining statements are explained separately.

Usage Guidelines
See Configuring Port Mirroring on page 1059.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


interfaces

Syntax
interfaces { ... }

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure interfaces on the router.

Default
The management and internal Ethernet interfaces are automatically configured. You must configure all other interfaces.

Usage Guidelines
See the Junos OS Network Interfaces Configuration Guide for general information.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

ipv4-template

Syntax
ipv4-template;

Hierarchy Level
[edit services flow-monitoring version9 template template-name]

Release Information
Statement introduced in Junos OS Release 8.3.

Description
Specify that the flow aggregation version 9 template is used only for IPv4 records.

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

ipv6-template

Syntax
ipv6-template;

Hierarchy Level
[edit services flow-monitoring version9 template template-name]

Release Information
Statement introduced in Junos OS Release 9.4.

Description
Specify that the flow aggregation version 9 template is used only for IPv6 records.

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


label-position

Syntax
label-position [ positions ];

Hierarchy Level
[edit services flow-monitoring version9 template template-name mpls-ipv4-template],
[edit services flow-monitoring version9 template template-name mpls-template]

Release Information
Statement introduced in Junos OS Release 8.3.

Description
Specify positions for up to three labels in the template.

Default
[1 2 3]

Options
positions: Numbered positions for the labels.

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

local-dump

Syntax
(local-dump | no-local-dump);

Hierarchy Level
[edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname],
[edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Enable collection of cflowd records in a log file.

Options
local-dump: Dump cflowd records to a log file before exporting.
no-local-dump: Do not dump cflowd records to a log file before exporting.

Usage Guidelines
See Enabling Flow Aggregation on page 1039.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


match

Syntax
match expression;

Hierarchy Level
[edit forwarding-options port-mirroring traceoptions file],
[edit forwarding-options sampling traceoptions file]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Regular expression for lines to be logged for tracing.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Port Mirroring on page 1059
Configuring Traffic Sampling on page 1024

maximum-packet-length

Syntax
maximum-packet-length bytes;

Hierarchy Level
[edit forwarding-options port-mirroring input],
[edit forwarding-options port-mirroring instance instance-name input],
[edit forwarding-options sampling input],
[edit forwarding-options sampling instance instance-name input]

Release Information
Statement introduced in Junos OS Release 9.6.

Description
Set the maximum length of the packet used for port mirroring or traffic sampling. Packets with lengths greater than the specified maximum are truncated.

NOTE: The maximum-packet-length statement is not supported on MX80 routers.

Options
bytes: Number of bytes.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Port Mirroring
Configuring Traffic Sampling


max-packets-per-second

Syntax
max-packets-per-second number;

Hierarchy Level
[edit forwarding-options sampling input],
[edit forwarding-options sampling instance instance-name input]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the traffic threshold that must be exceeded before packets are dropped. A value of 0 instructs the Packet Forwarding Engine not to sample any traffic.

NOTE: When you configure active monitoring and specify a Monitoring Services, Adaptive Services, or Multiservices PIC in the output statement, the max-packets-per-second value is ignored.

Options
number: Maximum number of packets per second.
Range: 0 through 65,535
Default: 1000

Usage Guidelines
See Configuring Traffic Sampling on page 1024.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


monitoring

Syntax
monitoring name {
    family inet {
        output {
            cflowd hostname port-number;
            export-format cflowd-version-5;
            flow-active-timeout seconds;
            flow-export-destination {
                (cflowd-collector | collector-pic);
            }
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;
                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
}

Hierarchy Level
[edit forwarding-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the flow monitoring instance name and properties. The statements are explained separately.

Usage Guidelines
See Configuring Flow Monitoring on page 1032.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


mpls-ipv4-template

Syntax
mpls-ipv4-template {
    label-position [ positions ];
}

Hierarchy Level
[edit services flow-monitoring version9 template template-name]

Release Information
Statement introduced in Junos OS Release 8.3.

Description
Specify the flow aggregation version 9 properties for templates that combine IPv4 and MPLS records. The remaining statement is explained separately.

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

mpls-template

Syntax
mpls-template {
    label-position [ positions ];
}

Hierarchy Level
[edit services flow-monitoring version9 template template-name]

Release Information
Statement introduced in Junos OS Release 8.3.

Description
Specify the flow aggregation version 9 properties for templates used only for MPLS records. The remaining statement is explained separately.

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


multiservice-options

Syntax
multiservice-options {
    (core-dump | no-core-dump);
    (syslog | no-syslog);
    flow-control-options {
        down-on-flow-control;
        dump-on-flow-control;
        reset-on-flow-control;
    }
}

Hierarchy Level
[edit interfaces mo-fpc/pic/port]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For flow-monitoring interfaces only, configure multiservice-specific interface properties. The statements are explained separately.

Usage Guidelines
See Configuring Flow Monitoring on page 1032.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

next-hop

Syntax
next-hop address;

Hierarchy Level
[edit forwarding-options port-mirroring family (inet | inet6) output interface interface-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the next-hop address for sending copies of packets to an analyzer.

Options
address: IP address of the next-hop router.

Usage Guidelines
See Configuring Port Mirroring on page 1059.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


next-hop-group

See the following sections:
next-hop-group (Forwarding Options) on page 1128
next-hop-group (Port Mirroring) on page 1129

next-hop-group (Forwarding Options)

Syntax
next-hop-group group-name {
    interface interface-name {
        next-hop address;
    }
}

Hierarchy Level
[edit forwarding-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the next-hop address for sending copies of packets to an analyzer.

Options
address: IP address of the next-hop router. Each next-hop group supports up to 16 next-hop addresses. Up to 30 next-hop groups are supported. Each next-hop group must have at least two next-hop addresses.
group-name: Name of next-hop group. Up to 30 next-hop groups are supported for the router. Each next-hop group must have at least two next-hop addresses.
interface-name: Name of interface used to reach the next-hop destination.

Usage Guidelines
See Configuring Port Mirroring on page 1059.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


next-hop-group (Port Mirroring)

Syntax
next-hop-group group-name;

Hierarchy Level
[edit forwarding-options port-mirroring family (inet | vpls) output],
[edit forwarding-options port-mirroring instance instance-name family (inet | vpls) output]

Release Information
Statement introduced in Junos OS Release 9.6.

Description
Specify the next-hop address for sending copies of packets to an analyzer. This configuration enables multipacket port mirroring on MX Series routers without the use of a Tunnel PIC.

Options
group-name: Name of next-hop group.

Usage Guidelines
See Port Mirroring with Next-Hop Groups on page 1062.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

no-core-dump
See core-dump

no-filter-check

Syntax
no-filter-check;

Hierarchy Level
[edit forwarding-options port-mirroring family (inet | inet6) output]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Disable filter checking on the port-mirroring interface. This statement is required when you send port-mirrored traffic to a Tunnel PIC that has a filter applied to it.

Usage Guidelines
See Configuring Port Mirroring on page 1059.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

no-local-dump
See local-dump


no-remote-trace (Trace Options)

Syntax
no-remote-trace;

Hierarchy Level
[edit forwarding-options port-mirroring traceoptions],
[edit forwarding-options sampling traceoptions]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Disable remote tracing.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Tracing Traffic Sampling Operations on page 1029

no-stamp
See stamp

no-syslog
See syslog

no-world-readable
See world-readable


option-refresh-rate

Syntax
option-refresh-rate packets packets seconds seconds;

Hierarchy Level
[edit services flow-monitoring version9],
[edit services flow-monitoring version9 template template-name]

Release Information
Statement introduced in Junos OS Release 8.3.

Description
Specify the refresh rate, in either packets or seconds.

Options
packets: Refresh rate, in number of packets.
Range: 1 through 480,000
Default: 4800

seconds: Refresh rate, in number of seconds.
Range: 10 through 600
Default: 60

Usage Guidelines
See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


output

See the following sections:
output (Accounting) on page 1132
output (Monitoring) on page 1133
output (Port Mirroring) on page 1133
output (Sampling) on page 1134

output (Accounting)

Syntax
output {
    aggregate-export-interval seconds;
    cflowd hostname {
        aggregation {
            autonomous-system;
            destination-prefix;
            protocol-port;
            source-destination-prefix {
                caida-compliant;
            }
            source-prefix;
        }
        autonomous-system-type (origin | peer);
        (local-dump | no-local-dump);
        port port-number;
        source-address address;
        version format;
    }
    flow-active-timeout seconds;
    flow-inactive-timeout seconds;
    interface interface-name {
        engine-id number;
        engine-type number;
        source-address address;
    }
}

Hierarchy Level
[edit forwarding-options accounting name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure cflowd, output interfaces, and flow properties. The statements are explained separately.

Usage Guidelines
See Configuring Discard Accounting on page 1076.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


output (Monitoring)

Syntax
    output {
        cflowd hostname port port-number;
        export-format format;
        flow-active-timeout seconds;
        flow-export-destination {
            (cflowd-collector | collector-pic);
        }
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            input-interface-index number;
            output-interface-index number;
            source-address address;
        }
    }

Hierarchy Level
    [edit forwarding-options monitoring name family inet]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure cflowd, output interfaces, and flow properties. The statements are explained separately.

Usage Guidelines
    See Configuring Flow Monitoring on page 1032.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

output (Port Mirroring)

Syntax
    output {
        interface interface-name {
            next-hop address;
        }
        no-filter-check;
    }

Hierarchy Level
    [edit forwarding-options port-mirroring family (inet | inet6)]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure output interfaces and flow properties. The statements are explained separately.

Usage Guidelines
    See Configuring Port Mirroring on page 1059.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


output (Sampling)

Syntax
    output {
        aggregate-export-interval seconds;
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        extension-service service-name;
        flow-server hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            (local-dump | no-local-dump);
            port port-number;
            source-address address;
            version format;
            version9 {
                template template-name;
            }
        }
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
        file {
            disable;
            filename filename;
            files number;
            size bytes;
            (stamp | no-stamp);
            (world-readable | no-world-readable);
        }
        inline-jflow {
            source-address address;
            flow-export-rate rate;
        }
    }

Hierarchy Level
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls)],
    [edit forwarding-options sampling family (inet | inet6 | mpls)]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure cflowd, output files and interfaces, and flow properties. The statements are explained separately.

    NOTE: The inline-jflow statement is valid only under the [edit forwarding-options sampling instance instance-name family inet output] hierarchy level. The file statement is valid only under the [edit forwarding-options sampling family inet output] hierarchy level.

Usage Guidelines
    See Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

output-interface-index

Syntax
    output-interface-index number;

Hierarchy Level
    [edit forwarding-options monitoring name output interface interface-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify a value for the output interface index that overrides the default supplied by SNMP.

    NOTE: On J Series routers, cflowd sampling in the input direction of an interface reports the output interface index as 0.

Options
    number: Output interface index value.

Usage Guidelines
    See Configuring Flow Monitoring on page 1032.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


passive-monitor-mode

Syntax
    passive-monitor-mode;

Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    For Asynchronous Transfer Mode (ATM), SONET/SDH, Fast Ethernet, and Gigabit Ethernet interfaces only, monitor packet flows from another router. If you include this statement in the configuration, the SONET/SDH interface does not send keepalives or alarms, and does not participate actively on the network.

Usage Guidelines
    See Enabling Passive Flow Monitoring on page 1077.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    multiservice-options on page 1127


pop-all-labels

Syntax
    pop-all-labels {
        required-depth number;
    }

Hierarchy Level
    [edit interfaces interface-name atm-options mpls],
    [edit interfaces interface-name fastether-options mpls],
    [edit interfaces interface-name gigether-options mpls],
    [edit interfaces interface-name sonet-options mpls]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    For passive monitoring on ATM, SONET/SDH, Fast Ethernet, and Gigabit Ethernet interfaces only, removes up to two MPLS labels from incoming IP packets. This statement has no effect on IP packets with more than two MPLS labels. Packets with MPLS labels cannot be processed by the monitoring PIC; if packets with MPLS labels are forwarded to the monitoring PIC, they are discarded. The remaining statement is explained separately.

Default
    If you omit this statement, the MPLS labels are not removed, and the packet is not processed by the monitoring PIC.

Usage Guidelines
    See Passive Flow Monitoring for MPLS Encapsulated Packets on page 1079.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Junos OS Network Interfaces Configuration Guide


port

Syntax
    port port-number;

Hierarchy Level
    [edit forwarding-options accounting name output cflowd hostname],
    [edit forwarding-options monitoring name family inet output cflowd hostname],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the User Datagram Protocol (UDP) port number on the cflowd host system.

Options
    port-number: Any valid UDP port number on the host system.

Usage Guidelines
    See Enabling Flow Aggregation on page 1039.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


port-mirroring

Syntax
    port-mirroring {
        input {
            rate rate;
            run-length number;
        }
        family inet {
            output {
                interface interface-name {
                    next-hop address;
                }
                no-filter-check;
            }
        }
        instance instance-name {
            disable;
            input {
                rate rate;
                maximum-packet-length number;
            }
            family inet {
                output {
                    next-hop-group group-name;
                }
            }
        }
        traceoptions {
            file filename <files number> <size bytes> <world-readable | no-world-readable>;
        }
    }

Hierarchy Level
    [edit forwarding-options]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the input, output, and traceoptions properties for sending copies of packets to an analyzer. The statements are explained separately.

Usage Guidelines
    See Configuring Port Mirroring on page 1059.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


rate

Syntax
    rate number;

Hierarchy Level
    [edit forwarding-options port-mirroring input],
    [edit forwarding-options sampling input],
    [edit forwarding-options sampling instance instance-name input],
    [edit forwarding-options port-mirroring family (inet | inet6) input]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Set the ratio of the number of packets to be sampled. For example, if you specify a rate of 10, every tenth packet (1 packet out of 10) is sampled.

Options
    number: Denominator of the ratio.
        Range: 1 through 65,535

Usage Guidelines
    See Configuring Port Mirroring on page 1059 or Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

receive-options-packets

Syntax
    receive-options-packets;

Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    When you enable passive monitoring, this statement is required for conformity with cflowd records structure.

Usage Guidelines
    See Enabling Passive Flow Monitoring on page 1077.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


receive-ttl-exceeded

Syntax
    receive-ttl-exceeded;

Hierarchy Level
    [edit interfaces interface-name unit logical-unit-number family inet]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    When you enable passive monitoring, this statement is required for conformity with cflowd records structure.

Usage Guidelines
    See Enabling Passive Flow Monitoring on page 1077.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

required-depth

Syntax
    required-depth number;

Hierarchy Level
    [edit interfaces interface-name atm-options mpls pop-all-labels],
    [edit interfaces interface-name fastether-options mpls pop-all-labels],
    [edit interfaces interface-name gigether-options mpls pop-all-labels],
    [edit interfaces interface-name sonet-options mpls pop-all-labels]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    For passive monitoring on ATM, SONET/SDH, Fast Ethernet, and Gigabit Ethernet interfaces only, specify the number of MPLS labels an incoming packet must have for the pop-all-labels statement to take effect. If you include the required-depth 1 statement, the pop-all-labels statement takes effect for incoming packets with one label only. If you include the required-depth 2 statement, the pop-all-labels statement takes effect for incoming packets with two labels only.

Options
    number: Number of MPLS labels on incoming IP packets.
        Range: 1 through 2 labels.
        Default: If you omit this statement, the pop-all-labels statement takes effect for incoming packets with one or two labels. The default is equivalent to including the required-depth [ 1 2 ] statement.

Usage Guidelines
    See Passive Flow Monitoring for MPLS Encapsulated Packets on page 1079.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Junos OS Network Interfaces Configuration Guide


run-length

Syntax
    run-length number;

Hierarchy Level
    [edit forwarding-options port-mirroring input],
    [edit forwarding-options port-mirroring instance port-mirroring-instance-name input],
    [edit forwarding-options port-mirroring family (inet | inet6) input],
    [edit forwarding-options sampling input],
    [edit forwarding-options sampling instance instance-name input]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Set the number of samples following the initial trigger event. This allows you to sample packets following those already being sampled.

Options
    number: Number of samples.
        Range: 0 through 20
        Default: 0

Usage Guidelines
    See Configuring Port Mirroring on page 1059 or Configuring Traffic Sampling on page 1024.

    NOTE: The run-length statement is not supported on MX80 routers.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

sample-once

Syntax
    sample-once;

Hierarchy Level
    [edit forwarding-options sampling]

Release Information
    Statement introduced in Junos OS Release 9.6.

Description
    Sample traffic for active monitoring only once.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring Traffic Sampling on page 1024


sampling

See the following sections:

    sampling (Forwarding Options) on page 1144
    sampling (Interfaces) on page 1146


sampling (Forwarding Options)

Syntax
    sampling {
        disable;
        sample-once;
        input {
            rate number;
            run-length number;
            max-packets-per-second number;
            maximum-packet-length bytes;
        }
        traceoptions {
            no-remote-trace;
            file filename <files number> <size bytes> <match expression> <world-readable | no-world-readable>;
        }
        family (inet | inet6 | mpls) {
            disable;
            output {
                aggregate-export-interval seconds;
                flow-active-timeout seconds;
                flow-inactive-timeout seconds;
                extension-service service-name;
                flow-server hostname {
                    aggregation {
                        autonomous-system;
                        destination-prefix;
                        protocol-port;
                        source-destination-prefix {
                            caida-compliant;
                        }
                        source-prefix;
                    }
                    autonomous-system-type (origin | peer);
                    (local-dump | no-local-dump);
                    port port-number;
                    source-address address;
                    version format;
                    version9 {
                        template template-name;
                    }
                }
                interface interface-name {
                    engine-id number;
                    engine-type number;
                    source-address address;
                }
                file {
                    disable;
                    filename filename;
                    files number;
                    size bytes;
                    (stamp | no-stamp);
                    (world-readable | no-world-readable);
                }
            }
        }
        instance instance-name {
            disable;
            input {
                rate number;
                run-length number;
                max-packets-per-second number;
                maximum-packet-length bytes;
            }
            family (inet | inet6 | mpls) {
                disable;
                output {
                    aggregate-export-interval seconds;
                    flow-active-timeout seconds;
                    flow-inactive-timeout seconds;
                    extension-service service-name;
                    flow-server hostname {
                        aggregation {
                            autonomous-system;
                            destination-prefix;
                            protocol-port;
                            source-destination-prefix {
                                caida-compliant;
                            }
                            source-prefix;
                        }
                        autonomous-system-type (origin | peer);
                        (local-dump | no-local-dump);
                        port port-number;
                        source-address address;
                        version format;
                        version9 {
                            template template-name;
                        }
                    }
                    interface interface-name {
                        engine-id number;
                        engine-type number;
                        source-address address;
                    }
                    inline-jflow {
                        source-address address;
                        flow-export-rate rate;
                    }
                }
            }
        }
    }

Hierarchy Level
    [edit forwarding-options]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure traffic sampling. The statements are explained separately.

Usage Guidelines
    See Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

sampling (Interfaces)

Syntax
    sampling direction;

Hierarchy Level
    [edit interfaces mo-fpc/pic/port unit logical-unit-number family inet]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure the direction of traffic to be sampled.

Options
    input: Configure at least one expected ingress point.
    output: Configure at least one expected egress point.
    input output: On a single interface, configure at least one expected ingress point and one expected egress point.

Usage Guidelines
    See Configuring Flow Monitoring on page 1032.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

services

Syntax
    services { ... }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure router services. The underlying statements are explained separately.

Usage Guidelines
    See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


size

Syntax
    size bytes;

Hierarchy Level
    [edit forwarding-options port-mirroring traceoptions file],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output file],
    [edit forwarding-options sampling traceoptions file]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the maximum size of each file containing sample or log data. The file size is limited by the number of files to be created and the available hard disk space. When a traffic sampling file named sampling-file reaches the maximum size, it is renamed sampling-file.0. When the sampling-file again reaches its maximum size, sampling-file.0 is renamed sampling-file.1 and sampling-file is renamed sampling-file.0. This renaming scheme continues until the maximum number of traffic sampling files is reached. Then the oldest traffic sampling file is overwritten.

Options
    bytes: Maximum size of each traffic sampling file or trace log file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).
        Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
        Range: 10 KB through the maximum file size supported on your router
        Default: 1 MB for sampling data; 128 KB for log information

Usage Guidelines
    See Configuring Port Mirroring on page 1059 or Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


source-address

Syntax
    source-address address;

Hierarchy Level
    [edit forwarding-options accounting name output interface interface-name],
    [edit forwarding-options monitoring name family inet output interface interface-name],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output interface interface-name],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output interface interface-name],
    [edit forwarding-options sampling instance instance-name family inet output inline-jflow]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the source address for monitored packets.

Options
    address: Interface source address.

Usage Guidelines
    See Configuring Discard Accounting on page 1076, Configuring Flow Monitoring on page 1032, or Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

stamp

Syntax
    (stamp | no-stamp);

Hierarchy Level
    [edit forwarding-options sampling family (inet | inet6 | mpls) output file]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Include a timestamp with each line in the output file.

Options
    no-stamp: Do not include timestamps. This is the default.
    stamp: Include a timestamp with each line of packet sampling information.
        Default: No timestamp is included.

Usage Guidelines
    See Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


syslog

Syntax
    (syslog | no-syslog);

Hierarchy Level
    [edit interfaces mo-fpc/pic/port multiservice-options]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    System logging is enabled by default. The system log information of the Monitoring Services PIC is passed to the kernel for logging in the /var/log directory.

Options
    syslog: Enable PIC system logging.
    no-syslog: Disable PIC system logging.

Usage Guidelines
    See Configuring Flow Monitoring on page 1032.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


template

See the following sections:

    template (Forwarding Options) on page 1150
    template (Services) on page 1151

template (Forwarding Options)

Syntax
    template template-name;

Hierarchy Level
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname version9],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname version9]

Release Information
    Statement introduced in Junos OS Release 8.3.

Description
    Specify flow aggregation version 9 template to be used for output of sampling records.

Options
    template-name: Name of version 9 template.

Usage Guidelines
    See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


template (Services)

Syntax
    template template-name {
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        ipv4-template;
        ipv6-template;
        mpls-template {
            label-position [ positions ];
        }
        mpls-ipv4-template {
            label-position [ positions ];
        }
        peer-as-billing-template;
        option-refresh-rate packets packets seconds seconds;
        template-refresh-rate packets packets seconds seconds;
    }

Hierarchy Level
    [edit services flow-monitoring version9]

Release Information
    Statement introduced in Junos OS Release 8.3.

Description
    Specify the flow aggregation version 9 template properties. The remaining statements are explained separately.

Options
    template-name: Name of the version 9 template.

Usage Guidelines
    See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


template-refresh-rate

Syntax
    template-refresh-rate packets packets seconds seconds;

Hierarchy Level
    [edit services flow-monitoring version9 template template-name]

Release Information
    Statement introduced in Junos OS Release 8.3.

Description
    Specify the refresh rate, in either packets or seconds.

Options
    packets: Refresh rate, in number of packets.
        Range: 1 through 480,000
        Default: 4800
    seconds: Refresh rate, in number of seconds.
        Range: 10 through 600
        Default: 60

Usage Guidelines
    See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

traceoptions

Syntax
    traceoptions {
        no-remote-trace;
        file filename <files number> <size bytes> <match expression> <world-readable | no-world-readable>;
    }

Hierarchy Level
    [edit forwarding-options port-mirroring],
    [edit forwarding-options sampling]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure traffic sampling tracing operations. The statements are explained separately.

Usage Guidelines
    See Tracing Traffic Sampling Operations on page 1029.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


unit

Syntax
    unit logical-unit-number {
        family inet {
            address address {
                destination destination-address;
            }
            filter {
                group filter-group-number;
                input filter-name;
                output filter-name;
            }
            sampling direction;
        }
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Options
    logical-unit-number: Number of the logical unit.
        Range: 0 through 16,384
    The remaining statements are explained separately.

Usage Guidelines
    For general information, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


version

Syntax
    version format;

Hierarchy Level
    [edit forwarding-options accounting name output flow-server hostname],
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the version format of the aggregated flows exported to a cflowd server.

Options
    format: Format of the flows.
        Values: 5 or 8
        Default: 5

Usage Guidelines
    See Enabling Flow Aggregation on page 1039.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    export-format on page 1098


version9

See the following sections:

    version9 (Forwarding Options) on page 1155
    version9 (Services) on page 1156

version9 (Forwarding Options)

Syntax
    version9 {
        template template-name;
    }

Hierarchy Level
    [edit forwarding-options sampling instance instance-name family (inet | inet6 | mpls) output flow-server hostname],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]

Release Information
    Statement introduced in Junos OS Release 8.3.

Description
    Specify flow aggregation version 9 properties to apply to output sampling records. The remaining statements are explained separately.

Usage Guidelines
    See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


version9 (Services)

Syntax
    version9 {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            ipv6-template;
            mpls-template {
                label-position [ positions ];
            }
            mpls-ipv4-template {
                label-position [ positions ];
            }
            peer-as-billing-template;
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }

Hierarchy Level
    [edit services flow-monitoring]

Release Information
    Statement introduced in Junos OS Release 8.3.

Description
    Specify flow aggregation version 9 template properties. The remaining statements are explained separately.

Usage Guidelines
    See Configuring Flow Aggregation to Use Version 9 Flow Templates on page 1043.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.


version-ipfix

See the following sections:

    version-ipfix (Forwarding Options) on page 1157
    version-ipfix (Services) on page 1158

version-ipfix (Forwarding Options)

Syntax
    version-ipfix {
        template template-name;
    }

Hierarchy Level
    [edit forwarding-options sampling instance instance-name family inet output flow-server address]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Specify the output format to support inline flow monitoring.

Options
    template-name: Currently ipv4 is the only output template format supported.

Usage Guidelines
    See Configuring Inline Flow Monitoring on page 1053.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    export-format on page 1098


version-ipfix (Services)

Syntax
    version-ipfix {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }

Hierarchy Level
    [edit services flow-monitoring]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Specify the output template properties to support inline flow monitoring. The remaining statements are explained separately.

Usage Guidelines
    See Configuring Inline Flow Monitoring on page 1053.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

world-readable

Syntax
    (world-readable | no-world-readable);

Hierarchy Level
    [edit forwarding-options port-mirroring traceoptions file],
    [edit forwarding-options sampling family (inet | inet6 | mpls) output file],
    [edit forwarding-options sampling traceoptions file]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Enable unrestricted file access.

Options
    no-world-readable: Restrict file access to owner. This is the default.
    world-readable: Enable unrestricted file access.
        Default: no-world-readable

Usage Guidelines
    See Configuring Port Mirroring on page 1059 or Configuring Traffic Sampling on page 1024.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
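As an added worked example (not part of this guide), the sampling-related statements summarized in this chapter combined into one configuration: a forwarding-options sampling stanza that exports version 9 records to a flow server and also writes a local sampling file kept at the no-world-readable default, plus the services flow-monitoring template it references. The collector and source addresses, the template name ipv4-export, the file name, the sp-1/0/0 services interface, and the use of file and flow-server output together are assumptions of this example.

```junos
forwarding-options {
    sampling {
        input {
            rate 100;                     /* every 100th packet is sampled */
            run-length 0;                 /* no extra samples after each trigger packet */
            max-packets-per-second 1000;  /* cap on samples punted per second */
        }
        family inet {
            output {
                flow-active-timeout 60;
                flow-inactive-timeout 15;
                flow-server 192.0.2.10 {          /* constructed collector address */
                    port 2055;                    /* UDP port on the collector */
                    source-address 192.0.2.1;     /* constructed exporter address */
                    version9 {
                        template ipv4-export;     /* refers to the services template below */
                    }
                }
                interface sp-1/0/0 {              /* assumed services PIC that builds the records */
                    source-address 192.0.2.1;
                }
                file {
                    filename sampled-flows;       /* constructed name under /var/log */
                    files 5;                      /* sampled-flows, .0 ... .3 rotate as described under size */
                    size 10m;
                    stamp;                        /* timestamp each line */
                    no-world-readable;            /* default; world-readable would let any local account read sampled traffic metadata */
                }
            }
        }
    }
}
services {
    flow-monitoring {
        version9 {
            template ipv4-export {
                flow-active-timeout 60;
                flow-inactive-timeout 15;
                ipv4-template;
                template-refresh-rate packets 4800 seconds 60;   /* the documented defaults, stated explicitly */
                option-refresh-rate packets 4800 seconds 60;
            }
        }
    }
}
```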


CHAPTER 53

Flow Collection Configuration Guidelines


You can process and export multiple cflowd records with a flow collector interface. You create a flow collector interface on a Monitoring Services II or Multiservices 400 PIC. The flow collector interface combines multiple cflowd records into a compressed ASCII data file and exports the file to an FTP server. To convert a services PIC into a flow collector interface, include the flow-collector statement at the [edit chassis fpc fpc-slot pic pic-slot monitoring-services application] hierarchy level. You can use the services PIC for either flow collection or monitoring, but not for both types of service simultaneously. When converting the PIC between service types, you must configure the flow-collector statement, take the PIC offline, and then bring the PIC back online. Restarting the router does not enable the new service type. A flow collector interface, designated by the cp-fpc/pic/port interface name, requires three logical interfaces for correct operation. Units 0 and 1 are used to send the compressed ASCII data files to an FTP server, while Unit 2 is used to receive cflowd records from a monitoring services interface.

NOTE: Unlike conventional interfaces, the address statement at the [edit interfaces cp-fpc/pic/port unit unit-number family inet] hierarchy level corresponds to the IP address of the Routing Engine, and the destination statement at the [edit interfaces cp-fpc/pic/port unit unit-number family inet address ip-address] hierarchy level corresponds to the IP address of the flow collector interface. As a result, you must configure the destination statement for units 0 and 1 with local addresses that can reach the FTP server. Similarly, configure the destination statement for unit 2 with a local IP address that can reach the monitoring services interface that sends the cflowd records.

To activate flow collector services after the services PIC is converted into a flow collector, include the flow-collector statement at the [edit services] hierarchy level. After you activate the flow collector, you need to configure the following components:

  Destination of the FTP server
  File specifications
  Input interface-to-flow collector interface mappings
  Transfer log settings


Junos 11.4 Services Interfaces Configuration Guide

To configure flow collection, include the flow-collector statement at the [edit services] hierarchy level:

[edit services]
flow-collector {
    analyzer-address address;
    analyzer-id name;
    destinations {
        ftp:url {
            password "password";
        }
    }
    file-specification {
        variant variant-number {
            data-format format;
            name-format format;
            transfer {
                record-level number;
                timeout seconds;
            }
        }
    }
    interface-map {
        collector interface-name;
        file-specification variant-number;
        interface-name {
            collector interface-name;
            file-specification variant-number;
        }
    }
    retry number;
    retry-delay seconds;
    transfer-log-archive {
        archive-sites {
            ftp:url {
                password "password";
                username username;
            }
        }
        filename-prefix prefix;
        maximum-age minutes;
    }
}

This chapter contains the following sections:

  Configuring Flow Collection on page 1161
  Sending cflowd Records to Flow Collector Interfaces on page 1164
  Configuring Flow Collection Mode and Interfaces on Services PICs on page 1164
  Example: Configuring Flow Collection on page 1164


Configuring Flow Collection


This section describes the following tasks for configuring flow collection:

  Configuring Destination FTP Servers for Flow Records on page 1161
  Configuring a Packet Analyzer on page 1161
  Configuring File Formats on page 1162
  Configuring Interface Mappings on page 1162
  Configuring Transfer Logs on page 1163
  Configuring Retry Attempts on page 1163

Configuring Destination FTP Servers for Flow Records


Flow collection destinations are the FTP servers to which the compressed ASCII data files are sent after the cflowd records are collected and processed. You can specify up to two FTP server destinations and include the password for each configured server. If two FTP servers are configured, the first server in the configuration is the primary server and the second is the backup server. To configure a destination for flow collection files, include the destinations statement at the [edit services flow-collector] hierarchy level:

[edit services flow-collector]
destinations {
    ftp:url {
        password "password";
    }
}

To specify the destination FTP server, include the ftp:url statement. The value url is the FTP server address for the flow collection destination and can include macros. When you include macros in the ftp:url statement, the software can create only one directory level on the destination server. For example, the path ftp://10.2.2.2/%m/%Y expands to ftp://10.2.2.2/01/2005, and the software attempts to create the directory 01/2005 on the destination FTP server. If the 01/ directory already exists, the software creates the 2005/ directory one level down. If the 01/ directory does not exist, the software cannot create the 2005/ directory, and the transfer to that FTP destination fails. For more information about macros, see ftp.

To specify the FTP server password, include the password password statement. The password must be enclosed in quotation marks. Two caveats apply to this transport: FTP carries the login credentials and the exported flow files in cleartext, so the path from the router to the FTP server should be a protected management network; and the password is stored in the configuration in the Junos $9$ obfuscated form, which hides it from casual viewing but can be reversed by anyone who can read the configuration, so treat saved configurations as sensitive.

Configuring a Packet Analyzer


You can specify values for the IP address and identifier of a packet analyzer to which the flow collector interface sends traffic for analysis. The values you specify here override any default values configured elsewhere.

To configure an IP address and identifier for the packet analyzer, include the analyzer-address and analyzer-id statements at the [edit services flow-collector] hierarchy level:

[edit services flow-collector]
analyzer-address address;
analyzer-id name;

Configuring File Formats


You configure data file formats, name formats, and transfer characteristics for the flow collection files. File records are sent to the destination FTP server when the timer expires or when the preset number of records has been received, whichever comes first. To configure the flow collection file format, include the file-specification statement at the [edit services flow-collector] hierarchy level:

[edit services flow-collector]
file-specification {
    variant variant-number {
        data-format format;
        name-format format;
        transfer {
            record-level number;
            timeout seconds;
        }
    }
}

To set the data file format, include the data-format statement. To set the file name format, include the name-format statement. To set the export timer and file size thresholds, include the transfer statement and specify values for the timeout and record-level options. For example, you can specify the name format as follows:

[edit services flow-collector file-specification variant variant-number]
name-format "cFlowd-py69Ni69-0-%D_%T-%I_%N.bcp.bi.gz";

In this example, cFlowd-py69Ni69-0 is the static portion used verbatim, %D is the date in YYYYMMDD format, %T is the time in HHMMSS format, %I is the value of ifAlias, %N is the generation number, and bcp.bi.gz is a user-configured string. A number of macros are supported for expressing the date and time information in different ways; for a complete list, see the summary section for name-format.
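The macro expansion used by name-format above and by the ftp:url destination in Configuring Destination FTP Servers for Flow Records, together with a pre-check of the one-directory-level rule, as an added example in Python. This is not Juniper code and is not run on the router: it models what the collector does with the macro table from the name-format and ftp statement summaries, accepting both the short %D/%T/%I/%N spelling used in the chapter's examples and the {name} spelling of the summaries; the chapter's ftp://10.2.2.2/%m/%Y path is written here with the {month} and {year} macros from that table. The ISO timestamp, the ifalias value, the generation number, and the set of directories assumed to exist on the FTP server are all constructed inputs.

```python
"""Expand the flow collector filename and ftp:url macros described in this
chapter, and pre-check the one-level directory rule for ftp:url destinations.
Added example for this page; not Juniper code and not executed on a router."""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Macros documented for name-format and ftp:url. Both the short "%D" form used
# in the chapter's examples and the "{name}" form from the statement summaries
# are accepted. {num_zone} and {time_zone} are documented as unsupported and are
# deliberately left out, so a template using them is rejected.
MACRO_RE = re.compile(r"\{([^}]+)\}|%([DTIN])")


def macro_values(when, ifalias, generation):
    """Values for every supported macro at the moment the file is created."""
    return {
        "%D": when.strftime("%Y%m%d"), "%T": when.strftime("%H%M%S"),
        "%I": ifalias, "%N": str(generation),
        "am_pm": when.strftime("%p"), "date": when.strftime("%Y%m%d"),
        "day": when.strftime("%d"), "day_abbr": when.strftime("%a"),
        "day_full": when.strftime("%A"), "generation number": str(generation),
        "hour_12": when.strftime("%I"), "hour_24": when.strftime("%H"),
        "ifalias": ifalias, "minute": when.strftime("%M"),
        "month": when.strftime("%m"), "month_abbr": when.strftime("%b"),
        "month_full": when.strftime("%B"), "second": when.strftime("%S"),
        "time": when.strftime("%H%M%S"), "year": when.strftime("%Y"),
        "year_abbr": when.strftime("%y"),
    }


def unsupported_macros(template):
    """Names of macros in template that the collector will not expand."""
    known = macro_values(datetime(2000, 1, 1), "", 0)
    found = (m.group(1) or "%" + m.group(2) for m in MACRO_RE.finditer(template))
    return [name for name in found if name not in known]


def expand(template, when_iso, ifalias="", generation=0):
    """Expand template at time when_iso (ISO 8601, e.g. "2005-01-15T13:05:09").
    ifalias is the description string of the mapped logical interface and
    generation the per-file sequence number; the collector supplies both."""
    bad = unsupported_macros(template)
    if bad:
        raise ValueError(f"unsupported macro(s) {bad} in {template!r}")
    values = macro_values(datetime.fromisoformat(when_iso), ifalias, generation)
    return MACRO_RE.sub(lambda m: values[m.group(1) or "%" + m.group(2)], template)


def ftp_destination_check(url_template, existing_dirs, when_iso):
    """Return (expanded_url, missing_dirs). The collector can create only ONE
    missing directory level on the FTP server, so the transfer fails unless at
    most the leaf directory is absent. existing_dirs is a constructed model of
    the server's tree, as absolute paths such as {"/tmp", "/tmp/collect1"}."""
    url = expand(url_template, when_iso)
    parts = [p for p in urlsplit(url).path.split("/") if p]
    missing = []
    for depth in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:depth])
        if prefix not in existing_dirs:
            missing.append(prefix)
    return url, missing


if __name__ == "__main__":
    now = "2005-01-15T13:05:09"
    print(expand("cFlowd-py69Ni69-0-%D_%T-%I_%N.bcp.bi.gz", now, "core-uplink", 7))
    # Constructed server tree: only /01 exists, so creating /01/2005 succeeds.
    print(ftp_destination_check("ftp://10.2.2.2/{month}/{year}", {"/01"}, now))
    # Nothing exists, so two levels would be needed and the destination fails.
    print(ftp_destination_check("ftp://10.2.2.2/{month}/{year}", set(), now))
```

Run it before committing a destination that contains macros: if the check reports more than one missing directory level for the path the macros will produce on the day of the first transfer, create the parent directories on the FTP server first, because the collector cannot create them.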

Configuring Interface Mappings


You can match an input interface with a flow collector interface and apply the preset file specifications to the input interface. To configure an interface mapping, include the interface-map statement at the [edit services flow-collector] hierarchy level:

[edit services flow-collector]
interface-map {
    collector interface-name;
    file-specification variant-number;
    interface-name {
        collector interface-name;
        file-specification variant-number;
    }
}

To configure the default flow collector and file specifications for all input interfaces, include the file-specification and collector statements at the [edit services flow-collector interface-map] hierarchy level. To override the default settings and apply flow collector and file specifications to a specific input interface, include the file-specification and collector statements at the [edit services flow-collector interface-map interface-name] hierarchy level.

Configuring Transfer Logs


You can configure the filename, export interval, maximum size, and destination FTP server for log files containing the transfer activity history for a flow collector interface. To configure a transfer log, include the transfer-log-archive statement at the [edit services flow-collector] hierarchy level:

[edit services flow-collector]
transfer-log-archive {
    archive-sites {
        ftp:url {
            password "password";
            username username;
        }
    }
    filename-prefix prefix;
    maximum-age minutes;
}

To configure the destination for archiving files, include the archive-sites statement. Specify the filename prefix as follows:

[edit services flow-collector transfer-log-archive]
filename-prefix "cFlowd-py69Ni69-0-%D_%T";

where cFlowd-py69Ni69-0 is the static portion used verbatim, %D is the date in YYYYMMDD format, and %T is the time in HHMMSS format. You can optionally include the following statements:

  filename-prefix: Sets a standard prefix for all the logged files.
  maximum-age: Specifies the duration a file remains on the server. The range is 1 through 360 minutes.

Configuring Retry Attempts


You can specify values for situations in which the flow collector interface needs more than one attempt to transfer log files to the FTP server:

  Maximum number of retry attempts
  Amount of time the flow collector interface waits between successive retries

To configure retry settings, include the retry and retry-delay statements at the [edit services flow-collector] hierarchy level:

[edit services flow-collector]
retry number;
retry-delay seconds;

The retry value can be from 0 through 10. The retry-delay value can be from 0 through 60 seconds.
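A configuration check for the limits stated in this chapter (at most two FTP destinations, each with a password; retry 0 through 10; retry-delay 0 through 60; maximum-age 1 through 360; interface-map defaults and per-interface overrides that resolve to a defined file specification and a cp- collector interface; and the no-world-readable default for the sampling trace file), as an added example in Python. It is not Juniper code and does not connect to a router: it parses the curly-brace text of a saved configuration with a deliberately small parser (no support for annotations, inactive: markers, or a statement name repeated within one block), and the configuration it audits is constructed for this page, modelled on the chapter's example with placeholder user@host values and placeholder $9$ strings.

```python
"""Minimal parser for Junos curly-brace configuration text plus sanity checks
for the [edit services flow-collector] stanza described in this chapter.
Added example for this page; not Juniper code, never talks to a router."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(text):
    """Nested dicts: 'name { ... }' -> dict, 'stmt arg ...;' -> 'arg ...',
    a bare 'flag;' -> True. Text after '#' is a comment and is dropped."""
    clean = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    root, stack, buf = {}, [], []
    stack.append(root)
    for tok in TOKEN_RE.findall(clean):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(buf), {}))
            buf = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if buf:
                stack[-1][buf[0]] = " ".join(buf[1:]) or True
            buf = []
        else:
            buf.append(tok.strip('"'))
    return root


def resolve_interface_map(fc):
    """Effective (collector, file-specification) per mapped input interface:
    values under the interface override the defaults directly under interface-map."""
    imap = fc.get("interface-map", {})
    defaults = (imap.get("collector"), imap.get("file-specification"))
    resolved = {}
    for name, body in imap.items():
        if name in ("collector", "file-specification"):
            continue
        body = body if isinstance(body, dict) else {}
        resolved[name] = (body.get("collector", defaults[0]),
                          body.get("file-specification", defaults[1]))
    return resolved


def audit(cfg):
    """Findings against the limits stated in this chapter; empty list is a pass."""
    findings = []
    fc = cfg.get("services", {}).get("flow-collector")
    if not isinstance(fc, dict):
        return ["no flow-collector stanza under [edit services]"]
    dests = fc.get("destinations", {})
    if not dests:
        findings.append("destinations: no FTP server configured")
    if len(dests) > 2:
        findings.append(f"destinations: {len(dests)} servers; at most 2 (primary and backup) are supported")
    for url, body in dests.items():
        if not url.startswith("ftp://"):
            findings.append(f"destinations: {url!r} is not an ftp:url")
        if not isinstance(body, dict) or "password" not in body:
            findings.append(f"destinations: {url!r} has no password")
    for stmt, low, high in (("retry", 0, 10), ("retry-delay", 0, 60)):
        val = fc.get(stmt)
        if val is not None and not low <= int(val) <= high:
            findings.append(f"{stmt} {val}: out of range {low} through {high}")
    age = fc.get("transfer-log-archive", {}).get("maximum-age")
    if age is not None and not 1 <= int(age) <= 360:
        findings.append(f"transfer-log-archive maximum-age {age}: out of range 1 through 360 minutes")
    specs = fc.get("file-specification", {})
    for ifname, (collector, spec) in resolve_interface_map(fc).items():
        if not str(collector).startswith("cp-"):
            findings.append(f"interface-map {ifname}: collector {collector!r} is not a cp- interface")
        if spec not in specs:
            findings.append(f"interface-map {ifname}: file-specification {spec!r} is not defined")
    # Trace files default to no-world-readable (owner only); flag the opt-out.
    trace = cfg.get("forwarding-options", {}).get("sampling", {}).get("traceoptions", {})
    tfile = trace.get("file") if isinstance(trace, dict) else None
    words = list(tfile) if isinstance(tfile, dict) else str(tfile or "").split()
    if "world-readable" in words:
        findings.append("forwarding-options sampling traceoptions file: world-readable set")
    return findings


# Constructed configuration modelled on the chapter's example, with five
# deliberate mistakes: a third destination without a password, retry 15,
# maximum-age 500, so-3/0/0.0 mapped to an undefined file specification f9,
# and a world-readable sampling trace file. user@host and $9$ values are placeholders.
BAD_CONFIG = """
forwarding-options {
    sampling {
        traceoptions {
            file sampling.log world-readable;
        }
    }
}
services {
    flow-collector {
        retry 15;
        retry-delay 30;
        destinations {
            "ftp://user@192.168.56.89//tmp/collect1/" { password "$9$redacted1"; } # SECRET-DATA
            "ftp://user@192.168.252.1//tmp/collect2/" { password "$9$redacted2"; } # SECRET-DATA
            "ftp://user@192.168.252.3//tmp/collect3/";
        }
        file-specification {
            def-spec {
                name-format "default-allInt-0-%D_%T-%I_%N.bcp.bi.gz";
                data-format flow-compressed;
            }
        }
        interface-map {
            file-specification def-spec;
            collector cp-7/0/0;
            so-0/1/0.0 { collector cp-6/0/0; }
            so-3/0/0.0 { file-specification f9; collector cp-6/0/0; }
            so-3/1/0.0;
        }
        transfer-log-archive {
            filename-prefix so_3_0_0_log;
            maximum-age 500;
        }
    }
}
"""

if __name__ == "__main__":
    for finding in audit(parse(BAD_CONFIG)):
        print(finding)
```

On the sample above audit returns six findings; on a stanza that respects the chapter's limits it returns an empty list, so the same function can be run over the text of show configuration before a change is committed.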

Sending cflowd Records to Flow Collector Interfaces


To specify a flow collector interface as the destination for cflowd records coming from a services PIC, include the collector-pic statement at the [edit forwarding-options monitoring group-name family inet output flow-export-destination] hierarchy level:

[edit forwarding-options monitoring group-name family inet output flow-export-destination]
collector-pic;

You can select either the flow collector interface or a cflowd server as the destination for cflowd records, but not both at the same time.

Configuring Flow Collection Mode and Interfaces on Services PICs


You can select the services PIC to run in either flow collection mode or monitoring mode, but not both. To set the services PIC to run in flow collection mode, include the flow-collector statement at the [edit chassis fpc slot-number pic pic-number monitoring-services application] hierarchy level:

[edit chassis fpc slot-number pic pic-number monitoring-services application]
flow-collector;

For further information on configuring chassis properties, see the Junos OS System Basics Configuration Guide. To specify flow collection interfaces, you configure the cp interface at the [edit interfaces] hierarchy level:

[edit interfaces]
cp-fpc/pic/port {
    ...
}

Example: Configuring Flow Collection


Figure 16 on page 1165 shows the path traveled by monitored traffic as it passes through the router. Packets arrive at input interfaces so-0/1/0, so-3/0/0, and so-3/1/0. The raw packets are directed into a filter-based forwarding routing instance and processed into cflowd records by the monitoring services interfaces mo-7/1/0, mo-7/2/0, and mo-7/3/0. The cflowd records are compressed into files at the flow collector interfaces cp-6/0/0 and cp-7/0/0 and sent to the FTP server for analysis. Finally, a mandatory class-of-service (CoS) configuration is applied to export channels 0 and 1 on the flow collector interfaces to manage the outgoing processed files.

Figure 16: Flow Collector Interface Topology Diagram

[Figure: Router 1, a passive monitoring station (M40e, M160, M320, or T Series router). Monitored traffic enters on so-0/1/0 (A), so-3/0/0 (B), and so-3/1/0 (C) and is steered by filter-based forwarding (FBF) to the mo-7/x/0.0 monitoring services interfaces, which convert it into cflowd records. The cflowd records are delivered to the cp-x/0/0.0 flow collector interfaces, and the processed files are sent to FTP server #1 through fe-1/3/0 (192.168.56.88/30; router .90, server .89) and to FTP server #2 through ge-1/0/0 (192.168.252.x; router .2, server .1).]

[edit]
chassis {
    fpc 6 {
        pic 0 {
            monitoring-services {
                application flow-collector; # Converts a Monitoring Services II or
                                            # Multiservices 400 PIC into a flow collector interface.
            }
        }
    }
    fpc 7 {
        pic 0 {
            monitoring-services {
                application flow-collector; # Converts a Monitoring Services II or
                                            # Multiservices 400 PIC into a flow collector interface.
            }
        }
    }
}
interfaces {
    cp-6/0/0 {
        unit 0 { # Logical interface .0 on a flow collector interface is export
            family inet { # channel 0 and sends records to the FTP server.
                filter {
                    output cp-ftp; # Apply the CoS filter here.
                }
                address 10.0.0.1/32 {
                    destination 10.0.0.2;
                }
            }
        }
        unit 1 { # Logical interface .1 on a flow collector interface is export
            family inet { # channel 1 and sends records to the FTP server.
                filter {
                    output cp-ftp; # Apply the CoS filter here.
                }
                address 10.1.1.1/32 {
                    destination 10.1.1.2;
                }
            }
        }
        unit 2 { # Logical interface .2 on a flow collector interface is the flow
            family inet { # receive channel that communicates with the Routing Engine.
                address 10.2.2.1/32 { # Do not apply a CoS filter on logical interface .2.
                    destination 10.2.2.2;
                }
            }
        }
    }
    cp-7/0/0 {
        unit 0 { # Logical interface .0 on a flow collector interface is export
            family inet { # channel 0 and sends records to the FTP server.
                filter {
                    output cp-ftp; # Apply the CoS filter here.
                }
                address 10.3.3.1/32 {
                    destination 10.3.3.2;
                }
            }
        }
        unit 1 { # Logical interface .1 on a flow collector interface is export
            family inet { # channel 1 and sends records to the FTP server.
                filter {
                    output cp-ftp; # Apply the CoS filter here.
                }
                address 10.4.4.1/32 {
                    destination 10.4.4.2;
                }
            }
        }
        unit 2 { # Logical interface .2 on a flow collector interface is the flow
            family inet { # receive channel that communicates with the Routing Engine.
                address 10.5.5.1/32 { # Do not apply a CoS filter on logical interface .2.
                    destination 10.5.5.2;
                }
            }
        }
    }
    fe-1/3/0 { # This is the exit interface leading to the first FTP server.
        unit 0 {
            family inet {
                address 192.168.56.90/30;
            }
        }
    }
    ge-1/0/0 { # This is the exit interface leading to the second FTP server.
        unit 0 {
            family inet {
                address 192.168.252.2/24;
            }
        }
    }
    mo-7/1/0 { # This is the first interface that creates cflowd records.
        unit 0 {
            family inet;
        }
    }
    mo-7/2/0 { # This is the second interface that creates cflowd records.
        unit 0 {
            family inet;
        }
    }
    mo-7/3/0 { # This is the third interface that creates cflowd records.
        unit 0 {
            family inet;
        }
    }
    so-0/1/0 { # This is the first input interface that receives traffic to be monitored.
        encapsulation ppp;
        unit 0 {
            passive-monitor-mode; # This allows the interface to be passively monitored.
            family inet {
                filter {
                    input catch; # The filter-based forwarding filter is applied here.
                }
            }
        }
    }
    so-3/0/0 { # This is the second interface that receives traffic to be monitored.
        encapsulation ppp;
        unit 0 {
            passive-monitor-mode; # This allows the interface to be passively monitored.
            family inet {
                filter {
                    input catch; # The filter-based forwarding filter is applied here.
                }
            }
        }
    }
    so-3/1/0 { # This is the third interface that receives traffic to be monitored.
        encapsulation ppp;
        unit 0 {
            passive-monitor-mode; # This allows the interface to be passively monitored.
            family inet {
                filter {
                    input catch; # The filter-based forwarding filter is applied here.
                }
            }
        }
    }
}
forwarding-options {
    monitoring group1 { # Always define your monitoring group here.
        family inet {
            output {
                export-format cflowd-version-5;
                flow-active-timeout 60;
                flow-inactive-timeout 15;
                flow-export-destination collector-pic; # Sends records to the flow collector.
                interface mo-7/1/0.0 {
                    source-address 192.168.252.2;
                }
                interface mo-7/2/0.0 {
                    source-address 192.168.252.2;
                }
                interface mo-7/3/0.0 {
                    source-address 192.168.252.2;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter cp-ftp { # This filter provides CoS for flow collector interface traffic.
            term t1 {
                then forwarding-class expedited-forwarding;
            }
        }
    }
    filter catch { # This firewall filter sends incoming traffic into the
        interface-specific; # filter-based forwarding routing instance.
        term def {
            then {
                count counter;
                routing-instance fbf_instance;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet common;
    }
    rib-groups {
        common {
            import-rib [inet.0 fbf_instance.inet.0];
        }
    }
    forwarding-table {
        export pplb;
    }
}
policy-options {
    policy-statement pplb {
        then {
            load-balance per-packet;
        }
    }
}
routing-instances {
    fbf_instance { # This instance sends traffic to the monitoring services interface.
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop mo-7/1/0.0;
            }
        }
    }
}
class-of-service { # A class-of-service configuration for the flow collector interface
    interfaces { # is required for flow collector services.
        cp-6/0/0 {
            scheduler-map cp-map;
        }
        cp-7/0/0 {
            scheduler-map cp-map;
        }
    }
    scheduler-maps {
        cp-map {
            forwarding-class best-effort scheduler Q0;
            forwarding-class expedited-forwarding scheduler Q1;
            forwarding-class network-control scheduler Q3;
        }
    }
    schedulers {
        Q0 {
            transmit-rate remainder;
            buffer-size percent 90;
        }
        Q1 {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority strict-high;
        }
        Q3 {
            transmit-rate percent 5;
            buffer-size percent 5;
        }
    }
}
services {
    flow-collector { # Define properties for flow collector interfaces here.
        analyzer-address 10.10.10.1; # This is the IP address of the analyzer.
        analyzer-id server1; # This helps to identify the analyzer.
        retry 3; # Maximum number of attempts by the PIC to send a file transfer log.
        retry-delay 30; # The time interval between attempts to send a file transfer log.
        destinations { # This defines the FTP servers that receive flow collector output.
            "ftp://[email protected]//tmp/collect1/" { # The primary FTP server.
                password "$9$lXJK8xN-w2oZdbZDHmF30O1"; # SECRET-DATA
            }
            "ftp://[email protected]//tmp/collect2/" { # The secondary FTP server.
                password "$9$eIbvL7-dsgaGVwGjkP3nOBI"; # SECRET-DATA
            }
        }
        file-specification { # Define sets of flow collector characteristics here.
            def-spec {
                name-format "default-allInt-0-%D_%T-%I_%N.bcp.bi.gz";
                data-format flow-compressed; # The default compressed output format.
            } # When no overrides are specified, a collector uses default transfer values.
            f1 {
                name-format "cFlowd-py69Ni69-0-%D_%T-%I_%N.bcp.bi.gz";
                data-format flow-compressed; # The default compressed output format.
                transfer timeout 1800 record-level 1000000; # Here are configured values.
            }
        }
        interface-map { # Allows you to map interfaces to flow collector interfaces.
            file-specification def-spec; # Flows generated for default traffic are sent to the
            collector cp-7/0/0; # default flow collector interface cp-7/0/0.
            so-0/1/0.0 { # Flows generated for the so-0/1/0 interface are sent to cp-6/0/0,
                collector cp-6/0/0; # and the default file specification (def-spec) is used.
            }
            so-3/0/0.0 { # Flows generated for the so-3/0/0 interface are sent to cp-6/0/0,
                file-specification f1; # and the file specification used is f1.
                collector cp-6/0/0;
            }
            so-3/1/0.0; # Because no settings are defined, flows generated for this interface
                        # use interface cp-7/0/0 and the default file specification.
        }
        transfer-log-archive { # Sends flow collector interface log files to an FTP server.
            filename-prefix so_3_0_0_log;
            maximum-age 15;
            archive-sites {
                "ftp://[email protected]//tmp/transfers/" {
                    password "$9$IFaEyevMXNVsWLsgaU.m6/C";
                }
            }
        }
    }
}


CHAPTER 54

Summary of Flow Collection Configuration Statements


The following sections explain each of the flow collection configuration statements. The statements are organized alphabetically.

analyzer-address

Syntax: analyzer-address address;
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure an IP address for the packet analyzer that overrides the default value.
Options:
  address: IP address of the packet analyzer.
Usage Guidelines: See Configuring a Packet Analyzer on page 1161.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


analyzer-id

Syntax: analyzer-id name;
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure an identifier for the packet analyzer that overrides the default value.
Options:
  name: Identifier for the packet analyzer.
Usage Guidelines: See Configuring a Packet Analyzer on page 1161.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

archive-sites

Syntax:
  archive-sites {
      ftp:url {
          password "password";
          username username;
      }
  }
Hierarchy Level: [edit services flow-collector transfer-log-archive]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the destination for transfer logs. The statements are explained separately.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level:
  interface: To view this statement in the configuration.


collector

Syntax: collector interface-name;
Hierarchy Level: [edit services flow-collector interface-map]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the default flow collector interface for interface mapping.
Options:
  interface-name: Default flow collector interface.
Usage Guidelines: See Configuring Interface Mappings on page 1162.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

data-format

Syntax: data-format format;
Hierarchy Level: [edit services flow-collector file-specification variant variant-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the data format for a specific file format variant.
Options:
  format: Data format. Specify flow-compressed as the data format.
Usage Guidelines: See Configuring File Formats on page 1162.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


destinations

Syntax:
  destinations {
      ftp:url {
          password "password";
      }
  }
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the primary and secondary destination FTP servers. The statements are explained separately.
Usage Guidelines: See Configuring Destination FTP Servers for Flow Records on page 1161.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

filename-prefix

Syntax: filename-prefix prefix;
Hierarchy Level: [edit services flow-collector transfer-log-archive]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the filename prefix for log files.
Options:
  prefix: Filename identifier.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


file-specification

See the following sections:

  file-specification (File Format) on page 1175
  file-specification (Interface Mapping) on page 1175

file-specification (File Format)

Syntax:
  file-specification {
      variant variant-number {
          data-format format;
          name-format format;
          transfer {
              record-level number;
              timeout seconds;
          }
      }
  }
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the file format for the flow collection files. The statements are explained separately.
Usage Guidelines: See Configuring File Formats on page 1162.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

file-specification (Interface Mapping)

Syntax: file-specification variant-number;
Hierarchy Level: [edit services flow-collector interface-map]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the default file specification for interface mapping.
Options:
  variant-number: Default file format variant, as defined under [edit services flow-collector file-specification].
Usage Guidelines: See Configuring Interface Mappings on page 1162.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


flow-collector

Syntax:
  flow-collector {
      analyzer-address address;
      analyzer-id name;
      destinations {
          ftp:url {
              password "password";
          }
      }
      file-specification {
          variant variant-number {
              data-format format;
              name-format format;
              transfer {
                  record-level number;
                  timeout seconds;
              }
          }
      }
      interface-map {
          collector interface-name;
          file-specification variant-number;
          interface-name {
              collector interface-name;
              file-specification variant-number;
          }
      }
      retry number;
      retry-delay seconds;
      transfer-log-archive {
          archive-sites {
              ftp:url {
                  password "password";
                  username username;
              }
          }
          filename-prefix prefix;
          maximum-age minutes;
      }
  }
Hierarchy Level: [edit services]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the flow collection. The statements are explained separately.
Usage Guidelines: See the topics in Flow Collection.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


ftp

See the following sections:

  ftp (Flow Collector Files) on page 1179
  ftp (Transfer Log Files) on page 1180


ftp (Flow Collector Files)

Syntax: ftp:url;
Hierarchy Level: [edit services flow-collector destinations]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the primary and secondary destination FTP server addresses.
Options:
  url: FTP server address. The URL can include the following macros, typed in braces:
    {%D}: Date
    {%T}: Time when the file is created
    {%I}: Description string for the logical interface configured using the collector interface-name statement at the [edit services flow-collector interface-map] hierarchy level
    {%N}: Unique, sequential number for each new file created
    {am_pm}: AM or PM
    {date}: Current date using the {year} {month} {day} macros
    {day}: From 01 through 31
    {day_abbr}: Sun through Sat
    {day_full}: Sunday through Saturday
    {generation number}: Unique, sequential number for each new file created
    {hour_12}: From 01 through 12
    {hour_24}: From 00 through 23
    {ifalias}: Description string for the logical interface configured using the collector statement at the [edit services flow-collector interface-map] hierarchy level
    {minute}: From 00 through 59
    {month}: From 01 through 12
    {month_abbr}: Jan through Dec
    {month_full}: January through December
    {num_zone}: From -2359 through +2359; this macro is not supported
    {second}: From 00 through 60
    {time}: Time the file is created, using the {hour_24} {minute} {second} macros
    {time_zone}: Time zone code name of the locale, for example gmt; this macro is not supported
    {year}: In the format YYYY, for example 1970
    {year_abbr}: From 00 through 99
Usage Guidelines: See Configuring Destination FTP Servers for Flow Records on page 1161.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

ftp (Transfer Log Files)

Syntax: ftp:url;
Hierarchy Level: [edit services flow-collector transfer-log-archive archive-sites]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the primary and secondary destination FTP server addresses.
Options:
  url: FTP server address.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

interface-map

Syntax:
  interface-map {
      collector interface-name;
      file-specification variant-number;
      interface-name {
          collector interface-name;
          file-specification variant-number;
      }
  }
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Match an input interface with a flow collector interface and apply the preset file specifications to the input interface. The statements are explained separately.
Usage Guidelines: See Configuring Interface Mappings on page 1162.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


maximum-age

Syntax: maximum-age minutes;
Hierarchy Level: [edit services flow-collector transfer-log-archive]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Maximum age of the transfer log file.
Options:
  minutes: Transfer log file age. Range: 1 through 360.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


name-format
Syntax: name-format format;
Hierarchy Level: [edit services flow-collector file-specification variant variant-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the name format for a specific file format. The files may include supported macros. Use macros to organize files on the external machine to which they are exported from the collector PIC.
Options: format: Specify the filename format, within quotation marks. The name format can include the following macros, typed in braces:
• {%D}: Date
• {%T}: Time when the file is created
• {%I}: Description string for the logical interface configured using the collector statement at the [edit services flow-collector interface-map] hierarchy level
• {%N}: Unique, sequential number for each new file created
• {am_pm}: AM or PM
• {date}: Current date using the {year} {month} {day} macros
• {day}: From 01 through 31
• {day_abbr}: Sun through Sat
• {day_full}: Sunday through Saturday
• {generation number}: Unique, sequential number for each new file created
• {hour_12}: From 01 through 12
• {hour_24}: From 00 through 23
• {ifalias}: Description string for the logical interface configured using the collector statement at the [edit services flow-collector interface-map] hierarchy level
• {minute}: From 00 through 59
• {month}: From 01 through 12
• {month_abbr}: Jan through Dec
• {month_full}: January through December
• {num_zone}: From -2359 through +2359; this macro is not supported
• {second}: From 00 through 60
• {time}: Time the file is created, using the {hour_24} {minute} {second} macros
• {time_zone}: Time zone code name of the locale; for example, gmt (this macro is not supported)
• {year}: In the format YYYY; for example, 1970
• {year_abbr}: From 00 through 99
Usage Guidelines: See Configuring File Formats on page 1162.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.
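The following is an added example, not Juniper code, that expands the name-format macros listed above for a given file-creation time, sequence number and logical-interface description string. It assumes {%D} expands like {date} (YYYYMMDD) and {%T} like {time} (HHMMSS), since the guide does not spell out their exact form, and treats {generation number} like {%N}; the two macros the guide marks unsupported are rejected.

```python
"""Expansion of flow collector name-format macros (added example, not Juniper code)."""
import re
from datetime import datetime
from typing import Dict

UNSUPPORTED = {"num_zone", "time_zone"}   # listed by the guide as not supported
_MACRO = re.compile(r"\{([^{}]+)\}")

DAYS_FULL = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MONTHS_FULL = ["January", "February", "March", "April", "May", "June", "July",
               "August", "September", "October", "November", "December"]


def macro_values(now: datetime, seq: int, ifalias: str) -> Dict[str, str]:
    """Value of every supported macro for a file created at `now`."""
    day_full = DAYS_FULL[now.weekday()]
    month_full = MONTHS_FULL[now.month - 1]
    date = f"{now:%Y}{now:%m}{now:%d}"      # {year}{month}{day}
    time = f"{now:%H}{now:%M}{now:%S}"      # {hour_24}{minute}{second}
    return {
        "%D": date,                          # assumed to match {date}
        "%T": time,                          # assumed to match {time}
        "%I": ifalias,
        "%N": str(seq),
        "am_pm": "AM" if now.hour < 12 else "PM",
        "date": date,
        "day": f"{now.day:02d}",
        "day_abbr": day_full[:3],
        "day_full": day_full,
        "generation number": str(seq),       # assumed equivalent to {%N}
        "hour_12": f"{(now.hour + 11) % 12 + 1:02d}",
        "hour_24": f"{now.hour:02d}",
        "ifalias": ifalias,
        "minute": f"{now.minute:02d}",
        "month": f"{now.month:02d}",
        "month_abbr": month_full[:3],
        "month_full": month_full,
        "second": f"{now.second:02d}",
        "time": time,
        "year": f"{now.year:04d}",
        "year_abbr": f"{now.year % 100:02d}",
    }


def expand_name_format(fmt: str, now: datetime, seq: int, ifalias: str) -> str:
    """Expand `fmt`; raise ValueError for an unsupported or unknown macro."""
    values = macro_values(now, seq, ifalias)

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in UNSUPPORTED:
            raise ValueError(f"macro {{{name}}} is not supported")
        if name not in values:
            raise ValueError(f"unknown macro {{{name}}}")
        return values[name]

    return _MACRO.sub(repl, fmt)


def is_valid_name_format(fmt: str) -> bool:
    """True when every macro in `fmt` is one the collector can expand."""
    try:
        expand_name_format(fmt, datetime(2000, 1, 1), 0, "")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from a real collector
    created = datetime(2011, 11, 14, 13, 5, 9)
    print(expand_name_format("cflowd_{%D}_{%T}_{%N}", created, 7, "to-core"))
```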


password
See the following sections:
• password (Flow Collector File Servers) on page 1184
• password (Transfer Log File Servers) on page 1184

password (Flow Collector File Servers)
Syntax: password "password";
Hierarchy Level: [edit services flow-collector destination ftp:url]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the primary and secondary destination FTP server password.
Options: password: FTP server password.
Usage Guidelines: See Configuring Destination FTP Servers for Flow Records on page 1161.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.

password (Transfer Log File Servers)
Syntax: password "password";
Hierarchy Level: [edit services flow-collector transfer-log-archive archive-sites]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the primary and secondary destination FTP server password.
Options: password: FTP server password.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.


retry
Syntax: retry number;
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the maximum number of attempts the flow collector interface will make to transfer log files to the FTP server.
Options: number: Maximum number of transfer retry attempts.
Range: 0 through 10
Usage Guidelines: See Configuring Retry Attempts on page 1163.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.

retry-delay
Syntax: retry-delay seconds;
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the amount of time the flow collector interface waits between retry attempts.
Options: seconds: Amount of time between transfer retry attempts.
Range: 0 through 60
Usage Guidelines: See Configuring Retry Attempts on page 1163.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.


transfer
Syntax:
transfer {
    record-level number;
    timeout seconds;
}
Hierarchy Level: [edit services flow-collector file-specification variant variant-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify when to send the flow collection file. The file is sent when either of the two conditions is met.
Options:
• record-level number: Number of flow collection files collected.
• timeout seconds: Timeout duration.
Usage Guidelines: See Configuring File Formats on page 1162.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.

transfer-log-archive
Syntax:
transfer-log-archive {
    archive-sites {
        ftp:url {
            password "password";
            username username;
        }
    }
    filename-prefix prefix;
    maximum-age minutes;
}
Hierarchy Level: [edit services flow-collector]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the filename prefix, maximum age, and destination FTP server for log files containing the transfer activity history for a flow collector interface.
Options: The statements are explained separately.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.


username
Syntax: username user-name;
Hierarchy Level: [edit services flow-collector transfer-log-archive archive-sites]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the username for the transfer log server.
Options: username: FTP server username.
Usage Guidelines: See Configuring Transfer Logs on page 1163.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.

variant
Syntax:
variant variant-number {
    data-format format;
    name-format format;
    transfer {
        record-level number;
        timeout seconds;
    }
}
Hierarchy Level: [edit services flow-collector file-specification]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure a variant of the file format.
Options: The statements are explained separately.
Usage Guidelines: See Configuring File Formats on page 1162.
Required Privilege Level: interface: To view this statement in the configuration. interface-control: To add this statement to the configuration.


CHAPTER 55

Dynamic Flow Capture Configuration Guidelines


Dynamic flow capture enables you to capture packet flows on the basis of dynamic filtering criteria. Specifically, you can use this feature to forward passively monitored packet flows that match a particular filter list to one or more destinations using an on-demand control protocol. This chapter contains the following sections:

• Dynamic Flow Capture Architecture on page 1189
• Configuring Dynamic Flow Capture on page 1191
• Example: Configuring Dynamic Flow Capture on page 1197

Dynamic Flow Capture Architecture


The architecture consists of one or more control sources that send requests to a Juniper Networks router to monitor incoming data, and then forward any packets that match specific filter criteria to a set of one or more content destinations. The architectural components are defined as follows:

• Control source: A client that monitors electronic data or voice transfer over the network. The control source sends filter requests to the Juniper Networks router using the Dynamic Task Control Protocol (DTCP), specified in draft-cavuto-dtcp-03.txt at http://www.ietf.org/internet-drafts. The control source is identified by a unique identifier and an optional list of IP addresses.
• Monitoring platform: A T Series or M320 router containing one or more Dynamic Flow Capture (DFC) PICs, which support dynamic flow capture processing. The monitoring platform processes the requests from the control sources, creates the filters, monitors incoming data flows, and sends the matched packets to the appropriate content destinations.
• Content destination: Recipient of the matched packets from the monitoring platform. Typically the matched packets are sent using an IP Security (IPsec) tunnel from the monitoring platform to another router connected to the content destination. The content destination and the control source can be physically located on the same host. For more information on IPsec tunnels, see IPsec Properties.


NOTE: The DFC PIC (either a Monitoring Services III PIC or Multiservices 400 PIC) forwards the entire packet content to the content destination, rather than to a content record as is done with cflowd or flow aggregation version 9 templates.

Figure 17 on page 1190 shows a sample topology. The number of control sources and content destinations is arbitrary.

Figure 17: Dynamic Flow Capture Topology

Liberal Sequence Windowing


Each DTCP packet (add, delete, list, and refresh packets) contains a 64-bit sequence number to identify the order of the packets. Because the network is connectionless, the DTCP packets can arrive out of order at the router running the DFC application. The liberal sequence window feature implements a negative window for the sequence numbers received in the DTCP packets. It enables the DFC application to accept not only DTCP packets with sequence numbers greater than those previously received, but also DTCP packets with lesser sequence numbers, up to a certain limit. This limit is the negative window size; the positive and negative window sizes are +256 and -256, respectively, relative to the current maximum sequence number received. No configuration is required to activate this feature; the window sizes are hard-coded and nonconfigurable.
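The window rule described above, as an added illustration that is not Juniper code: the class tracks the highest sequence number accepted so far and applies the hard-coded +256 and -256 limits. It assumes a packet more than 256 ahead of the maximum is outside the positive window and rejected; the guide does not describe duplicate detection inside the window, so none is added here.

```python
"""DTCP liberal sequence windowing (added example, not Juniper code)."""
from typing import List, Optional

POSITIVE_WINDOW = 256      # hard-coded on the PIC, nonconfigurable per the guide
NEGATIVE_WINDOW = 256
SEQ_MAX = (1 << 64) - 1    # DTCP sequence numbers are 64-bit


class LiberalSequenceWindow:
    """Accept/reject decision for the sequence number of each DTCP packet."""

    def __init__(self) -> None:
        self.max_seen: Optional[int] = None   # highest sequence number accepted so far

    def accept(self, seq: int) -> bool:
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError("DTCP sequence number must fit in 64 bits")
        if self.max_seen is None:             # first packet sets the reference point
            self.max_seen = seq
            return True
        if seq > self.max_seen:
            if seq - self.max_seen > POSITIVE_WINDOW:
                return False                  # beyond the positive window (assumption)
            self.max_seen = seq               # the window slides forward
            return True
        # Out-of-order delivery: accept a lesser number inside the negative window
        return self.max_seen - seq <= NEGATIVE_WINDOW


def process(seqs: List[int]) -> List[bool]:
    """Run a constructed sequence of DTCP packets through one window."""
    window = LiberalSequenceWindow()
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: reordered packets around a forward jump
    sample = [1000, 1100, 900, 800, 1400, 1356, 1100]
    for seq, ok in zip(sample, process(sample)):
        print(f"seq {seq}: {'accepted' if ok else 'rejected'}")
```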

Intercepting IPv6 Flows


Starting with Junos OS Release 11.4, the Dynamic Flow Capture (DFC) application also supports intercepting IPv6 flows in M320, T320, T640, and T1600 routers with a Multiservices 400 or Multiservices 500 PIC. The DFC application can intercept passively monitored IPv6 traffic only. All support for IPv4 interception remains the same. The interception of IPv6 traffic happens in the same way the filters capture IPv4 flows. With the introduction of IPv6 interception, both IPv4 and IPv6 filters can coexist. The mediation device, however, cannot be located in an IPv6 network. The DFC application does not support interception of VPLS and MPLS traffic. The application cannot intercept Address Resolution Protocol (ARP) or other Layer 2 exception packets. The interception filter can be configured to time out based on factors such as total time (seconds), idle time (seconds), total packets, or total data transmitted (bytes).

Configuring Dynamic Flow Capture


To configure dynamic flow capture, include the dynamic-flow-capture statement at the [edit services] hierarchy level:
[edit services]
dynamic-flow-capture {
    capture-group client-name {
        content-destination identifier {
            address address;
            hard-limit bandwidth;
            hard-limit-target bandwidth;
            soft-limit bandwidth;
            soft-limit-clear bandwidth;
            ttl hops;
        }
        control-source identifier {
            allowed-destinations [ destinations ];
            minimum-priority value;
            no-syslog;
            notification-targets address port port-number;
            service-port port-number;
            shared-key value;
            source-addresses [ addresses ];
        }
        duplicates-dropped-periodicity seconds;
        input-packet-rate-threshold rate;
        interfaces interface-name;
        max-duplicates number;
        pic-memory-threshold percentage percentage;
    }
    g-duplicates-dropped-periodicity seconds;
    g-max-duplicates number;
}

This section describes the following tasks for configuring dynamic flow capture:

• Configuring the Capture Group on page 1192
• Configuring the Content Destination on page 1192
• Configuring the Control Source on page 1193
• Configuring the DFC PIC Interface on page 1194
• Configuring System Logging on page 1195
• Configuring Thresholds on page 1196
• Limiting the Number of Duplicates of a Packet on page 1196


Configuring the Capture Group


A capture group defines a profile of dynamic flow capture configuration information. The static configuration includes information about control sources, content destinations, and notification destinations. Dynamic configuration is added through interaction with control sources using a control protocol. To configure a capture group, include the capture-group statement at the [edit services dynamic-flow-capture] hierarchy level:
capture-group client-name {
    content-destination identifier {
        address address;
        hard-limit bandwidth;
        hard-limit-target bandwidth;
        soft-limit bandwidth;
        soft-limit-clear bandwidth;
        ttl hops;
    }
    control-source identifier {
        allowed-destinations [ destinations ];
        minimum-priority value;
        no-syslog;
        notification-targets address port port-number;
        service-port port-number;
        shared-key value;
        source-addresses [ addresses ];
    }
    duplicates-dropped-periodicity seconds;
    input-packet-rate-threshold rate;
    interfaces interface-name;
    max-duplicates number;
    pic-memory-threshold percentage percentage;
}

To specify the capture-group, assign it a unique client-name that associates the information with the requesting control sources.

Configuring the Content Destination


You must specify a destination for the packets that match DFC PIC filter criteria. To configure the content destination, include the content-destination statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:
content-destination identifier {
    address address;
    hard-limit bandwidth;
    hard-limit-target bandwidth;
    soft-limit bandwidth;
    soft-limit-clear bandwidth;
    ttl hops;
}

Assign the content-destination a unique identifier. You must also specify its IP address and you can optionally include additional settings:


• address: The DFC PIC interface appends an IP header with this destination address on the matched packet (with its own IP header and contents intact) and sends it out to the content destination.
• ttl: The time-to-live (TTL) value for the IP-IP header. By default, the TTL value is 255. Its range is 0 through 255.
• Congestion thresholds: You can specify per-content-destination bandwidth limits that control the amount of traffic produced by the DFC PIC during periods of congestion. The thresholds are arranged in two pairs: hard-limit and hard-limit-target, and soft-limit and soft-limit-clear. You can optionally include one or both of these paired settings. All four settings are 10-second average bandwidth values in bits per second. Typically soft-limit-clear < soft-limit < hard-limit-target < hard-limit. When the content bandwidth exceeds the soft-limit setting:
1. A congestion notification message is sent to each control source of the criteria that point to this content destination.
2. If the control source is configured for syslog, a system log message is generated.
3. A latch is set, indicating that the control sources have been notified. No additional notification messages are sent until the latch is cleared, when the bandwidth falls below the soft-limit-clear value.
When the bandwidth exceeds the hard-limit value:
1. The dynamic flow capture application begins deleting criteria until the bandwidth falls below the hard-limit-target value.
2. For each criterion deleted, a CongestionDelete notification is sent to the control source for that criterion.
3. If the control source is configured for syslog, a log message is generated.

The application evaluates criteria for deletion using the following data:
• Priority: Lower priority criteria are purged first, after adjusting for control source minimum priority.
• Bandwidth: Higher bandwidth criteria are purged first.
• Timestamp: The more recent criteria are purged first.
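The soft-limit latch and hard-limit purge described above, worked through in an added example that is not Juniper code. It assumes the 10-second averaged bandwidth is already computed and attributed per criterion (needed to apply the "higher bandwidth criteria are purged first" rule), and it includes a check that the four limits are in the typical order.

```python
"""Congestion-threshold handling for a DFC content destination (added example, not Juniper code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]   # (kind, control source, detail)


@dataclass
class ControlSource:
    name: str
    minimum_priority: int = 0   # added to the priority in each DTCP ADD request
    syslog: bool = True         # False when no-syslog is configured


@dataclass
class Criterion:
    cid: str
    control_source: str
    priority: int         # priority carried in the DTCP ADD request (lower is higher priority)
    bandwidth_bps: int    # 10-second average bandwidth attributed to this criterion (assumed)
    timestamp: float      # when the criterion was added


@dataclass
class ContentDestination:
    name: str
    soft_limit_clear: int
    soft_limit: int
    hard_limit_target: int
    hard_limit: int
    latched: bool = False   # set once the control sources have been notified
    criteria: List[Criterion] = field(default_factory=list)

    def bandwidth(self) -> int:
        return sum(c.bandwidth_bps for c in self.criteria)


def check_thresholds(dest: ContentDestination) -> List[str]:
    """Warn when the limits are not in the order the guide calls typical."""
    ordered = (dest.soft_limit_clear < dest.soft_limit
               < dest.hard_limit_target < dest.hard_limit)
    if ordered:
        return []
    return [f"{dest.name}: expected soft-limit-clear < soft-limit "
            "< hard-limit-target < hard-limit"]


def total_priority(c: Criterion, sources: Dict[str, ControlSource]) -> int:
    """Request priority plus the control source's minimum-priority."""
    return c.priority + sources[c.control_source].minimum_priority


def purge_order(criteria: List[Criterion],
                sources: Dict[str, ControlSource]) -> List[Criterion]:
    """Lowest priority (highest total value) first, then highest bandwidth, then newest."""
    return sorted(criteria, key=lambda c: (-total_priority(c, sources),
                                           -c.bandwidth_bps, -c.timestamp))


def evaluate(dest: ContentDestination,
             sources: Dict[str, ControlSource]) -> List[Event]:
    """One evaluation of the thresholds; mutates dest and returns the events raised."""
    events: List[Event] = []

    def syslog(cs: str, msg: str) -> None:
        if sources[cs].syslog:
            events.append(("syslog", cs, msg))

    bw = dest.bandwidth()
    if bw > dest.soft_limit and not dest.latched:
        # Notify each control source with criteria pointing here, once, then latch
        for cs in sorted({c.control_source for c in dest.criteria}):
            events.append(("CongestionNotify", cs, dest.name))
            syslog(cs, f"soft-limit exceeded on {dest.name}")
        dest.latched = True
    elif bw < dest.soft_limit_clear and dest.latched:
        dest.latched = False    # notifications are allowed again
        events.append(("LatchCleared", "", dest.name))

    if bw > dest.hard_limit:
        for c in purge_order(dest.criteria, sources):
            if bw < dest.hard_limit_target:
                break
            dest.criteria.remove(c)
            bw -= c.bandwidth_bps
            events.append(("CongestionDelete", c.control_source, c.cid))
            syslog(c.control_source, f"criterion {c.cid} deleted on {dest.name}")
    return events
```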

Configuring the Control Source


You configure information about the control source, including allowed source addresses and destinations and authentication key values. To configure the control source information, include the control-source statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:
control-source identifier {
    allowed-destinations [ destination-identifiers ];
    minimum-priority value;
    no-syslog;
    notification-targets address port port-number;
    service-port port-number;
    shared-key value;
    source-addresses [ addresses ];
}

Assign the control-source statement a unique identifier. You can also include values for the following statements:

• allowed-destinations: One or more content destination identifiers to which this control source can request that matched data be sent in its control protocol requests. If you do not specify any content destinations, all available destinations are allowed.
• minimum-priority: Value assigned to the control source that is added to the priority of the criteria in the DTCP ADD request to determine the total priority for the criteria. The lower the value, the higher the priority. By default, minimum-priority has a value of 0 and the allowed range is 0 through 254.
• notification-targets: One or more destinations to which the DFC PIC interface can log information about control protocol-related events and other events such as PIC bootup messages. You configure each notification-target entry with an IP address value and a User Datagram Protocol (UDP) port number.
• service-port: UDP port number to which the control protocol requests are directed. Control protocol requests that are not directed to this port are discarded by DFC PIC interfaces.
• shared-key: 20-byte authentication key value shared between the control source and the DFC PIC monitoring platform.
• source-addresses: One or more allowed IP addresses from which the control source can send control protocol requests to the DFC PIC monitoring platform. These are /32 addresses.

Configuring the DFC PIC Interface


You specify the interface that interacts with the control sources configured in the same capture group. A Monitoring Services III PIC can belong to only one capture group, and you can configure only one PIC for each group. To configure a DFC PIC interface, include the interfaces statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:
interfaces interface-name;

You specify DFC interfaces using the dfc- identifier at the [edit interfaces] hierarchy level. You must specify three logical units on each DFC PIC interface, numbered 0, 1, and 2. You cannot configure any other logical interfaces.

• unit 0 processes control protocol requests and responses.
• unit 1 receives monitored data.
• unit 2 transmits the matched packets to the destination address.


The following example shows the configuration necessary to set up a DFC PIC interface and intercept both IPv4 and IPv6 traffic:
[edit interfaces dfc-0/0/0]
unit 0 {
    family inet {
        address 10.1.0.0/32 {            # DFC PIC address
            destination 10.36.100.1;     # DFC PIC address used by the control
                                         # source to correspond with the
                                         # monitoring platform
        }
    }
}
unit 1 {                 # receive data packets on this logical interface
    family inet;         # receive IPv4 traffic for interception
    family inet6;        # receive IPv6 traffic for interception
}
unit 2 {                 # send out copies of matched packets on this logical interface
    family inet;
}

In addition, you must configure the dynamic flow capture application to run on the DFC PIC in the correct chassis location. The following example shows this configuration at the [edit chassis] hierarchy level:
fpc 0 {
    pic 0 {
        monitoring-services application dynamic-flow-capture;
    }
}

For more information on configuring chassis properties, see the Junos OS System Basics Configuration Guide.

Configuring System Logging


By default, control protocol activity is logged as a separate system log facility, dfc. To modify the filename or level at which control protocol activity is recorded, include the following statements at the [edit syslog] hierarchy level:
file dfc.log {
    dfc any;
}

To cancel logging, include the no-syslog statement at the [edit services dynamic-flow-capture capture-group client-name control-source identifier] hierarchy level:
no-syslog;

NOTE: The dynamic flow capture (dfc-) interface supports up to 10,000 filter criteria. When more than 10,000 filters are added to the interface, the filters are accepted, but system log messages are generated indicating that the filter is full.


Configuring Thresholds
You can optionally specify threshold values for the following situations in which warning messages will be recorded in the system log:

• Input packet rate to the DFC PIC interfaces
• Memory usage on the DFC PIC interfaces

To configure threshold values, include the input-packet-rate-threshold or pic-memory-threshold statements at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:
input-packet-rate-threshold rate;
pic-memory-threshold percentage percentage;

If these statements are not configured, no threshold messages are logged. The threshold settings are configured for the capture group as a whole. The range of configurable values for the input-packet-rate-threshold statement is 0 through 1 Mpps. The PIC calibrates the value accordingly; the Monitoring Services III PIC caps the threshold value at 300 Kpps and the Multiservices 400 PIC uses the full configured value. The range of values for the pic-memory-threshold statement is 0 to 100 percent.

Limiting the Number of Duplicates of a Packet


You can optionally specify the maximum number of duplicate packets the DFC PIC is allowed to generate from a single input packet. This limitation is intended to reduce the load on the PIC when packets are sent to multiple destinations. When the maximum number is reached, the duplicates are sent to the destinations with the highest criteria class priority. Within classes of equal priority, criteria having earlier timestamps are selected first. To configure this limitation, include the max-duplicates statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level:
max-duplicates number;

You can also apply the limitation on a global basis for the DFC PIC by including the g-max-duplicates statement at the [edit services dynamic-flow-capture] hierarchy level:
g-max-duplicates number;

By default, the maximum number of duplicates is set to 3. The range of allowed values is 1 through 64. A setting for max-duplicates for an individual capture-group overrides the global setting. In addition, you can specify the frequency with which the application sends notifications to the affected control sources that duplicates are being dropped because the threshold has been reached. You configure this setting at the same levels as the maximum duplicates settings, by including the duplicates-dropped-periodicity statement at the [edit services dynamic-flow-capture capture-group client-name] hierarchy level or the g-duplicates-dropped-periodicity statement at the [edit services dynamic-flow-capture] hierarchy level:
duplicates-dropped-periodicity seconds;
g-duplicates-dropped-periodicity seconds;

As with the g-max-duplicates statement, the g-duplicates-dropped-periodicity statement applies the setting globally for the application and is overridden by a setting applied at the capture-group level. By default, the frequency for sending notifications is 30 seconds.

Example: Configuring Dynamic Flow Capture


The following example includes all parts of a complete dynamic flow capture configuration. Configure the DFC PIC interface:
interfaces dfc-0/0/0 {
    unit 0 {
        family inet {
            address 2.1.0.0/32 {             # DFC PIC address
                destination 10.36.100.1;     # DFC PIC address used by the control
                                             # sources to correspond with the
                                             # monitoring platform
            }
        }
    }
    unit 1 {                 # receive data packets on this logical interface
        family inet;
        family inet6;
    }
    unit 2 {                 # send out copies of matched packets on this logical interface
        family inet;
    }
}

Configure the capture group:


services dynamic-flow-capture {
    capture-group g1 {
        interfaces dfc-0/0/0;
        input-packet-rate-threshold 90k;
        pic-memory-threshold percentage 80;
        control-source cs1 {
            source-addresses 10.36.41.1;
            service-port 2400;
            notification-targets {
                10.36.41.1 port 2100;
            }
            shared-key "$9$ASxdsYoX7wg4aHk";
            allowed-destinations cd1;
        }
        content-destination cd1 {
            address 10.36.70.2;
            ttl 244;
        }
    }
}

Configure filter-based forwarding (FBF) to the DFC PIC interface, logical unit 1. For more information about configuring passive monitoring interfaces, see Enabling Passive Flow Monitoring on page 1077.
interfaces so-1/2/0 {
    encapsulation ppp;
    unit 0 {
        passive-monitor-mode;
        family inet {
            filter {
                input catch;
            }
        }
    }
}

Configure the firewall filter:


firewall {
    filter catch {
        interface-specific;
        term def {
            then {
                count counter;
                routing-instance fbf_inst;
            }
        }
    }
}

Configure a forwarding routing instance. The next hop points specifically to the logical interface corresponding to unit 1, because only this particular logical unit is expected to relay monitored data to the DFC PIC.
routing-instances fbf_inst {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop dfc-0/0/0.1;
        }
    }
}

Configure routing table groups:


[edit]
routing-options {
    interface-routes {
        rib-group inet common;
    }
    rib-groups {
        common {
            import-rib [ inet.0 fbf_inst.inet.0 ];
        }
    }
    forwarding-table {
        export pplb;
    }
}

Configure interfaces to the control source and content destination:


interfaces fe-4/1/2 {
    description "to cs1 from dfc";
    unit 0 {
        family inet {
            address 10.36.41.2/30;
        }
    }
}
interfaces ge-7/0/0 {
    description "to cd1 from dfc";
    unit 0 {
        family inet {
            address 10.36.70.1/30;
        }
    }
}


CHAPTER 56

Flow-Tap Configuration Guidelines


Dynamic flow capture enables you to capture packet flows on the basis of dynamic filtering criteria, using Dynamic Tasking Control Protocol (DTCP) requests. The flow-tap application extends the use of this protocol to intercept IPv4 and IPv6 packets in an active monitoring router and send a copy of packets that match filter criteria to one or more content destinations. Flow-tap data can be used in the following applications:

• Flexible trend analysis for detection of new security threats
• Lawful intercept

Flow-tap service is supported on M Series and T Series routers, except M160 and TX Matrix routers. Flow-tap filters are applied on all IPv4 traffic and do not add any perceptible delay in the forwarding path. Flow-tap filters can also be applied on IPv6 traffic. For security, filters installed by one client are not visible to others and the CLI configuration does not reveal the identity of the monitored target. A lighter version of the application is supported on MX Series routers only; for more information, see Configuring FlowTapLite on page 1205.

NOTE: For information about dynamic flow capture, see Dynamic Flow Capture Configuration Guidelines on page 1189. For information about DTCP, see draft-cavuto-dtcp-01.txt at http://www.ietf.org/internet-drafts.

To configure flow-tap services, include the flow-tap statement at the [edit services] hierarchy level:
flow-tap {
    interface interface-name;
}

Other statements are configured at the [edit interfaces] and [edit system] hierarchy levels. This chapter contains the following sections:

• Flow-Tap Architecture on page 1202
• Configuring the Flow-Tap Service on page 1203
• Configuring FlowTapLite on page 1205
• Examples: Configuring Flow-Tap Services on page 1207

Flow-Tap Architecture
The flow-tap architecture consists of one or more mediation devices that send requests to a Juniper Networks router to monitor incoming data and forward any packets that match specific filter criteria to a set of one or more content destinations:

• Mediation device: A client that monitors electronic data or voice transfer over the network. The mediation device sends filter requests to the Juniper Networks router using the DTCP. The clients are not identified for security reasons, but have permissions defined by a set of special login classes. Each system can support up to 16 different mediation devices for each user, up to a maximum of 64 mediation devices for the whole system.
• Monitoring platform: An M Series or T Series router containing one or more Adaptive Services (AS) or Multiservices PICs, which are configured to support the flow-tap application. The monitoring platform processes the requests from the mediation devices, applies the dynamic filters, monitors incoming data flows, and sends the matched packets to the appropriate content destinations.
• Content destination: Recipient of the matched packets from the monitoring platform. Typically the matched packets are sent using an IP Security (IPsec) tunnel from the monitoring platform to another router connected to the content destination. The content destination and the mediation device can be physically located on the same host. For more information about IPsec tunnels, see IPsec Properties.
• Dynamic filters: Firewall filters automatically generated by the Packet Forwarding Engine and applied to all routing instances. Each term in the filter includes a flow-tap action that is similar to the existing sample or port-mirroring actions. As long as one of the filter terms matches an incoming packet, the router copies the packet and forwards it to the Adaptive Services or Multiservices PIC that is configured for flow-tap service. The Adaptive Services or Multiservices PIC runs the packet through the client filters and sends a copy to each matching content destination.

Following is a sample filter configuration; note that it is dynamically generated by the router (no user configuration required):
filter combined_LEA_filter {
    term LEA1_filter {
        from {
            source-address 1.2.3.4;
            destination-address 3.4.5.6;
        }
        then {
            flow-tap;
        }
    }
    term LEA2_filter {
        from {
            source-address 10.1.1.1;
            source-port 23;
        }
        then {
            flow-tap;
        }
    }
}

Figure 18 on page 1203 shows a sample topology that uses two mediation devices and two content destinations.

Figure 18: Flow-Tap Topology


[Figure 18 shows mediation device 1 (LEA1) and mediation device 2 (LEA2) sending DTCP requests to the Juniper Networks router and receiving OK responses. The Packet Forwarding Engine filter copies incoming IP traffic to the service PIC running the flow-tap service, which sends flows matching LEA1's installed filters to content destination 1 and flows matching LEA2's installed filters to content destination 2, while the original packet is forwarded by routing as usual. LEA = Law Enforcing Authority.]

Configuring the Flow-Tap Service


This section describes the following tasks for configuring flow-tap service:

• Configuring the Flow-Tap Interface on page 1203
• Strengthening Flow-Tap Security on page 1204
• Restrictions on Flow-Tap Services on page 1205

Configuring the Flow-Tap Interface


To configure an adaptive services interface for flow-tap service, include the interface statement at the [edit services flow-tap] hierarchy level:
interface sp-fpc/pic/port.unit-number;

You can assign any Adaptive Services or Multiservices PIC in the active monitoring router for flow-tap service, and use any logical unit on the PIC.


NOTE: You cannot configure dynamic flow capture and flow-tap features on the same router simultaneously.

You must also configure the logical interface at the [edit interfaces] hierarchy level:
interface sp-fpc/pic/port {
    unit logical-unit-number {
        family inet;
        family inet6;
    }
}

NOTE: If you do not include the family inet6 statement in the configuration, IPv6 flows will not be intercepted.

Strengthening Flow-Tap Security


You can add an extra level of security to Dynamic Tasking Control Protocol (DTCP) transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer. To configure SSH settings, include the flow-tap-dtcp statement at the [edit system services] hierarchy level:
flow-tap-dtcp {
    ssh {
        connection-limit value;
        rate-limit value;
    }
}

To configure client permissions for viewing and modifying flow-tap configurations and for receiving tapped traffic, include the permissions statement at the [edit system login class class-name] hierarchy level:
permissions [permissions];

The permissions needed to use flow-tap features are as follows:


• flow-tap: Can view flow-tap configuration
• flow-tap-control: Can modify flow-tap configuration
• flow-tap-operation: Can tap flows

You can also specify user permissions on a RADIUS server, for example:
Bob Auth-Type := Local, User-Password == abc123
    Juniper-User-Permissions = flow-tap-operation

For details on [edit system] and RADIUS configuration, see the Junos OS System Basics Configuration Guide.


Restrictions on Flow-Tap Services


The following restrictions apply to flow-tap services:

• You cannot configure dynamic flow capture and flow-tap features on the same router simultaneously.
• Flow-tap service does not support interception of MPLS and virtual private LAN service (VPLS).
• Flow-tap service cannot intercept Address Resolution Protocol (ARP) and other Layer 2 exceptions.
• IPv4 and IPv6 intercept filters can coexist on a system, subject to a combined maximum of 100 filters.
• When the dynamic flow capture process or the Adaptive Services or Multiservices PIC configured for flow-tap processing restarts, all filters are deleted and the mediation devices are disconnected.
• Only the first fragment of an IPv4 fragmented packet stream is sent to the content destination.
• Port mirroring might not work in conjunction with flow-tap processing.
• Running the flow-tap application over an IPsec tunnel on the same router can cause packet loops and is not supported.
• M10i routers do not support the standard flow-tap application, but do support FlowTapLite (see Configuring FlowTapLite on page 1205).
• Flow-tap and FlowTapLite cannot be configured simultaneously on the same chassis.
• PIC-based flow-tap is not supported on M7i and M10i routers equipped with an Enhanced Compact Forwarding Engine Board (CFEB-E).

Configuring FlowTapLite
A lighter version of the flow-tap application is available on MX Series routers and also on M320 routers with Enhanced III Flexible PIC Concentrators (FPCs). All of the functionality resides in the Packet Forwarding Engine rather than a service PIC or Dense Port Concentrator (DPC).

NOTE: On M320 routers only, if the replacement of FPCs results in a mode change, you must restart the dynamic flow capture process manually by disabling and then re-enabling the CLI configuration.

FlowTapLite uses the same DTCP-SSH architecture to install the Dynamic Tasking Control Protocol (DTCP) filters and authenticate the users as the original flow-tap application and supports up to 3000 filters per chassis.


NOTE: The original flow-tap application and FlowTapLite cannot be used at the same time.

To configure FlowTapLite, include the flow-tap statement at the [edit services] hierarchy level:
flow-tap {
    tunnel-interface interface-name;
}

For the Packet Forwarding Engine to encapsulate the intercepted packet, it must send the packet to a tunnel logical (vt-) interface. You need to allocate a tunnel interface and assign it to the dynamic flow capture process for FlowTapLite to use. To create the tunnel interface, include the following configuration:
chassis {
    fpc number {
        pic number {
            tunnel-services {
                bandwidth (1g | 10g);
            }
        }
    }
}

NOTE: Currently FlowTapLite supports only one tunnel interface per instance.

For more information about this configuration, see the Junos OS System Basics Configuration Guide. To configure the logical interfaces and assign them to the dynamic flow capture process, include the following configuration:
interfaces {
    vt-fpc/pic/port {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}

NOTE: If a service PIC or DPC is available, you can use its tunnel interface for the same purpose.

NOTE: If you do not include the family inet6 statement in the configuration, IPv6 flows will not be intercepted.


Examples: Configuring Flow-Tap Services


The following example shows all parts of a complete flow-tap configuration. The example configuration intercepts IPv4 and IPv6 flows.
services {
    flow-tap {
        interface sp-1/2/0.100;
    }
}
interfaces {
    sp-1/2/0 {
        unit 100 {
            family inet;
            family inet6;
        }
    }
}
system {
    services {
        flow-tap-dtcp {
            ssh {
                connection-limit 5;
                rate-limit 5;
            }
        }
    }
    login {
        class ft-class {
            permissions flow-tap-operation;
        }
        user ft-user1 {
            class ft-class;
            authentication {
                encrypted-password xxxx;
            }
        }
    }
}

The following example shows a FlowTapLite configuration that intercepts IPv4 and IPv6 flows:
system {
    login {
        class flowtap {
            permissions flow-tap-operation;
        }
        user ftap {
            uid 2000;
            class flowtap;
            authentication {
                encrypted-password "$1$nZfwNn4L$TWi/oxFwFZyOyyxN/87Jv0"; ## SECRET-DATA
            }
        }
    }
    services {
        flow-tap-dtcp {
            ssh;
        }
    }
}
chassis {
    fpc 0 {
        pic 0 {
            tunnel-services {
                bandwidth 10g;
            }
        }
    }
}
interfaces {
    vt-0/0/0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}
services {
    flow-tap {
        tunnel-interface vt-0/0/0.0;
    }
}
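As an added example that is not part of this guide or Juniper's code, the following Python script parses a Junos configuration like the two examples above and reports the points this chapter makes: DTCP sessions carried over SSH with connection-limit and rate-limit set, a login class that holds only flow-tap permissions, family inet6 on the intercept unit, and the flow-tap/FlowTapLite and flow-tap/dynamic-flow-capture exclusions from the restrictions list. The finding codes and the SAMPLE_BAD configuration are constructed for the example; the parser handles only brace-and-semicolon configuration text, not set-style commands.

```python
# Added example (not Juniper code): audit a Junos flow-tap / FlowTapLite configuration
# against the hardening points and restrictions described in this chapter. The finding
# codes (DTCP-NO-SSH, NO-INET6, ...) and SAMPLE_BAD are invented here for the example.
import re

# Quoted strings, structural characters, '#' comments (e.g. "## SECRET-DATA") and bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[{};\[\]]|#[^\n]*|[^\s{};"#\[\]]+')
MISSING = object()
FLOW_TAP_PERMS = {"flow-tap", "flow-tap-control", "flow-tap-operation"}


def parse(text):
    """Nested dicts: a statement ('unit 100', 'family inet6') maps to a child dict
    for a block or to None for a leaf; repeated stanzas are merged."""
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok not in ("{", ";"):
                words.append(tok.strip('"'))
                continue
            key, words = " ".join(words), []
            if tok == ";":
                node[key] = None
            elif isinstance(node.get(key), dict):
                node[key].update(block())
            else:
                node[key] = block()
        return node

    return block()


def entries(node, name):
    """(statement, value) pairs in `node` whose statement is `name` or `name <arg>`."""
    if not isinstance(node, dict):
        return []
    return [(k, v) for k, v in node.items() if k == name or k.startswith(name + " ")]


def child(node, name):
    """First matching value: a dict (block), None (leaf) or MISSING."""
    found = entries(node, name)
    return found[0][1] if found else MISSING


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse(config_text), []
    system, services = child(cfg, "system"), child(cfg, "services")
    flowtap = child(services, "flow-tap")
    # Strengthening Flow-Tap Security: DTCP must ride on SSH, with limits configured.
    ssh = child(child(child(system, "services"), "flow-tap-dtcp"), "ssh")
    if ssh is MISSING:
        findings.append("DTCP-NO-SSH: system services flow-tap-dtcp ssh is not configured")
    elif child(ssh, "connection-limit") is MISSING or child(ssh, "rate-limit") is MISSING:
        findings.append("DTCP-NO-LIMITS: flow-tap-dtcp ssh lacks connection-limit and/or rate-limit")
    # Restrictions: flow-tap vs FlowTapLite, and flow-tap vs dynamic flow capture.
    if child(flowtap, "interface") is not MISSING and child(flowtap, "tunnel-interface") is not MISSING:
        findings.append("FLOWTAP-AND-LITE: interface and tunnel-interface both set under services flow-tap")
    if flowtap is not MISSING and child(services, "dynamic-flow-capture") is not MISSING:
        findings.append("FLOWTAP-AND-DFC: dynamic-flow-capture and flow-tap configured on the same router")
    # The intercept unit needs family inet6, otherwise IPv6 flows are silently not tapped.
    interfaces = child(cfg, "interfaces")
    for key, _ in entries(flowtap, "interface") + entries(flowtap, "tunnel-interface"):
        ifl = key.split()[-1]                       # e.g. sp-1/2/0.100 or vt-0/0/0.0
        ifd, _, unit = ifl.partition(".")
        unit_node = child(child(interfaces, ifd), "unit " + unit)
        if child(unit_node, "family inet6") is MISSING:
            findings.append(f"NO-INET6:{ifl}: family inet6 missing, IPv6 flows will not be intercepted")
    # Least privilege: a class that can tap flows should hold only flow-tap permissions.
    for key, cls in entries(child(system, "login"), "class"):
        perms = set()
        for pkey, _ in entries(cls, "permissions"):
            perms.update(p for p in pkey.split()[1:] if p not in ("[", "]"))
        extra = perms - FLOW_TAP_PERMS
        if perms & FLOW_TAP_PERMS and extra:
            findings.append(f"OVERBROAD-CLASS:{key.split()[1]}: also grants {sorted(extra)}")
    return findings


# Constructed sample that breaks several of the chapter's rules at once.
SAMPLE_BAD = """
system {
    services { flow-tap-dtcp { ssh; } }
    login { class ft-lax { permissions [ all flow-tap-operation ]; }
            user ft-user2 { class ft-lax; authentication { encrypted-password "$1$x"; } } } ## SECRET-DATA
}
interfaces { sp-1/2/0 { unit 100 { family inet; } } vt-0/0/0 { unit 0 { family inet; family inet6; } } }
services { dynamic-flow-capture { capture-group dfc1 { interfaces dfc-0/0/0.0; } }
           flow-tap { interface sp-1/2/0.100; tunnel-interface vt-0/0/0.0; } }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_BAD):
        print(finding)
```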


CHAPTER 57

Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements


The following sections explain each of the dynamic flow capture and flow-tap configuration statements. The statements are organized alphabetically.

address

Syntax: address address;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name content-destination identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Configure an IP address for the flow capture destination.
Options: address: IP address for the content destination.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

allowed-destinations

Syntax: allowed-destinations [ identifiers ];
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Identify flow capture destinations that are allowed in messages sent from this control source.
Options: identifier: Allowed content destination name.
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

capture-group

Syntax:
capture-group client-name {
    content-destination identifier {
        address address;
        hard-limit bandwidth;
        hard-limit-target bandwidth;
        soft-limit bandwidth;
        soft-limit-clear bandwidth;
        ttl hops;
    }
    control-source identifier {
        allowed-destinations [ destinations ];
        minimum-priority value;
        no-syslog;
        notification-targets address port port-number;
        service-port port-number;
        shared-key value;
        source-addresses [ addresses ];
    }
    duplicates-dropped-periodicity seconds;
    input-packet-rate-threshold rate;
    interfaces interface-name;
    max-duplicates number;
    pic-memory-threshold percentage percentage;
}
Hierarchy Level: [edit services dynamic-flow-capture]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Define the capture group values. The remaining statements are explained separately.
Usage Guidelines: See Configuring the Capture Group on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

content-destination

Syntax:
content-destination identifier {
    address address;
    hard-limit bandwidth;
    hard-limit-target bandwidth;
    soft-limit bandwidth;
    soft-limit-clear bandwidth;
    ttl hops;
}
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Identify the destination for captured packets.
Options: identifier: Name of the destination. The remaining statements are explained separately.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

control-source

Syntax:
control-source identifier {
    allowed-destinations [ destinations ];
    minimum-priority value;
    no-syslog;
    notification-targets address port port-number;
    service-port port-number;
    shared-key value;
    source-addresses [ addresses ];
}
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Identify the source of the dynamic flow capture request.
Options: identifier: Name of control source. The remaining statements are explained separately.
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

duplicates-dropped-periodicity

Syntax: duplicates-dropped-periodicity seconds;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify the frequency for sending notifications to affected control sources when transmission of duplicate sets of data is restricted because the max-duplicates threshold has been reached.
Options: seconds: Period for sending DuplicatesDropped notifications.
Default: 30 seconds
Usage Guidelines: See Limiting the Number of Duplicates of a Packet on page 1196.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: g-duplicates-dropped-periodicity on page 1216, max-duplicates on page 1220

dynamic-flow-capture

Syntax:
dynamic-flow-capture {
    capture-group client-name {
        content-destination identifier {
            address address;
            hard-limit bandwidth;
            hard-limit-target bandwidth;
            soft-limit bandwidth;
            soft-limit-clear bandwidth;
            ttl hops;
        }
        control-source identifier {
            allowed-destinations [ destinations ];
            minimum-priority value;
            no-syslog;
            notification-targets address port port-number;
            service-port port-number;
            shared-key value;
            source-addresses [ addresses ];
        }
        duplicates-dropped-periodicity seconds;
        input-packet-rate-threshold rate;
        interfaces interface-name;
        max-duplicates number;
        pic-memory-threshold percentage percentage;
    }
    g-duplicates-dropped-periodicity seconds;
    g-max-duplicates number;
}
Hierarchy Level: [edit services]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Define the dynamic flow capture properties to be applied to traffic. The remaining statements are explained separately.
Usage Guidelines: See Dynamic Flow Capture.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

flow-tap

Syntax:
flow-tap {
    (interface interface-name | tunnel-interface interface-name);
}
Hierarchy Level: [edit services]
Release Information: Statement introduced in Junos OS Release 8.1.
Description: Enable the flow-tap or FlowTapLite application on an interface. FlowTapLite is a lighter version of the flow-tap application that is available on MX Series platforms, M120 routers, and M320 routers with Enhanced III FPCs only.
Options:
    interface interface-name: Specify the interface name for the flow-tap application.
    tunnel-interface interface-name: Specify the tunnel interface name for the FlowTapLite application.
    The remaining statements are explained separately.
Usage Guidelines: See Flow-Tap.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

g-duplicates-dropped-periodicity

Syntax: g-duplicates-dropped-periodicity seconds;
Hierarchy Level: [edit services dynamic-flow-capture]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify the frequency for sending notifications to affected control sources when transmission of duplicate sets of data is restricted because the g-max-duplicates threshold has been reached. This setting is applied globally; the duplicates-dropped-periodicity setting applied at the capture-group level overrides the global setting. The default period for sending notifications is 30 seconds.
Options: seconds: Period for sending DuplicatesDropped notifications.
Default: 30 seconds
Usage Guidelines: See Limiting the Number of Duplicates of a Packet on page 1196.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: duplicates-dropped-periodicity on page 1213

g-max-duplicates

Syntax: g-max-duplicates number;
Hierarchy Level: [edit services dynamic-flow-capture]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify the maximum number of content destinations to which DFC PICs can send data from a single input set of packets. Limiting the number of duplicates reduces the load on the PIC. This setting is applied globally; the max-duplicates setting applied at the capture-group level overrides the global setting. If no value is configured, a default setting of 3 is used.
Options: number: Maximum number of content destinations. Range: 1 through 64
Default: 3
Usage Guidelines: See Limiting the Number of Duplicates of a Packet on page 1196.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: max-duplicates on page 1220

hard-limit

Syntax: hard-limit bandwidth;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name content-destination identifier]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify a bandwidth threshold at which the dynamic flow capture application begins deleting criteria, until the bandwidth falls below the hard-limit-target value.
Options: bandwidth: Hard limit threshold, in bits per second.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: hard-limit-target on page 1218

hard-limit-target

Syntax: hard-limit-target bandwidth;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name content-destination identifier]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify a bandwidth threshold at which the dynamic flow capture application stops deleting criteria.
Options: bandwidth: Target value, in bits per second.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: hard-limit on page 1217

input-packet-rate-threshold

Syntax: input-packet-rate-threshold rate;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Specify a packet rate threshold value that triggers a system log warning message.
Options: rate: Threshold value.
Usage Guidelines: See Configuring Thresholds on page 1196.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

interface

Syntax: interface sp-fpc/pic/port.logical-unit-number;
Hierarchy Level: [edit services flow-tap]
Release Information: Statement introduced in Junos OS Release 8.1.
Description: Specify the AS PIC interface used with the flow-tap application. Any AS PIC available in the router can be assigned, and any logical interface on the AS PIC can be used.
Options: interface-name: Name of the DFC interface.
Usage Guidelines: See Configuring the Flow-Tap Interface on page 1203.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

interfaces

Syntax: interfaces interface-name;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Specify the DFC interface used with the control source configured in the same capture group.
Options: interface-name: Name of the DFC interface.
Usage Guidelines: See Configuring the DFC PIC Interface on page 1194.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

max-duplicates

Syntax: max-duplicates number;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify the maximum number of content destinations to which the DFC PIC can send data from a single input set of packets. Limiting the number of duplicates reduces the load on the PIC. This setting overrides the globally applied g-max-duplicates setting. If no value is configured, a default setting of 3 is used.
Options: number: Maximum number of content destinations. Range: 1 through 64
Default: 3
Usage Guidelines: See Limiting the Number of Duplicates of a Packet on page 1196.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: g-max-duplicates on page 1217

minimum-priority

Syntax: minimum-priority value;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify the minimum priority for the control source.
Options: value: Minimum priority value; if not specified, defaults to 0. Range: 0 through 254
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

no-syslog

Syntax: no-syslog;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Disable system logging of control protocol requests and responses. By default, these messages are logged.
Usage Guidelines: See Configuring System Logging on page 1195.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

notification-targets

Syntax: notification-targets address port port-number;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: List of destination IP addresses and User Datagram Protocol (UDP) ports to which DFC PICs log exception information and control protocol state transitions, such as timeout values.
Options:
    address address: Allowed destination IP address.
    port port-number: Allowed destination UDP port number.
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

pic-memory-threshold

Syntax: pic-memory-threshold percentage percentage;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Specify a PIC memory usage percentage that triggers a system log warning message.
Options: percentage percentage: PIC memory threshold value.
Usage Guidelines: See Configuring Thresholds on page 1196.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

service-port

Syntax: service-port port-number;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Identify the User Datagram Protocol (UDP) port number for control protocol requests.
Options: port-number: Port number for control protocol request messages.
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

services

Syntax:
services {
    dynamic-flow-capture { ... }
    flow-tap { ... }
}
Hierarchy Level: [edit]
Release Information: dynamic-flow-capture statement introduced in Junos OS Release 7.4. flow-tap statement introduced in Junos OS Release 8.1.
Description: Define the services to be applied to traffic.
Options:
    dynamic-flow-capture: The values configured for dynamic flow capture.
    flow-tap: The values configured for the flow-tap application.
    The statements are explained separately.
Usage Guidelines: See Configuring Dynamic Flow Capture on page 1191 or Configuring the Flow-Tap Service on page 1203.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

shared-key

Syntax: shared-key value;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Configure the authentication key value.
Options: value: Secret authentication value shared between a control source and destination.
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

soft-limit

Syntax: soft-limit bandwidth;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name content-destination identifier]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify a bandwidth threshold at which congestion notifications are sent to each control source of the criteria that point to this content destination. If the control source is configured with the syslog statement, a log message will also be generated.
Options: bandwidth: Soft limit threshold, in bits per second.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

soft-limit-clear

Syntax: soft-limit-clear bandwidth;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name content-destination identifier]
Release Information: Statement introduced in Junos OS Release 9.2.
Description: Specify a bandwidth threshold at which the latch set by the soft-limit threshold is cleared.
Options: bandwidth: Soft-limit clear threshold, in bits per second.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).
Related Documentation: soft-limit on page 1224

source-addresses

Syntax: source-addresses [ addresses ];
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name control-source identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: List of IP addresses from which the control source can send control protocol requests to the Juniper Networks router.
Options: address: Allowed IP source address.
Usage Guidelines: See Configuring the Control Source on page 1193.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).

ttl

Syntax: ttl hops;
Hierarchy Level: [edit services dynamic-flow-capture capture-group client-name content-destination identifier]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Time-to-live (TTL) value for the IP-IP header.
Options: hops: TTL value.
Usage Guidelines: See Configuring the Content Destination on page 1192.
Required Privilege Level: interface (to view this statement in the configuration); interface-control (to add this statement to the configuration).


PART 6

Link and Multilink Services


• Link and Multilink Services Overview on page 1229
• Link and Multilink Services Configuration Guidelines on page 1233
• Summary of Multilink and Link Services Configuration Statements on page 1271


CHAPTER 58

Link and Multilink Services Overview


This chapter discusses the following topics:

Link and Multilink Services Overview on page 1229

Link and Multilink Services Overview


The Multilink Protocol enables you to split, recombine, and sequence datagrams across multiple logical data links. The goal of multilink operation is to coordinate multiple independent links between a fixed pair of systems, providing a virtual link with greater bandwidth than any of the members. The Juniper Networks Junos OS supports several MP-based services PICs: the Multilink Services PIC, the Link Services PIC, and the link services intelligent queuing (IQ) and voice services configured on the Adaptive Services (AS) and MultiServices PICs. For more information about link services IQ, see Layer 2 Service Package Capabilities and Interfaces on page 448. For more information about voice services, see Configuring Services Interfaces for Voice Services on page 522.

NOTE: The ml- interface type is used to configure interfaces on the Multilink Services PIC and does not support class-of-service (CoS) features. The ls- interface type is used for limited CoS configurations on the Link Services PIC (except on J Series Services Routers), and the lsq- interface type is used for full CoS configurations on the Adaptive Services and MultiServices PICs. For link services IQ (lsq) interfaces, Junos OS CoS components are fully supported and are handled normally on M Series and T Series routers, as described in the Junos OS Class of Service Configuration Guide. There are some restrictions on J Series Services Routers; for more information on link services IQ configuration, see Layer 2 Service Package Capabilities and Interfaces on page 448.

The Link Services and Multilink Services PICs support the following MP encapsulation types:

• Multilink Point-to-Point Protocol (MLPPP)
• Multilink Frame Relay (MLFR)


MLPPP enables you to bundle multiple PPP links into a single logical link. MLFR enables you to bundle multiple Frame Relay data-link connection identifiers (DLCIs) into a single logical link. MLPPP and MLFR provide service option granularity between low-speed T1 and E1 services and higher-speed T3 and E3 services. You use MLPPP and MLFR to increase bandwidth in smaller, more cost-effective increments. In addition to providing incremental bandwidth, bundling multiple links can add a level of fault tolerance to your dedicated access service, because you can implement bundling across multiple PICs, protecting against the failure of any single PIC.

NOTE: Even if the PIC can support up to 4xDS3 total throughput, each aggregate can only run a volume of traffic equal to one DS3 in bandwidth. Aggregating DS3 links is not supported.

At the logical unit level, the Multilink Services and Link Services PICs support the MLPPP and MLFR Frame Relay Forum (FRF) 15 encapsulation types. At the physical interface level, the Link Services PIC also supports the MLFR FRF.16 encapsulation type. MLPPP and MLFR FRF.15 are supported on interface types ml-fpc/pic/port, ls-fpc/pic/port, and lsq-fpc/pic/port.

For MLFR FRF.15, multiple permanent virtual circuits (PVCs) are combined into one aggregated virtual circuit (AVC). This provides fragmentation over multiple PVCs on one end and reassembly of the AVC on the other end.

MLFR FRF.16 is supported on a channelized interface, ls-fpc/pic/port:channel, which denotes a single MLFR FRF.16 bundle. For MLFR FRF.16, multiple links are combined to form one logical link. Packet fragmentation and reassembly occur on a per-VC basis. Each bundle can support multiple VCs. Link Services PICs can support up to 256 DLCIs per MLFR FRF.16 bundle.

The physical connections must be E1, T1, channelized DS3-to-DS1, channelized DS3-to-DS0, channelized E1, channelized STM1, or channelized IQ interfaces. When you bundle channelized interfaces using the link services interface, the channelized interfaces require M Series Enhanced Flexible PIC Concentrators (FPCs).


NOTE: When running MLPPP or MLFR on a non-QPP interface, you cannot mix logical units that are members of an aggregate with logical units configured using other families, such as inet. For example, the following configuration is not valid:

interfaces e3-0/0/0 {
    encapsulation frame-relay;
    unit 99 {
        dlci 99;
        family mlfr-end-to-end {
            bundle ls-0/0/0.1;
        }
    }
    unit 100 {    ## mixes mlfr with family inet
        dlci 100;
        family inet {
            address 192.168.164.53/30;
        }
    }
}

The standards for MLPPP, MLFR FRF.15, and MLFR FRF.16 are defined in the following specifications:

RFC 1990, The PPP Multilink Protocol (MP)
FRF.15, End-to-End Multilink Frame Relay Implementation Agreement
FRF.16.1, Multilink Frame Relay UNI/NNI Implementation Agreement

NOTE: Endpoint Discriminator Class compatibility checking is enabled on MLPPP interfaces. Prior to Junos OS Release 8.0, when a Juniper Networks router received an unsupported Endpoint Discriminator Class message from an MLPPP session peer, it returned an ACK response.


Junos 11.4 Services Interfaces Configuration Guide


CHAPTER 59

Link and Multilink Services Configuration Guidelines


To configure multilink and link services logical interfaces, include the following statements.
(ml-fpc/pic/port | ls-fpc/pic/port) {
    unit logical-unit-number {
        dlci dlci-identifier;
        drop-timeout milliseconds;
        encapsulation type;
        fragment-threshold bytes;
        interleave-fragments;
        minimum-links number;
        mrru bytes;
        multicast-dlci dlci-identifier;
        short-sequence;
        family family {
            address address {
                destination address;
            }
            bundle (ml-fpc/pic/port | ls-fpc/pic/port);
        }
    }
}

You can include these statements at the following hierarchy levels:


[edit interfaces]
[edit logical-systems logical-system-name interfaces]

To configure link services physical interfaces, include the mlfr-uni-nni-bundle-options statement at the [edit interfaces ls-fpc/pic/port:channel] hierarchy level:
[edit interfaces ls-fpc/pic/port:channel]
encapsulation type;
mlfr-uni-nni-bundle-options {
    acknowledge-retries number;
    acknowledge-timer milliseconds;
    action-red-differential-delay (disable-tx | remove-link);
    drop-timeout milliseconds;
    fragment-threshold bytes;
    hello-timer milliseconds;
    lmi-type (ansi | itu);
    minimum-links number;
    mrru bytes;
    n391 number;
    n392 number;
    n393 number;
    red-differential-delay milliseconds;
    t391 number;
    t392 number;
    yellow-differential-delay milliseconds;
}

This chapter contains the following sections:


Multilink and Link Services PICs Overview on page 1234
Configuring the Number of Bundles on Link Services PICs on page 1235
Configuring the Links in a Multilink or Link Services Bundle on page 1236
Multilink and Link Services Logical Interface Configuration Overview on page 1237
Configuring Encapsulation for Multilink and Link Services Logical Interfaces on page 1239
Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces on page 1240
Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces on page 1241
Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces on page 1242
Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242
Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces on page 1243
Configuring DLCIs on Link Services Logical Interfaces on page 1244
Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces on page 1245
Configuring Link Services Physical Interfaces on page 1248
Configuring CoS on Link Services Interfaces on page 1252
Examples: Configuring Multilink Interfaces on page 1257
Examples: Configuring Link Interfaces on page 1260

Multilink and Link Services PICs Overview


Each Multilink Services or Link Services PIC can support a number of bundles. A bundle can contain up to eight individual links. For Multilink Services PICs, the links can be T1, E1, or DS0 physical interfaces, and each link is associated with a logical unit number that you configure. For Link Services PICs, the links can be E1, T1, channelized DS3-to-DS1, channelized DS3-to-DS0, channelized E1, channelized STM1 interfaces, or channelized IQ interfaces. For MLFR FRF.16 bundles, each link is associated with a channel number that you configure.


You must configure a link before it can join a bundle. Each bundle should consist solely of one type of link; the mixing of physical interfaces of differing speeds within a bundle is not supported.

NOTE: On both Juniper Networks J Series Services Routers and M Series Multiservice Edge Routers, only one DS3 link is allowed in an MLFR bundle. MLPPP bundles can include two DS3 links.

Three versions of Multilink Services and three versions of Link Services PICs are available, as shown in Table 18 on page 1235. The PIC hardware is identical, except for different faceplates that enable you to identify which version you are installing. The software limits the unit numbers and maximum number of physical interfaces you assign to the PIC.

Table 18: Multilink and Link Services PIC Capacities

PIC Capacity      Unit Numbers     Maximum Number of T1/DS0 Interfaces    Maximum Number of E1 Interfaces
4-bundle PIC      0 through 3      32 links                               32 links
32-bundle PIC     0 through 31     256 links                              219 links
128-bundle PIC    0 through 127    292 links                              219 links

A single PIC can support an aggregate bandwidth of 450 megabits per second (Mbps). You can configure a larger number of links, but the Multilink Services and Link Services PICs can reliably process only 450 Mbps of traffic. A higher rate of traffic might degrade performance.

NOTE: In Junos OS Release 9.0 and later, you cannot configure a unit number greater than the maximum unit number available on your Link Services PIC (see Table 18 on page 1235). Attempting to do so results in an error message.

For configuration information, see the following sections:


Configuring the Number of Bundles on Link Services PICs on page 1235
Configuring the Links in a Multilink or Link Services Bundle on page 1236

Configuring the Number of Bundles on Link Services PICs


You can combine MLFR FRF.16, MLPPP, and MLFR FRF.15 bundles on a single Link Services PIC. For a sample configuration, see Example: Configuring a Link Services Interface with Two Links on page 1261. To configure the number of bundles on a Link Services PIC, include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:


mlfr-uni-nni-bundles number;

Each Link Services PIC can accommodate a maximum of 256 MLFR UNI NNI bundles. For more information, see the Junos OS System Basics Configuration Guide. A link can associate with one link services bundle only. All Link Services PICs support up to 256 single-link bundles and up to 256 DLCIs. For an example configuration, see the configuration examples.

NOTE: When one or more links in a bundle are put in loopback, reassembly buffering and hence processing are reduced so as to not affect other bundles. This prevents packet loss on other bundles, while reducing the reassembly buffers available for the bundle with looped links.

Related Documentation

Example: Configuring a Link Services Interface with Two Links on page 1261
Example: Configuring a Link Services Interface with MLPPP on page 1262
Example: Configuring a Link Services Interface with MLFR FRF.15 on page 1263
Example: Configuring a Link Services PIC with MLFR FRF.16 on page 1263
Example: Configuring Link and Voice Services Interfaces with a Combination of Bundle Types on page 1264

Configuring the Links in a Multilink or Link Services Bundle


To complete a multilink or link services interface configuration, you need to configure both the physical interface and the multilink or link services bundle. For multilink interfaces, you configure the link bundle on the logical unit. For link services interfaces, you configure the link bundle as a channel (see Figure 19 on page 1236). The physical interface is usually connected to networks capable of supporting MLPPP or MLFR (FRF.15 or FRF.16).

Figure 19: Multilink Interface Configuration

The following sample configuration refers to the topology in Figure 19 on page 1236 and configures a multilink or link services bundle over a T1 connection (for which the T1 physical interface is already configured).
1. To configure a physical T1 link for MLPPP, include the following statements at the [edit interfaces t1-fpc/pic/port] hierarchy level:

   unit 0 {
       family mlppp {
           bundle (ml-fpc/pic/port | ls-fpc/pic/port);
       }
   }

   You do not need to configure an IP address on this link.

   To configure a physical T1 link for MLFR FRF.16, include the following statements at the [edit interfaces t1-fpc/pic/port] hierarchy level:

   encapsulation multilink-frame-relay-uni-nni;
   unit 0 {
       family mlfr-uni-nni {
           bundle ls-fpc/pic/port:channel;
       }
   }

   You do not need to configure an IP address or a DLCI on this link.


2. To configure the logical address for the MLPPP, MLFR FRF.15, or MLFR FRF.16 bundle, include the address and destination statements:

   address address {
       destination address;
   }

You can include these statements at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number family inet]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet]

When you add statements such as mrru to the configuration and commit, the T1 interface becomes part of the multilink bundle.

NOTE: For MLPPP and MLFR (FRF.15 and FRF.16) links, you must specify the subnet address as /32 or /30. Any other subnet designation is treated as a mismatch.

Multilink and Link Services Logical Interface Configuration Overview


You configure multilink and link services interface properties at the logical unit level. Default settings for multilink and link services logical interface properties are described in Default Settings for Multilink and Link Services Logical Interfaces on page 1238. For general information about logical unit properties or family inet properties, see the Junos OS Network Interfaces Configuration Guide. For information about multilink and link services properties you configure at the family inet hierarchy level, see Configuring the Links in a Multilink or Link Services Bundle on page 1236.


NOTE: On DS0, E1, or T1 interfaces in LSQ bundles, you can configure the bandwidth statement, but the router does not use the bandwidth value if the interfaces are included in an MLPPP or MLFR bundle. The bandwidth is calculated internally according to the time slots, framing, and byte-encoding of the interface. For more information about logical interface properties, see the Junos OS Network Interfaces Configuration Guide.

Default Settings for Multilink and Link Services Logical Interfaces


Table 19 on page 1238 lists the default settings for multilink and link services statements, together with the other permitted values or value ranges.

Table 19: Multilink and Link Services Logical Interface Statements

Option                                          Default Value                                                         Possible Values
DLCI                                            None                                                                  16 through 1022
Drop timeout period                             500 ms for bundles greater than or equal to the T1 bandwidth value    0 through 2000 milliseconds
                                                and 1500 ms for other bundles
Encapsulation                                   For multilink interfaces, multilink-ppp. For link services            multilink-frame-relay-end-to-end, multilink-ppp
                                                interfaces, multilink-frame-relay-end-to-end
Fragmentation threshold                         0 bytes                                                               128 through 16,320 bytes (Nx64)
Interleave fragments                            disabled                                                              enabled, disabled
Minimum links                                   1 link                                                                1 through 8 links
Maximum received reconstructed unit (MRRU)      1504 bytes                                                            1500 through 4500 bytes
Sequence ID format for MLPPP                    24 bits                                                               12 or 24 bits
Sequence ID format for MLFR FRF.15 and FRF.16   12 bits                                                               12 bits

See Default Settings for Link Services Interfaces on page 1248 for statements that apply to link services physical interfaces only.

Related Documentation

Configuring Encapsulation for Multilink and Link Services Logical Interfaces on page 1239
Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces on page 1240
Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces on page 1241
Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces on page 1242
Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242
Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces on page 1243
Configuring DLCIs on Link Services Logical Interfaces on page 1244
Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces on page 1245
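The rules stated in Configuring the Links in a Multilink or Link Services Bundle (members must not share a port with inet units, bundle addresses must be /30 or /32) and the value ranges in Table 18 and Table 19 can be checked before a commit. The following Python script is an added example for this guide, not Juniper code: it parses the curly-brace configuration syntax used in this chapter and reports the conditions the chapter describes as invalid. The PIC_MAX_UNIT, RANGES and MULTILINK_FAMILIES tables are transcribed from the page; the sample configuration is constructed around the invalid example in the NOTE on page 1231; the parser accepts only the subset of syntax shown here (no set-format statements, only ## comments).

```python
"""Lint a Junos-style multilink or link services configuration fragment.

Added example for this chapter, not Juniper code. It parses the curly-brace
syntax used on this page and checks the constraints the chapter states: no
mixing of bundle-member units with inet units on one port, unit numbers within
the PIC's range (Table 18), the value ranges of Table 19, /30 or /32 bundle
addresses, and at most eight member links (and enough of them for minimum-links).
"""
import re
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")
PIC_MAX_UNIT = {"4-bundle": 3, "32-bundle": 31, "128-bundle": 127}      # Table 18
MULTILINK_FAMILIES = {"mlppp", "mlfr-end-to-end", "mlfr-uni-nni"}
RANGES = {"dlci": (16, 1022), "multicast-dlci": (16, 1022), "minimum-links": (1, 8),
          "mrru": (1500, 4500), "drop-timeout": (0, 2000)}                # Table 19


@dataclass
class Node:
    words: tuple                       # tokens before ';' or '{', e.g. ('unit', '0')
    children: list = field(default_factory=list)

    def find(self, *prefix):
        return [c for c in self.children if c.words[:len(prefix)] == prefix]

    def value(self):
        return int(self.words[-1])


def parse(text):
    """Build a Node tree from 'name { ... }' blocks and 'statement;' leaves."""
    root, words = Node(("root",)), []
    stack = [root]
    for tok in TOKEN_RE.findall(re.sub(r"##.*", "", text)):   # '##' starts a comment
        if tok == ";":
            stack[-1].children.append(Node(tuple(words)))
            words = []
        elif tok == "{":
            stack[-1].children.append(Node(tuple(words)))
            stack.append(stack[-1].children[-1])
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root


def lint(text, pic="128-bundle"):
    """Return a list of violations; empty when the fragment is clean."""
    problems, members, bundles = [], {}, {}
    for top in parse(text).find("interfaces"):
        for ifd in ([top] if len(top.words) == 2 else top.children):
            name, fams = ifd.words[-1], {}
            for unit in ifd.find("unit"):
                unum = unit.value()
                fams[unum] = {f.words[1] for f in unit.find("family")}
                for b in (b for f in unit.find("family") for b in f.find("bundle")):
                    members[b.words[1]] = members.get(b.words[1], 0) + 1   # count member links
                if name.startswith(("ml-", "ls-", "lsq-")):
                    bundles[f"{name}.{unum}"] = unit
                if name.startswith(("ml-", "ls-")) and unum > PIC_MAX_UNIT[pic]:
                    problems.append(f"{name}: unit {unum} exceeds 0-{PIC_MAX_UNIT[pic]} on a {pic} PIC")
            ml = sorted(u for u, f in fams.items() if f & MULTILINK_FAMILIES)
            other = sorted(u for u, f in fams.items() if f - MULTILINK_FAMILIES)
            if ml and other:     # the invalid mix shown in the NOTE on page 1231
                problems.append(f"{name}: units {ml} are bundle members but units {other} use other families")
    for bname, unit in bundles.items():
        for stmt, (lo, hi) in RANGES.items():
            for n in unit.find(stmt):
                if not lo <= n.value() <= hi:
                    problems.append(f"{bname}: {stmt} {n.value()} outside {lo}-{hi}")
        for n in unit.find("fragment-threshold"):
            if n.value() and (n.value() % 64 or not 128 <= n.value() <= 16320):
                problems.append(f"{bname}: fragment-threshold {n.value()} is not 0 or Nx64 in 128-16320")
        for n in unit.find("minimum-links"):
            if n.value() > members.get(bname, 0):
                problems.append(f"{bname}: minimum-links {n.value()} but only {members.get(bname, 0)} member links")
        for a in (a for f in unit.find("family", "inet") for a in f.find("address")):
            if a.words[1].split("/")[-1] not in ("30", "32"):
                problems.append(f"{bname}: address {a.words[1]} must use a /30 or /32 mask")
        if members.get(bname, 0) > 8:
            problems.append(f"{bname}: {members[bname]} member links, maximum is 8")
    return problems


SAMPLE = """\
interfaces {
    t1-1/0/0 { unit 0 { family mlppp { bundle ls-0/0/0.1; } } }
    t1-1/0/1 { unit 0 { family mlppp { bundle ls-0/0/0.1; } } }
    e3-0/0/0 {
        encapsulation frame-relay;
        unit 99 { dlci 99; family mlfr-end-to-end { bundle ls-0/0/0.2; } }
        unit 100 { dlci 100; family inet { address 192.168.164.53/30; } }  ## mixes mlfr with inet
    }
    ls-0/0/0 {
        unit 1 { encapsulation multilink-ppp; fragment-threshold 200; minimum-links 3;
                 mrru 4470; family inet { address 10.0.0.1/30; } }   ## 200 is not Nx64; only 2 members
        unit 2 { encapsulation multilink-frame-relay-end-to-end; dlci 1000;
                 family inet { address 10.0.1.1/24; } }              ## mask must be /30 or /32
    }
}
"""   # constructed sample built around the invalid example on page 1231

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

Run against the constructed sample, the script reports four violations: the mixed e3-0/0/0 port, the fragment threshold that is not a multiple of 64, a minimum-links value larger than the number of links that reference the bundle, and a /24 bundle address. Pass pic="4-bundle" or pic="32-bundle" to apply the smaller unit-number ranges of Table 18.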

Configuring Encapsulation for Multilink and Link Services Logical Interfaces


Multilink and link services interfaces support the following logical interface encapsulation types:

MLPPP
MLFR end-to-end

By default, the logical interface encapsulation type on multilink interfaces is MLPPP. The default logical interface encapsulation type on link services interfaces is MLFR end-to-end. For general information on encapsulation, see the Junos OS Network Interfaces Configuration Guide. You can also configure physical interface encapsulation on link services interfaces. For more information, see Configuring Encapsulation for Link Services Physical Interfaces on page 1249. To configure multilink or link services encapsulation, include the encapsulation statement:
encapsulation type;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

You must also configure the T1, E1, or DS0 physical interface with the same encapsulation type.

CAUTION: When you configure the first MLFR encapsulated unit or delete the last MLFR encapsulated unit on a port, it triggers an interface encapsulation change on the port, which causes an interface flap on the other units within the port that are configured with generic Frame Relay.


Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces
By default, the drop timeout parameter is disabled. You can configure a drop timeout value to provide a recovery mechanism if individual links in the multilink or link services bundle drop one or more packets. Drop timeout is not a differential delay tolerance setting, and does not limit the overall latency. However, you need to make sure the value you set is larger than the expected differential delay across the links, so that the timeout period does not elapse under normal jitter conditions, but only when there is actual packet loss. You can configure differential delay tolerance for link services interfaces only. For more information, see Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 on page 1250. To configure the drop timeout value, include the drop-timeout statement:
drop-timeout milliseconds;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For link services interfaces, you also can configure the drop timeout value at the physical interface level by including the drop-timeout statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
drop-timeout milliseconds;

By default, the drop timer has a value of 500 ms for bundles greater than or equal to the T1 bandwidth value, and 1500 ms for other bundles. Any CLI-configured value overrides these defaults. Values can range from 1 through 2000 milliseconds. Values less than 5 milliseconds are not recommended, and a configured value of 0 reverts to the default value of 2000 milliseconds.

NOTE: For multilink or link services interfaces, if a packet or fragment encounters an error condition and is destined for a disabled bundle or link, it does not contribute to the dropped packet and frame counts in the per-bundle statistics. The packet is counted under the global error statistics and is not included in the global output bytes and output packet counts. This unusual accounting happens only if the error conditions are generated inside the multilink interface, not if the packet encounters errors on the wire or elsewhere in the network.

If you configure the drop-timeout statement with a value of 0, it disables any resequencing by the PIC for the specified class of MLPPP traffic. Packets are forwarded with the assumption that they arrived in sequence, and forwarding of fragmented packets is disabled for all classes. Fragments dropped as a result of this setting will increment the counter at the class level.


Alternatively, you can configure the drop-timeout statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class] hierarchy level. The behavior and the default and range values are identical, but the setting applies only to the specified forwarding class. Configuration at the bundle level overrides configuration at the class-of-service level. By default, compression of the inner PPP header in the MLPPP payload is enabled. To disable compression, include the disable-mlppp-inner-ppp-pfc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. For example:
interfaces lsq-1/2/0 {
    unit 0 {
        encapsulation multilink-ppp;
        disable-mlppp-inner-ppp-pfc;
        multilink-max-classes 4;
        family inet {
            address 10.50.1.2/30;
        }
    }
}

For more information about CoS configuration, see the Junos OS Class of Service Configuration Guide. You can view the configured drop-timeout value and the status of inner PPP header compression by issuing the show interfaces interface-name extensive command.

Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces
For multilink and link services logical interfaces with MLPPP encapsulation only, you can configure a fragmentation threshold to limit the size of packet payloads transmitted across the individual links within the multilink circuit. The software splits any incoming packet that exceeds the fragmentation threshold into smaller units suitable for the circuit size; it reassembles the fragments at the other end, but does not affect the output traffic stream. The threshold value affects the payload only; it does not affect the MLPPP header. By default, the fragmentation threshold parameter is disabled.

NOTE: To ensure proper load balancing:

For Link Services MLFR (FRF.15 and FRF.16) interfaces, do not include the fragment-threshold statement in the configuration.
For MLPPP interfaces, do not include both the fragment-threshold statement and the short-sequence statement in the configuration.
For MLFR (FRF.15 and FRF.16) and MLPPP interfaces, if the MTU of links in a bundle is less than the bundle MTU plus encapsulation overhead, then fragmentation is automatically enabled. You should avoid this situation for MLFR (FRF.15 and FRF.16) interfaces and for MLPPP interfaces on which short-sequencing is enabled.

To configure a fragmentation threshold value, include the fragment-threshold statement:


fragment-threshold bytes;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For link services interfaces, you also can configure a fragmentation threshold value at the physical interface level by including the fragment-threshold statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
fragment-threshold bytes;

The maximum fragment size can be from 128 through 16,320 bytes. The Junos OS automatically subdivides packet payloads that exceed this value. Any value you set must be a multiple of 64 bytes (Nx64). The default value, 0, results in no fragmentation.

Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces
You can set the minimum number of links that must be up for the multilink bundle as a whole to be labeled up. By default, only one link must be up for the bundle to be labeled up. A member link is considered up when the PPP Link Control Protocol (LCP) phase transitions to open state. The minimum-links value should be identical on both ends of the bundle. To set the minimum number, include the minimum-links statement:
minimum-links number;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For link services interfaces, you also can configure the minimum number of links at the physical interface level by including the minimum-links statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
minimum-links number;

The number can be from 1 through 8. The maximum number of links supported in a bundle is 8. When 8 is specified, all configured links of a bundle must be up.

Configuring MRRU on Multilink and Link Services Logical Interfaces


The maximum received reconstructed unit (MRRU) is similar to a maximum transmission unit (MTU), but applies only to multilink bundles; it is the maximum packet size that the multilink interface can process. By default, the MRRU is set to 1500 bytes; you can configure a different MRRU value if the peer equipment allows this. The MRRU accounts for the original payload, for example the Layer 3 protocol payload, but does not include the 2-byte PPP header or the additional MLPPP or MLFR header applied while the individual multilink packets are traversing separate links in the bundle. To configure a different MRRU value, include the mrru statement:
mrru bytes;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For link services interfaces, you also can configure a different MRRU at the physical interface level by including the mrru statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
mrru bytes;

The MRRU size can range from 1500 through 4500 bytes.

NOTE: If you set the MRRU on a bundle to a value larger than the MTU of the individual links within it, you must enable a fragmentation threshold for that bundle. Set the threshold to a value no larger than the smallest MTU of any link included in the bundle. Determine the appropriate MTU size for the bundle by ensuring that the MTU size does not exceed the sum of the encapsulation overhead and the MTU sizes for the links in the bundle.

You can configure separate family mtu values on the following protocol families under bundle interfaces: inet, inet6, iso, and mpls. If not configured, the default value of 1500 is used on all except for mpls configurations, in which the value 1488 is used.

NOTE: The effective family MTU might differ from the MTU value specified for MLPPP configurations, because it is adjusted downward to satisfy the remote peer's MRRU. The remote MRRU configuration is not supported on M120 routers.

Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces
For MLPPP, the sequence header format is set to 24 bits by default. You can configure an alternative value of 12 bits, but 24 bits is considered the more robust value for most networks. To configure a different sequence header value, include the short-sequence statement:


short-sequence;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For MLFR FRF.15 and FRF.16, the sequence header format is fixed at 12 bits (see Table 19 on page 1238); there is no alternative value.
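The three preceding sections (drop timeout, fragmentation threshold, and sequence header format) describe settings that interact on the wire. The following Python program is an added example for this guide, not Juniper code and not the PIC's actual implementation: it fragments packets with RFC 1990-style B/E flags and a 12- or 24-bit sequence number, sends the fragments round-robin over member links with different one-way delays, and reassembles them with a drop timeout. The link delays, packet sizes, and 1 ms send interval are constructed values, and the expiry and reassembly logic is a simplified model.

```python
"""Simulate MLPPP fragmentation, reordering and reassembly with a drop timeout.

Added example for this chapter, not Juniper code. It models the RFC 1990
fragment header (B/E flags, 12- or 24-bit sequence number), splits a payload
at the fragment threshold, spreads fragments round-robin over member links
with different one-way delays, and reassembles them at the far end. A packet
whose fragments have waited longer than the drop timeout is dropped, which is
why the timeout must exceed the bundle's differential delay.
"""
from dataclasses import dataclass

SEQ_BITS = {True: 12, False: 24}     # short-sequence -> 12-bit header, default 24-bit


@dataclass(frozen=True)
class Fragment:
    seq: int       # bundle-wide sequence number, wraps at 2**bits
    begin: bool    # B flag: first fragment of the packet
    end: bool      # E flag: last fragment of the packet
    data: bytes


def fragment(payload, seq, threshold, short_sequence=False):
    """Split payload into fragments of at most threshold bytes; return (frags, next_seq).

    threshold 0 disables fragmentation; otherwise it must be Nx64 in 128..16320.
    """
    if threshold and (threshold % 64 or not 128 <= threshold <= 16320):
        raise ValueError("fragment-threshold must be 0 or Nx64 in 128..16320")
    modulus, size = 1 << SEQ_BITS[short_sequence], threshold or max(len(payload), 1)
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)] or [b""]
    frags = [Fragment((seq + i) % modulus, i == 0, i == len(chunks) - 1, c)
             for i, c in enumerate(chunks)]
    return frags, (seq + len(chunks)) % modulus


class Reassembler:
    """Receiving side: reorder by sequence number, rebuild packets, expire stale ones."""

    def __init__(self, drop_timeout_ms, short_sequence=False):
        self.timeout, self.modulus = drop_timeout_ms, 1 << SEQ_BITS[short_sequence]
        self.pending = {}     # seq -> (Fragment, arrival time in ms)
        self.packets, self.dropped = [], 0

    def receive(self, frag, now_ms):
        self.pending[frag.seq] = (frag, now_ms)
        self._expire(now_ms)
        self._assemble()

    def _expire(self, now_ms):
        # Fragments older than the drop timeout are discarded; each discarded
        # B fragment is one packet that can never be completed.
        stale = [s for s, (_, t) in self.pending.items() if now_ms - t > self.timeout]
        self.dropped += sum(1 for s in stale if self.pending[s][0].begin)
        for s in stale:
            del self.pending[s]

    def _assemble(self):
        # From every B fragment, walk consecutive sequence numbers (modulo the
        # header size) until the E fragment; emit each complete run as a packet.
        progress = True
        while progress:
            progress = False
            for start in [s for s, (f, _) in self.pending.items() if f.begin]:
                run, s = [], start
                while s in self.pending and not (run and run[-1].end):
                    run.append(self.pending[s][0])
                    s = (s + 1) % self.modulus
                if run and run[-1].end:
                    for f in run:
                        del self.pending[f.seq]
                    self.packets.append(b"".join(f.data for f in run))
                    progress = True
                    break


def run_bundle(packets, link_delays_ms, threshold, drop_timeout_ms,
               short_sequence=False, start_seq=0):
    """Send packets 1 ms apart, round-robin over links; return (delivered, dropped).

    A fragment arrives after its link's one-way delay (serialization ignored), so
    the differential delay is max(link_delays_ms) - min(link_delays_ms).
    """
    seq, k, wire = start_seq, 0, []
    for i, payload in enumerate(packets):
        frags, seq = fragment(payload, seq, threshold, short_sequence)
        for frag in frags:
            wire.append((i + link_delays_ms[k % len(link_delays_ms)], frag))
            k += 1
    wire.sort(key=lambda item: item[0])    # stable sort keeps send order within a tick
    rx = Reassembler(drop_timeout_ms, short_sequence)
    for now, frag in wire:
        rx.receive(frag, now)
    return rx.packets, rx.dropped


if __name__ == "__main__":
    pkts = [bytes([n]) * 1000 for n in range(3)]     # constructed payloads
    for timeout in (50, 20):                          # link delays 10 and 40 ms: 30 ms differential
        delivered, dropped = run_bundle(pkts, [10, 40], 256, timeout)
        print(f"drop-timeout {timeout} ms: {len(delivered)} delivered, {dropped} dropped")
```

With a 30 ms differential delay, a 50 ms drop timeout delivers all three packets while a 20 ms timeout drops every one of them although nothing was lost, which is the normal-jitter failure the drop timeout section warns about. The 12-bit counter wraps at 4096, so the receiver compares sequence numbers modulo the header size; fragmenting a packet across that boundary still reassembles correctly.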

Configuring DLCIs on Link Services Logical Interfaces


For link services interfaces only, you can configure multiple DLCIs for MLFR FRF.16 or MLPPP bundles. DLCIs are not supported on multilink interfaces.

Configuring Point-to-Point DLCIs for MLFR FRF.16 and MLPPP Bundles


For link services interfaces only, you can configure multiple point-to-point DLCIs for each MLFR FRF.16 or MLPPP bundle. A channelized interface, such as ls-1/1/1:0, denotes a single MLFR FRF.16 bundle. To configure a DLCI, include the dlci statement:
dlci dlci-identifier;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The DLCI identifier is a value from 16 through 1022. Numbers 1 through 15 are reserved for future use. When you configure point-to-point connections, the maximum transmission unit (MTU) sizes on both sides of the connection must be the same.

Configuring Multicast-Capable DLCIs for MLFR FRF.16 Bundles


For link services interfaces only, you can configure multiple multicast-capable DLCIs for each MLFR FRF.16 bundle. A channelized interface, such as ls-1/1/1:0, denotes a single MLFR FRF.16 bundle. By default, Frame Relay connections assume unicast traffic. If your Frame Relay switch performs multicast replication, you can configure the link services connection to support multicast traffic by including the multicast-dlci statement:
multicast-dlci dlci-identifier;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]


The DLCI identifier is a value from 16 through 1022 that defines the Frame Relay DLCI over which the switch expects to receive multicast packets for replication. You can configure multicast support only on point-to-multipoint link services connections. Multicast-capable DLCIs are not supported on multilink interfaces. If keepalives are enabled, causing the interface to send Local Management Interface (LMI) messages during idle times, the number of possible DLCI configurations is limited by the MTU selected for the interface. For more information, see Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces


For link services FRF.15 and MLPPP interfaces only, you can configure link fragment interleaving (LFI). LFI reduces excessive delays of Frame Relay packets by fragmenting long packets into smaller packets and interleaving them with real-time frames. This allows real-time and non-real-time data frames to be carried together on lower-speed links without causing excessive delays to the real-time traffic. When the peer interface receives the smaller fragments, it reassembles the fragments into their original packet. For example, short delay-sensitive packets, such as packetized voice, can race ahead of larger delay-insensitive packets, such as common data packets.

NOTE: All Link Services PICs (4-multilink bundle, 32-multilink bundle, and 128-multilink bundle) support up to 256 link services interfaces with LFI enabled, if those link services interfaces contain only one constituent link each. For the Link Services PIC, multiple-link LFI bundles are simply multilink bundles, and are limited based on the type of PIC (4-multilink bundle, 32-multilink bundle, and 128-multilink bundle). In addition, the multilink bundles you configure subtract from the total of 256 possible LFI-enabled link services interfaces. For example, if a 32-multilink bundle Link Services PIC has 24 multilink bundles configured and active, then you can configure 256 - 24 = 232 LFI-enabled link services interfaces, each with a single constituent link. For link services IQ interfaces (lsq), the interleave-fragments statement is not valid. Instead, you can enable LFI by configuring fragmentation maps. For more information, see Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465.

You can configure multiple links in a bundle and configure packet interleaving. However, if you use packet interleaving, high-priority, nonmultilink-encapsulated packets use a hash-based algorithm to choose a single link. For detailed information about link services CoS, see Configuring CoS on Link Services Interfaces on page 1252.


Per-bundle CoS queuing is supported on link services IQ interfaces (lsq). For more information about link services IQ interfaces, see Layer 2 Service Package Capabilities and Interfaces on page 448. The Junos OS supports end-to-end fragmentation in compliance with the FRF.12 Frame Relay Fragmentation Implementation Agreement standard. Unlike user-to-network interface (UNI) and network-to-network (NNI) fragmentation, end-to-end supports fragmentation only at the endpoints. By default, packet interleaving is disabled. To enable packet interleaving, include the interleave-fragments statement:
interleave-fragments;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Configuring LFI with DLCI Scheduling


For Link Services and Channelized DS3 IQ PICs, you can configure LFI and DLCI scheduling. For channelized DS3 interfaces, LFI is supported with FRF.15 only, and on M10i and M20 platforms only. Configuring LFI with DLCI scheduling enables packets entering the Link Services PIC to be fragmented before being transmitted to the Channelized DS3 IQ PIC. Once the fragmented packets enter the Channelized DS3 IQ PIC, they are scheduled at the DLCI level, to allow priority transmission for real-time applications. For more information about associating a scheduler with a DLCI, see the Junos OS Class of Service Configuration Guide.

Example: Configuring LFI with DLCI Scheduling


Configure packets entering the Link Services PIC to be fragmented before being transmitted to the Channelized DS3 IQ PIC. Once the fragmented packets enter the Channelized DS3 IQ PIC, they are scheduled at the DLCI level, to allow priority transmission for real-time applications.
[edit interfaces]
ls-1/0/0 {
    unit 1 {
        encapsulation multilink-frame-relay-end-to-end;
        interleave-fragments;
        family inet {
            address 192.168.5.2/32 {
                destination 192.168.5.3;
            }
        }
    }
}
t3-1/0/0:1 {
    per-unit-scheduler;
    unit 0 {
        dlci 16;
        encapsulation multilink-frame-relay-end-to-end;
        family mlfr-end-to-end {
            bundle ls-1/0/0.1;
        }
    }
}
[edit class-of-service]
interfaces {
    t3-1/0/0:1 {
        unit 0 {
            scheduler-map sched-map-logical-0;
            shaping-rate 10m;
        }
        unit 1 {
            scheduler-map sched-map-logical-1;
            shaping-rate 20m;
        }
    }
}
scheduler-maps {
    sched-map-logical-0 {
        forwarding-class best-effort scheduler sched-best-effort-0;
        forwarding-class assured-forwarding scheduler sched-bronze-0;
        forwarding-class expedited-forwarding scheduler sched-silver-0;
        forwarding-class network-control scheduler sched-gold-0;
    }
    sched-map-logical-1 {
        forwarding-class best-effort scheduler sched-best-effort-1;
        forwarding-class assured-forwarding scheduler sched-bronze-1;
        forwarding-class expedited-forwarding scheduler sched-silver-1;
        forwarding-class network-control scheduler sched-gold-1;
    }
}
schedulers {
    sched-best-effort-0 {
        transmit-rate 4m;
    }
    sched-bronze-0 {
        transmit-rate 3m;
    }
    sched-silver-0 {
        transmit-rate 2m;
    }
    sched-gold-0 {
        transmit-rate 1m;
    }
    sched-best-effort-1 {
        transmit-rate 8m;
    }
    sched-bronze-1 {
        transmit-rate 6m;
    }
    sched-silver-1 {
        transmit-rate 4m;
    }
    sched-gold-1 {
        transmit-rate 2m;
    }
}

Configuring Link Services Physical Interfaces


You configure link services interface properties at the logical unit and physical interface level. Default settings for link services physical interface properties are described in Default Settings for Link Services Interfaces on page 1248. The following sections explain how to configure link services physical interfaces:

Default Settings for Link Services Interfaces on page 1248
Configuring Encapsulation for Link Services Physical Interfaces on page 1249
Configuring Acknowledgment Timers on Link Services Physical Interfaces on page 1249
Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 on page 1250
Configuring Keepalives on Link Services Physical Interfaces on page 1251

For information about link services physical interface properties that can also be configured at the logical unit level, see Multilink and Link Services Logical Interface Configuration Overview on page 1237.

Default Settings for Link Services Interfaces


Table 20 on page 1248 lists the default settings for link services statements, together with the other permitted values or value ranges.

Table 20: Link Services Physical Interface Statements for MLFR FRF.16

Option                                      Default Value                   Possible Values
Action red differential delay               remove-link                     disable-tx, remove-link
Red differential delay                      120 ms                          1 through 2000 ms
Yellow differential delay                   72 ms                           1 through 2000 ms
Drop timeout period                         0 ms                            0 through 2000 ms
Encapsulation                               multilink-frame-relay-uni-nni   multilink-frame-relay-uni-nni
Fragmentation threshold                     0 bytes                         128 through 16,320 bytes (Nx64)
LMI type                                    itu                             ansi, itu
Minimum links                               1 link                          1 through 8 links
MRRU                                        1504 bytes                      1500 through 4500 bytes
n391 (full status polling counter)          6                               1 through 255
n392 (LMI error threshold)                  3                               1 through 10
n393 (LMI monitored event count)            4                               1 through 10
t391 (link integrity verify polling timer)  10                              5 through 30
t392 (polling verification timer)           15                              5 through 30
Sequence ID format for MLFR                 12 bits                         12 bits

Configuring Encapsulation for Link Services Physical Interfaces


Link services interfaces support the physical interface encapsulation MLFR UNI NNI. By default, the physical interface encapsulation on link services interfaces is MLFR UNI NNI. Multilink interfaces do not support physical interface encapsulation. For more information, see the Junos OS Network Interfaces Configuration Guide. You can also configure logical interface encapsulation on multilink and link services interfaces. For more information, see Configuring Encapsulation for Multilink and Link Services Logical Interfaces on page 1239. To explicitly configure link services physical interface encapsulation, include the encapsulation statement at the [edit interfaces ls-fpc/pic/port:channel] hierarchy level:
encapsulation type;

You must also configure the T1, E1, or DS0 physical interface with the same encapsulation type.

Configuring Acknowledgment Timers on Link Services Physical Interfaces


For link services interfaces configured with MLFR FRF.16, each link end point in a bundle initiates a request for bundle operation with its peer by transmitting an add link message. A hello message notifies the peer end point that the local end point is up. Both ends of a link generate a hello message periodically, or as configured with the hello timer. A remove link message notifies the peer that the local end management is removing the link from bundle operation. End points respond to add link, remove link, and hello messages by sending acknowledgment messages. You can configure the maximum period to wait for an add link acknowledgment, hello acknowledgment, or remove link acknowledgment by including the acknowledge-timer statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
acknowledge-timer milliseconds;

The acknowledgment timer can be from 1 through 10 milliseconds. The default is 4 milliseconds.

For link services interfaces, you can configure the number of retransmission attempts to be made for consecutive hello or remove link messages after the expiration of the acknowledgment timer by including the acknowledge-retries statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
acknowledge-retries number;

The acknowledge-retries value can be from 1 through 5. The default is 2.

You can configure the rate at which hello messages are sent by including the hello-timer statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
hello-timer milliseconds;

A hello message is transmitted after the specified period (in milliseconds) has elapsed. The hello timer can be from 1 through 180 milliseconds; the default is 10 milliseconds. When the hello timer expires, a link end point generates an add-link message.

Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16
For link services interfaces configured with MLFR FRF.16, the differential delay between links in a bundle is measured and a warning is given when a link has a substantially greater differential delay than other links in the same bundle. The implementing endpoint can determine whether the differential delay is in an acceptable range and decide to remove the link from the bundle, or to stop transmission on the link. You can configure the yellow differential delay for links in a bundle by including the yellow-differential-delay statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
yellow-differential-delay milliseconds;

The yellow differential delay can be from 1 through 2000 milliseconds. The default is 72 milliseconds.

You can configure the red differential delay for links in a bundle, which triggers a warning, by including the red-differential-delay statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
red-differential-delay milliseconds;

The red differential delay can be from 1 through 2000 milliseconds. The default is 120 milliseconds.

You can configure the action to be taken when the differential delay exceeds the red limit by including the action-red-differential-delay statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
action-red-differential-delay (disable-tx | remove-link);

The disable-tx option disables transmission on the link. The remove-link option removes the link from the bundle. The default action is remove-link. You can view these settings in the output of the show interfaces extensive lsq-fpc/pic/port:channel command.
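The following added Python example (not Juniper code) models the yellow and red thresholds described above, with the ranges and defaults of Table 20, and shows how the two red actions differ in what they leave of the bundle. The measurement method (each link's delay relative to the fastest link in the bundle), the strictly-greater-than comparison, and the link names and delay values are assumptions, not taken from the guide.

```python
"""Differential-delay evaluation for the links of an MLFR FRF.16 bundle.

Added example, not Juniper code. It applies the yellow and red thresholds
to measured per-link delays: a link above yellow-differential-delay is
flagged, and a link above red-differential-delay is subject to
action-red-differential-delay (disable-tx or remove-link).
Ranges and defaults follow Table 20 (1 through 2000 ms; 72 ms and 120 ms).
Assumptions not stated in the guide: a link's differential delay is its
measured delay minus the smallest delay in the bundle, and "exceeds" means
strictly greater than the threshold.
"""
from dataclasses import dataclass
from typing import Dict, List

VALID_ACTIONS = ("disable-tx", "remove-link")


@dataclass(frozen=True)
class DelayOptions:
    """The three mlfr-uni-nni-bundle-options statements, with Table 20 defaults."""
    yellow_differential_delay: int = 72    # ms
    red_differential_delay: int = 120      # ms
    action_red_differential_delay: str = "remove-link"

    def validate(self) -> "DelayOptions":
        for name in ("yellow_differential_delay", "red_differential_delay"):
            value = getattr(self, name)
            if not 1 <= value <= 2000:
                raise ValueError(f"{name} must be 1 through 2000 ms, got {value}")
        if self.action_red_differential_delay not in VALID_ACTIONS:
            raise ValueError(f"action must be one of {VALID_ACTIONS}")
        return self


def options_are_valid(**overrides) -> bool:
    """True if the given statement values fall inside the Table 20 ranges."""
    try:
        DelayOptions(**overrides).validate()
        return True
    except ValueError:
        return False


def differential_delays(delays_ms: Dict[str, int]) -> Dict[str, int]:
    """Delay of each link relative to the fastest link in the bundle (assumption)."""
    if len(delays_ms) < 2:
        raise ValueError("differential delay needs at least two links in the bundle")
    fastest = min(delays_ms.values())
    return {link: delay - fastest for link, delay in delays_ms.items()}


def evaluate_bundle(delays_ms: Dict[str, int],
                    opts: DelayOptions = DelayOptions()) -> Dict[str, str]:
    """Per-link verdict: 'ok', 'yellow' (warning only), or the red action applied."""
    opts.validate()
    verdicts = {}
    for link, diff in differential_delays(delays_ms).items():
        if diff > opts.red_differential_delay:
            verdicts[link] = opts.action_red_differential_delay
        elif diff > opts.yellow_differential_delay:
            verdicts[link] = "yellow"
        else:
            verdicts[link] = "ok"
    return verdicts


def bundle_state(delays_ms: Dict[str, int],
                 opts: DelayOptions = DelayOptions()) -> Dict[str, List[str]]:
    """What the two red actions differ in: remove-link drops the link from the
    bundle, disable-tx keeps it as a member but stops transmitting on it."""
    verdicts = evaluate_bundle(delays_ms, opts)
    return {
        "members": sorted(l for l, v in verdicts.items() if v != "remove-link"),
        "transmitting": sorted(l for l, v in verdicts.items() if v not in VALID_ACTIONS),
    }


# Constructed sample measurement (ms) for three T1 links of one ls- bundle.
SAMPLE_DELAYS_MS = {"t1-0/1/0": 20, "t1-0/1/1": 100, "t1-0/1/2": 150}

if __name__ == "__main__":
    for link, verdict in evaluate_bundle(SAMPLE_DELAYS_MS).items():
        print(f"{link}: {verdict}")
    print(bundle_state(SAMPLE_DELAYS_MS, DelayOptions(action_red_differential_delay="disable-tx")))
```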

Configuring Keepalives on Link Services Physical Interfaces


You can tune the keepalive settings on the physical link services interface. By default, the Junos OS uses ITU Q.933 Annex A LMIs for FRF.16. To use ANSI LMIs instead, include the lmi-type ansi statement at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level. LMI type ANSI is used in the following example:
lmi-type ansi;

To configure Frame Relay keepalive parameters on a link services interface, include the n391, n392, n393, t391, and t392 statements at the [edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]
n391 number;
n392 number;
n393 number;
t391 number;
t392 number;

The statements determine the indicated keepalive settings:

n391: Full status polling interval. The data terminal equipment (DTE) sends a status inquiry to the data communication equipment (DCE) at the interval specified by the t391 statement. This statement sets the frequency at which the DTE requests a full status report; for example, the value 10 means that the DTE requests a full status report in every tenth inquiry. The intermediate inquiries request a keepalive response only. The range is 1 through 255, with a default of 6.

n392: Error threshold, which is the maximum number of errors that can occur during the number of events set by the n393 statement before the link is marked inoperative. The range is 1 through 10, with a default of 3.

n393: Monitored event count. The range is 1 through 10, with a default of 4.

t391: The interval at which the DTE requests a keepalive response from the DCE and updates status, depending on the error threshold value. The range is 5 through 30 seconds, with a default of 10 seconds.

t392: The period during which the DCE checks for keepalive responses from the DTE and updates status, depending on the DCE error threshold value. The range is 5 through 30 seconds, with a default of 15 seconds.

NOTE: For the LMI to work properly, you must configure one side of a link services bundle to be a DCE.
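The following added Python example (not Juniper code) works through the n391, n392, n393, t391, and t392 semantics above with the Table 20 defaults: which DTE inquiries request full status, and when a run of missed keepalives marks the link inoperative. The inquiry numbering, the rule "at least n392 errors among the last n393 events", the DCE window model and the sample inquiry times are assumptions, not taken from the guide.

```python
"""LMI keepalive arithmetic for the n391, n392, n393, t391, and t392 statements.

Added example, not Juniper code. With the Table 20 defaults it shows which DTE
status inquiries request a full status report (n391, one inquiry every t391
seconds) and how a sliding window of n393 monitored events containing n392
errors marks the link inoperative. Assumptions not stated in the guide:
inquiries are numbered from 1, "n392 errors within n393 events" means at
least n392 errors among the last n393 events, and on the DCE side each
t392-second period in which no inquiry arrives is one error event.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Permitted ranges from Table 20.
RANGES = {"n391": (1, 255), "n392": (1, 10), "n393": (1, 10), "t391": (5, 30), "t392": (5, 30)}


@dataclass(frozen=True)
class LmiKeepalive:
    n391: int = 6    # full status polling counter
    n392: int = 3    # LMI error threshold
    n393: int = 4    # LMI monitored event count
    t391: int = 10   # DTE polling interval, seconds
    t392: int = 15   # DCE polling verification timer, seconds

    def validate(self) -> "LmiKeepalive":
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name} {value} is outside {lo} through {hi}")
        return self

    def is_full_status_poll(self, inquiry_number: int) -> bool:
        """Every n391-th inquiry asks for full status; the rest are keepalives."""
        if inquiry_number < 1:
            raise ValueError("inquiry numbers start at 1")
        return inquiry_number % self.n391 == 0

    def dte_inquiries(self, horizon_s: int) -> List[Tuple[int, str]]:
        """(send time in seconds, 'full' or 'keepalive') for each inquiry the DTE
        sends up to horizon_s, one every t391 seconds."""
        out = []
        k = 1
        while k * self.t391 <= horizon_s:
            out.append((k * self.t391, "full" if self.is_full_status_poll(k) else "keepalive"))
            k += 1
        return out

    def dce_events(self, inquiry_times_s: Iterable[int], horizon_s: int) -> List[bool]:
        """DCE view: one monitored event per t392-second period, True when at
        least one inquiry arrived in that period (assumption, see above)."""
        times = sorted(inquiry_times_s)
        events = []
        start = 0
        while start + self.t392 <= horizon_s:
            end = start + self.t392
            events.append(any(start <= t < end for t in times))
            start = end
        return events

    def first_inoperative_event(self, events: Iterable[bool]) -> Optional[int]:
        """1-based number of the event at which the link is marked inoperative,
        or None if the error threshold is never reached within the window."""
        window = deque(maxlen=self.n393)
        for number, ok in enumerate(events, start=1):
            window.append(ok)
            if sum(1 for e in window if not e) >= self.n392:
                return number
        return None


def settings_are_valid(**overrides) -> bool:
    """True if the given statement values fall inside the Table 20 ranges."""
    try:
        LmiKeepalive(**overrides).validate()
        return True
    except ValueError:
        return False


DEFAULTS = LmiKeepalive().validate()
# Constructed sample: the DTE polls every 10 s but falls silent after 20 s.
SILENT_DTE_TIMES_S = [10, 20]


def demo(horizon_s: int = 75) -> dict:
    """Default settings applied to the constructed sample."""
    events = DEFAULTS.dce_events(SILENT_DTE_TIMES_S, horizon_s)
    return {
        "full_status_polls_s": [t for t, kind in DEFAULTS.dte_inquiries(130) if kind == "full"],
        "dce_events": events,
        "inoperative_at_event": DEFAULTS.first_inoperative_event(events),
    }


if __name__ == "__main__":
    print(demo())
```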

Configuring CoS on Link Services Interfaces


For link services IQ (lsq-) interfaces, Junos class of service (CoS) is fully supported and functions as described in the Junos OS Class of Service Configuration Guide. For more information and detailed configuration examples, see Layer 2 Service Package Capabilities and Interfaces on page 448. On SRX Series and J Series devices, the lsq- interface is an internal interface, which is not associated with a physical interface. For information about link services on SRX Series and J Series devices, see the Junos OS Interfaces Configuration Guide for Security Devices. For information about CoS functions and link services on M Series or T Series routers, see the following sections:

CoS for Link Services Interfaces on M Series and T Series Routers on page 1252
Example: Configuring CoS on Link Services Interfaces on page 1253

CoS for Link Services Interfaces on M Series and T Series Routers


For Link Services PIC interfaces (ls) on M Series and T Series routers, queue 0 is the only queue that you should configure to receive fragmented packets. Configure all other queues to be higher-priority queues. Table 21 on page 1252 summarizes how CoS queues work on link services (ls) interfaces.

Table 21: Link Services CoS Queues

Supported Bundling Type     Queue 0    Higher-Priority Queues
Hash-based load balancing   No         Yes
MLFR FRF.15                 Yes        No
MLFR FRF.16                 Yes        No
MLPPP                       Yes        No

For M Series and T Series routers, CoS on link services (ls) interfaces works as follows:

On all platforms, the Link Services PIC currently supports up to four queues: 0, 1, 2, and 3. Queue 0 uses MLFR FRF.15, MLFR FRF.16, or MLPPP to bundle packets. Higher-priority queues (1, 2, and 3) use hash-based load balancing to bundle packets. IP and MPLS header information is included in the hash.

MLPPP packets traversing link services interfaces using queue 0 are fragmented and distributed across the constituent links. Queue 0 packets are sent on the least utilized link, proportional to its bandwidth. The queue 0 load balancer attempts to maintain even distribution of all traffic across all constituent links. In situations with a small number of high-priority traffic flows (queues 1, 2, and 3), queue 0 traffic might be unevenly distributed.

For the MLFR FRF.16 protocol, only queue 0 works. If you configure a bundled interface to use MLFR FRF.16 with queue 0, you must ensure that the classifier does not send any traffic to queues 1, 2, and 3 on that interface. To carry high-priority traffic correctly on MLFR FRF.16 interfaces, you must configure an output firewall filter that forces all traffic into queue 0 on the ls-fpc/pic/port:channel interface.

MLFR FRF.15 and MLPPP interfaces support CoS through packet interleaving. The MLFR FRF.16 standard does not support packet interleaving, so all packets destined for an FRF.16 PVC interface must egress from the same queue.

For constituent link interfaces of Link Services PICs, you can configure standard scheduler maps.

For input packets and fragments received from constituent links, you can use regular input firewall filters and standard CoS classifiers on the link services interface.

For packets that pass through a link services interface and are destined for a constituent link interface, all traffic using queue 0 is fragmented. Traffic using higher-priority queues (1, 2, and 3) is not fragmented.

For MLFR FRF.15 and MLPPP, routing protocol packets smaller than 128 bytes are sent to queue 3; routing protocol packets that exceed 128 bytes are sent to queue 0 and fragmented accordingly. For MLFR FRF.16, queue 0 is used for all packet sizes.

You must configure output firewall classification for egress traffic on the link services interface, not on the constituent link interface.

Inverse multiplexing for ATM (IMA) is not supported on link services interfaces.

For more information, see Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces on page 1245 and the Junos OS Routing Policy Configuration Guide.

Example: Configuring CoS on Link Services Interfaces


Configure CoS on a link services interface and its constituent link interfaces.

NOTE: This example applies to M Series and T Series routers. For examples that apply to SRX Series and J Series devices, see the Junos OS Interfaces Configuration Guide for Security Devices.

Packets that do not match the firewall filters are sent to a queue that performs load balancing by sending fragments to all constituent links.

Packets that match the firewall filters are sent to a queue that does not support packet fragmentation and reassembly; instead, this traffic is load-balanced by sending each packet flow to a different constituent link. Each packet that matches a firewall filter is subjected to a hash on the IP source address and the IP destination address to determine the packet flow to which each packet belongs. When you configure the MLPPP encapsulation type or the multilink FRF.15 Frame Relay end-to-end encapsulation type, routing protocol packets smaller than 128 bytes are sent to the network-control queue on the constituent link interface. This keeps routing protocols operating normally, even when low-speed links are congested by regular packets.
[edit interfaces]
ls-7/0/0 {
    unit 0 {
        encapsulation multilink-ppp;
        interleave-fragments;
        family inet {
            filter {
                output lfi_ls_filter;
            }
            address 10.54.0.2/32 {
                destination 10.54.0.1;
            }
        }
    }
}
ge-7/2/0 {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
ce1-7/3/6 {
    no-partition interface-type e1;
}
e1-7/3/6 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle ls-7/0/0.0;
        }
    }
}
ce1-7/3/7 {
    no-partition interface-type e1;
}
e1-7/3/7 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle ls-7/0/0.0;
        }
    }
}
[edit class-of-service]
classifiers {
    dscp dscp_default {
        import default;
    }
    inet-precedence inet-precedence_default {
        import default;
    }
}
code-point-aliases {
    dscp {
        af11 001010;
        af12 001100;
        af13 001110;
        af21 010010;
        af22 010100;
        af23 010110;
        af31 011010;
        af32 011100;
        af33 011110;
        af41 100010;
        af42 100100;
        af43 100110;
        be 000000;
        cs1 001000;
        cs2 010000;
        cs3 011000;
        cs4 100000;
        cs5 101000;
        cs6 110000;
        cs7 111000;
        ef 101110;
    }
    inet-precedence {
        af11 001;
        af21 010;
        af31 011;
        af41 100;
        be 000;
        cs6 110;
        cs7 111;
        ef 101;
        nc1 110;
        nc2 111;
    }
}
forwarding-classes {
    queue 0 be;
    queue 1 ef;
    queue 2 af;
    queue 3 nc;
}
interfaces {
    ge-7/2/0 {
        scheduler-map sched-map;
        unit 0 {
            classifiers {
                dscp dscp_default;
            }
        }
    }
    e1-7/3/6 {
        scheduler-map sched-map;
    }
    e1-7/3/7 {
        scheduler-map sched-map;
    }
    ls-7/0/0 {
        scheduler-map sched-map;
        unit 0 {
            classifiers {
                inet-precedence inet-precedence_default;
            }
        }
    }
}
scheduler-maps {
    sched-map {
        forwarding-class af scheduler af-scheduler;
        forwarding-class be scheduler be-scheduler;
        forwarding-class ef scheduler ef-scheduler;
        forwarding-class nc scheduler nc-scheduler;
    }
}
schedulers {
    af-scheduler {
        transmit-rate percent 25;
        buffer-size percent 25;
    }
    be-scheduler {
        transmit-rate percent 25;
        buffer-size percent 25;
    }
    ef-scheduler {
        transmit-rate percent 25;
        buffer-size percent 25;
    }
    nc-scheduler {
        transmit-rate percent 25;
        buffer-size percent 25;
    }
}
[edit firewall]
filter lfi_ls_filter {
    term term0 {
        from {
            destination-address {
                192.168.1.3/32;
            }
            precedence 5;
        }
        then {
            count count-192-168-1-3;
            forwarding-class af;
            accept;
        }
    }
    term default {
        then {
            log;
            forwarding-class be;
            accept;
        }
    }
}

Examples: Configuring Multilink Interfaces


The examples in this section include only the configuration of multilink interfaces. For information about configuring the constituent interfaces, see the Junos OS Network Interfaces Configuration Guide. The examples in this section show the following configurations:

Example: Configuring a Multilink Interface with MLPPP on page 1257
Example: Configuring a Multilink Interface with MLPPP over ATM 2 Interfaces on page 1258
Example: Configuring a Multilink Interface with MLFR FRF.15 on page 1259

Example: Configuring a Multilink Interface with MLPPP


[edit interfaces]
ml-1/0/0 {
    unit 1 {
        fragment-threshold 128;
        family inet {
            address 192.168.5.1/32 {
                destination 192.168.200.200;
            }
        }
    }
    unit 10 {
        family inet {
            address 10.1.1.3/32 {
                destination 10.1.1.2;
            }
        }
    }
}
t1-5/1/0 {
    unit 0 {
        family mlppp {
            bundle ml-1/0/0.1;
        }
    }
}
t1-5/1/1 {
    unit 0 {
        family mlppp {
            bundle ml-1/0/0.1;
        }
    }
}
t1-5/1/2 {
    unit 0 {
        family mlppp {
            bundle ml-1/0/0.1;
        }
    }
}

Example: Configuring a Multilink Interface with MLPPP over ATM 2 Interfaces


[edit interfaces]
at-0/0/0 {
    atm-options {
        pic-type atm2;
        vpi 10;
    }
    unit 0 {
        encapsulation atm-mlppp-llc;
        ppp-options {
            chap {
                access-profile pe-B-ppp-clients;
                local-name pe-A-at-0/0/0;
            }
        }
        keepalive interval 5 up-count 6 down-count 4;
        vci 10.120;
        family mlppp {
            bundle ls-0/3/0.0;
        }
    }
}
at-0/0/1 {
    atm-options {
        pic-type atm2;
        vpi 11;
    }
    unit 1 {
        encapsulation atm-mlppp-llc;
        ppp-options {
            chap {
                access-profile pe-B-ppp-clients;
                local-name pe-A-at-0/0/0;
            }
        }
        keepalive interval 5 up-count 6 down-count 4;
        vci 11.120;
        family mlppp {
            bundle ls-0/3/0.0;
        }
    }
}
at-1/2/3 {
    atm-options {
        pic-type atm2;
        vpi 12;
    }
    unit 2 {
        encapsulation atm-mlppp-llc;
        ppp-options {
            chap {
                access-profile pe-B-ppp-clients;
                local-name pe-A-at-0/0/0;
            }
        }
        keepalive interval 5 up-count 6 down-count 4;
        vci 12.120;
        family mlppp {
            bundle ls-0/3/0.0;
        }
    }
}
...
ls-0/3/0 {
    encapsulation multilink-ppp;
    interleave-fragments;
    keepalive;
    unit 0 {
        mrru 4500;
        short-sequence;
        fragment-threshold 16320;
        drop-timeout 2000;
        encapsulation multilink-ppp;
        interleave-fragments;
        minimum-links 8;
        family inet {
            address 10.10.0.1/32 {
                destination 10.10.0.2;
            }
        }
        family iso;
        family inet6 {
            address 2001:DB8:0:1/32 {
                destination 2001:DB8:0:2;
            }
        }
    }
    ...
}

Example: Configuring a Multilink Interface with MLFR FRF.15


[edit interfaces]
ml-1/0/0 {
    unit 1 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 192.168.5.2/32 {
                destination 192.168.5.3;
            }
        }
    }
    unit 10 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 10.1.1.3/32 {
                destination 10.1.1.2;
            }
        }
    }
}
t1-5/1/0 {
    unit 0 {
        dlci 16;
        encapsulation multilink-frame-relay-end-to-end;
        family mlfr-end-to-end {
            bundle ml-1/0/0.1;
        }
    }
}
t1-5/1/1 {
    unit 0 {
        dlci 17;
        encapsulation multilink-frame-relay-end-to-end;
        family mlfr-end-to-end {
            bundle ml-1/0/0.10;
        }
    }
}
t1-5/1/2 {
    unit 0 {
        dlci 26;
        encapsulation multilink-frame-relay-end-to-end;
        family mlfr-end-to-end {
            bundle ml-1/0/0.10;
        }
    }
}

Examples: Configuring Link Interfaces


The examples in this section include only the configuration of link interfaces. For information about configuring the constituent interfaces, see the Junos OS Network Interfaces Configuration Guide. The examples in this section show the following configurations:

Example: Configuring a Link Services Interface with Two Links on page 1261
Example: Configuring a Link Services Interface with MLPPP on page 1262
Example: Configuring a Link Services Interface with MLFR FRF.15 on page 1263
Example: Configuring a Link Services PIC with MLFR FRF.16 on page 1263
Example: Configuring Link and Voice Services Interfaces with a Combination of Bundle Types on page 1264

Example: Configuring a Link Services Interface with Two Links


This example uses the MLFR UNI NNI protocol between Router A and Router B and logically connects link services bundles ls-1/1/0.3 and ls-0/0/0.10, as specified in Table 22 on page 1261.

Table 22: Link Services Bundle

Router A                  Router B
t1-0/1/0 (ls-1/1/0:3)     t1-0/3/0 (ls-0/0/0:10)
t1-0/1/1 (ls-1/1/0:3)     t1-0/3/1 (ls-0/0/0:10)

For LMI to work properly, you must configure one router to be a DCE.

Configuration on Router A
[edit interfaces]
ls-1/1/0:3 {
    dce;
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        dlci 16;
        family inet {
            address 10.3.3.1/32 {
                destination 10.3.3.2;
            }
        }
    }
}
t1-0/1/0 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/1/0:3;
        }
    }
}
t1-0/1/1 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/1/0:3;
        }
    }
}

Configuration on Router B
[edit interfaces]
ls-0/0/0:10 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        dlci 16;
        family inet {
            address 10.3.3.2/32 {
                destination 10.3.3.1;
            }
        }
    }
}
t1-0/3/0 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-0/0/0:10;
        }
    }
}
t1-0/3/1 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-0/0/0:10;
        }
    }
}

Example: Configuring a Link Services Interface with MLPPP


[edit interfaces]
t1-0/0/0 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle ls-0/3/0.0;
        }
    }
}
t1-0/0/1 {
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle ls-0/3/0.0;
        }
    }
}
ls-0/3/0 {
    unit 0 {
        encapsulation multilink-ppp;
        family inet {
            address 10.16.1.2/32 {
                destination 10.16.1.1;
            }
        }
        family iso;
        family inet6 {
            address 2001:DB8:1:2/126;
        }
    }
}

Example: Configuring a Link Services Interface with MLFR FRF.15


[edit interfaces]
t1-0/0/0 {
    encapsulation frame-relay;
    unit 0 {
        dlci 16;
        family mlfr-end-to-end {
            bundle ls-0/3/0.0;
        }
    }
}
t1-0/0/1 {
    encapsulation frame-relay;
    unit 0 {
        dlci 16;
        family mlfr-end-to-end {
            bundle ls-0/3/0.0;
        }
    }
}
ls-0/3/0 {
    unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 10.16.1.2/32 {
                destination 10.16.1.1;
            }
        }
        family iso;
        family inet6 {
            address 2001:DB8:1:2/12;
        }
    }
}

Example: Configuring a Link Services PIC with MLFR FRF.16


[edit chassis]
fpc 1 {
    pic 2 {
        mlfr-uni-nni-bundles 5;
    }
}
[edit interfaces]
t1-0/0/0 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/2/0:0;
        }
    }
}
t1-0/0/1 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/2/0:0;
        }
    }
}
ls-1/2/0:0 {
    dce;
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        dlci 26;
        family inet {
            address 10.26.1.1/32 {
                destination 10.26.1.2;
            }
        }
    }
}

Example: Configuring Link and Voice Services Interfaces with a Combination of Bundle Types
[edit chassis]
fpc 1 {
    pic 3 {
        mlfr-uni-nni-bundles 4;
    }
}
[edit interfaces]
t1-0/2/0:0 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/3/0:0;
        }
    }
}
t1-0/2/0:1 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/3/0:0;
        }
    }
}
t1-0/2/0:5 {
    unit 0 {
        family mlppp {
            bundle ls-1/3/0.2;
        }
    }
}
t1-0/2/0:6 {
    unit 0 {
        family mlppp {
            bundle ls-1/3/0.2;
        }
    }
}
t1-0/2/0:7 {
    encapsulation frame-relay;
    unit 0 {
        dlci 20;
        family mlfr-end-to-end {
            bundle ls-1/3/0.1;
        }
    }
}
t1-0/2/0:8 {
    encapsulation frame-relay;
    unit 0 {
        dlci 20;
        family mlfr-end-to-end {
            bundle ls-1/3/0.1;
        }
    }
}
t1-0/2/0:10 {
    no-keepalives;
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.0;
        }
    }
}
t3-1/0/0 {
    no-keepalives;
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.2;
        }
    }
}
lsq-1/1/0 {
    unit 0 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                f-max-period 100;
                queues [ q1 q2 ];
                port minimum 2000 maximum 6000;
            }
        }
        family inet {
            address 10.5.5.5/24;
        }
    }
    unit 1 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                port minimum 2000 maximum 6000;
            }
        }
        family inet {
            address 10.6.6.1/24;
        }
    }
    unit 2 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                port minimum 2000 maximum 6000;
            }
        }
        family inet {
            address 10.9.9.1/24;
        }
    }
}
t1-1/2/0 {
    no-keepalives;
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.1;
        }
    }
}
ls-1/3/0 {
    unit 1 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 10.1.4.1/24;
        }
    }
    unit 2 {
        encapsulation multilink-ppp;
        family inet {
            address 10.7.4.1/24;
        }
    }
}
ls-1/3/0:0 {
    encapsulation multilink-frame-relay-uni-nni;
    mlfr-uni-nni-bundle-options {
        debug-flags 15;
    }
    unit 0 {
        dlci 20;
        family inet {
            address 10.5.4.1/24;
        }
    }
}
[edit routing-options]
static {
    route 10.12.12.0/24 next-hop 10.1.1.9;
}

On Router B:
[edit chassis]
fpc 1 {
    pic 3 {
        mlfr-uni-nni-bundles 4;
    }
}
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.1.1.1/24;
        }
    }
}
so-0/1/1 {
    encapsulation ppp;
    unit 0 {
        family inet {
            address 10.7.7.7/24;
        }
    }
}
t1-0/2/0:0 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/3/0:0;
        }
    }
}
t1-0/2/0:1 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle ls-1/3/0:0;
        }
    }
}
t1-0/2/0:5 {
    no-keepalives;
    unit 0 {
        family mlppp {
            bundle ls-1/3/0.2;
        }
    }
}
t1-0/2/0:6 {
    no-keepalives;
    unit 0 {
        family mlppp {
            bundle ls-1/3/0.2;
        }
    }
}
t1-0/2/0:7 {
    dce;
    encapsulation frame-relay;
    unit 0 {
        dlci 20;
        family mlfr-end-to-end {
            bundle ls-1/3/0.1;
        }
    }
}
t1-0/2/0:8 {
    dce;
    encapsulation frame-relay;
    unit 0 {
        dlci 20;
        family mlfr-end-to-end {
            bundle ls-1/3/0.1;
        }
    }
}
t1-0/2/0:10 {
    no-keepalives;
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.0;
        }
    }
}
t3-0/3/0 {
    no-keepalives;
    encapsulation ppp;
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.2;
        }
    }
}
ge-1/0/0 {
    unit 0 {
        family inet {
            address 10.2.2.1/24;
        }
    }
}
lsq-1/1/0 {
    unit 0 {
        compression {
            rtp {
                port minimum 2000 maximum 6000;
            }
        }
        family inet {
            address 10.5.5.1/24;
        }
    }
    unit 1 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                port minimum 16384 maximum 20102;
            }
        }
        family inet {
            address 10.3.4.1/24;
        }
    }
    unit 2 {
        encapsulation multilink-ppp;
        compression {
            rtp {
                port minimum 2000 maximum 6000;
            }
        }
        family inet {
            address 10.9.9.9/24;
        }
    }
}
t1-1/2/2 {
    no-keepalives;
    unit 0 {
        family mlppp {
            bundle ls-1/3/0.1;
        }
    }
}
t1-1/2/3 {
    no-keepalives;
    unit 0 {
        family mlppp {
            bundle lsq-1/1/0.1;
        }
    }
}
ls-1/3/0 {
    unit 1 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 10.1.4.4/24;
        }
        family iso;
    }
    unit 2 {
        encapsulation multilink-ppp;
        family inet {
            address 10.7.4.4/24;
        }
    }
}
ls-1/3/0:0 {
    dce;
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        dlci 20;
        family inet {
            address 10.5.4.4/24;
        }
    }
}
[edit routing-options]
static {
    route 10.12.12.0/24 next-hop 10.3.4.4;
}


CHAPTER 60

Summary of Multilink and Link Services Configuration Statements


The following sections explain each of the multilink and link services statements. The statements are organized alphabetically.

acknowledge-retries

Syntax
acknowledge-retries number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, configure the number of retransmission attempts to be made for consecutive hello or remove link messages following the expiration of the acknowledgment timer.

Options
number: Number of retransmission attempts to be made following the expiration of the acknowledgment timer.
Range: 1 through 5
Default: 2

Usage Guidelines
See Configuring Acknowledgment Timers on Link Services Physical Interfaces on page 1249.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
action-red-differential-delay on page 1273, hello-timer on page 1282


acknowledge-timer

Syntax
acknowledge-timer milliseconds;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, configure the maximum time, in milliseconds, to wait for an add link acknowledgment, hello acknowledgment, or remove link acknowledgment message.

Options
milliseconds: Time to wait for an add link acknowledgment, hello acknowledgment, or remove link acknowledgment message.
Range: 1 through 10 milliseconds
Default: 4 milliseconds

Usage Guidelines
See Configuring Acknowledgment Timers on Link Services Physical Interfaces on page 1249.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
address on page 1274, hello-timer on page 1282


action-red-differential-delay

Syntax
action-red-differential-delay (disable-tx | remove-link);

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, configure the action to be taken when the differential delay exceeds the red limit.

Options
disable-tx: Disable transmission on the bundle link.
remove-link: Remove the bundle link from service.
Default: remove-link

Usage Guidelines
See Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 on page 1250.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
yellow-differential-delay on page 1293


address

Syntax
address address {
    destination address;
}

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number family inet],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure the interface address.

Options
address: Address of the interface.
The remaining statements are explained separately.

Usage Guidelines
See Configuring the Links in a Multilink or Link Services Bundle on page 1236; for a general discussion of address statement options, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.

bundle

Syntax
bundle (ml-fpc/pic/port | ls-fpc/pic/port);

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number family mlfr-end-to-end],
[edit interfaces interface-name unit logical-unit-number family mlfr-uni-nni]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Associate the multilink interface with the logical interface it is joining.

Options
ml-fpc/pic/port: Name of the multilink interface you are linking.
ls-fpc/pic/port: Name of the link services interface you are linking.

Usage Guidelines
See Configuring the Links in a Multilink or Link Services Bundle on page 1236.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


destination

Syntax
destination destination-address;

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number family family address address],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family address address]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For point-to-point interfaces only, specify the address of the interface at the remote end of the connection.

Options
destination-address: Address of the remote side of the connection.

Usage Guidelines
See Multilink and Link Services Logical Interface Configuration Overview on page 1237.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

disable-mlppp-inner-ppp-pfc

Syntax
disable-mlppp-inner-ppp-pfc;

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced in Junos OS Release 8.2.

Description
For MLPPP interfaces only, disable compression of the inner PPP header in the MLPPP payload. By default, compression is enabled.

Usage Guidelines
See Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces on page 1240.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


dlci

Syntax
dlci dlci-identifier;

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For Frame Relay and Multilink Frame Relay user-to-network interface (UNI) network-to-network interface (NNI) encapsulation only, and for link services and point-to-point interfaces only, configure the data-link connection identifier (DLCI) for a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). To configure a DLCI for a point-to-multipoint interface, use the multipoint-destination statement to specify the DLCI.

Options
dlci-identifier: Data-link connection identifier.
Range: 16 through 1022

Usage Guidelines
See Configuring DLCIs on Link Services Logical Interfaces on page 1244; for general information about Frame Relay DLCIs, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


drop-timeout

Syntax
drop-timeout milliseconds;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number],
[edit logical-systems logical-system-name interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit logical-systems logical-system-name interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For multilink and link services interfaces only, configure the drop timeout period, in milliseconds.

Options
milliseconds: Drop timeout period.
Range: 1 through 2000 milliseconds
Default: 500 ms for bundles greater than or equal to the T1 bandwidth value, and 1500 ms for other bundles. Any CLI-configured value overrides these defaults. Setting a value of 0 reverts to the default.

Usage Guidelines
See Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces on page 1240.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


encapsulation

See the following sections:

encapsulation (Logical Interface) on page 1278
encapsulation (Physical Interface) on page 1279

encapsulation (Logical Interface)

Syntax
encapsulation (atm-mlppp-llc | multilink-frame-relay-end-to-end | multilink-ppp | ... );

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Logical link-layer encapsulation type.

Options
atm-mlppp-llc: For ATM 2 interfaces, use Multilink Point-to-Point Protocol (MLPPP) over ATM Adaptation Layer 5 (AAL5) logical link control (LLC) encapsulation, as described in RFC 2364, PPP over AAL5.
multilink-frame-relay-end-to-end: Use Multilink Frame Relay (MLFR) FRF.15 encapsulation. This encapsulation is used on multilink link services interfaces and their constituent T1 or E1 interfaces, and is supported on LSQ and redundant LSQ interfaces.
multilink-ppp: Use MLPPP encapsulation. This encapsulation is used only on multilink and link services interfaces and their constituent T1 or E1 interfaces.

Usage Guidelines
See Configuring Encapsulation for Multilink and Link Services Logical Interfaces on page 1239; for information about encapsulation statement options used with other interface types, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


encapsulation (Physical Interface)

Syntax
encapsulation (multilink-frame-relay-uni-nni | ... );

Hierarchy Level
[edit interfaces interface-name],
[edit interfaces rlsqnumber:number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Physical link-layer encapsulation type.

Default
MLFR UNI NNI encapsulation (on link services interfaces).

Options
multilink-frame-relay-uni-nni: Use MLFR UNI NNI encapsulation. This encapsulation is used only on link services interfaces functioning as FRF.16 bundles and their constituent T1 or E1 interfaces, and is supported on LSQ and redundant LSQ interfaces.

Usage Guidelines
See Configuring Encapsulation for Link Services Physical Interfaces on page 1249; for information about encapsulation statement options used with other interface types, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


family

Syntax
family family {
    address address {
        destination address;
    }
}

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure protocol family information for the logical interface.

Options
family: Protocol family:
ccc: Circuit cross-connect protocol suite
inet: IP version 4 (IPv4)
inet6: IP version 6 (IPv6)
iso: Open Systems Interconnection (OSI) International Organization for Standardization (ISO) protocol suite
mlfr-end-to-end: Multilink Frame Relay FRF.15
mlfr-uni-nni: Multilink Frame Relay FRF.16
multilink-ppp: Multilink Point-to-Point Protocol
mpls: MPLS
tcc: Translational cross-connect protocol suite
tnp: Trivial Network Protocol
vpls: Virtual private LAN service
The remaining statements are explained separately.

Usage Guidelines
See the topics in Link and Multilink Properties; for a general discussion of family statement options, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


fragment-threshold

Syntax
fragment-threshold bytes;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number],
[edit logical-systems logical-system-name interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit logical-systems logical-system-name interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For multilink and link services interfaces only, set the fragmentation threshold, in bytes.

Options
bytes: Maximum size, in bytes, for multilink packet fragments. Any nonzero value must be a multiple of 64 bytes.
Range: 128 through 16,320 bytes
Default: 0 bytes (no fragmentation)

Usage Guidelines
See Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces on page 1241.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


hello-timer

Syntax
hello-timer milliseconds;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, configure the rate at which hello messages are sent. A hello message is transmitted after a period defined in milliseconds has elapsed.

Options
milliseconds: The rate at which hello messages are sent.
Range: 1 through 180 milliseconds
Default: 10 milliseconds

Usage Guidelines
See Configuring Acknowledgment Timers on Link Services Physical Interfaces on page 1249.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
address on page 1274, acknowledge-timer on page 1272

interfaces

Syntax
interfaces { ... }

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure interfaces on the router.

Default
The management and internal Ethernet interfaces are automatically configured. You must configure all other interfaces.

Usage Guidelines
See the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


interleave-fragments

Syntax
interleave-fragments;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel unit logical-unit-number],
[edit logical-systems logical-system-name interfaces ls-fpc/pic/port unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services and voice services interfaces only, interleave long packets with high-priority packets. Allows small delay-sensitive packets, such as voice over IP (VoIP) packets, to interleave with long fragmented packets. This minimizes the latency of delay-sensitive packets.

Usage Guidelines
See Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces on page 1245.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

lmi-type

Syntax
lmi-type (ansi | itu);

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Set the Frame Relay Local Management Interface (LMI) type.

Options
ansi: Use American National Standards Institute (ANSI) T1.167 Annex D LMIs.
itu: Use ITU Q933 Annex A LMIs.
Default: itu

Usage Guidelines
See Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


minimum-links

Syntax
minimum-links number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number],
[edit logical-systems logical-system-name interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit logical-systems logical-system-name interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For multilink or link services interfaces only, set the minimum number of links that must be up for the bundle to be labeled up. A member link is considered up when the PPP Link Control Protocol (LCP) phase transitions to open state. The minimum-links value should be identical on both ends of the bundle.

Options
number: Number of links.
Range: 1 through 8
Default: 1

Usage Guidelines
See Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces on page 1242.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


mlfr-uni-nni-bundle-options

Syntax
mlfr-uni-nni-bundle-options {
    acknowledge-retries number;
    acknowledge-timer milliseconds;
    action-red-differential-delay (disable-tx | remove-link);
    cisco-interoperability send-lip-remove-link-for-link-reject;
    drop-timeout milliseconds;
    fragment-threshold bytes;
    hello-timer milliseconds;
    lmi-type (ansi | itu | c-lmi);
    minimum-links number;
    mrru bytes;
    n391 number;
    n392 number;
    n393 number;
    red-differential-delay milliseconds;
    t391 number;
    t392 number;
    yellow-differential-delay milliseconds;
}

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure link services interface management properties. The statements are explained separately.

Usage Guidelines
See Configuring Encapsulation for Link Services Physical Interfaces on page 1249.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Configuring Encapsulation for Link Services Physical Interfaces on page 1249


mrru

Syntax
mrru bytes;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit interfaces (ml-fpc/pic/port | ls-fpc/pic/port) unit logical-unit-number],
[edit logical-systems logical-system-name interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options],
[edit logical-systems logical-system-name interfaces (ml-fpc/pic/port | ls-fpc/pic/port) unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For multilink or link services interfaces only, set the maximum received reconstructed unit (MRRU). The MRRU is similar to the maximum transmission unit (MTU), but is specific to multilink interfaces.

Options
bytes: MRRU size.
Range: 1500 through 4500 bytes
Default: 1500 bytes

Usage Guidelines
See Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


mtu

Syntax
mtu bytes;

Hierarchy Level
[edit interfaces interface-name],
[edit interfaces interface-name unit logical-unit-number family family],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Maximum transmission unit (MTU) size for the media or protocol. The default MTU size depends on the device type. Not all devices allow you to set an MTU value, and some devices have restrictions on the range of allowable MTU values.

Options
bytes: MTU size.
Range: 0 through 5012 bytes
Default: 1500 bytes (inet, inet6, and iso families), 1448 bytes (mpls)

Usage Guidelines
See Configuring MRRU on Multilink and Link Services Logical Interfaces on page 1242.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Junos OS Network Interfaces Configuration Guide

multicast-dlci

Syntax
multicast-dlci dlci-identifier;

Hierarchy Level
[edit interfaces interface-name unit logical-unit-number],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For point-to-multipoint link services interfaces only, enable multicast support on the interface. You can configure multicast support on the interface if the Frame Relay switch performs multicast replication.

Options
dlci-identifier: DLCI identifier, a number from 16 through 1022 that defines the Frame Relay DLCI over which the switch expects to receive multicast packets for replication.

Usage Guidelines
See Configuring Multicast-Capable DLCIs for MLFR FRF.16 Bundles on page 1244.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


n391

Syntax
n391 number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, set the Frame Relay full status polling interval.

Options
number: Polling interval.
Range: 1 through 255
Default: 6

Usage Guidelines
See Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
n392 on page 1288, n393 on page 1289, t391 on page 1290, and t392 on page 1291

n392

Syntax
n392 number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, set the Frame Relay error threshold, in number of errors.

Options
number: Error threshold.
Range: 1 through 10
Default: 3

Usage Guidelines
See Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
n391 on page 1288, n393 on page 1289, t391 on page 1290, and t392 on page 1291


n393

Syntax
n393 number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, set the Frame Relay monitored event count.

Options
number: Event count.
Range: 1 through 10
Default: 4

Usage Guidelines
See Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
n391 on page 1288, n392 on page 1288, t391 on page 1290, and t392 on page 1291

red-differential-delay

Syntax
red-differential-delay milliseconds;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, configure the red differential delay among bundle links to give warning when a link has a differential delay that exceeds the configured threshold.

Options
milliseconds: Red differential delay threshold.
Range: 1 through 2000 milliseconds
Default: 120 milliseconds

Usage Guidelines
See Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 on page 1250.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
action-red-differential-delay on page 1273, yellow-differential-delay on page 1293


short-sequence

Syntax
short-sequence;

Hierarchy Level
[edit interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number],
[edit logical-systems logical-system-name interfaces (ls-fpc/pic/port | ml-fpc/pic/port) unit logical-unit-number]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For multilink interfaces only, set the length of the packet sequence identification number to 12 bits.

Default
If not included in the configuration, the length is set to 24 bits.

Usage Guidelines
See Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces on page 1243.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

t391

Syntax
t391 number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, set the Frame Relay link integrity polling interval.

Options
number: Link integrity polling interval.
Range: 5 through 30 seconds
Default: 10 seconds

Usage Guidelines
See Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
n391 on page 1288, n392 on page 1288, n393 on page 1289, and t392 on page 1291


t392

Syntax
t392 number;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, set the Frame Relay polling verification interval.

Options
number: Polling verification interval.
Range: 5 through 30 seconds
Default: 15 seconds

Usage Guidelines
See Configuring Keepalives on Link Services Physical Interfaces on page 1251.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
n391 on page 1288, n392 on page 1288, n393 on page 1289, and t391 on page 1290


unit

Syntax
unit logical-unit-number {
    disable-mlppp-inner-ppp-pfc;
    dlci dlci-identifier;
    drop-timeout milliseconds;
    encapsulation type;
    fragment-threshold bytes;
    interleave-fragments;
    minimum-links number;
    mrru bytes;
    multicast-dlci dlci-identifier;
    short-sequence;
    family family {
        address address {
            destination address;
        }
        bundle (ml-fpc/pic/port | ls-fpc/pic/port);
    }
}

Hierarchy Level
[edit interfaces interface-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Options
logical-unit-number: Number of the logical unit.
Range: 0 through 16,384
The remaining statements are explained separately.

Usage Guidelines
See Link and Multilink Properties; for a general discussion of logical interface properties, see the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.


yellow-differential-delay

Syntax
yellow-differential-delay milliseconds;

Hierarchy Level
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
For link services interfaces only, configure the yellow differential delay among bundle links to give warning when a link has a differential delay that exceeds the configured threshold.

Options
milliseconds: Yellow differential delay threshold.
Range: 1 through 2000 milliseconds
Default: 72 milliseconds

Usage Guidelines
See Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 on page 1250.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation
action-red-differential-delay on page 1273, red-differential-delay on page 1289
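The ranges listed for the mlfr-uni-nni-bundle-options statements in this chapter (acknowledge-timer through yellow-differential-delay) are the kind of thing worth checking before a commit. The following linter is an added example, not Juniper code: it parses the text form of a bundle-options block, checks each statement against its documented range or keyword set, and additionally flags a yellow threshold that is not below the red one (an operator sanity check assumed for the example, not a rule the reference states). The configuration text it parses is constructed.

```python
"""Lint an FRF.16 bundle-options block against the ranges in this chapter.

Added example, not Juniper code. It parses the text form of the
[edit interfaces ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options]
block and checks each statement against the range or the allowed values
documented for it. The configuration text below is constructed.
"""
import re

# Constructed configuration with two defects: a fragment-threshold that is
# not a multiple of 64 and a yellow threshold that does not sit below red.
SAMPLE_CONFIG = """
interfaces {
    ls-1/0/0:0 {
        encapsulation multilink-frame-relay-uni-nni;
        mlfr-uni-nni-bundle-options {
            acknowledge-timer 4;
            hello-timer 10;
            drop-timeout 500;
            fragment-threshold 200;
            minimum-links 2;
            mrru 1500;
            lmi-type ansi;
            n391 6;
            n392 3;
            n393 4;
            t391 10;
            t392 15;
            yellow-differential-delay 150;
            red-differential-delay 120;
            action-red-differential-delay remove-link;
        }
    }
}
"""

# Documented ranges (inclusive). drop-timeout accepts 0 to revert to the
# default; fragment-threshold accepts 0 for "no fragmentation" and its
# 64-byte alignment is checked separately.
RANGES = {
    "acknowledge-timer": (1, 10),           # milliseconds
    "hello-timer": (1, 180),                # milliseconds
    "drop-timeout": (0, 2000),              # milliseconds
    "fragment-threshold": (0, 16320),       # bytes
    "minimum-links": (1, 8),
    "mrru": (1500, 4500),                   # bytes
    "n391": (1, 255),
    "n392": (1, 10),
    "n393": (1, 10),
    "t391": (5, 30),                        # seconds
    "t392": (5, 30),                        # seconds
    "red-differential-delay": (1, 2000),    # milliseconds
    "yellow-differential-delay": (1, 2000), # milliseconds
}
# Keyword statements and their documented values (the summary syntax for
# the block lists c-lmi alongside ansi and itu for lmi-type).
CHOICES = {
    "lmi-type": {"ansi", "itu", "c-lmi"},
    "action-red-differential-delay": {"disable-tx", "remove-link"},
}


def parse_bundle_options(config_text):
    """Return {statement: value} for the first bundle-options block found."""
    match = re.search(r"mlfr-uni-nni-bundle-options\s*\{(.*?)\}", config_text, re.S)
    if match is None:
        raise ValueError("no mlfr-uni-nni-bundle-options block found")
    body = re.sub(r"#.*", "", match.group(1))  # drop '#' comments
    options = {}
    for statement in body.split(";"):
        tokens = statement.split()
        if tokens:
            options[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return options


def _number(options, key, default):
    """Integer value of a statement, or the documented default when absent."""
    value = options.get(key)
    return int(value) if value is not None and value.isdigit() else default


def lint_bundle_options(options):
    """Return a list of problems; an empty list means the block is clean."""
    problems = []
    for key, (low, high) in RANGES.items():
        if key not in options:
            continue
        if not options[key].isdigit():
            problems.append(f"{key}: expected an integer, got {options[key]!r}")
        elif not low <= int(options[key]) <= high:
            problems.append(f"{key}: {options[key]} is outside {low} through {high}")
    threshold = _number(options, "fragment-threshold", 0)
    if threshold != 0 and (threshold < 128 or threshold % 64 != 0):
        problems.append(f"fragment-threshold: {threshold} must be 0 or a multiple "
                        "of 64 between 128 and 16320")
    # Operator sanity check assumed for this example, not a rule the reference
    # states: a yellow warning is only useful if it fires before the red action.
    yellow = _number(options, "yellow-differential-delay", 72)
    red = _number(options, "red-differential-delay", 120)
    if yellow >= red:
        problems.append(f"yellow-differential-delay {yellow} ms is not below "
                        f"red-differential-delay {red} ms")
    for key, allowed in CHOICES.items():
        if key in options and options[key] not in allowed:
            problems.append(f"{key}: {options[key]!r} is not one of {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    for problem in lint_bundle_options(parse_bundle_options(SAMPLE_CONFIG)):
        print(problem)
```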


PART 7

Real-Time Performance Monitoring Services

Real-Time Performance Monitoring Services Overview on page 1297
Real-Time Performance Monitoring Configuration Guidelines on page 1299
Summary of Real-Time Performance Monitoring Configuration Statements on page 1319


CHAPTER 61

Real-Time Performance Monitoring Services Overview


This chapter discusses the following topics:

Real-Time Performance Monitoring Services Overview on page 1297

Real-Time Performance Monitoring Services Overview


Real-Time Performance Monitoring (RPM) enables you to configure active probes to track and monitor traffic. Probes collect packets per destination and per application, including PING Internet Control Message Protocol (ICMP) packets, User Datagram Protocol and Transmission Control Protocol (UDP/TCP) packets with user-configured ports, user-configured Differentiated Services code point (DSCP) type-of-service (ToS) packets, and Hypertext Transfer Protocol (HTTP) packets. RPM provides Management Information Base (MIB) support with extensions for RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations.

You can also configure RPM services to determine automatically whether a path exists between a host router and its configured BGP neighbors. You can view the results of the discovery using an SNMP client. Results are stored in pingResultsTable, jnxPingResultsTable, jnxPingProbeHistoryTable, and pingProbeHistoryTable.

Probe configuration and probe results are supported by the command-line interface (CLI) and SNMP. The following probe types are supported with DSCP marking:

ICMP echo
ICMP timestamp
HTTP get (not available for BGP RPM services)
UDP echo
TCP connection
UDP timestamp

With probes, you can monitor the following:

Minimum round-trip time
Maximum round-trip time
Average round-trip time
Standard deviation of the round-trip time
Jitter of the round-trip time: the difference between the minimum and maximum round-trip time

One-way measurements for ICMP timestamp probes include the following:

Minimum, maximum, standard deviation, and jitter measurements for egress and ingress times
Number of probes sent
Number of probe responses received
Percentage of lost probes

You can configure the following RPM thresholds:

Round-trip time
Ingress/egress delay
Standard deviation
Jitter
Successive lost probes
Total lost probes (per test)

Support is also implemented for user-configured CoS classifiers and for prioritization of RPM packets over regular data packets received on an input interface.
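The statistics and thresholds listed above can be worked through on a small probe history. The following is an added example, not Junos code: it summarises one RPM test (sent, received, loss, min/max/average/standard deviation, and jitter as the difference between maximum and minimum round-trip time) and reports which thresholds the test exceeds. The probe history is constructed, and the threshold names are the example's own shorthand for the RPM thresholds named above.

```python
"""Per-test statistics and threshold checks of the kind RPM reports.

Added example, not Junos code. The probe history is constructed: each entry
is one probe's round-trip time in microseconds, or None when no reply came
back. Threshold names are the example's own shorthand for the RPM thresholds
listed in the overview (round-trip time, standard deviation, jitter,
successive lost probes, total lost probes per test).
"""
from statistics import mean, pstdev

# Constructed history of one RPM test: 8 probes, 3 of them unanswered.
SAMPLE_HISTORY_US = [1200, 1300, None, None, 1250, 1500, None, 1400]


def rpm_summary(rtts_us):
    """Summarise one test the way the RPM overview describes its results."""
    answered = [rtt for rtt in rtts_us if rtt is not None]
    sent, received = len(rtts_us), len(answered)

    # Longest run of consecutive unanswered probes ("successive lost probes").
    run = longest_run = 0
    for rtt in rtts_us:
        run = run + 1 if rtt is None else 0
        longest_run = max(longest_run, run)

    summary = {
        "probes-sent": sent,
        "probes-received": received,
        "total-loss": sent - received,
        "successive-loss": longest_run,
        "loss-percent": 100.0 * (sent - received) / sent if sent else 0.0,
    }
    if answered:
        summary.update({
            "min-rtt": min(answered),
            "max-rtt": max(answered),
            "avg-rtt": mean(answered),
            # Population standard deviation of the answered probes.
            "stddev-rtt": pstdev(answered),
            # Jitter as the overview defines it: maximum minus minimum RTT.
            "jitter-rtt": max(answered) - min(answered),
        })
    return summary


def exceeded_thresholds(summary, thresholds):
    """Return the names of the thresholds the test summary exceeds.

    The example treats the round-trip and deviation thresholds as exceeded
    when the test's maximum or standard deviation exceeds them; the loss
    thresholds compare probe counts.
    """
    observed = {
        "rtt": summary.get("max-rtt", 0),
        "stddev": summary.get("stddev-rtt", 0.0),
        "jitter": summary.get("jitter-rtt", 0),
        "successive-loss": summary["successive-loss"],
        "total-loss": summary["total-loss"],
    }
    return [name for name, limit in thresholds.items()
            if name in observed and observed[name] > limit]


if __name__ == "__main__":
    result = rpm_summary(SAMPLE_HISTORY_US)
    for key, value in result.items():
        print(f"{key:>16}: {value}")
    limits = {"jitter": 250, "successive-loss": 3, "total-loss": 2}
    print("exceeded:", exceeded_thresholds(result, limits))
```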


CHAPTER 62

Real-Time Performance Monitoring Configuration Guidelines


To configure Real-Time Performance Monitoring (RPM) services, include the rpm statement at the [edit services] hierarchy level:

[edit services]
rpm {
    bgp {
        data-fill data;
        data-size size;
        destination-port port;
        history-size size;
        logical-system logical-system-name [routing-instances routing-instance-name];
        moving-average-size number;
        probe-count count;
        probe-interval seconds;
        probe-type type;
        routing-instances instance-name;
        test-interval interval;
    }
    probe owner {
        test test-name {
            data-fill data;
            data-size size;
            destination-interface interface-name;
            destination-port port;
            dscp-code-point dscp-bits;
            hardware-timestamp;
            history-size size;
            moving-average-size number;
            one-way-hardware-timestamp;
            probe-count count;
            probe-interval seconds;
            probe-type type;
            routing-instance instance-name;
            source-address address;
            target (url url | address address);
            test-interval interval;
            thresholds thresholds;
            traps traps;
        }
    }
    probe-server {
        tcp {
            destination-interface interface-name;
            port number;
        }
        udp {
            destination-interface interface-name;
            port number;
        }
    }
    probe-limit limit;
    twamp {
        server {
            authentication-mode (authenticated | encrypted | none);
            client-list list-name {
                [ address address ];
            }
            inactivity-timeout seconds;
            maximum-connections-duration hours;
            maximum-connections count;
            maximum-connections-per-client count;
            maximum-sessions count;
            maximum-sessions-per-connection count;
            port number;
            server-inactivity-timeout minutes;
        }
    }
}

NOTE: RPM does not require an Adaptive Services (AS) or Multiservices PIC or Multiservices Dense Port Concentrator (DPC) unless you are configuring RPM timestamping as described in Configuring RPM Timestamping on page 1307.

This chapter includes the following sections:


• Configuring BGP Neighbor Discovery Through RPM on page 1300
• Configuring Real-Time Performance Monitoring on page 1302
• Enabling RPM for the Services SDK on page 1312
• Examples: Configuring BGP Neighbor Discovery Through RPM on page 1313
• Examples: Configuring Real-Time Performance Monitoring on page 1314

Configuring BGP Neighbor Discovery Through RPM


BGP neighbors can be configured at the following hierarchy levels:


Chapter 62: Real-Time Performance Monitoring Configuration Guidelines

• [edit protocols bgp group group-name]: Default logical system and default routing instance.
• [edit routing-instances instance-name protocols bgp group group-name]: Default logical system with a specified routing instance.
• [edit logical-systems logical-system-name protocols bgp group group-name]: Configured logical system and default routing instance.
• [edit logical-systems logical-system-name routing-instances instance-name protocols bgp group group-name]: Configured logical system with a specified routing instance.

When you configure BGP neighbor discovery through RPM, if you do not specify a logical system, the RPM probe applies to configured BGP neighbors for all logical systems. If you do not specify a routing instance, the RPM probe applies to configured BGP neighbors in all routing instances. You can explicitly configure RPM probes to apply only to the default logical system, the default routing instance, or to a particular logical system or routing instance.

To configure BGP neighbor discovery through RPM, configure the probe properties at the [edit services rpm bgp] hierarchy:
data-fill data;
data-size size;
destination-port port;
history-size size;
logical-system logical-system-name [routing-instances routing-instance-name];
moving-average-size number;
probe-count count;
probe-interval seconds;
probe-type type;
routing-instances instance-name;
test-interval interval;

To specify the contents of the data portion of Internet Control Message Protocol (ICMP) probes, include the data-fill statement at the [edit services rpm bgp] hierarchy level. The value can be a hexadecimal value.

To specify the size of the data portion of ICMP probes, include the data-size statement at the [edit services rpm bgp] hierarchy level. The size can be from 0 through 65507 and the default size is 0.

To specify the User Datagram Protocol (UDP) port or Transmission Control Protocol (TCP) port to which the probe is sent, include the destination-port statement at the [edit services rpm bgp] hierarchy level. The destination-port statement is used only for the UDP and TCP probe types. The value can be 7 or from 49160 through 65535.

To specify the number of stored history entries, include the history-size statement at the [edit services rpm bgp] hierarchy level. Specify a value from 0 through 255. The default is 50.

To specify the logical system used by ICMP probes, include the logical-system logical-system-name statement at the [edit services rpm bgp] hierarchy level. If you do not specify a logical system, the RPM probe applies to configured BGP neighbors for all logical systems. To apply the probe to only the default logical system, you must set the value of logical-system-name to null.

To specify a number of samples for making statistical calculations, include the moving-average-size statement at the [edit services rpm bgp] hierarchy level. Specify a value from 0 through 255.

To specify the number of probes within a test, include the probe-count statement at the [edit services rpm bgp] hierarchy level. Specify a value from 1 through 15.

To specify the time to wait between sending packets, include the probe-interval statement at the [edit services rpm bgp] hierarchy level. Specify a value from 1 through 255 seconds.

To specify the packet and protocol contents of the probe, include the probe-type statement at the [edit services rpm bgp] hierarchy level. The following probe types are supported:

• icmp-ping: Sends ICMP echo requests to a target address.
• icmp-ping-timestamp: Sends ICMP timestamp requests to a target address.
• tcp-ping: Sends TCP packets to a target.
• udp-ping: Sends UDP packets to a target.
• udp-ping-timestamp: Sends UDP timestamp requests to a target address.

NOTE: Some probe types require additional parameters to be configured. For example, when you specify the tcp-ping or udp-ping option, you must configure the destination port using the destination-port port statement. The udp-ping-timestamp option requires a minimum data size of 12; any smaller data size results in a commit error. The minimum data size for TCP probe packets is 1.

To specify the routing instance used by ICMP probes, include the routing-instances statement at the [edit services rpm bgp] hierarchy level. The default routing instance is the Internet routing table, inet.0. If you do not specify a routing instance, the RPM probe applies to configured BGP neighbors in all routing instances. To apply the RPM probe to only the default routing instance, you must explicitly set the value of instance-name to default.

To specify the time to wait between tests, include the test-interval statement at the [edit services rpm bgp] hierarchy level. Specify a value from 0 through 86400 seconds.

Configuring Real-Time Performance Monitoring


This section describes the following tasks for configuring RPM:

• Configuring RPM Probes on page 1303
• Configuring RPM Receiver Servers on page 1307
• Limiting the Number of Concurrent RPM Probes on page 1307
• Configuring RPM Timestamping on page 1307
• Configuring TWAMP on page 1310

Configuring RPM Probes


The owner name and test name identifiers of an RPM probe together represent a single RPM configuration instance. When you specify the test name, you also can configure the test parameters. To configure the probe owner, test name, and test parameters, include the probe statement at the [edit services rpm] hierarchy level:
probe owner {
    test test-name {
        data-fill data;
        data-size size;
        destination-interface interface-name;
        destination-port port;
        dscp-code-point dscp-bits;
        hardware-timestamp;
        history-size size;
        moving-average-size number;
        one-way-hardware-timestamp;
        probe-count count;
        probe-interval seconds;
        probe-type type;
        routing-instance instance-name;
        source-address address;
        target (url url | address address);
        test-interval interval;
        thresholds thresholds;
        traps traps;
    }
}

To specify a probe owner, include the probe statement at the [edit services rpm] hierarchy level. The probe owner identifier can be up to 32 characters in length.

To specify a test name, include the test statement at the [edit services rpm probe owner] hierarchy level. The test name identifier can be up to 32 characters in length. A test represents the range of probes over which the standard deviation, average, and jitter are calculated.

To specify the contents of the data portion of Internet Control Message Protocol (ICMP) probes, include the data-fill statement at the [edit services rpm probe owner] hierarchy level. The value can be a hexadecimal value. The data-fill statement is not valid with the http-get or http-metadata-get probe types.

To specify the size of the data portion of ICMP probes, include the data-size statement at the [edit services rpm probe owner] hierarchy level. The size can be from 0 through 65507 and the default size is 0. The data-size statement is not valid with the http-get or http-metadata-get probe types.


NOTE: If you configure the hardware timestamp feature (see Configuring RPM Timestamping on page 1307), the data-size default value is 32 bytes and 32 is the minimum value for explicit configuration. The UDP timestamp probe type is an exception; it requires a minimum data size of 52 bytes.

On M Series and T Series routers, you configure the destination-interface statement to enable hardware timestamping of RPM probe packets. You specify an sp- interface to have the AS or Multiservices PIC add the hardware timestamps; for more information, see Configuring RPM Timestamping on page 1307. You can also include the one-way-hardware-timestamp statement to enable one-way delay and jitter measurements.

To specify the User Datagram Protocol (UDP) port or Transmission Control Protocol (TCP) port to which the probe is sent, include the destination-port statement at the [edit services rpm probe owner test test-name] hierarchy level. The destination-port statement is used only for the UDP and TCP probe types. The value can be 7 or from 49160 through 65535.

To specify the value of the Differentiated Services (DiffServ) field within the IP header, include the dscp-code-point statement at the [edit services rpm probe owner test test-name] hierarchy level. The DiffServ code point (DSCP) bits value can be set to a valid 6-bit pattern; for example, 001111. It also can be set using an alias configured at the [edit class-of-service code-point-aliases dscp] hierarchy level. The default is 000000.

To specify the number of stored history entries, include the history-size statement at the [edit services rpm probe owner test test-name] hierarchy level. Specify a value from 0 through 255. The default is 50.

To specify a number of samples for making statistical calculations, include the moving-average-size statement at the [edit services rpm probe owner test test-name] hierarchy level. Specify a value from 0 through 255.

To specify the number of probes within a test, include the probe-count statement at the [edit services rpm probe owner test test-name] hierarchy level. Specify a value from 1 through 15.

To specify the time to wait between sending packets, include the probe-interval statement at the [edit services rpm probe owner test test-name] hierarchy level. Specify a value from 1 through 255 seconds.

To specify the packet and protocol contents of the probe, include the probe-type statement at the [edit services rpm probe owner test test-name] hierarchy level. The following probe types are supported:

• http-get: Sends a Hypertext Transfer Protocol (HTTP) get request to a target URL.
• http-metadata-get: Sends an HTTP get request for metadata to a target URL.
• icmp-ping: Sends ICMP echo requests to a target address.
• icmp-ping-timestamp: Sends ICMP timestamp requests to a target address.
• tcp-ping: Sends TCP packets to a target.
• udp-ping: Sends UDP packets to a target.
• udp-ping-timestamp: Sends UDP timestamp requests to a target address.

The following probe types support hardware timestamping of probe packets: icmp-ping, icmp-ping-timestamp, udp-ping, udp-ping-timestamp.

NOTE: Some probe types require additional parameters to be configured. For example, when you specify the tcp-ping or udp-ping option, you must configure the destination port using the destination-port statement. The udp-ping-timestamp option requires a minimum data size of 12; any smaller data size results in a commit error. The minimum data size for TCP probe packets is 1.

To specify the routing instance used by ICMP probes, include the routing-instance statement at the [edit services rpm probe owner test test-name] hierarchy level. The default routing instance is the Internet routing table, inet.0.

To specify the source IP address used for ICMP probes, include the source-address statement at the [edit services rpm probe owner test test-name] hierarchy level. If the source IP address is not one of the router's assigned addresses, the packet uses the outgoing interface's address as its source.

To specify the destination address used for the probes, include the target statement at the [edit services rpm probe owner test test-name] hierarchy level.

For HTTP probe types, specify a fully formed URL that includes http:// in the URL address. For all other probe types, specify an IP version 4 (IPv4) address for the target host.

To specify the time to wait between tests, include the test-interval statement at the [edit services rpm probe owner test test-name] hierarchy level. Specify a value from 0 through 86400 seconds.

To specify thresholds used for the probes, include the thresholds statement at the [edit services rpm probe owner test test-name] hierarchy level. A system log message is generated when the configured threshold is exceeded. Likewise, an SNMP trap (if configured) is generated when a threshold is exceeded. The following options are supported:

• egress-time: Measures maximum source-to-destination time per probe.
• ingress-time: Measures maximum destination-to-source time per probe.
• jitter-egress: Measures maximum source-to-destination jitter per test.
• jitter-ingress: Measures maximum destination-to-source jitter per test.
• jitter-rtt: Measures maximum jitter per test, from 0 through 60000000 microseconds.
• rtt: Measures maximum round-trip time per probe, in microseconds.
• std-dev-egress: Measures maximum source-to-destination standard deviation per test.
• std-dev-ingress: Measures maximum destination-to-source standard deviation per test.
• std-dev-rtt: Measures maximum standard deviation per test, in microseconds.
• successive-loss: Measures successive probe loss count, indicating probe failure.
• total-loss: Measures total probe loss count indicating test failure, from 0 through 15.

Traps are sent if the configured threshold is met or exceeded. To set the trap bit to generate traps, include the traps statement at the [edit services rpm probe owner test test-name] hierarchy level. The following options are supported:

• egress-jitter-exceeded: Generates traps when the jitter in egress time threshold is met or exceeded.
• egress-std-dev-exceeded: Generates traps when the egress time standard deviation threshold is met or exceeded.
• egress-time-exceeded: Generates traps when the maximum egress time threshold is met or exceeded.
• ingress-jitter-exceeded: Generates traps when the jitter in ingress time threshold is met or exceeded.
• ingress-std-dev-exceeded: Generates traps when the ingress time standard deviation threshold is met or exceeded.
• ingress-time-exceeded: Generates traps when the maximum ingress time threshold is met or exceeded.
• jitter-exceeded: Generates traps when the jitter in round-trip time threshold is met or exceeded.
• probe-failure: Generates traps for successive probe loss thresholds crossed.
• rtt-exceeded: Generates traps when the maximum round-trip time threshold is met or exceeded.
• std-dev-exceeded: Generates traps when the round-trip time standard deviation threshold is met or exceeded.
• test-completion: Generates traps when a test is completed.
• test-failure: Generates traps when the total probe loss threshold is met or exceeded.
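The statement rules in this section, as an added example that is not part of the original guide and is not Junos code: a pre-commit check that applies the documented value ranges and probe-type constraints (minimum data sizes, destination-port values, target formats, the HTTP exclusions) to one RPM test before it is committed. The dictionary layout, the function names and messages, and the assumption that any sp- destination-interface means hardware timestamping are mine.

```python
import ipaddress

# Added example, not Junos or Juniper code: a pre-commit lint for one RPM test
# that applies the value ranges and probe-type rules the statement descriptions
# above give. Dict keys mirror the statement names; "target" holds the URL or
# address. Function names and messages are my own.

HTTP_TYPES = {"http-get", "http-metadata-get"}
PORT_REQUIRED = {"tcp-ping", "udp-ping"}               # text: port must be configured
PORT_ALLOWED = PORT_REQUIRED | {"udp-ping-timestamp"}  # "UDP and TCP probe types"
HW_TS_TYPES = {"icmp-ping", "icmp-ping-timestamp", "udp-ping", "udp-ping-timestamp"}
ALL_TYPES = HTTP_TYPES | HW_TS_TYPES | {"tcp-ping"}

# statement -> inclusive (low, high) range given in the text
RANGES = {"history-size": (0, 255), "moving-average-size": (0, 255),
          "probe-count": (1, 15), "probe-interval": (1, 255),
          "test-interval": (0, 86400)}


def _check_range(errs, name, value, lo, hi):
    if not isinstance(value, int) or not lo <= value <= hi:
        errs.append(f"{name}: {value!r} not in {lo}..{hi}")


def validate_rpm_test(test):
    """Return commit-style error strings for one test; an empty list means OK."""
    errs = []
    ptype = test.get("probe-type")
    if ptype not in ALL_TYPES:
        return [f"probe-type: unsupported or missing ({ptype!r})"]

    # Hardware timestamping is on with the hardware-timestamp statement (MX/EX)
    # or an sp- destination-interface (M/T). Assumption: any sp- unit counts.
    hw = bool(test.get("hardware-timestamp")) or \
        str(test.get("destination-interface", "")).startswith("sp-")
    if hw and ptype not in HW_TS_TYPES:
        errs.append(f"hardware timestamping is not supported for {ptype}")

    # data-fill/data-size are rejected for HTTP probes. Otherwise the default
    # size is 0 (32 with hardware timestamping) and each probe type has a floor.
    if ptype in HTTP_TYPES:
        errs += [f"{k}: not valid with {ptype}" for k in ("data-fill", "data-size") if k in test]
    else:
        size = test.get("data-size", 32 if hw else 0)
        _check_range(errs, "data-size", size, 0, 65507)
        if ptype == "udp-ping-timestamp":
            floor = 52 if hw else 12
        elif ptype == "tcp-ping":
            floor = 1
        else:
            floor = 32 if hw else 0
        if isinstance(size, int) and size < floor:
            errs.append(f"data-size: {ptype} needs at least {floor} bytes")

    # destination-port: 7 or 49160..65535, and only for UDP/TCP probe types
    port = test.get("destination-port")
    if ptype in PORT_REQUIRED and port is None:
        errs.append(f"destination-port: required for {ptype}")
    if port is not None:
        if ptype not in PORT_ALLOWED:
            errs.append(f"destination-port: not valid with {ptype}")
        elif port != 7 and not 49160 <= port <= 65535:
            errs.append(f"destination-port: {port} must be 7 or 49160..65535")

    # target: a full http:// URL for HTTP probes, an IPv4 address otherwise
    target = test.get("target")
    if target is None:
        errs.append("target: missing")
    elif ptype in HTTP_TYPES:
        if not str(target).startswith("http://"):
            errs.append("target: HTTP probes need a URL that includes http://")
    else:
        try:
            ipaddress.IPv4Address(target)
        except ValueError:
            errs.append(f"target: {target!r} is not an IPv4 address")

    for name, (lo, hi) in RANGES.items():
        if name in test:
            _check_range(errs, name, test[name], lo, hi)

    # dscp-code-point: a 6-bit pattern such as 001111, or a class-of-service
    # alias such as af11 (aliases are not resolved here)
    dscp = str(test.get("dscp-code-point", "000000"))
    if dscp.isdigit() and not (len(dscp) == 6 and set(dscp) <= {"0", "1"}):
        errs.append(f"dscp-code-point: {dscp!r} is not a 6-bit pattern")
    return errs


if __name__ == "__main__":
    # Constructed: the probe1/test1 example later in this chapter, then a bad one
    ok = {"probe-type": "icmp-ping", "target": "172.17.20.182",
          "dscp-code-point": "001111", "probe-interval": 1, "test-interval": 20}
    bad = {"probe-type": "udp-ping-timestamp", "target": "10.8.4.1",
           "data-size": 8, "destination-port": 1000, "probe-count": 20}
    print(validate_rpm_test(ok), validate_rpm_test(bad))
```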


Configuring RPM Receiver Servers


The RPM TCP and UDP probes are proprietary to Juniper Networks and require a receiver to receive the probes. To configure a server to receive the probes, include the probe-server statement at the [edit services rpm] hierarchy level:
[edit services rpm]
probe-server {
    tcp {
        destination-interface interface-name;
        port number;
    }
    udp {
        port number;
    }
}

The port number specified for the UDP and TCP server can be 7 or from 49160 through 65535.

Limiting the Number of Concurrent RPM Probes


To configure the maximum number of concurrent probes allowed, include the probe-limit statement at the [edit services rpm] hierarchy level:
probe-limit limit;

Specify a limit from 1 through 500. The default maximum number is 100.

Configuring RPM Timestamping


To account for latency in the communication of probe messages, you can enable timestamping of the probe packets. You can timestamp the following RPM probe types: icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp. On M Series and T Series routers with an Adaptive Services (AS) or Multiservices PIC, on MX Series routers with a Multiservices DPC and on EX Series switches, you can enable hardware timestamping of RPM probe messages. The timestamp is applied on both the RPM client (the router or switch that originates the RPM probes) and the RPM probe server and applies only to IPv4 traffic. It is supported in the Layer 2 service package on all Multiservices PICs and DPCs and in the Layer 3 service package on AS and Multiservices PICs and Multiservices DPCs. To configure two-way timestamping on M Series and T Series routers, include the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:
destination-interface sp-fpc/pic/port.logical-unit-number;

Specify the RPM client router and the RPM server router on the adaptive services logical interface by including the rpm statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:
rpm (client | server);


The logical interface must be dedicated to the RPM task. It requires configuration of the family inet statement and a /32 address, as shown in the example. This configuration is also needed for other services such as NAT and stateful firewall. You cannot configure RPM service on unit 0 because RPM requires a dedicated logical interface; the same unit cannot support both RPM and other services. Because active flow monitoring requires unit 0, but RPM can function on any logical interface, a constraint check prevents you from committing an RPM configuration there.

NOTE: If you configure RPM timestamping on an AS PIC, you cannot configure the source-address statement at the [edit services rpm probe probe-name test test-name] hierarchy level.

On MX Series routers and EX Series switches, you include the hardware-timestamp statement at the [edit services rpm probe probe-name test test-name] hierarchy level to specify that the probes are to be timestamped in the Packet Forwarding Engine host processor:
hardware-timestamp;

On the client side, these probes are timestamped in the Packet Forwarding Engine host processor on the egress DPC on the MX Series router or EX Series switch originating the RPM probes (RPM client). On the responder side (RPM server), the RPM probes to be timestamped are handled by Packet Forwarding Engine host processor, which generates the response instead of the RPM process. The RPM probes are timestamped only on the router that originates them (RPM client). As a result, only round-trip time is measured for these probes.

NOTE: The Packet Forwarding Engine based RPM feature does not support any stateful firewall configurations. If you need to combine RPM timestamping with stateful firewall, you should use the interface-based RPM timestamping service described earlier in this section. Multiservices DPCs support stateful firewall processing as well as RPM timestamping.

To configure one-way timestamping, you must also include the one-way-hardware-timestamp statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:
one-way-hardware-timestamp;


NOTE: If you configure RPM probes for a services interface (sp-), you need to announce local routes in a specific way for the following routing protocols:

• For OSPF, you can announce the local route by including the services interface in the OSPF area. To configure this setting, include the interface sp-fpc/pic/port statement at the [edit protocols ospf area area-number] hierarchy level.
• For BGP and IS-IS, you must export interface routes and create a policy that accepts the services interface local route. To export interface routes, include the point-to-point and lan statements at the [edit routing-options interface-routes family inet export] hierarchy level. To configure an export policy that accepts the services interface local route, include the protocol local, rib inet.0, and route-filter sp-interface-ip-address/32 exact statements at the [edit policy-options policy-statement policy-name term term-name from] hierarchy level and the accept action at the [edit policy-options policy-statement policy-name term term-name then] hierarchy level. For the export policy to take effect, apply the policy to BGP or IS-IS with the export policy-name statement at the [edit protocols protocol-name] hierarchy level.

For more information about these configurations, see the Junos OS Routing Policy Configuration Guide or the Junos OS Routing Protocols Configuration Guide.

Example: Configuring RPM Timestamping

Routing the probe packets through the AS or Multiservices PIC also enables you to filter the probe packets to particular queues. The following example shows the RPM configuration and the filter that specifies queuing:
services rpm {
    probe p1 {
        test t1 {
            probe-type icmp-ping;
            target address 10.8.4.1;
            probe-count 10;
            probe-interval 10;
            test-interval 10;
            dscp-code-points af11;
            data-size 100;
            destination-interface sp-1/2/0.0;
        }
    }
}
firewall {
    filter f1 {
        term t1 {
            from {
                dscp af11;
            }
            then {
                forwarding-class assured-forwarding;
            }
        }
    }
}
interfaces sp-1/2/0 {
    unit 2 {
        rpm client;
        family inet {
            address 10.8.4.2/32;
            filter {
                input f1;
            }
        }
    }
}
interfaces sp-1/2/1 {
    unit 2 {
        rpm server;
        family inet {
            address 10.8.3.2/32;
            filter {
                input f1;
            }
        }
    }
}

For more information about firewall filters, see the Junos OS Routing Policy Configuration Guide; for more information about queuing, see the Junos OS Class of Service Configuration Guide.

Configuring TWAMP
You can configure the Two-Way Active Measurement Protocol (TWAMP) on all M Series and T Series routers that support Multiservices PICs (running in either Layer 2 or Layer 3 mode), and on MX Series routers with or without a Multiservices DPC. Only the responder (server) side of TWAMP is supported. For more information on TWAMP, see RFC 5357, A Two-Way Active Measurement Protocol (TWAMP).

To configure TWAMP properties, include the twamp statement at the [edit services rpm] hierarchy level:
[edit services rpm]
twamp {
    server {
        client-list list-name {
            [ address address ];
        }
        authentication-mode mode;
        inactivity-timeout seconds;
        max-connection-duration hours;
        maximum-connections count;
        maximum-connections-per-client count;
        maximum-sessions count;
        maximum-sessions-per-connection count;
        port number;
        server-inactivity-timeout minutes;
    }
}

The TWAMP configuration process includes the following tasks:


• Configuring TWAMP Interfaces on page 1311
• Configuring TWAMP Servers on page 1311

Configuring TWAMP Interfaces


To specify the service PIC logical interface that provides the TWAMP service, include the twamp-server statement at the [edit interfaces sp-fpc/pic/port unit logical-unit-number] hierarchy level:
twamp-server;

NOTE: On MX Series routers that do not include a Multiservices DPC, you can configure TWAMP properties, but you can omit specifying the twamp-server statement.

Configuring TWAMP Servers


You can specify a number of TWAMP server properties, some of which are optional, by including the server statement at the [edit services rpm twamp] hierarchy level:
[edit services rpm twamp]
server {
    client-list list-name {
        [ address address ];
    }
    authentication-mode mode;
    inactivity-timeout seconds;
    max-connection-duration hours;
    maximum-connections count;
    maximum-connections-per-client count;
    maximum-sessions count;
    maximum-sessions-per-connection count;
    port number;
    server-inactivity-timeout minutes;
}

To specify the list of allowed control client hosts that can connect to this server, include the client-list statement at the [edit services rpm twamp server] hierarchy level. Each value you include must be a Classless Interdomain Routing (CIDR) address (IP address plus mask) that represents a network of allowed hosts. You can include multiple client lists, each of which can contain a maximum of 64 entries. You must configure at least one client address to enable TWAMP.

You must specify the authentication mode by including the authentication-mode statement at the [edit services rpm twamp server] hierarchy level. There is no default value. You can configure authenticated or encrypted mode, based on RFC 4656; if no authentication or encryption mode is specified, you should set the value to none. This statement is required in the TWAMP configuration.

To specify the inactivity timeout period in seconds, include the inactivity-timeout statement at the [edit services rpm twamp server] hierarchy level. By default, the value is 1800; the range is 0 through 3600 seconds.

To specify the maximum number of concurrent connections the server can have to client hosts, include the maximum-connections statement at the [edit services rpm twamp server] hierarchy level. The allowed range of values is 1 through 2048 and the default value is 64. You can also limit the number of connections the server can make to a particular client host by including the maximum-connections-per-client statement.

To specify the maximum number of sessions the server can have running at one time, include the maximum-sessions statement at the [edit services rpm twamp server] hierarchy level. The allowed range of values is 1 through 2048 and the default value is 64. You can also limit the number of sessions the server can have on a single connection by including the maximum-sessions-per-connection statement.

To specify the TWAMP server listening port, include the port statement at the [edit services rpm twamp server] hierarchy level. The range is 1 through 65,535. This statement is mandatory.

For examples of TWAMP configuration, see Examples: Configuring Real-Time Performance Monitoring on page 1314.

Enabling RPM for the Services SDK


Real-time performance monitoring (RPM), which has been supported on the adaptive services interface, is now supported by the Services SDK. RPM is supported on all platforms and service PICs that support the Services SDK. To enable RPM for the Services SDK on the adaptive services interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the Services SDK, package-name in the package package-name statement is jservices-rpm. For more information about the Services SDK, see the SDK Applications Configuration Guide and Command Reference. The following example shows how to enable RPM for the Services SDK on the adaptive services interface:
chassis fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog daemon any;
                }
            }
        }
    }
}

Related Documentation

• Examples: Configuring Real-Time Performance Monitoring on page 1314
• destination-interface on page 1323

Examples: Configuring BGP Neighbor Discovery Through RPM


Configure BGP neighbor discovery through RPM for all logical systems and all routing instances:
[edit services rpm]
bgp {
    probe-type icmp-ping;
    probe-count 5;
    probe-interval 1;
    test-interval 60;
    history-size 10;
    data-size 255;
    data-fill 0123456789;
}

Configure BGP neighbor discovery through RPM for only the following logical systems and routing instances: LS1/RI1, LS1/RI2, LS2, and RI3:
[edit services rpm]
bgp {
    probe-type icmp-ping;
    probe-count 5;
    probe-interval 1;
    test-interval 60;
    history-size 10;
    data-size 255;
    data-fill 0123456789;
    logical-system {
        LS1 {
            routing-instances {
                RI1;
                RI2;
            }
        }
        LS2;
    }
    routing-instance {
        RI3;
    }
}


Configure BGP neighbor discovery through RPM for only the default logical system and default routing instance:
[edit services rpm]
bgp {
    probe-type icmp-ping;
    probe-count 5;
    probe-interval 1;
    test-interval 60;
    history-size 10;
    data-size 255;
    data-fill 0123456789;
    logical-system {
        null {
            routing-instances {
                default;
            }
        }
    }
}
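The scoping rules from Configuring BGP Neighbor Discovery Through RPM, applied to the three bgp stanzas just shown, as an added example that is not part of the original guide and is not Junos code: it works out which (logical system, routing instance) neighbors a given stanza probes. The neighbor inventory is constructed, the dictionary and tuple representations and function names are mine, and the treatment of a top-level routing-instance entry as applying in every logical system is my reading of the text above.

```python
# Added example, not Juniper code: works out which BGP neighbors an
# [edit services rpm bgp] stanza probes, following the scoping rules in this
# chapter (no logical-system means all logical systems, no routing-instance
# means all routing instances, null and default pick the default ones). The
# dict and tuple representations and function names are my own.

DEFAULT_LS = None        # the default logical system, written null in the CLI
DEFAULT_RI = "default"   # the default routing instance, inet.0


def _ls_key(token):
    """Map a logical-system token from the configuration to a neighbor key."""
    return DEFAULT_LS if token == "null" else token


def selected_neighbors(scope, neighbors):
    """Return the (logical-system, routing-instance) pairs the probe covers.

    scope: {"logical-system": {token: [ri, ...]}, "routing-instances": [ri, ...]}
      an empty list under a logical system means all of its routing instances;
      a top-level routing-instances entry names no logical system, so (reading
      the text above) it applies to that instance in every logical system.
    neighbors: iterable of (ls, ri) pairs with ls=None for the default system.
    """
    ls_scope = {_ls_key(tok): set(ris)
                for tok, ris in scope.get("logical-system", {}).items()}
    ri_scope = set(scope.get("routing-instances", []))
    if not ls_scope and not ri_scope:
        return list(neighbors)              # nothing specified: every neighbor
    picked = []
    for ls, ri in neighbors:
        in_ls = ls in ls_scope and (not ls_scope[ls] or ri in ls_scope[ls])
        if in_ls or ri in ri_scope:
            picked.append((ls, ri))
    return picked


# Constructed neighbor inventory: (logical system, routing instance) per peer
NEIGHBORS = [(None, "default"), (None, "RI3"), ("LS1", "default"),
             ("LS1", "RI1"), ("LS1", "RI2"), ("LS1", "RI9"),
             ("LS2", "default"), ("LS2", "RI3"), ("LS3", "RI3"), ("LS3", "default")]

# The three bgp stanzas shown in the examples above, as scope dicts
ALL_SCOPE = {}
PARTIAL = {"logical-system": {"LS1": ["RI1", "RI2"], "LS2": []},
           "routing-instances": ["RI3"]}
DEFAULT_ONLY = {"logical-system": {"null": ["default"]}}

if __name__ == "__main__":
    for name, scope in (("all", ALL_SCOPE), ("partial", PARTIAL), ("default", DEFAULT_ONLY)):
        print(name, selected_neighbors(scope, NEIGHBORS))
```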

Examples: Configuring Real-Time Performance Monitoring


Configure an RPM instance identified by the probe name probe1 and the test name test1:
[edit services rpm]
probe probe1 {
    test test1 {
        dscp-code-points 001111;
        probe-interval 1;
        probe-type icmp-ping;
        target address 172.17.20.182;
        test-interval 20;
        thresholds rtt 10;
        traps rtt-exceeded;
    }
}
probe-server {
    tcp {
        destination-interface lt-0/0/0.0 port 50000;
    }
    udp {
        destination-interface lt-0/0/0.0 port 50001;
    }
}
probe-limit 200;

Configure packet classification, using lt- interfaces to send the probe packets to a logical tunnel input interface. By sending the packet to the logical tunnel interface, you can configure regular and multifield classifiers, firewall filters, and header rewriting for the probe packets. To use the existing tunnel framework, the dlci and encapsulation statements must be configured.
[edit services rpm]
probe p1 {
    test t1 {
        probe-type icmp-ping;
        target address 10.8.4.1;
        probe-count 10;
        probe-interval 10;
        test-interval 10;
        source-address 10.8.4.2;
        dscp-code-points ef;
        data-size 100;
        destination-interface lt-0/0/0.0;
    }
}
[edit interfaces]
lt-0/0/0 {
    unit 0 {
        encapsulation frame-relay;
        dlci 10;
        peer-unit 1;
        family inet;
    }
    unit 1 {
        encapsulation frame-relay;
        dlci 10;
        peer-unit 0;
        family inet;
    }
}
[edit class-of-service]
interfaces {
    lt-0/0/0 {
        unit 1 {
            classifiers {
                dscp default;
            }
        }
    }
}

Configure an input filter on the interface on which the RPM probes are received. This filter enables prioritization of the received RPM packets, separating them from the regular data packets received on the same interface.
[edit firewall]
filter recos {
    term recos {
        from {
            source-address {
                10.8.4.1/32;
            }
            destination-address {
                10.8.4.2/32;
            }
        }
        then {
            loss-priority high;
            forwarding-class network-control;
        }
    }
}
[edit interfaces]
fe-5/0/0 {
    unit 0 {
        family inet {
            filter {
                input recos;
            }
            address 10.8.4.2/24;
        }
    }
}

Configure an RPM instance and enable RPM for the Services SDK on the adaptive services interface:
[edit services rpm]
probe probe1 {
    test test1 {
        data-size 1024;
        data-fill 0;
        destination-interface ms-1/2/0.10;
        dscp-code-points 001111;
        probe-count 10;
        probe-interval 1;
        probe-type icmp-ping;
        target address 172.17.20.182;
        test-interval 20;
        thresholds rtt 10;
        traps rtt-exceeded;
    }
}
[edit interfaces]
ms-1/2/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        rpm client;
        family inet {
            address 1.1.1.1/32;
        }
    }
}
[edit chassis]
fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog {
                        daemon any;
                    }
                }
            }
        }
    }
}

Configure the minimum statements necessary to enable TWAMP:


[edit services]
rpm {
    twamp {
        server {
            authentication-mode none;
            port 10000;                # TWAMP server's listening port
            client-list LIST-1 {       # LIST-1 is the name of the client list. Multiple lists can be configured.
                address {
                    20.0.0.2/30;       # IP address of the control client.
                }
            }
        }
    }
}
[edit interfaces sp-5/0/0]
unit 0 {
    family inet;
}
unit 10 {
    rpm {
        twamp-server;              # You must configure a separate logical interface on the service PIC interface for the TWAMP server.
    }
    family inet {
        address 50.50.50.50/32;    # This address must be a host address with a 32-bit mask.
    }
}
[edit chassis]
fpc 5 {
    pic 0 {
        adaptive-services {
            service-package layer-2;   # Configure the service PIC to run in Layer 2 mode.
        }
    }
}

Configure additional TWAMP settings:


[edit services]
rpm {
    twamp {
        server {
            inactivity-timeout 20;
            maximum-sessions 5;
            maximum-sessions-per-connection 2;
            maximum-connections 3;
            maximum-connections-per-client 1;
            port 10000;
            client-list LIST-1 {
                address {
                    20.0.0.2/30;
                }
            }
        }
    }
}


CHAPTER 63

Summary of Real-Time Performance Monitoring Configuration Statements


The following sections explain each of the Real-Time Performance Monitoring (RPM) statements. The statements are organized alphabetically.

authentication-mode

Syntax
    authentication-mode (authenticated | control-only-encrypted | encrypted | none);

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Specify the authentication or encryption mode support for the TWAMP test protocol. This statement is required in the configuration; if no authentication or encryption is specified, you should set the value to none. With none, the control connection is neither authenticated nor encrypted, so the client-list statement is the only restriction on which hosts can open TWAMP control sessions to the server.

Options
    authenticated: Data packets are authenticated.
    control-only-encrypted: TWAMP control packets are encrypted. TWAMP data packets are in plain text format.
    encrypted: Data packets are encrypted.
    none: No authentication or encryption.

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

bgp

Syntax
    bgp {
        data-fill data;
        data-size size;
        destination-port port;
        history-size size;
        logical-system logical-system-name <routing-instances routing-instance-name>;
        moving-average-size size;
        probe-count count;
        probe-interval seconds;
        probe-type type;
        routing-instances instance-name;
        test-interval interval;
    }

Hierarchy Level
    [edit services rpm bgp]
    [edit protocols bgp group group-name]
    [edit routing-instances instance-name protocols bgp group group-name]
    [edit logical-system logical-system-name protocols bgp group group-name]
    [edit logical-system logical-system-name routing-instances instance-name protocols bgp group group-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure BGP neighbor discovery through Real-Time Performance Monitoring (RPM).

Options
    bgp: Define properties for configuring BGP neighbor discovery.
    The remaining statements are explained separately.

    NOTE: On MX Series routers, you can configure all the statements. On M Series and T Series routers, you can configure only the logical-system and routing-instances statements.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

client-list

Syntax
    client-list list-name {
        address address;
    }

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    List of allowed control client hosts that can connect to this server. Each entry is a Classless Interdomain Routing (CIDR) address (IP address plus mask) that represents a network of allowed hosts. You can configure more than one list, but you must configure at least one client address to enable TWAMP. Each list can contain up to 64 entries.

Options
    list-name: Name of the client address list.
    address: Address and mask for an allowed client.

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

data-fill

Syntax
    data-fill data;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the contents of the data portion of Internet Control Message Protocol (ICMP) probes.

Options
    data: A hexadecimal value; for example, 0-9, A-F.

Usage Guidelines
    The data-fill statement is not valid with the http-get or http-metadata-get probe types.
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

data-size

Syntax
    data-size size;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the size of the data portion of ICMP probes.

Options
    size: The size can be from 0 through 65507.
    Default: 0

    NOTE: If you configure the hardware timestamp feature (see Configuring RPM Timestamping on page 1307), the data-size default value is 32 bytes and 32 is the minimum value for explicit configuration. The UDP timestamp probe type is an exception; it requires a minimum data size of 52 bytes.

Usage Guidelines
    The data-size statement is not valid with the http-get or http-metadata-get probe type.
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

destination-interface

Syntax
    destination-interface interface-name;

Hierarchy Level
    [edit services rpm probe owner test test-name],
    [edit services rpm probe-server (tcp | udp)]

Release Information
    Statement introduced in Junos OS Release 7.5.

Description
    On M Series and T Series routers, specify a services (sp-) interface that adds a timestamp to RPM probe messages. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types. You must also configure the rpm statement on the sp- interface and include the unit 0 family inet statement with a /32 address.

    On M Series, MX Series, and T Series routers, specify a multiservices (ms-) interface that adds a timestamp to RPM probe messages. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types. You must also configure the rpm statement on the ms- interface and include the unit 0 family inet statement with a /32 address.

    To enable RPM for the Services SDK on the adaptive services interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the Services SDK, package-name in the package package-name statement is jservices-rpm.

Options
    interface-name: Name of the adaptive services interface.

Usage Guidelines
    See Configuring RPM Probes on page 1303, Configuring RPM Receiver Servers on page 1307, or Configuring RPM Timestamping on page 1307.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    hardware-timestamp on page 1326
    rpm
    Enabling RPM for the Services SDK on page 1312

destination-port

Syntax
    destination-port port;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port to which a probe is sent. This statement is used only for TCP or UDP probe types.

Options
    port: The port number can be 7 or from 49,160 through 65,535.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

dscp-code-point

Syntax
    dscp-code-point dscp-bits;

Hierarchy Level
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the value of the Differentiated Services (DiffServ) field within the IP header. The DiffServ code point (DSCP) bits value must be set to a valid 6-bit pattern.

Options
    dscp-bits: A valid 6-bit pattern; for example, 001111, or one of the following configured DSCP aliases:

    Alias   Default bits
    af11    001010
    af12    001100
    af13    001110
    af21    010010
    af22    010100
    af23    010110
    af31    011010
    af32    011100
    af33    011110
    af41    100010
    af42    100100
    af43    100110
    be      000000
    cs1     001000
    cs2     010000
    cs3     011000
    cs4     100000
    cs5     101000
    cs6     110000
    cs7     111000
    ef      101110
    nc1     110000
    nc2     111000

Usage Guidelines
    See Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

hardware-timestamp

Syntax
    hardware-timestamp;

Hierarchy Level
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced in Junos OS Release 8.1.
    Statement applied to MX Series routers in Junos OS Release 10.0.
    Statement introduced in Junos OS Release 10.3 for EX Series switches.

Description
    On MX Series routers and EX Series switches only, enable timestamping of RPM probe messages in the Packet Forwarding Engine host processor. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.

Usage Guidelines
    See Configuring RPM Timestamping on page 1307.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

history-size

Syntax
    history-size size;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the number of stored history entries.

Options
    size: A value from 0 through 255.
    Default: 50

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

inactivity-timeout

Syntax
    inactivity-timeout seconds;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Inactivity timeout period, in seconds.

Options
    seconds: Length of time the session is inactive before it times out.
    Default: 1800 seconds

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

logical-system

Syntax
    logical-system logical-system-name {
        [ routing-instances instance-name ];
    }

Hierarchy Level
    [edit services rpm bgp]

Release Information
    Statement introduced in Junos OS Release 7.6.

Description
    Specify the logical system used by the probes.
    The remaining statements are explained separately.

Options
    logical-system-name: Logical system name.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

max-connection-duration

Syntax
    max-connection-duration hours;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 11.1.

Description
    Specify the maximum time a connection can exist between a client and the server.

Options
    hours: Number of hours a connection can exist between a client and the server.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    Configuring TWAMP on page 1310

maximum-connections

Syntax
    maximum-connections count;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Maximum number of allowed connections between the server and all control client hosts.

Options
    count: Maximum number of connections.
    Range: 1 through 2048
    Default: 64

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

maximum-connections-per-client

Syntax
    maximum-connections-per-client count;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Maximum number of allowed connections between the server and a single control client host.

Options
    count: Maximum number of connections.
    Default: 64

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

maximum-sessions

Syntax
    maximum-sessions count;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Maximum number of allowed test sessions the server can have running at one time.

Options
    count: Maximum number of sessions.
    Range: 1 through 2048
    Default: 64

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

maximum-sessions-per-connection

Syntax
    maximum-sessions-per-connection count;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    Maximum number of allowed sessions the server can open on a single client connection.

Options
    count: Maximum number of sessions.
    Default: 64

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.
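The following added example (Python, not Junos or Juniper code) models the admission decisions that follow from the TWAMP server statements documented in this chapter: client-list as the allow-list of control clients (CIDR entries, up to 64 per list) together with the maximum-connections, maximum-connections-per-client, maximum-sessions and maximum-sessions-per-connection limits. It uses the values from the "Configure additional TWAMP settings" example in Chapter 62 (client-list 20.0.0.2/30, limits 3, 1, 5 and 2). The class, its method names and the request sequence are assumptions of the example, not part of the product.

```python
"""Model of TWAMP server admission control as described by the client-list,
maximum-connections, maximum-connections-per-client, maximum-sessions and
maximum-sessions-per-connection statements. Added example; names are assumptions."""
import ipaddress
from collections import Counter

MAX_CLIENT_LIST_ENTRIES = 64   # documented limit: each client-list holds up to 64 entries


class TwampServerPolicy:
    def __init__(self, client_lists, max_conns=64, max_conns_per_client=64,
                 max_sessions=64, max_sessions_per_conn=64):
        # client_lists: {list-name: [cidr, ...]}; the limit defaults are the documented 64.
        self.networks = []
        for name, entries in client_lists.items():
            if len(entries) > MAX_CLIENT_LIST_ENTRIES:
                raise ValueError(f"client-list {name}: more than {MAX_CLIENT_LIST_ENTRIES} entries")
            # strict=False accepts a host address with a mask, as in 20.0.0.2/30.
            self.networks += [ipaddress.ip_network(e, strict=False) for e in entries]
        self.max_conns = max_conns
        self.max_conns_per_client = max_conns_per_client
        self.max_sessions = max_sessions
        self.max_sessions_per_conn = max_sessions_per_conn
        self.connections = {}        # conn_id -> control client address
        self.sessions = Counter()    # conn_id -> open test sessions

    def client_allowed(self, addr):
        """True if addr falls inside any configured client-list entry."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)

    def open_connection(self, conn_id, addr):
        """Decide on a new control connection; returns (accepted, reason)."""
        if not self.client_allowed(addr):
            return False, "not in client-list"
        if len(self.connections) >= self.max_conns:
            return False, "maximum-connections reached"
        per_client = sum(1 for a in self.connections.values() if a == addr)
        if per_client >= self.max_conns_per_client:
            return False, "maximum-connections-per-client reached"
        self.connections[conn_id] = addr
        return True, "accepted"

    def open_session(self, conn_id):
        """Decide on a new test session on an existing control connection."""
        if conn_id not in self.connections:
            return False, "no such connection"
        if sum(self.sessions.values()) >= self.max_sessions:
            return False, "maximum-sessions reached"
        if self.sessions[conn_id] >= self.max_sessions_per_conn:
            return False, "maximum-sessions-per-connection reached"
        self.sessions[conn_id] += 1
        return True, "accepted"

    def close_connection(self, conn_id):
        """Drop a control connection and its sessions (for example on inactivity-timeout)."""
        self.connections.pop(conn_id, None)
        self.sessions.pop(conn_id, None)


def chapter_example_policy():
    """The limits and client-list from the Chapter 62 'additional TWAMP settings' example."""
    return TwampServerPolicy({"LIST-1": ["20.0.0.2/30"]}, max_conns=3,
                             max_conns_per_client=1, max_sessions=5,
                             max_sessions_per_conn=2)


def run_scenario():
    """Constructed request sequence; returns the (accepted, reason) decisions in order."""
    p = chapter_example_policy()
    return [
        p.open_connection("c1", "20.0.0.2"),   # inside 20.0.0.0/30: accepted
        p.open_connection("c2", "20.0.0.2"),   # second connection from the same host: rejected
        p.open_connection("c3", "20.0.0.1"),   # another host in the /30: accepted
        p.open_connection("c4", "20.0.0.5"),   # outside the /30: rejected
        p.open_session("c1"),                  # first session on c1: accepted
        p.open_session("c1"),                  # second session on c1: accepted
        p.open_session("c1"),                  # third session on c1: rejected
    ]


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("accept" if accepted else "reject", reason)
```

The model makes the order of the checks explicit: a host outside every client-list entry is refused before any limit is consulted, and the per-client and per-connection limits bound how much server state one control client can hold open even when it is on the list.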

moving-average-size

Syntax
    moving-average-size number;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced in Junos OS Release 8.5.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Enable statistical calculation operations to be performed across a configurable number of the most recent samples.

Options
    number: Number of samples to be used in calculations.
    Range: 0 through 255

Usage Guidelines
    See Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

one-way-hardware-timestamp

Syntax
    one-way-hardware-timestamp;

Hierarchy Level
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced in Junos OS Release 8.5.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Enable timestamping of RPM probe messages for one-way delay and jitter measurements. You must configure this statement along with the destination-interface statement to invoke timestamping. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.

Usage Guidelines
    See Configuring RPM Timestamping on page 1307.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Documentation
    destination-interface on page 1323
    hardware-timestamp on page 1326

port

See the following sections:

    port (RPM) on page 1332
    port (TWAMP) on page 1332

port (RPM)

Syntax
    port number;

Hierarchy Level
    [edit services rpm probe-server (tcp | udp)]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the port number for the probe server.

Options
    number: Port number for the probe server. The value can be 7 or 49,160 through 65,535.

Usage Guidelines
    See Configuring RPM Receiver Servers on page 1307.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

port (TWAMP)

Syntax
    port number;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    TWAMP server listening port. You must configure this statement to enable TWAMP.

Options
    number: Port number.
    Range: 1 through 65,535

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

probe

Syntax
    probe owner {
        test test-name {
            data-fill data;
            data-size size;
            destination-interface interface-name;
            destination-port port;
            dscp-code-point dscp-bits;
            hardware-timestamp;
            history-size size;
            moving-average-size number;
            one-way-hardware-timestamp;
            probe-count count;
            probe-interval seconds;
            probe-type type;
            routing-instance instance-name;
            source-address address;
            target (url | address);
            test-interval interval;
            thresholds thresholds;
            traps traps;
        }
    }

Hierarchy Level
    [edit services rpm]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify an owner name. The owner name combined with the test name represents a single RPM configuration instance.

Options
    owner: Specify an owner name up to 32 characters in length.
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring RPM Probes on page 1303.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

probe-count

Syntax
    probe-count count;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the number of probes within a test.

Options
    count: A value from 1 through 15.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

probe-interval

Syntax
    probe-interval interval;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the time to wait between sending packets, in seconds.

Options
    interval: Number of seconds, from 1 through 255.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

probe-limit

Syntax
    probe-limit limit;

Hierarchy Level
    [edit services rpm]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the maximum number of concurrent probes allowed.

Options
    limit: A value from 1 through 500.
    Default: 100

Usage Guidelines
    See Limiting the Number of Concurrent RPM Probes on page 1307.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

probe-server

Syntax
    probe-server {
        tcp {
            destination-interface interface-name;
            port number;
        }
        udp {
            destination-interface interface-name;
            port number;
        }
    }

Hierarchy Level
    [edit services rpm]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the server to act as a receiver for the probes.
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring RPM Receiver Servers on page 1307.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

probe-type

Syntax
    probe-type type;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the packet and protocol contents of a probe.

Options
    type: Specify one of the following probe type values:

    http-get: (Not available at the [edit services rpm bgp] hierarchy level.) Sends a Hypertext Transfer Protocol (HTTP) get request to a target URL.
    http-metadata-get: (Not available at the [edit services rpm bgp] hierarchy level.) Sends an HTTP get request for metadata to a target URL.
    icmp-ping: Sends ICMP echo requests to a target address.
    icmp-ping-timestamp: Sends ICMP timestamp requests to a target address.
    tcp-ping: Sends TCP packets to a target.
    udp-ping: Sends UDP packets to a target.
    udp-ping-timestamp: Sends UDP timestamp requests to a target address.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

routing-instance

Syntax
    routing-instance instance-name;

Hierarchy Level
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the routing instance used by the probes.

Options
    instance-name: A routing instance configured at the [edit routing-instances] hierarchy level.
    Default: Internet routing table inet.0.

Usage Guidelines
    See Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

routing-instances

Syntax
    routing-instances instance-name;

Hierarchy Level
    [edit services rpm bgp],
    [edit services rpm bgp logical-system logical-system-name]

Release Information
    Statement introduced in Junos OS Release 7.6.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the routing instance used by the probes.

Options
    instance-name: A routing instance configured at the [edit routing-instances] hierarchy level.
    Default: Internet routing table inet.0.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

rpm

Syntax
    rpm {
        bgp {
            data-fill data;
            data-size size;
            destination-port port;
            history-size size;
            logical-system logical-system-name <routing-instances routing-instance-name>;
            moving-average-size number;
            probe-count count;
            probe-interval seconds;
            probe-type type;
            routing-instances instance-name;
            test-interval interval;
        }
    }

Hierarchy Level
    [edit services]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure BGP neighbor discovery through RPM.
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring BGP Neighbor Discovery Through RPM on page 1300.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

server

Syntax
    server {
        client-list list-name {
            [ address address ];
        }
        inactivity-timeout seconds;
        maximum-connections count;
        maximum-connections-per-client count;
        maximum-sessions count;
        maximum-sessions-per-connection count;
        port number;
    }

Hierarchy Level
    [edit services rpm twamp]

Release Information
    Statement introduced in Junos OS Release 9.3.

Description
    TWAMP server configuration settings.
    The remaining statements are described separately.

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    system: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

server-inactivity-timeout

Syntax
    server-inactivity-timeout minutes;

Hierarchy Level
    [edit services rpm twamp server]

Release Information
    Statement introduced in Junos OS Release 11.1.

Description
    The maximum time the Two-Way Active Measurement Protocol (TWAMP) server has to finish the TWAMP control protocol negotiation.

Options
    minutes: Number of minutes the TWAMP server has to finish the TWAMP control protocol negotiation.
    Default: 15 minutes
    Range: 1 through 30 minutes

Usage Guidelines
    See Configuring TWAMP on page 1310.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

services

Syntax
    services rpm { ... }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the service rules to be applied to traffic.

Options
    rpm: Identifies the RPM set of rules statements.

Usage Guidelines
    See Real-Time Performance Monitoring Services.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

source-address

Syntax
    source-address address;

Hierarchy Level
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the source IP address used for probes. If the source IP address is not one of the router's or switch's assigned addresses, the packet uses the outgoing interface's address as its source.

Options
    address: Valid IP address.

Usage Guidelines
    See Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

target

Syntax
    target (url url | address address);

Hierarchy Level
    [edit services rpm probe owner test test-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the destination address used for the probes.

Options
    url url: For HTTP probe types, specify a fully formed URL that includes http:// in the URL address.
    address address: For all other probe types, specify an IPv4 address for the target host.

Usage Guidelines
    See Configuring RPM Probes on page 1303.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

tcp

Syntax
    tcp {
        destination-interface interface-name;
        port port;
    }

Hierarchy Level
    [edit services rpm probe-server]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Statement introduced in Junos OS Release 9.3 for EX Series switches.

Description
    Specify the port information for the TCP server.
    The remaining statements are explained separately.

Usage Guidelines
    See Configuring RPM Receiver Servers on page 1307.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

test
Syntax
    test test-name {
        data-fill data;
        data-size size;
        destination-interface interface-name;
        destination-port port;
        dscp-code-point dscp-bits;
        hardware-timestamp;
        history-size size;
        moving-average-size number;
        one-way-hardware-timestamp;
        probe-count count;
        probe-interval seconds;
        probe-type type;
        routing-instance instance-name;
        source-address address;
        target (url url | address address);
        test-interval interval;
        thresholds thresholds;
        traps traps;
    }
Hierarchy Level
[edit services rpm probe owner]
Release Information
Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches.
Description
Specify the range of probes over which the standard deviation, average, and jitter are calculated. The test name combined with the owner name represents a single RPM configuration instance.
Options
test-name: Specify a test name. The name can be up to 32 characters in length.
The remaining statements are explained separately.
Usage Guidelines
See Configuring RPM Probes on page 1303.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


Chapter 63: Summary of Real-Time Performance Monitoring Configuration Statements

test-interval
Syntax
    test-interval frequency;
Hierarchy Level
[edit services rpm bgp]
[edit services rpm probe owner test test-name]
Release Information
Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches.
Description
Specify the time to wait between tests, in seconds.
Options
frequency: Number of seconds, from 0 through 86400.
Usage Guidelines
See Configuring BGP Neighbor Discovery Through RPM on page 1300 or Configuring RPM Probes on page 1303.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


thresholds
Syntax
    thresholds thresholds;
Hierarchy Level
[edit services rpm probe owner test test-name]
Release Information
Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches.
Description
Specify thresholds used for the probes. A system log message is generated when the configured threshold is exceeded. Likewise, an SNMP trap (if configured) is generated when a threshold is exceeded.
Options
thresholds: Specify one or more threshold measurements. The following options are supported:
egress-time: Measures maximum source-to-destination time per probe.
ingress-time: Measures maximum destination-to-source time per probe.
jitter-egress: Measures maximum source-to-destination jitter per test.
jitter-ingress: Measures maximum destination-to-source jitter per test.
jitter-rtt: Measures maximum jitter per test, from 0 through 60,000,000 microseconds.
rtt: Measures maximum round-trip time per probe, in microseconds.
std-dev-egress: Measures maximum source-to-destination standard deviation per test.
std-dev-ingress: Measures maximum destination-to-source standard deviation per test.
std-dev-rtt: Measures maximum standard deviation per test, in microseconds.
successive-loss: Measures successive probe loss count, indicating probe failure.
total-loss: Measures total probe loss count indicating test failure, from 0 through 15.
Usage Guidelines
See Configuring RPM Probes on page 1303.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


traps
Syntax
    traps traps;
Hierarchy Level
[edit services rpm probe owner test test-name]
Release Information
Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches.
Description
Set the trap bit to generate traps for probes. Traps are sent if the configured threshold is met or exceeded.
Options
traps: Specify one or more traps. The following options are supported:
egress-jitter-exceeded: Generates traps when the jitter in egress time threshold is met or exceeded.
egress-std-dev-exceeded: Generates traps when the egress time standard deviation threshold is met or exceeded.
egress-time-exceeded: Generates traps when the maximum egress time threshold is met or exceeded.
ingress-jitter-exceeded: Generates traps when the jitter in ingress time threshold is met or exceeded.
ingress-std-dev-exceeded: Generates traps when the ingress time standard deviation threshold is met or exceeded.
ingress-time-exceeded: Generates traps when the maximum ingress time threshold is met or exceeded.
jitter-exceeded: Generates traps when the jitter in round-trip time threshold is met or exceeded.
probe-failure: Generates traps for successive probe loss thresholds crossed.
rtt-exceeded: Generates traps when the maximum round-trip time threshold is met or exceeded.
std-dev-exceeded: Generates traps when the round-trip time standard deviation threshold is met or exceeded.
test-completion: Generates traps when a test is completed.
test-failure: Generates traps when the total probe loss threshold is met or exceeded.
Usage Guidelines
See Configuring RPM Probes on page 1303.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
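As an added example that is not part of the Juniper guide, the following Python evaluates one completed RPM test against the thresholds statement options and returns the traps statement options that would be raised. The probe results and threshold values are constructed; jitter is assumed here to mean the maximum minus the minimum of the per-probe values within a test, and std-dev the population standard deviation, since the guide does not define the computation.

```python
"""Evaluate a completed RPM test against configured thresholds and name the traps.

Added example, not Juniper code. Probe results and thresholds are constructed.
Assumptions: jitter = max - min of the per-probe values in the test; std-dev is
the population standard deviation; a threshold fires when met or exceeded.
"""
import statistics

# Threshold option -> trap option, as listed in the thresholds and traps statements.
THRESHOLD_TO_TRAP = {
    "rtt": "rtt-exceeded",
    "egress-time": "egress-time-exceeded",
    "ingress-time": "ingress-time-exceeded",
    "jitter-rtt": "jitter-exceeded",
    "jitter-egress": "egress-jitter-exceeded",
    "jitter-ingress": "ingress-jitter-exceeded",
    "std-dev-rtt": "std-dev-exceeded",
    "std-dev-egress": "egress-std-dev-exceeded",
    "std-dev-ingress": "ingress-std-dev-exceeded",
    "successive-loss": "probe-failure",
    "total-loss": "test-failure",
}

# Which per-probe measurement (microseconds) feeds each timing threshold.
METRIC_FOR = {
    "rtt": "rtt", "jitter-rtt": "rtt", "std-dev-rtt": "rtt",
    "egress-time": "egress", "jitter-egress": "egress", "std-dev-egress": "egress",
    "ingress-time": "ingress", "jitter-ingress": "ingress", "std-dev-ingress": "ingress",
}


def evaluate_test(probes, thresholds):
    """Return the sorted trap names raised by one test.

    probes: list of dicts with 'rtt', 'egress', 'ingress' in microseconds,
            or None for a probe that received no reply.
    thresholds: dict mapping a thresholds option to its configured value.
    """
    fired = {"test-completion"}          # every finished test reports completion
    lost_total, run, longest = 0, 0, 0
    for probe in probes:                 # total losses and the longest loss run
        if probe is None:
            lost_total += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    if "total-loss" in thresholds and lost_total >= thresholds["total-loss"]:
        fired.add("test-failure")
    if "successive-loss" in thresholds and longest >= thresholds["successive-loss"]:
        fired.add("probe-failure")

    answered = [p for p in probes if p is not None]
    for name, limit in thresholds.items():
        if name not in METRIC_FOR or not answered:
            continue
        values = [p[METRIC_FOR[name]] for p in answered]
        if name.startswith("jitter"):
            measured = max(values) - min(values)     # assumed jitter definition
        elif name.startswith("std-dev"):
            measured = statistics.pstdev(values)     # per-test standard deviation
        else:
            measured = max(values)                   # per-probe maximum time
        if measured >= limit:
            fired.add(THRESHOLD_TO_TRAP[name])
    return sorted(fired)


# Constructed sample: seven probes, two consecutive losses, one slow probe.
SAMPLE_PROBES = [
    {"rtt": 1200, "egress": 600, "ingress": 600},
    {"rtt": 1300, "egress": 650, "ingress": 650},
    None,
    None,
    {"rtt": 1250, "egress": 620, "ingress": 630},
    {"rtt": 9500, "egress": 8800, "ingress": 700},
    {"rtt": 1100, "egress": 550, "ingress": 550},
]
SAMPLE_THRESHOLDS = {"rtt": 5000, "jitter-ingress": 500, "successive-loss": 2, "total-loss": 3}

if __name__ == "__main__":
    print(evaluate_test(SAMPLE_PROBES, SAMPLE_THRESHOLDS))
```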


twamp
Syntax
    twamp {
        server {
            authentication-mode mode;
            client-list list-name {
                [ address address ];
            }
            inactivity-timeout seconds;
            max-connection-duration hours;
            maximum-connections count;
            maximum-connections-per-client count;
            maximum-sessions count;
            maximum-sessions-per-connection count;
            port number;
            server-inactivity-timeout minutes;
        }
    }
Hierarchy Level
[edit services rpm]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Two-Way Active Measurement Protocol (TWAMP) configuration settings. The remaining statements are described separately.
Usage Guidelines
See Configuring TWAMP on page 1310.
Required Privilege Level
system: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

twamp-server
Syntax
    twamp-server;
Hierarchy Level
[edit interfaces sp-fpc/pic/port unit logical-unit-number]
Release Information
Statement introduced in Junos OS Release 9.3.
Description
Specify the service PIC logical interface to provide the TWAMP service.
Usage Guidelines
See Configuring TWAMP on page 1310.
Required Privilege Level
system: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


udp
Syntax
    udp {
        destination-interface interface-name;
        port port;
    }
Hierarchy Level
[edit services rpm probe-server]
Release Information
Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches.
Description
Specify the port information for the UDP server. The remaining statements are explained separately.
Usage Guidelines
See Configuring RPM Receiver Servers on page 1307.
Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


PART 8

Tunnel Services

Tunnel Services Overview on page 1351
Tunnel Interfaces Configuration Guidelines on page 1355
Summary of Tunnel Services Configuration Statements on page 1375


CHAPTER 64

Tunnel Services Overview


This chapter discusses the following topics:

Tunnel Services Overview on page 1351
GRE Keepalive Time Overview on page 1353

Tunnel Services Overview


By encapsulating arbitrary packets inside a transport protocol, tunneling provides a private, secure path through an otherwise public network. Tunnels connect discontinuous subnetworks and enable encryption interfaces, virtual private networks (VPNs), and MPLS. If you have a Tunnel Physical Interface Card (PIC) installed in your M Series or T Series router, you can configure unicast, multicast, and logical tunnels. You can configure two types of tunnels for VPNs: one to facilitate routing table lookups and another to facilitate VPN routing and forwarding instance (VRF) table lookups.

For information about encryption interfaces, see Configuring Encryption Interfaces on page 995 and the Junos OS System Basics Configuration Guide. For information about VPNs, see the Junos OS VPNs Configuration Guide. For information about MPLS, see the Junos OS MPLS Applications Configuration Guide.

On SRX Series and J Series devices, Generic Routing Encapsulation (GRE) and IP-IP tunnels use internal interfaces, gr-0/0/0 and ip-0/0/0, respectively. The Junos OS creates these interfaces at system bootup; they are not associated with physical interfaces.

The Juniper Networks Junos OS supports the tunnel types shown in Table 23 on page 1351.

Table 23: Tunnel Interface Types

Interface   Description

gr-0/0/0    Configurable generic routing encapsulation (GRE) interface. GRE allows the encapsulation of one routing protocol over another routing protocol. Within a router, packets are routed to this internal interface, where they are first encapsulated with a GRE packet and then re-encapsulated with another protocol packet to complete the GRE. The GRE interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform GRE.

gre         Internally generated GRE interface. This interface is generated by the Junos OS to handle GRE. You cannot configure this interface.

ip-0/0/0    Configurable IP-over-IP encapsulation (also called IP tunneling) interface. IP tunneling allows the encapsulation of one IP packet over another IP packet. Packets are routed to an internal interface where they are encapsulated with an IP packet and then forwarded to the encapsulating packet's destination address. The IP-IP interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform IP tunneling.

ipip        Internally generated IP-over-IP interface. This interface is generated by the Junos OS to handle IP-over-IP encapsulation. It is not a configurable interface.

lt-0/0/0    The lt interface on M Series and T Series routers supports configuration of logical systems: the capability to partition a single physical router into multiple logical devices that perform independent routing tasks. On SRX Series devices, the lt interface is a configurable logical tunnel interface that interconnects logical systems. See the Junos OS Logical Systems Configuration Guide for Security Devices. On J Series devices, the lt interface is used to provide class-of-service (CoS) support for real-time performance monitoring (RPM) probe packets. Packets are routed to this internal interface for services. The lt interface is an internal interface only; it is not associated with a physical interface. You must configure the interface for it to perform CoS for RPM services. See the Junos OS Class of Service Configuration Guide for Security Devices.

mt-0/0/0    Internally generated multicast tunnel interface. Multicast tunnels filter all unicast packets; if an incoming packet is not destined for a 224/8-or-greater prefix, the packet is dropped and a counter is incremented. Within a router, packets are routed to this internal interface for multicast filtering. The multicast tunnel interface is an internal interface only and is not associated with a physical interface. If your router has a Tunnel Services PIC, the Junos OS automatically configures one multicast tunnel interface (mt-) for each virtual private network (VPN) you configure. You do not need to configure multicast tunnel interfaces. However, you can configure properties on mt- interfaces, such as the multicast-only statement.

mtun        Internally generated multicast tunnel interface. This interface is generated by the Junos OS to handle multicast tunnel services. It is not a configurable interface.

pd-0/0/0    Configurable Protocol Independent Multicast (PIM) de-encapsulation interface. In PIM sparse mode, the first-hop router encapsulates packets destined for the rendezvous point router. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the rendezvous point. The rendezvous point then de-encapsulates the packets and transmits them through its multicast tree. Within a router, packets are routed to this internal interface for de-encapsulation. The PIM de-encapsulation interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform PIM de-encapsulation. NOTE: On SRX Series devices, this interface type is ppd0.

pe-0/0/0    Configurable PIM encapsulation interface. In PIM sparse mode, the first-hop router encapsulates packets destined for the rendezvous point router. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the rendezvous point. The rendezvous point then de-encapsulates the packets and transmits them through its multicast tree. Within a router, packets are routed to this internal interface for encapsulation. The PIM encapsulation interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform PIM encapsulation. NOTE: On SRX Series devices, this interface type is ppe0.

pimd        Internally generated PIM de-encapsulation interface. This interface is generated by the Junos OS to handle PIM de-encapsulation. It is not a configurable interface.

pime        Internally generated PIM encapsulation interface. This interface is generated by the Junos OS to handle PIM encapsulation. It is not a configurable interface.

vt-0/0/0    Configurable virtual loopback tunnel interface. Facilitates VRF table lookup based on MPLS labels. This interface type is supported on M Series and T Series routers, but not on SRX Series or J Series devices. To configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels, you specify a virtual loopback tunnel interface name and associate it with a routing instance that belongs to a particular routing table. The packet loops back through the virtual loopback tunnel for route lookup.

GRE Keepalive Time Overview


Generic routing encapsulation (GRE) tunnel interfaces do not have a built-in mechanism for detecting when a tunnel is down. You can enable keepalive messages to serve as the detection mechanism. Keepalives can be configured on the physical or on the logical interface. If configured on the physical interface, keepalives are sent on all logical interfaces that are part of the physical interface. If configured on an individual logical interface, keepalives are only sent to that logical interface. In addition to configuring a keepalive, you must configure the hold time.

Related Documentation

Configuring GRE Keepalive Time on page 1360
Example: Configuring Keepalive for a GRE Interface on page 1374
keepalive-time on page 1381
hold-time on page 1380


CHAPTER 65

Tunnel Interfaces Configuration Guidelines


This chapter includes the following tunnel interface configuration tasks and examples:

Configuring Unicast Tunnels on page 1355
Configuring GRE Keepalive Time on page 1360
Restricting Tunnels to Multicast Traffic on page 1362
Configuring Logical Tunnel Interfaces on page 1362
Configuring Tunnel Interfaces for Routing Table Lookup on page 1364
Configuring Virtual Loopback Tunnels for VRF Table Lookup on page 1364
Configuring PIM Tunnels on page 1366
Configuring IPv6-over-IPv4 Tunnels on page 1366
Configuring IPv4-over-IPv6 Tunnels on page 1367
Configuring Dynamic Tunnels on page 1367
Configuring Tunnel Interfaces on MX Series Routers on page 1368
Examples: Configuring Unicast Tunnels on page 1369
Example: Configuring a Virtual Loopback Tunnel for VRF Table Lookup on page 1370
Example: Configuring an IPv6-over-IPv4 Tunnel on page 1370
Example: Configuring an IPv4-over-IPv6 Tunnel on page 1371
Example: Configuring Logical Tunnels on page 1373
Example: Configuring Keepalive for a GRE Interface on page 1374

Configuring Unicast Tunnels


To configure a unicast tunnel, you configure a gr- interface (to use GRE encapsulation) or an ip- interface (to use IP-IP encapsulation) and include the tunnel and family statements:

    gr-fpc/pic/port or ip-fpc/pic/port {
        unit logical-unit-number {
            copy-tos-to-outer-ip-header;
            reassemble-packets;
            tunnel {
                allow-fragmentation;
                backup-destination address;
                destination destination-address;
                do-not-fragment;
                key number;
                routing-instance {
                    destination routing-instance-name;
                }
                source address;
                ttl number;
            }
            family family {
                address address {
                    destination address;
                }
            }
        }
    }

You can configure these statements at the following hierarchy levels:

[edit interfaces]
[edit logical-systems logical-system-name interfaces]

You can configure multiple logical units for each GRE or IP-IP interface, and you can configure only one tunnel per unit. Each tunnel interface must be a point-to-point interface. Point to point is the default interface connection type, so you do not need to include the point-to-point statement in the logical interface configuration. You must specify the tunnel's destination and source addresses. The remaining statements are optional.

NOTE: For transit packets exiting the tunnel, forwarding path features, such as reverse path forwarding (RPF), forwarding table filtering, source class usage, destination class usage, and stateless firewall filtering, are not supported on the interfaces you configure as tunnel sources, but are supported on tunnel-pic interfaces. However, class-of-service (CoS) information obtained from the GRE or IP-IP header is carried over the tunnel and is used by the re-entering packets. For more information, see the Junos OS Class of Service Configuration Guide. To prevent an invalid configuration, the Junos OS disallows setting the address specified by the source or destination statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel] hierarchy level to be the same as the interface's own subnet address, specified by the address statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number family family-name] hierarchy level.

To set the time-to-live (TTL) field that is included in the encapsulating header, include the ttl statement. If you explicitly configure a TTL value for the tunnel, you must configure it to be one larger than the number of hops in the tunnel. For example, if the tunnel has seven hops, you must configure a TTL value of 8.

You must configure at least one family on the logical interface. To enable MPLS over GRE tunnel interfaces, you must include the family mpls statement in the GRE interface configuration. In addition, you must include the appropriate statements at the [edit protocols] hierarchy level to enable Resource Reservation Protocol (RSVP), MPLS, and label-switched paths (LSPs) over GRE tunnels.

Unicast tunnels are bidirectional. A configured tunnel cannot go through Network Address Translation (NAT) at any point along the way to the destination. For more information, see Examples: Configuring Unicast Tunnels on page 1369 and the Junos OS MPLS Applications Configuration Guide.

For a GRE tunnel, the default is to set the ToS bits in the outer IP header to all zeros. To have the Routing Engine copy the ToS bits from the inner IP header to the outer, include the copy-tos-to-outer-ip-header statement. (This inner-to-outer ToS bits copying is already the default behavior for IP-IP tunnels.)

For GRE tunnel interfaces on Adaptive Services or Multiservices interfaces, you can configure additional tunnel attributes, as described in the following sections:

Configuring a Key Number on GRE Tunnels on page 1357
Enabling Fragmentation on GRE Tunnels on page 1358
Specifying an MTU Setting for the Tunnel on page 1359
Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header on page 1359
Configuring Packet Reassembly on page 1359

Configuring a Key Number on GRE Tunnels


For Adaptive Services and Multiservices interfaces on M Series and T Series routers, you can assign a key value to identify an individual traffic flow within a GRE tunnel, as defined in RFC 2890, Key and Sequence Number Extensions to GRE. However, only one key is allowed for each tunnel source and destination pair. Each IP version 4 (IPv4) packet entering the tunnel is encapsulated with the GRE tunnel key value. Each IPv4 packet exiting the tunnel is verified by the GRE tunnel key value and de-encapsulated. The Adaptive Services or Multiservices PIC drops packets that do not match the configured key value. To assign a key value to a GRE tunnel interface, include the key statement:
key number;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number tunnel]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]

The key number can be 0 through 4,294,967,295. You must configure the same GRE tunnel key value on tunnel endpoints.


The following example illustrates the use of the key statement in a GRE tunnel configuration:
    interfaces {
        gr-1/2/0 {
            unit 0 {
                tunnel {
                    source 10.58.255.193;
                    destination 10.58.255.195;
                    key 1234;
                }
                ...
                family inet {
                    mtu 1500;
                    address 10.200.0.1/30;
                    ...
                }
            }
        }
    }

Enabling Fragmentation on GRE Tunnels


For GRE tunnel interfaces on Adaptive Services and Multiservices interfaces only, you can enable fragmentation of IPv4 packets in GRE tunnels. By default, IPv4 traffic transmitted over GRE tunnels is not fragmented. To enable fragmentation of IPv4 packets in GRE tunnels, include the clear-dont-fragment-bit statement:
clear-dont-fragment-bit;

You can include this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

When you include the clear-dont-fragment-bit statement in the configuration, the don't-fragment (DF) bit is cleared on all packets, even packets that do not exceed the tunnel maximum transmission unit (MTU). If the packet's size exceeds the tunnel's MTU value, the packet is fragmented before encapsulation. If the packet's size does not exceed the tunnel's MTU value, the packet is not fragmented.

NOTE: The Packet Forwarding Engine updates the IP identification field in the outer IP header of GRE-encapsulated packets, so that reassembly of the packets is possible after fragmentation. The previous CLI constraint check that required you to configure either the clear-dont-fragment-bit statement or a tunnel key with the allow-fragmentation statement is no longer enforced.

You can also clear the DF bit in packets transmitted over IP Security (IPsec) tunnels. For more information, see Enabling IPsec Packet Fragmentation on page 350.


Specifying an MTU Setting for the Tunnel


To enable key numbers and fragmentation on GRE tunnels (as described in Configuring a Key Number on GRE Tunnels on page 1357 and Enabling Fragmentation on GRE Tunnels on page 1358), you must also specify an MTU setting for the tunnel. To specify an MTU setting for the tunnel, include the mtu statement:
mtu bytes;

You can include this statement at the following hierarchy levels:


[edit interfaces gr-fpc/pic/port unit logical-unit-number family inet]
[edit logical-system logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number family inet]

For more information about MTU settings, see the Junos OS Network Interfaces Configuration Guide.

Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header


Unlike IP-IP tunnels, GRE tunnels do not copy the ToS bits to the outer IP header by default. To have the Routing Engine copy the inner ToS bits to the outer IP header (which is required for some tunneled routing protocols) on packets sent by the Routing Engine, include the copy-tos-to-outer-ip-header statement at the logical unit hierarchy level of a GRE interface. This example copies the inner ToS bits to the outer IP header on a GRE tunnel:
    [edit interfaces]
    gr-0/0/0 {
        unit 0 {
            copy-tos-to-outer-ip-header;
            family inet;
        }
    }

Configuring Packet Reassembly


On GRE tunnel interfaces only, you can enable reassembly of fragmented tunnel packets. To activate this capability, include the reassemble-packets statement:
reassemble-packets;

You can configure this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For each tunnel you configure on the interface, you can enable or disable fragmentation of GRE packets by including the allow-fragmentation or do-not-fragment statement:

    allow-fragmentation;
    do-not-fragment;

You can configure these statements at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number tunnel]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]

If you configure allow-fragmentation on a tunnel, it clears the DF bit in the outer IP header, enabling post fragmentation of GRE-encapsulated packets if the packet size exceeds the maximum transmission unit (MTU) value for the egress interface. By default, packets that exceed the MTU size are dropped and post fragmentation of GRE packets is disabled.

NOTE: Whenever you configure allow-fragmentation on a tunnel, you must also include either the tunnel key or the clear-dont-fragment-bit statement. This configuration enables the router to send affected packets to the PIC so that the correct IP header can be placed in the fragments. Otherwise, on the reassembly side some packets might be lost when fragments arrive in the PIC out of sequence at high speeds.
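As an added example that is not Juniper code, the following Python parses a Junos-style brace configuration and checks one gr- logical unit against the rules stated in this section: source and destination required, key range 0 through 4,294,967,295, TTL one larger than the hop count, at least one family, allow-fragmentation requiring a tunnel key or clear-dont-fragment-bit, and the endpoints not being the interface's own subnet address (checked here as membership in that subnet). SAMPLE_CONFIG is the key example from the section with its elided parts filled in (constructed), and the hops value is a constructed assumption used only for the TTL rule.

```python
"""Parse a Junos-style brace configuration and check one GRE tunnel unit
against the rules stated in this chapter. Added example, not Juniper code:
SAMPLE_CONFIG is the chapter's key example with its elided parts filled in
(constructed), and 'hops' is a constructed value for the TTL rule (hops + 1).
"""
import ipaddress
import re

TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_junos(text):
    """Turn 'a b { c d; }' into nested dicts {'a b': {'c d': None}}; '...' is skipped."""
    tokens = iter(TOKEN.findall(text))
    def block():
        result, words = {}, []
        for tok in tokens:          # the shared iterator is consumed by nested calls
            if tok == "}":
                break
            if tok == ";":
                if words:
                    result[" ".join(words)] = None
                words = []
            elif tok == "{":
                result[" ".join(words)] = block()
                words = []
            elif tok != "...":
                words.append(tok)
        return result
    return block()


def arg(node, keyword):
    """Argument of 'keyword value;' in node, or None if the statement is absent."""
    for key in node:
        parts = key.split()
        if parts and parts[0] == keyword:
            return parts[1] if len(parts) > 1 else ""
    return None


def sub(node, *path):
    """Child block reached by following full statement names, or {} if absent."""
    for name in path:
        node = node.get(name) or {}
    return node


def check_gre_unit(unit, hops=None):
    """Return the rule violations for one gr- logical unit (empty list if clean)."""
    problems = []
    tunnel = sub(unit, "tunnel")
    src, dst = arg(tunnel, "source"), arg(tunnel, "destination")
    if src is None or dst is None:
        problems.append("tunnel source and destination are both required")
    key = arg(tunnel, "key")
    if key is not None and not 0 <= int(key) <= 4294967295:
        problems.append("key must be 0 through 4,294,967,295")
    ttl = arg(tunnel, "ttl")
    if ttl is not None and hops is not None and int(ttl) != hops + 1:
        problems.append(f"ttl {ttl} must be one larger than the {hops} tunnel hops")
    if "allow-fragmentation" in tunnel and key is None and "clear-dont-fragment-bit" not in unit:
        problems.append("allow-fragmentation needs a tunnel key or clear-dont-fragment-bit")
    families = [k for k in unit if k.startswith("family ")]
    if not families:
        problems.append("at least one family must be configured on the unit")
    for fam in families:
        for stmt in sub(unit, fam):
            if stmt.startswith("address "):
                net = ipaddress.ip_network(stmt.split()[1], strict=False)  # unit's own subnet
                for end in (src, dst):
                    if end and ipaddress.ip_address(end) in net:
                        problems.append(f"{end} lies inside the interface's own subnet {net}")
    return problems


def check_gre_config(text, interface, unit_number, hops=None):
    """Parse a configuration and check the named gr- interface unit."""
    unit = sub(parse_junos(text), "interfaces", interface, f"unit {unit_number}")
    return check_gre_unit(unit, hops)


SAMPLE_CONFIG = """interfaces {
    gr-1/2/0 {
        unit 0 {
            tunnel {
                source 10.58.255.193;
                destination 10.58.255.195;
                key 1234;
                ttl 8;
                allow-fragmentation;
            }
            family inet {
                mtu 1500;
                address 10.200.0.1/30;
            }
        }
    }
}
"""
```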

Configuring GRE Keepalive Time


You can configure the keepalives on a GRE tunnel interface by including both the keepalive-time statement and the hold-time statement at the [edit protocols oam gre-tunnel interface interface-name] hierarchy level.

NOTE: For proper operation of keepalives on a GRE interface, you must also include the family inet statement at the [edit interfaces interface-name unit unit] hierarchy level. If you do not include this statement, the interface is marked as down.

To configure keepalive time for a GRE tunnel interface:

1. At the [edit interfaces interface-name unit unit-number] hierarchy level, set the family as inet.

    user@host# set interfaces interface-name unit unit-number family family-name

2. Configure the Operation, Administration, and Maintenance (OAM) protocol:

    [edit]
    user@host# edit protocols oam

3. Configure the GRE tunnel interface:

    [edit protocols oam]
    user@host# edit gre-tunnel interface interface-name

4. Configure the keepalive time:

    [edit protocols oam gre-tunnel interface interface-name]
    user@host# set keepalive-time seconds

5. Configure the hold time, which must be at least twice the keepalive time.

    [edit protocols oam gre-tunnel interface interface-name]
    user@host# set hold-time seconds

When the keepalive hold time expires, the GRE tunnel will stay up even though the interface cannot send or receive traffic. To verify the GRE tunnel state, check the output for the following commands:
    user@host> show interfaces gr-3/3/0.3 terse
    Interface               Admin Link Proto    Local                 Remote
    gr-3/3/0.3              up    up   inet     200.1.3.1/24
                                       mpls

    user@host> show interfaces gr-3/3/0.3 extensive
      Logical interface gr-3/3/0.3 (Index 73) (SNMP ifIndex 594) (Generation 900)
        Flags: Point-To-Point SNMP-Traps 0x4000
        IP-Header 10.1.19.11:10.1.19.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
        Gre keepalives configured: On, Gre keepalives adjacency state: down
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        Traffic statistics:
         Input  bytes  :             15629992
         Output bytes  :             15912273
         Input  packets:               243813
         Output packets:               179476
        Local statistics:
         Input  bytes  :             15322586
         Output bytes  :             15621359
         Input  packets:               238890
         Output packets:               174767
        Transit statistics:
         Input  bytes  :               307406                    0 bps
         Output bytes  :               290914                    0 bps
         Input  packets:                 4923                    0 pps
         Output packets:                 4709                    0 pps
        Protocol inet, MTU: 1476, Generation: 1564, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            Destination: 200.1.3/24, Local: 200.1.3.1, Broadcast: 200.1.3.255, Generation: 1366
        Protocol mpls, MTU: 1464, Maximum labels: 3, Generation: 1565, Route table: 0

NOTE: When the keepalive hold time has expired, the Link status will be Up and the Gre keepalives adjacency state will be Down.
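As an added example that is not part of the Juniper guide, the following Python parses the extensive output shown above and flags tunnels whose link is Up while the GRE keepalive adjacency is down, the condition the note describes; it also checks the hold-time rule from step 5. SAMPLE_OUTPUT is an abridged copy of that output plus a constructed healthy unit gr-3/3/0.4, and collecting the CLI text from the router is assumed to happen elsewhere.

```python
"""Detect GRE tunnels whose keepalive adjacency is down although the link is Up.

Added example, not Juniper code. SAMPLE_OUTPUT abridges the 'show interfaces
extensive' output in this section and adds a constructed healthy unit
(gr-3/3/0.4); fetching the CLI text from the router is assumed to happen elsewhere.
"""
import re

LOGICAL_IF = re.compile(r"^\s*Logical interface (\S+) ")
KEEPALIVE = re.compile(
    r"Gre keepalives configured: (\w+), Gre keepalives adjacency state: (\w+)")
ADDR_FLAGS = re.compile(r"^\s*Addresses, Flags: (.*)$")


def parse_extensive(text):
    """Map each logical interface to its keepalive state and address flags."""
    result, current = {}, None
    for line in text.splitlines():
        m = LOGICAL_IF.match(line)
        if m:
            current = {"configured": None, "adjacency": None, "flags": []}
            result[m.group(1)] = current
            continue
        if current is None:
            continue
        m = KEEPALIVE.search(line)
        if m:
            current["configured"] = m.group(1)
            current["adjacency"] = m.group(2).lower()
        m = ADDR_FLAGS.match(line)
        if m:
            current["flags"].extend(m.group(1).split())
    return result


def dead_tunnels(text):
    """Units with keepalives On whose adjacency is down. Such a unit stays
    link-up (see the note above), so a link-state monitor alone misses it."""
    return sorted(name for name, info in parse_extensive(text).items()
                  if info["configured"] == "On" and info["adjacency"] == "down")


def valid_timers(keepalive_time, hold_time):
    """Hold time must be at least twice the keepalive time (step 5 above)."""
    return keepalive_time > 0 and hold_time >= 2 * keepalive_time


SAMPLE_OUTPUT = """\
  Logical interface gr-3/3/0.3 (Index 73) (SNMP ifIndex 594) (Generation 900)
    Flags: Point-To-Point SNMP-Traps 0x4000
    IP-Header 10.1.19.11:10.1.19.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Gre keepalives configured: On, Gre keepalives adjacency state: down
    Protocol inet, MTU: 1476, Generation: 1564, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 200.1.3/24, Local: 200.1.3.1, Broadcast: 200.1.3.255, Generation: 1366
  Logical interface gr-3/3/0.4 (Index 74) (SNMP ifIndex 595) (Generation 901)
    Flags: Point-To-Point SNMP-Traps 0x4000
    Gre keepalives configured: On, Gre keepalives adjacency state: up
    Protocol inet, MTU: 1476, Generation: 1566, Route table: 0
      Addresses, Flags: Is-Preferred Is-Primary
"""

if __name__ == "__main__":
    print(dead_tunnels(SAMPLE_OUTPUT))  # prints ['gr-3/3/0.3']
```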

Related Documentation

GRE Keepalive Time Overview on page 1353
Example: Configuring Keepalive for a GRE Interface on page 1374
keepalive-time on page 1381
hold-time on page 1380


Restricting Tunnels to Multicast Traffic


For interfaces that carry IPv4 or IP version 6 (IPv6) traffic, you can configure a tunnel interface to allow multicast traffic only. To configure a multicast-only tunnel, include the multicast-only statement:
multicast-only;

You can configure this statement at the following hierarchy levels:


[edit interfaces interface-name unit logical-unit-number family family]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]

Multicast tunnels filter all unicast packets; if an incoming packet is not destined for a 224/8 or greater prefix, the packet is dropped and a counter is incremented. You can configure this property on GRE, IP-IP, PIM, and multicast tunnel (mt) interfaces only.

NOTE: If your router has a Tunnel Services PIC, the Junos OS automatically configures one multicast tunnel interface (mt) for each virtual private network (VPN) you configure. You do not need to configure multicast tunnel interfaces.

Configuring Logical Tunnel Interfaces


Logical tunnel (lt-) interfaces provide quite different services depending on the host router:

On M Series, MX Series, and T Series routers, logical tunnel interfaces allow you to connect logical systems, virtual routers, or VPN instances. M Series and T Series routers must be equipped with a Tunnel Services PIC or an Adaptive Services Module (only available on M7i routers). MX Series routers must be equipped with a Trio MPC/MIC module. For more information about connecting these applications, see the Junos OS VPNs Configuration Guide.

On SRX Series Services Gateways, the logical tunnel interface is used to interconnect logical systems. See the Junos OS Logical Systems Configuration Guide for Security Devices.

On J Series Services Routers, the logical tunnel interface is used to provide class-of-service (CoS) support for real-time performance monitoring (RPM) probe packets. Packets are routed to this internal interface for services. See the Junos OS Class of Service Configuration Guide for Security Devices.

For M Series, MX Series, and T Series routers, see the following section:

Connecting Logical Systems on page 1363

1362

Copyright 2011, Juniper Networks, Inc.

Chapter 65: Tunnel Interfaces Configuration Guidelines

Connecting Logical Systems


To connect two logical systems, you configure a logical tunnel interface on both logical systems. Then you configure a peer relationship between the logical tunnel interfaces, thus creating a point-to-point connection. To configure a point-to-point connection between two logical systems, configure the logical tunnel interface by including the lt-fpc/pic/port statement:
lt-fpc/pic/port {
    unit logical-unit-number {
        encapsulation encapsulation;
        peer-unit unit-number; # peering logical system unit number
        dlci dlci-number;
        family (inet | inet6 | iso | mpls);
    }
}

You can include this statement at the following hierarchy levels:


[edit interfaces]
[edit logical-systems logical-system-name interfaces]

When configuring logical tunnel interfaces, note the following:

- You can configure each logical tunnel interface with one of the following encapsulation types: Ethernet, Ethernet circuit cross-connect (CCC), Ethernet VPLS, Frame Relay, Frame Relay CCC, VLAN, VLAN CCC, or VLAN VPLS.
- You can configure the IP, IPv6, International Organization for Standardization (ISO), or MPLS protocol family.
- The peering logical interfaces must belong to the same logical tunnel interface derived from the Tunnel Services PIC or Adaptive Services Module.
- You can configure only one peer unit for each logical interface. For example, unit 0 cannot peer with both unit 1 and unit 2.
- To enable the logical tunnel interface, you must configure at least one physical interface statement.
- Logical tunnels are not supported with Adaptive Services, Multiservices, or Link Services PICs (but they are supported on the Adaptive Services Module on M7i routers, as noted above).
- On M Series routers other than the M40e router, logical tunnel interfaces require an Enhanced Flexible PIC Concentrator (FPC).
- On MX Series routers, logical tunnel interfaces require Trio MPC/MIC modules. They do not require a Tunnel Services PIC in the same system.

For more information about configuring logical systems, see the Junos OS Routing Protocols Configuration Guide.


Junos 11.4 Services Interfaces Configuration Guide

Configuring Tunnel Interfaces for Routing Table Lookup


To configure tunnel interfaces to facilitate routing table lookups for VPNs, you specify a tunnel's endpoint IP addresses and associate them with a routing instance that belongs to a particular routing table. This enables the Junos OS to search the appropriate routing table for the route prefix, because the same prefix can appear in multiple routing tables. To configure the destination VPN, include the routing-instance statement:
routing-instance {
    destination routing-instance-name;
}

You can include this statement at the following hierarchy levels:


[edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel]
[edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number tunnel]

This configuration indicates that the tunnel's destination address is in routing instance routing-instance-name. By default, the tunnel route prefixes are assumed to be in the default Internet routing table, inet.0.

NOTE: If you configure a virtual loopback tunnel interface and the vrf-table-label statement on the same routing instance, the vrf-table-label statement takes precedence over the virtual loopback tunnel interface. For more information, see Configuring Virtual Loopback Tunnels for VRF Table Lookup on page 1364.

For more information about VPNs, see the Junos OS VPNs Configuration Guide.

Configuring Virtual Loopback Tunnels for VRF Table Lookup


To enable egress filtering, you can either configure filtering based on the IP header, or you can configure a virtual loopback tunnel on routers equipped with a Tunnel PIC. Table 24 on page 1364 describes each method.

Table 24: Methods for Configuring Egress Filtering

Method: Filter traffic based on the IP header
  Interface Type: Nonchannelized Point-to-Point Protocol / High-Level Data Link Control (PPP/HDLC) core-facing SONET/SDH interfaces
  Configuration Guidelines: Include the vrf-table-label statement at the [edit routing-instances instance-name] hierarchy level. For more information, see the Junos OS VPNs Configuration Guide.
  Comments: There is no restriction on customer-edge (CE) router-to-provider edge (PE) router interfaces.

Method: Configure a virtual loopback tunnel on routers equipped with a Tunnel PIC
  Interface Type: All interfaces
  Configuration Guidelines: See the guidelines in this section.
  Comments: The router must be equipped with a Tunnel PIC. There is no restriction on the type of core-facing interface or CE router-to-PE router interface used. You cannot configure a virtual loopback tunnel and the vrf-table-label statement at the same time.

You can configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels. You might want to enable this functionality so you can do either of the following:

Forward traffic on a PE router to CE device interface, in a shared medium, where the CE device is a Layer 2 switch without IP capabilities (for example, a metro Ethernet switch). The first lookup is done based on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.

Perform egress filtering at the egress PE router. The first lookup on the VPN label is done to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to filter and forward packets. You can enable this functionality by configuring output filters on the VRF interfaces.

To configure a virtual loopback tunnel to facilitate VRF table lookup based on MPLS labels, you specify a virtual loopback tunnel interface name and associate it with a routing instance that belongs to a particular routing table. The packet loops back through the virtual loopback tunnel for route lookup. To specify a virtual loopback tunnel interface name, you configure the virtual loopback tunnel interface at the [edit interfaces] hierarchy level and include the family inet and family mpls statements:
vt-fpc/pic/port {
    unit 0 {
        family inet;
        family mpls;
    }
    unit 1 {
        family inet;
    }
}

To associate the virtual loopback tunnel with a routing instance, include the virtual loopback tunnel interface name at the [edit routing-instances] hierarchy level:


interface vt-fpc/pic/port;

NOTE: For the virtual loopback tunnel interface, none of the logical interface statements are valid, except for the family statement; in particular, you cannot configure IPv4 or IPv6 addresses on these interfaces. Also, virtual loopback tunnels do not support class-of-service (CoS) configurations.

Configuring PIM Tunnels


PIM tunnels are enabled automatically on routers that have a tunnel PIC and on which you enable PIM sparse mode. You do not need to configure the tunnel interface. PIM tunnels are unidirectional. In PIM sparse mode, the first-hop router encapsulates packets destined for the rendezvous point (RP) router. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the RP. The RP then de-encapsulates the packets and transmits them through its multicast tree. To perform the encapsulation and de-encapsulation, the first-hop and RP routers must be equipped with Tunnel PICs. The Junos OS creates two interfaces to handle PIM tunnels:

- pe: Encapsulates packets destined for the RP. This interface is present on the first-hop router.
- pd: De-encapsulates packets at the RP. This interface is present on the RP.

NOTE: The pe and pd interfaces do not support class-of-service (CoS) configurations.

Configuring IPv6-over-IPv4 Tunnels


If you have a Tunnel PIC installed in your M Series or T Series router, you can configure IPv6-over-IPv4 tunnels. To define a tunnel, you configure a unicast tunnel across an existing IPv4 network infrastructure. IPv6 packets are encapsulated in IPv4 headers and sent across the IPv4 infrastructure through the configured tunnel. Configured tunnels are set up manually at each endpoint. On SRX Series and J Series devices, Generic Routing Encapsulation (GRE) and IP-IP tunnels use internal interfaces, gr-0/0/0 and ip-0/0/0, respectively. The Junos OS creates these interfaces at system bootup; they are not associated with a physical interface. IPv6-over-IPv4 tunnels are defined in RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers. For information about configuring a unicast tunnel, see Configuring Unicast Tunnels on page 1355. For an IPv6-over-IPv4 tunnel configuration example, see Example: Configuring an IPv6-over-IPv4 Tunnel on page 1370.


Configuring IPv4-over-IPv6 Tunnels


You can configure IPv6 IP-IP tunnels to carry IPv4 traffic across a network as specified in RFC 2473, Generic Packet Tunneling in IPv6 Specification. It is becoming common for networks to support IPv6 only. This feature provides a way to transition IPv4-based legacy networks to IPv6. An IPv6 IP-IP tunnel is a virtual link between two IPv6 routers and is used to transmit data using IPv6 addressed packets. This feature allows you to encapsulate the IPv4 traffic into an IPv6 IP-IP tunnel across an IPv6 network. The tunnel is unidirectional and unicast addressed. For bi-directional connectivity, you need to configure a pair of unidirectional tunnels. The following procedure outlines how to configure an IP-IP tunnel to carry IPv4 traffic between two IPv6 systems:
1. Configure the family inet6 statement and the family inet statement at the [edit interfaces ip-interface-name unit number] hierarchy level.

2. Configure an IPv6 address for the source statement and the destination statement at the [edit interfaces ip-interface-name unit number tunnel] hierarchy level.

Related Documentation

Example: Configuring an IPv4-over-IPv6 Tunnel on page 1371

Configuring Dynamic Tunnels


A VPN that travels through a non-MPLS network requires a GRE tunnel. This tunnel can be either a static tunnel or a dynamic tunnel. A static tunnel is configured manually between two PE routers. A dynamic tunnel is configured using BGP route resolution. When a router receives a VPN route that resolves over a BGP next hop that does not have an MPLS path, a GRE tunnel can be created dynamically, allowing the VPN traffic to be forwarded to that route. Only GRE IPv4 tunnels are supported. To configure a dynamic tunnel between two PE routers, include the dynamic-tunnels statement:
dynamic-tunnels tunnel-name {
    destination-networks prefix;
    source-address address;
    tunnel-type type-of-tunnel;
}

You can configure this statement at the following hierarchy levels:


[edit routing-options]
[edit routing-instances routing-instance-name routing-options]
[edit logical-systems logical-system-name routing-options]
[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options]

For more information about configuring routing options or BGP, see the Junos OS Routing Protocols Configuration Guide. For more information about VPNs, see the Junos OS VPNs Configuration Guide.

Configuring Tunnel Interfaces on MX Series Routers


Because the MX Series routers do not support Tunnel Services PICs, you create tunnel interfaces on MX Series routers by including the following statements at the [edit chassis] hierarchy level:

[edit chassis]
fpc slot-number {
    pic number {
        tunnel-services {
            bandwidth (1g | 10g);
        }
    }
}

fpc slot-number is the slot number of the DPC, MPC, or MIC. On the MX80 router, the range is 0 through 1. On other MX Series routers, if two SCBs are installed, the range is 0 through 11; if three SCBs are installed, the range is 0 through 5 and 7 through 11.

pic number is the PIC number. On MX80 routers, if the FPC is 0, the PIC number can only be 0; if the FPC is 1, the PIC range is 0 through 3. For all other MX Series routers, the range is 0 through 3.

bandwidth (1g | 10g) is the amount of bandwidth to reserve for tunnel traffic on each Packet Forwarding Engine.

NOTE: On Trio platforms, tunnel interfaces are soft interfaces and carry as much traffic as the forwarding path allows, so it is advantageous to set up tunnel services without artificially limiting traffic by using the bandwidth option. However, you must specify bandwidth when configuring tunnel services on non-Trio platforms.

1g indicates that 1 Gbps of bandwidth is reserved for tunnel traffic. 10g indicates that 10 Gbps of bandwidth is reserved for tunnel traffic.

If you specify a bandwidth that is not compatible, tunnel services are not activated. For example, you cannot specify a bandwidth of 1 Gbps for a Packet Forwarding Engine on a 10-Gigabit Ethernet 4-port DPC. To verify that the tunnel interfaces have been created, issue the show interfaces terse operational mode command. For more information, see the Junos Interfaces Command Reference.


Examples: Configuring Unicast Tunnels


Configure two unnumbered IP-IP tunnels:
[edit interfaces]
ip-0/3/0 {
    unit 0 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.253;
        }
        family inet;
    }
    unit 1 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.254;
        }
        family inet;
    }
}

Configure numbered tunnel interfaces by including an address at the [edit interfaces ip-0/3/0 unit (0 | 1) family inet] hierarchy level:
[edit interfaces]
ip-0/3/0 {
    unit 0 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.253;
        }
        family inet {
            address 10.5.5.1/30;
        }
    }
    unit 1 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.254;
        }
        family inet {
            address 10.6.6.100/30;
        }
    }
}

Configure an MPLS over GRE tunnel by including the family mpls statement at the [edit interfaces gr-1/2/0 unit 0] hierarchy level:
[edit interfaces]
gr-1/2/0 {
    unit 0 {
        tunnel {
            source 192.168.1.1;
            destination 192.168.1.2;
        }
        family inet {
            address 10.1.1.1/30;
        }
        family mpls;
    }
}

Example: Configuring a Virtual Loopback Tunnel for VRF Table Lookup


Configure a virtual loopback tunnel for VRF table lookup:
[edit routing-instances]
routing-instance-1 {
    instance-type vrf;
    interface vt-1/0/0.0;
    interface so-0/2/2.0;
    route-distinguisher 2:3;
    vrf-import VPN-A-import;
    vrf-export VPN-A-export;
    routing-options {
        static {
            route 10.0.0.0/8 next-hop so-0/2/2.0;
        }
    }
}
routing-instance-2 {
    instance-type vrf;
    interface vt-1/0/0.1;
    interface so-0/3/2.0;
    route-distinguisher 4:5;
    vrf-import VPN-B-import;
    vrf-export VPN-B-export;
    routing-options {
        static {
            route 10.0.0.0/8 next-hop so-0/3/2.0;
        }
    }
}
[edit interfaces]
vt-1/0/0 {
    unit 0 {
        family inet;
        family mpls;
    }
    unit 1 {
        family inet;
    }
}

Example: Configuring an IPv6-over-IPv4 Tunnel


Configure a tunnel on both sides of the connection.


Configuration on Router 1

[edit]
interfaces {
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 10.19.2.1;
                destination 10.19.3.1;
            }
            family inet6 {
                address 2001:DB8:1::1/126;
            }
        }
    }
}

Configuration on Router 2

[edit]
interfaces {
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 10.19.3.1;
                destination 10.19.2.1;
            }
            family inet6 {
                address 2001:DB8:1::2/126;
            }
        }
    }
}

Example: Configuring an IPv4-over-IPv6 Tunnel


You can configure IPv6 IP-IP tunnels to carry IPv4 traffic across a network as specified in RFC 2473, Generic Packet Tunneling in IPv6 Specification. It is becoming common for networks to support IPv6 only. This feature provides a way to transition IPv4-based legacy networks to IPv6.

Figure 20: IPv6 Tunnel Connecting Two IPv4 Networks Across an IPv6 Network (image not reproduced; topology: R1 and R2 in the first IPv4 cloud, R2, R3, and R4 in the IPv6 cloud, R4 and R5 in the second IPv4 cloud)

The following example is based on the topology shown in Figure 20 on page 1371. Routers R2, R3, and R4 represent the IPv6 network. Routers R1 and R2, and routers R4 and R5, represent the IPv4 networks that need to be connected by an IPv6 tunnel. Routers R2 and R4 are the IPv6 tunnel endpoints.


The following example illustrates the configuration for router R2 as shown in Figure 20 on page 1371. On router R2, you configure an IPv4 over IPv6 uni-directional IP-IP tunnel which includes the following elements:

- The tunnel source IPv6 address is 2001:DB8:2::1. It could match Router R2's loopback address.
- The tunnel destination IPv6 address is 2001:DB8:3::1. It could match Router R4's loopback address.
- On Router R4, the tunnel receiving traffic from the Router R1 to R2 IPv4 network needs to have an IPv4 address in the same subnet as 1.1.1.1/30 (for example, 1.1.1.2).
[edit]
interfaces {
    ip-1/2/0 {
        unit 0 {
            tunnel {
                source 2001:DB8:2::1;
                destination 2001:DB8:3::1;
            }
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
}

The output from the show interfaces ip-1/2/0 command displays the following:

user@host> show interfaces ip-1/2/0
Physical interface: ip-1/2/0, Enabled, Physical link is Up
  Interface index: 144, SNMP ifIndex: 521
  Type: IPIP, Link-level type: IP-over-IP, MTU: Unlimited, Speed: 800mbps
  Device flags   : Present Running
  Interface flags: SNMP-Traps
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

  Logical interface ip-1/2/0.0 (Index 74) (SNMP ifIndex 540)
    Flags: Point-To-Point SNMP-Traps 0x4000
    IP-Header 2001:db8:2::1-2001:db8:3::1-41-64-00000000
    Encapsulation: IPIP-NULL
    Input packets : 0
    Output packets: 0
    Protocol inet, MTU: Unlimited
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 1.1.1.0/30, Local: 1.1.1.1

When attempting to configure an IPv4 over IPv6 tunnel, be aware of the following:

- The IP-IP interface comes up only when the tunnel source and tunnel destination reachability information is populated in the routing table.
- To carry IPv6 traffic over an IPv6 IP-IP tunnel, the IP interface needs to be configured with an IPv6 address (using set interfaces ip-interface-name unit 0 family inet6 address address).
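The following Python script is an added example (not from the Junos guide) that parses output of the form shown above, as collected with show interfaces ip-1/2/0, and compares the operational IP-Header source and destination with the intended configuration, reporting a link that is not Up, a missing logical unit, or an endpoint mismatch. The sample output is a transcription constructed for this example; the src-dst-protocol-ttl-flags layout of the IP-Header line is taken from that sample.

```python
"""Added example, not from the Junos guide: verify an ip- tunnel's
operational state against intent from 'show interfaces' text output.
SAMPLE_OUTPUT is constructed to mirror the guide's sample."""
import ipaddress
from typing import Dict, List

SAMPLE_OUTPUT = """\
user@host> show interfaces ip-1/2/0
Physical interface: ip-1/2/0, Enabled, Physical link is Up
  Interface index: 144, SNMP ifIndex: 521
  Type: IPIP, Link-level type: IP-over-IP, MTU: Unlimited, Speed: 800mbps
  Device flags   : Present Running
  Interface flags: SNMP-Traps
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

  Logical interface ip-1/2/0.0 (Index 74) (SNMP ifIndex 540)
    Flags: Point-To-Point SNMP-Traps 0x4000
    IP-Header 2001:db8:2::1-2001:db8:3::1-41-64-00000000
    Encapsulation: IPIP-NULL
    Input packets : 0
    Output packets: 0
    Protocol inet, MTU: Unlimited
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 1.1.1.0/30, Local: 1.1.1.1
"""


def parse_tunnel_status(output: str) -> Dict[str, object]:
    """Pull the fields an operator checks first out of the text output."""
    info: Dict[str, object] = {"physical_up": False, "source": None,
                               "destination": None, "protocol": None,
                               "ttl": None, "encapsulation": None, "local": None}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Physical interface:"):
            info["physical_up"] = "Physical link is Up" in line
        elif line.startswith("IP-Header"):
            # Layout seen in the sample: src-dst-protocol-ttl-flags.
            # Addresses never contain '-', so a plain split is safe.
            fields = line.split()[1].split("-")
            if len(fields) >= 4:
                info["source"], info["destination"] = fields[0], fields[1]
                info["protocol"], info["ttl"] = int(fields[2]), int(fields[3])
        elif line.startswith("Encapsulation:"):
            info["encapsulation"] = line.split(":", 1)[1].strip()
        elif "Local:" in line:
            info["local"] = line.split("Local:", 1)[1].strip()
    return info


def check_tunnel(output: str, expect_source: str,
                 expect_destination: str) -> List[str]:
    """Return findings (empty when the tunnel matches intent and is up)."""
    st = parse_tunnel_status(output)
    findings: List[str] = []
    if not st["physical_up"]:
        findings.append("physical link is not Up: the ip- interface comes up only "
                        "once the tunnel source and destination are reachable "
                        "in the routing table")
    if st["source"] is None:
        findings.append("no IP-Header line found: the logical unit or its "
                        "tunnel statement may be missing")
        return findings
    # ipaddress normalizes case and zero compression, so the configured
    # 2001:DB8:2::1 compares equal to the displayed 2001:db8:2::1.
    for label, seen, want in (("source", st["source"], expect_source),
                              ("destination", st["destination"], expect_destination)):
        if ipaddress.ip_address(seen) != ipaddress.ip_address(want):
            findings.append(f"tunnel {label} is {seen}, expected {want}")
    return findings


if __name__ == "__main__":
    print(check_tunnel(SAMPLE_OUTPUT, "2001:DB8:2::1", "2001:DB8:3::1") or "tunnel matches intent")
```

Feed it the saved output of the show command and the source and destination from the committed configuration; an empty list means the endpoints the forwarding plane is using are the ones you configured.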


Related Documentation

Configuring IPv4-over-IPv6 Tunnels on page 1367
Example: Configuring an IPv6-over-IPv4 Tunnel on page 1370

Example: Configuring Logical Tunnels


Configure three logical tunnels:
[edit interfaces]
lt-4/2/0 {
    description "Logical tunnel interface connects three logical systems";
}
[edit logical-systems]
lr1 {
    interfaces lt-4/2/0 {
        unit 12 {
            peer-unit 21; # Peering with lr2
            encapsulation frame-relay;
            dlci 612;
            family inet;
        }
        unit 13 {
            peer-unit 31; # Peering with lr3
            encapsulation frame-relay-ccc;
            dlci 613;
        }
    }
}
lr2 {
    interfaces lt-4/2/0 {
        unit 21 {
            peer-unit 12; # Peering with lr1
            encapsulation frame-relay-ccc;
            dlci 612;
        }
        unit 23 {
            peer-unit 32; # Peering with lr3
            encapsulation frame-relay;
            dlci 623;
        }
    }
}
lr3 {
    interfaces lt-4/2/0 {
        unit 31 {
            peer-unit 13; # Peering with lr1
            encapsulation frame-relay;
            dlci 613;
            family inet;
        }
        unit 32 {
            peer-unit 23; # Peering with lr2
            encapsulation frame-relay-ccc;
            dlci 623;
        }
    }
}
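The following Python check is an added example, not configuration or tooling from the Junos guide. It transcribes the three-logical-system example above as data and verifies the peering rules stated under Connecting Logical Systems: every unit names exactly one peer-unit, that peer exists on the same lt- interface, and the peering is mutual. The DLCI-match test for Frame Relay pairs is an assumption drawn from the example rather than a rule the guide states, and the broken variant is constructed to show what the check reports.

```python
"""Added example, not from the Junos guide: validate lt- peering rules
(one peer per unit, peer on the same lt- interface, mutual peering) over a
set of logical tunnel units.  The DLCI-match check is an assumption; the
unit data transcribes the guide's three-logical-system example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LtUnit:
    logical_system: str
    interface: str              # physical lt- interface, for example "lt-4/2/0"
    unit: int
    peer_unit: Optional[int]    # a unit can name only one peer
    encapsulation: str
    dlci: Optional[int] = None
    families: Tuple[str, ...] = field(default_factory=tuple)

    @property
    def name(self) -> str:
        return f"{self.interface}.{self.unit}"


def validate_lt_peering(units: List[LtUnit]) -> List[str]:
    """Return human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    by_key: Dict[Tuple[str, int], LtUnit] = {}
    for u in units:
        key = (u.interface, u.unit)
        if key in by_key:
            problems.append(f"{u.name} is defined twice "
                            f"({by_key[key].logical_system} and {u.logical_system})")
        by_key[key] = u
    for u in units:
        if u.peer_unit is None:
            problems.append(f"{u.name} in {u.logical_system} has no peer-unit")
            continue
        # Peers must be units of the same lt- interface.
        peer = by_key.get((u.interface, u.peer_unit))
        if peer is None:
            problems.append(f"{u.name} peers with unit {u.peer_unit}, "
                            f"which is not defined on {u.interface}")
            continue
        if peer is u:
            problems.append(f"{u.name} peers with itself")
            continue
        if peer.peer_unit != u.unit:
            problems.append(f"{u.name} peers with {peer.name}, but "
                            f"{peer.name} peers with unit {peer.peer_unit}")
        # Assumed consistency check: both ends of a Frame Relay pair use one DLCI.
        if u.dlci is not None and peer.dlci is not None and u.dlci != peer.dlci:
            problems.append(f"{u.name} (DLCI {u.dlci}) and {peer.name} "
                            f"(DLCI {peer.dlci}) do not share a DLCI")
    return problems


def example_units() -> List[LtUnit]:
    """The guide's lr1/lr2/lr3 example as data."""
    lt = "lt-4/2/0"
    return [
        LtUnit("lr1", lt, 12, 21, "frame-relay", 612, ("inet",)),
        LtUnit("lr1", lt, 13, 31, "frame-relay-ccc", 613),
        LtUnit("lr2", lt, 21, 12, "frame-relay-ccc", 612),
        LtUnit("lr2", lt, 23, 32, "frame-relay", 623),
        LtUnit("lr3", lt, 31, 13, "frame-relay", 613, ("inet",)),
        LtUnit("lr3", lt, 32, 23, "frame-relay-ccc", 623),
    ]


def broken_units() -> List[LtUnit]:
    """Constructed variant with two mistakes: lr2 unit 23 points at a unit
    that is not defined, and lr3 unit 31's DLCI was mistyped."""
    units = example_units()
    units[3].peer_unit = 33
    units[4].dlci = 631
    return units


if __name__ == "__main__":
    print("example:", validate_lt_peering(example_units()) or "consistent")
    for p in validate_lt_peering(broken_units()):
        print("broken:", p)
```

A single typo in a peer-unit shows up twice, once from each side of the pair, which is what you want from a pre-commit check: both affected logical systems are named.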

Example: Configuring Keepalive for a GRE Interface


The following example illustrates the minimum configuration of a GRE tunnel interface:
[edit]
user@host# show interfaces gr-3/2/0
unit 0 {
    family inet;
}

[edit]
user@host# show protocols
oam {
    gre-tunnel {
        interface gr-3/2/0.0 {
            keepalive-time 10;
            hold-time 30;
        }
    }
}

Related Documentation

GRE Keepalive Time Overview on page 1353
Configuring GRE Keepalive Time on page 1360
keepalive-time on page 1381
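As an added example (not from the Junos guide), the following Python model shows the behaviour the keepalive-time and hold-time statements define: the originating end of the tunnel declares it operationally down once hold-time seconds pass without a keepalive from the far end, and brings it back up on the next one. The timer ranges are the ones the statement summaries in Chapter 66 give; that the tunnel starts up at time zero, and that hold-time should not be shorter than keepalive-time, are assumptions made here. The keepalive timelines are constructed.

```python
"""Added example, not from the Junos guide: model GRE keepalive monitoring.
The originating end marks the tunnel down after hold-time seconds without a
keepalive from the far end.  Timer ranges follow the statement summaries;
the start-up state and the hold-time >= keepalive-time rule are assumed."""
from typing import List, Tuple


def validate_oam_timers(keepalive_time: int, hold_time: int) -> None:
    """Ranges from the keepalive-time and hold-time statement summaries."""
    if not 1 <= keepalive_time <= 50:
        raise ValueError("keepalive-time must be 1 through 50 seconds")
    if not 5 <= hold_time <= 250:
        raise ValueError("hold-time must be 5 through 250 seconds")
    if hold_time < keepalive_time:
        # Assumed here, not a rule the guide states: a hold-time shorter
        # than the keepalive interval would declare the tunnel down
        # between two consecutive probes.
        raise ValueError("hold-time must not be shorter than keepalive-time")


def timers_are_valid(keepalive_time: int, hold_time: int) -> bool:
    try:
        validate_oam_timers(keepalive_time, hold_time)
    except ValueError:
        return False
    return True


def tunnel_state_timeline(received_at: List[float], hold_time: int,
                          end_time: float) -> List[Tuple[float, str]]:
    """Return (time, state) transitions at the originating end.
    Assumption: the tunnel starts up at t=0, which counts as the last
    keepalive seen.  A gap of exactly hold-time does not yet mark it down."""
    events: List[Tuple[float, str]] = [(0.0, "up")]
    state = "up"
    last_rx = 0.0
    for t in sorted(received_at) + [end_time]:
        if state == "up" and t - last_rx > hold_time:
            state = "down"
            events.append((last_rx + hold_time, "down"))
        if t >= end_time:
            break                      # sentinel, not a real keepalive
        if state == "down":
            state = "up"
            events.append((t, "up"))
        last_rx = t
    return events


def final_state(received_at: List[float], hold_time: int, end_time: float) -> str:
    return tunnel_state_timeline(received_at, hold_time, end_time)[-1][1]


if __name__ == "__main__":
    validate_oam_timers(10, 30)        # the values from the example above
    # Constructed timeline: replies stop after t=30 and resume at t=70.
    for when, state in tunnel_state_timeline([10, 20, 30, 70, 80], 30, 100):
        print(f"t={when:>5}: {state}")
```

With keepalive-time 10 and hold-time 30, three consecutive lost keepalives take the tunnel down; a lower hold-time detects a dead peer sooner at the cost of flapping on a lossy path, which is the trade-off the range 5 through 250 seconds lets you make.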


CHAPTER 66

Summary of Tunnel Services Configuration Statements


The following sections explain each of the tunnel services statements. The statements are organized alphabetically.

allow-fragmentation

Syntax: allow-fragmentation;

Hierarchy Level:
[edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel],
[edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number tunnel]

Release Information: Statement introduced in Junos OS Release 9.2.

Description: Enable fragmentation of generic routing encapsulation (GRE) encapsulated packets regardless of the maximum transmission unit (MTU) value.

Default: GRE-encapsulated packets are dropped if the packet size exceeds the MTU setting of the egress interface.

Usage Guidelines: See Configuring Packet Reassembly on page 1359.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation: reassemble-packets on page 1383


backup-destination

Syntax: backup-destination destination-address;

Hierarchy Level:
[edit interfaces interface-name unit logical-unit-number tunnel],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: For tunnel interfaces, specify the remote address of the backup tunnel.

Options: destination-address: Address of the remote side of the connection.

Usage Guidelines: See Configuring IPsec Tunnel Redundancy on page 1003.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation:
destination on page 1006
destination (Tunnel Remote End) on page 1377

copy-tos-to-outer-ip-header

Syntax: copy-tos-to-outer-ip-header;

Hierarchy Level:
[edit interfaces interface-name unit logical-unit-number],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Release Information: Statement introduced in Junos OS Release 8.2.

Description: For GRE tunnel interfaces only, enable the inner IP header's ToS bits to be copied to the outer IP packet header.

Default: If you omit this statement, the ToS bits in the outer IP header are set to 0.

Usage Guidelines: See Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header on page 1359.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


destination
See the following sections:

destination (Tunnel Remote End) on page 1377
destination (Routing Instance) on page 1377

destination (Tunnel Remote End)

Syntax: destination address;

Hierarchy Level:
[edit interfaces interface-name unit logical-unit-number tunnel],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: For tunnel interfaces, specify the remote address of the tunnel.

Options: address: Address of the remote side of the connection.

Usage Guidelines: See Configuring Unicast Tunnels on page 1355, Configuring Traffic Sampling on page 1024, and Configuring Flow Monitoring on page 1032.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

destination (Routing Instance)

Syntax: destination routing-instance-name;

Hierarchy Level: [edit interfaces interface-name unit logical-unit-number tunnel routing-instance]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Specify the destination routing instance that points to the routing table containing the tunnel destination address.

Default: The default Internet routing table, inet.0.

Usage Guidelines: See Configuring Tunnel Interfaces for Routing Table Lookup on page 1364.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


destination-networks

Syntax: destination-networks prefix;

Hierarchy Level:
[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options dynamic-tunnels tunnel-name],
[edit logical-systems logical-system-name routing-options dynamic-tunnels tunnel-name],
[edit routing-instances routing-instance-name routing-options dynamic-tunnels tunnel-name],
[edit routing-options dynamic-tunnels tunnel-name]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Create a tunnel for routes in these destination networks.

Options: prefix: Destination prefix of the network.

Usage Guidelines: See Configuring Dynamic Tunnels on page 1367.

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

do-not-fragment

Syntax: do-not-fragment;

Hierarchy Level:
[edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel],
[edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number tunnel]

Release Information: Statement introduced in Junos OS Release 9.2.

Description: Set the do-not-fragment (DF) bit on the packets entering the GRE tunnel so that they do not get fragmented anywhere in the path.

Default: By default, fragmentation is disabled.

Usage Guidelines: See Configuring Packet Reassembly on page 1359.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation: reassemble-packets on page 1383


dynamic-tunnels

Syntax:
dynamic-tunnels tunnel-name {
    destination-networks prefix;
    source-address address;
    tunnel-type type-of-tunnel;
}

Hierarchy Level:
[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options],
[edit logical-systems logical-system-name routing-options],
[edit routing-instances routing-instance-name routing-options],
[edit routing-options]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Configure a dynamic tunnel between two provider edge (PE) routers.

Options: tunnel-name: Name of the dynamic tunnel. The remaining statements are explained separately in this chapter.

Usage Guidelines: See Configuring Dynamic Tunnels on page 1367.

Required Privilege Level:
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.


hold-time

Syntax: hold-time seconds;

Hierarchy Level:
[edit protocols oam],
[edit protocols oam gre-tunnel interface interface-name]

Release Information: Statement introduced in Junos OS Release 10.2.

Description: Length of time the originating end of a GRE tunnel waits for keepalive packets from the other end of the tunnel before marking the tunnel as operationally down.

Options: seconds: Hold-time value.
Default: 5 seconds
Range: 5 through 250 seconds

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation:
GRE Keepalive Time Overview on page 1353
Configuring GRE Keepalive Time on page 1360
Example: Configuring Keepalive for a GRE Interface on page 1374
keepalive-time on page 1381

interfaces

Syntax: interfaces { ... }

Hierarchy Level: [edit]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Configure interfaces on the router.

Default: The management and internal Ethernet interfaces are automatically configured. You must configure all other interfaces.

Usage Guidelines: See the Junos OS Network Interfaces Configuration Guide.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


keepalive-time

Syntax: keepalive-time seconds;

Hierarchy Level:
[edit protocols oam],
[edit protocols oam gre-tunnel interface interface-name],
[edit protocols oam gre-tunnel interface interface-name.unit-number]

Release Information: Statement introduced in Junos OS Release 10.2.

Description: Time between consecutive keepalive packets in a GRE tunnel.

Options: seconds: Keepalive time value.
Default: 1 second
Range: 1 through 50 seconds

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation:
GRE Keepalive Time Overview on page 1353
Configuring GRE Keepalive Time on page 1360
Example: Configuring Keepalive for a GRE Interface on page 1374
hold-time on page 1380

key

Syntax: key number;

Hierarchy Level:
[edit interfaces interface-name unit logical-unit-number tunnel],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: For Adaptive Services and Multiservices interfaces on M Series and T Series routers, identify an individual traffic flow within a tunnel, as defined in RFC 2890, Key and Sequence Number Extensions to GRE.

Options: number: Value of the key.
Range: 0 through 4,294,967,295

Usage Guidelines: See Configuring a Key Number on GRE Tunnels on page 1357.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


multicast-only

Syntax: multicast-only;

Hierarchy Level:
[edit interfaces interface-name unit logical-unit-number family inet],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Configure the unit and family so that the interface can transmit and receive multicast traffic only. You can configure this property on the IP family only.

Usage Guidelines: See Restricting Tunnels to Multicast Traffic on page 1362.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Documentation: tunnel on page 1387

peer-unit

Syntax: peer-unit unit-number;

Hierarchy Level:
[edit interfaces interface-name unit logical-unit-number],
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Release Information: Statement introduced before Junos OS Release 7.4.

Description: Configure a peer relationship between two logical systems.

Options: unit-number: Peering logical system unit number.

Usage Guidelines: See Configuring Logical Tunnel Interfaces on page 1362.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.


reassemble-packets

Syntax: reassemble-packets;

Hierarchy Level:
[edit interfaces gr-fpc/pic/port unit logical-unit-number],
[edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number]

Release Information: Statement introduced in Junos OS Release 9.2.

Description: Enable reassembly of fragmented tunnel packets on generic routing encapsulation (GRE) tunnel interfaces.

Usage Guidelines: See Configuring Packet Reassembly on page 1359.

Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

routing-instance

Syntax:
  routing-instance {
      destination routing-instance-name;
  }
Hierarchy Level:
  [edit interfaces interface-name unit logical-unit-number tunnel],
  [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the destination routing instance that points to the routing table containing the tunnel destination address.
Default: The default Internet routing table, inet.0.
Usage Guidelines: See Configuring Tunnel Interfaces for Routing Table Lookup on page 1364.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


routing-instances

Syntax:
  routing-instances routing-instance-name {
      ...
  }
Hierarchy Level:
  [edit],
  [edit logical-systems logical-system-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure an additional routing entity for a router. You can create multiple instances of BGP, IS-IS, OSPF, OSPF version 3 (OSPFv3), and RIP for a router.
Default: Routing instances are disabled for the router.
Options:
  routing-instance-name: Name of the routing instance, a maximum of 31 characters.
  The remaining statements are explained separately.
Usage Guidelines: See the Junos OS Routing Protocols Configuration Guide and the Junos OS Routing Policy Configuration Guide.
Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.

routing-options

Syntax:
  routing-options {
      ...
  }
Hierarchy Level:
  [edit],
  [edit logical-systems logical-system-name],
  [edit logical-systems logical-system-name routing-instances routing-instance-name],
  [edit routing-instances routing-instance-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure protocol-independent routing properties.
Usage Guidelines: See the Junos OS Routing Protocols Configuration Guide.
Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.


source

Syntax: source source-address;
Hierarchy Level:
  [edit interfaces interface-name unit logical-unit-number tunnel]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the source address of the tunnel.
Default: If you do not specify a source address, the tunnel uses the unit's primary address as the source address of the tunnel.
Options:
  source-address: Address of the local side of the tunnel. This is the address that is placed in the outer IP header's source field.
Usage Guidelines: See Tunnel Properties.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.

source-address

Syntax: source-address address;
Hierarchy Level:
  [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options dynamic-tunnels tunnel-name],
  [edit logical-systems logical-system-name routing-options dynamic-tunnels tunnel-name],
  [edit routing-instances routing-instance-name routing-options dynamic-tunnels tunnel-name],
  [edit routing-options dynamic-tunnels tunnel-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure the tunnel source address.
Options:
  address: Name of the source address.
Usage Guidelines: See Configuring Dynamic Tunnels on page 1367.
Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.


ttl

Syntax: ttl value;
Hierarchy Level:
  [edit interfaces interface-name unit number tunnel]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Set the time-to-live (TTL) field in the header of the outer IP packet.
Options:
  value: Time-to-live value.
  Range: 0 through 255
  Default: 64
Usage Guidelines: See Tunnel Properties.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.


tunnel

Syntax:
  tunnel {
      allow-fragmentation;
      backup-destination address;
      destination destination-address;
      do-not-fragment;
      key number;
      routing-instance {
          destination routing-instance-name;
      }
      source source-address;
      ttl number;
  }
Hierarchy Level:
  [edit interfaces interface-name unit logical-unit-number],
  [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure a tunnel. You can use the tunnel for unicast and multicast traffic or just for multicast traffic. You can also use tunnels for encrypted traffic or virtual private networks (VPNs). The statements are explained separately.
Usage Guidelines: See Configuring Encryption Interfaces on page 995 and Tunnel Properties.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: Junos OS VPNs Configuration Guide


tunnel-type

Syntax: tunnel-type type;
Hierarchy Level:
  [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options dynamic-tunnels tunnel-name],
  [edit logical-systems logical-system-name routing-options dynamic-tunnels tunnel-name],
  [edit routing-instances routing-instance-name routing-options dynamic-tunnels tunnel-name],
  [edit routing-options dynamic-tunnels tunnel-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Select the dynamic tunnel type.
Options:
  type: Tunnel type. Generic routing encapsulation (GRE) is supported.
Usage Guidelines: See Configuring Dynamic Tunnels on page 1367.
Required Privilege Level:
  routing: To view this statement in the configuration.
  routing-control: To add this statement to the configuration.


unit

Syntax:
  unit logical-unit-number {
      peer-unit unit-number;
      reassemble-packets;
      tunnel {
          allow-fragmentation;
          backup-destination address;
          destination destination-address;
          do-not-fragment;
          key number;
          routing-instance {
              destination routing-instance-name;
          }
          source source-address;
          ttl number;
      }
  }
Hierarchy Level:
  [edit interfaces interface-name],
  [edit logical-systems logical-system-name interfaces interface-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.
Options:
  logical-unit-number: Number of the logical unit.
  Range: 0 through 16,384
  The remaining statements are explained separately.
Usage Guidelines: See Tunnel Properties.
Required Privilege Level:
  interface: To view this statement in the configuration.
  interface-control: To add this statement to the configuration.
Related Documentation: Junos OS Network Interfaces Configuration Guide for other statements that do not affect services interfaces.
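The following configuration fragment is an added example, not taken from this guide, that puts the tunnel, key, ttl, do-not-fragment, routing-instance, reassemble-packets and multicast-only statements summarized in this chapter together on one GRE interface. The interface name gr-1/2/0, the RFC 5737 documentation addresses, the key values, the routing-instance name transport-vrf and its member interface ge-0/0/0.0 are all assumptions. Note that the GRE key is a plain-text 32-bit identifier used to tell tunnels apart, not an authentication or encryption mechanism; traffic that needs confidentiality goes through the encryption interfaces described on page 995.

```junos
# Added example (not from the guide). Interface name, addresses, key values
# and the routing-instance name are placeholders.
interfaces {
    gr-1/2/0 {
        # Unit 0: unicast and multicast traffic, destination looked up in a
        # separate routing instance.
        unit 0 {
            # Reassemble fragmented outer (tunnel) packets on this interface
            # before the inner packet is forwarded.
            reassemble-packets;
            tunnel {
                # Local end; written into the outer IP header's source field.
                source 192.0.2.1;
                # Remote end of the tunnel.
                destination 198.51.100.1;
                # GRE key: identifies this tunnel when several tunnels share the
                # same endpoints. Both ends must configure the same value.
                key 1001;
                # TTL of the outer IP header (range 0 through 255, default 64).
                ttl 64;
                # Set the DF bit on the outer packet rather than fragmenting it.
                do-not-fragment;
                # Resolve the tunnel destination in transport-vrf instead of inet.0.
                routing-instance {
                    destination transport-vrf;
                }
            }
            family inet {
                address 10.0.0.1/30;
            }
        }
        # Unit 1: same endpoints, distinguished by a different key, and
        # restricted to multicast traffic only.
        unit 1 {
            tunnel {
                source 192.0.2.1;
                destination 198.51.100.1;
                key 1002;
                routing-instance {
                    destination transport-vrf;
                }
            }
            family inet {
                multicast-only;
                address 10.0.0.5/30;
            }
        }
    }
}
routing-instances {
    # Routing instance holding the route to the tunnel destination.
    transport-vrf {
        instance-type virtual-router;
        interface ge-0/0/0.0;
    }
}
```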


PART 9

Index

Index on page 1393
Index of Statements and Commands on page 1419


Index
Symbols
#, comments in configuration statements ... lii
( ), in syntax descriptions ... lii
< >, in syntax descriptions ... li
[ ], in configuration statements ... lii
{ }, in configuration statements ... lii
| (pipe), in syntax descriptions ... lii

A
AACL
  action statements ... 958
  applications ... 957
  best-effort application identification ... 897
  example configuration ... 960
  match conditions ... 957
  rules ... 959
aacl-fields statement ... 982
aacl-statistics-profile statement ... 983
accelerations statement ... 763
accept action ... 1024
accounting statement
  flow monitoring ... 1088
    usage guidelines ... 1076
acknowledge-retries statement ... 1271
  usage guidelines ... 1249
acknowledge-timer statement ... 1272
  usage guidelines ... 1249
action-red-differential-delay statement ... 1273
  usage guidelines ... 1250
actions statement ... 762
adaptive-services-pics statement ... 585
  usage guidelines ... 1164
address pooling
  napt-44 ... 170
address statement
  APPID
    usage guidelines ... 904
  application rule ... 920
  DFC ... 1209
    usage guidelines ... 1192
  encryption ... 1005
    usage guidelines ... 995
  flow monitoring ... 1089
    usage guidelines ... 1024
  interfaces ... 625
    usage guidelines ... 614
  link services ... 1274
    usage guidelines ... 1236
  NAT ... 239
    usage guidelines ... 151
  voice services ... 531
    usage guidelines ... 522
address-allocation statement ... 240
address-pooling statement ... 240
address-range statement
  NAT ... 241
administrative statement
  BGF ... 650
admission-control statement ... 764, 765
aggregate-export-interval statement ... 1089
  usage guidelines ... 1076
aggregation statement ... 301
  flow monitoring ... 1090
  usage guidelines ... 294, 1040
alert (system logging severity level) ... 421, 579, 616
algorithm statement ... 652
ALGs
  application protocols ... 71
  configuring ... 72
  definition ... 71
allow-fragmentation statement ... 1375
  usage guidelines ... 1359
allow-ip-options statement ... 124
  usage guidelines ... 116
allow-multicast statement ... 586
  usage guidelines ... 580
allowed-destinations statement ... 1210
  usage guidelines ... 1193
AMS
  HA ... 271, 272
  NAT ... 271, 273
analyzer-address statement ... 1171
  usage guidelines ... 1161
analyzer-id statement ... 1172
  usage guidelines ... 1161
anomaly checklist ... 46
anti-replay-window-size statement ... 377, 587
  usage guidelines ... 352, 575
any (system logging severity level) ... 421, 579, 616


any-any match condition
  IPsec ... 348
APPID
  best-effort application identification ... 897
  example configuration ... 915
application layer gateways
  See ALGs
application protocol
  definition ... 71
application statement ... 103, 921, 922
  APPID
    usage guidelines ... 903
  usage guidelines ... 72
application-aware-access-list-fields statement ... 984
application-data-inactivity-detection statement ... 652
application-group statement ... 922
  APPID
    usage guidelines ... 908
application-group-any statement ... 964
  AACL
    usage guidelines ... 957
  PTSP ... 843
application-groups statement ... 923, 964
  AACL
    usage guidelines ... 957
  APPID
    usage guidelines ... 908
  PTSP ... 843
application-profile statement ... 552
  usage guidelines ... 546
application-protocol statement ... 104
  usage guidelines ... 72
application-set statement ... 105
  usage guidelines ... 81
application-sets statement
  CoS ... 553
    usage guidelines ... 544
  IDS ... 302
    usage guidelines ... 293
  NAT ... 241
    usage guidelines ... 158
  stateful firewall ... 125
    usage guidelines ... 115
application-system-cache-timeout statement ... 923
  APPID
    usage guidelines ... 911
applications ... 293
  example configuration ... 101
applications statement
  AACL ... 963
    usage guidelines ... 957
  APPID
    usage guidelines ... 908
  application identification ... 924
  application-level gateways ... 125
  applications hierarchy ... 105
    usage guidelines ... 71
  CoS ... 553
    usage guidelines ... 544
  IDS ... 302
    usage guidelines ... 293
  NAT ... 242
    usage guidelines ... 158
  PTSP ... 844
  stateful firewall ... 125
    usage guidelines ... 115
applying service set to interface ... 568
archive-sites statement ... 1172
  usage guidelines ... 1163
AS PIC
  multicast traffic ... 580
  redundancy ... 424, 620, 1084
asymmetrical routing support
  APPID ... 913
attack detection ... 289
audit-observed-events-returns statement ... 653
authentication statement ... 378
  usage guidelines ... 329
authentication-algorithm statement
  IKE ... 379
    usage guidelines ... 333
  IPsec ... 379
    usage guidelines ... 341
authentication-method statement ... 380
  usage guidelines ... 333
authentication-mode statement
  RPM ... 1319
automatic statement ... 924
  APPID
    usage guidelines ... 912
autonomous-system-type statement ... 1091
  usage guidelines ... 1040
auxiliary-spi statement ... 380
  usage guidelines ... 329
availability-check-profiles statement ... 766


B
backup AS PIC ... 620
backup Link Services IQ PIC ... 453
backup-destination statement ... 1376
  usage guidelines ... 1003
backup-interface statement ... 1006
  usage guidelines ... 1002
backup-remote-gateway statement ... 381
  usage guidelines ... 350
bandwidth
  and delay buffer allocation ... 468
  guaranteed ... 468, 473
base-root statement ... 654
basic-nat-pt option
  configuring ... 182
  example ... 199
basic-nat44 option
  configuring ... 162
  example ... 193
  example, multiple prefixes and address ranges ... 195
basic-nat66 option
  configuring ... 165
  example ... 194
best-effort application identification ... 897
bgf-core statement ... 655
BGP router identifier ... 1384
bgp statement
  RPM ... 1320
blacklist-period statement ... 767
braces, in configuration statements ... lii
brackets
  angle, in syntax descriptions ... li
  square, in configuration statements ... lii
bundle statement ... 532, 1274
  usage guidelines ... 526, 1236
by-destination statement ... 303
  usage guidelines ... 294
by-pair statement ... 304
  usage guidelines ... 294
by-source statement ... 305
  usage guidelines ... 294
bypass-traffic-on-exceeding-flow-limits statement ... 588
bypass-traffic-on-pic-failure statement ... 588
  usage guidelines ... 568

C
cancel-graceful statement ... 657
capture-group statement ... 1211
  usage guidelines ... 1192
cflowd statement ... 1092
  usage guidelines ... 1040
cgn-pic statement ... 626
chain-order statement
  nested applications ... 925
CIR ... 473
cisco-interoperability statement ... 509
  usage guidelines ... 451
cleanup-timeout statement ... 658
clear-dont-fragment-bit statement
  GRE tunnel ... 626
  IPsec ... 381
    usage guidelines ... 349
  service-set ... 589
  usage guidelines ... 350, 576, 617, 1358
clear-ike-sas-on-pic-restart statement ... 382
  usage guidelines ... 332
clear-ipsec-sas-on-pic-restart statement ... 382
  usage guidelines ... 332
client-list statement ... 1321
clusters statement ... 768
collector statement ... 1173
  usage guidelines ... 1162
collector-pic statement
  usage guidelines ... 1164
comments, in configuration statements ... lii
committed-burst-size statement ... 769
committed-information-rate statement ... 770
compression statement ... 532
  usage guidelines ... 523, 524
compression-device statement ... 533
  usage guidelines ... 526
configuration
  dynamic flow capture interface ... 1197
  flow collector interface ... 1164
  flow-tap application ... 1207
configuring dynamic source address and static destination address translation (IPv6 to IPv4) ... 189
configuring dynamic source address and static destination address translation (IPv6-to-IPv4)
  example ... 201
configuring NAT-PT with DNS application-level gateways ... 187
  example ... 202


content destinations
  DFC ... 1189
  flow-tap ... 1202
content-destination statement ... 1212
  usage guidelines ... 1192
context statement
  nested applications ... 925
context-indications statement ... 659
control source
  DFC ... 1189
control-association-indications statement ... 660
control-cores statement ... 139
control-source statement ... 1213
  usage guidelines ... 1193
controller-address statement ... 661
controller-failure statement ... 661
controller-port statement ... 662
conventions
  text and syntax ... li
copy-tos-to-outer-ip-header statement ... 1376
  usage guidelines ... 1359
core-dump statement ... 1093
  usage guidelines ... 1032
CoS
  action statements ... 545
  applications ... 544
  example configuration ... 547
  for tunnels
    GRE TOS bits ... 1359
  link services interfaces ... 465, 467, 1252
  link services IQ interfaces ... 447
  match conditions ... 544
  rules ... 548
  scheduler map
    configuration example ... 1246
count-type statement ... 844
critical (system logging severity level) ... 421, 579, 616
curly braces, in configuration statements ... lii
customer support ... lii
  contacting JTAC ... lii

D
Data inactivity detection ... 726
data session identification
  APPID ... 906
data statement ... 554
  usage guidelines ... 546
data-cores statement ... 140
data-fill statement ... 1321
data-flow-affinity statement ... 140
data-format statement ... 1173
  usage guidelines ... 1162
data-inactivity-detection statement ... 662, 770
data-size statement ... 1322
  usage guidelines ... 1303
datastore statement ... 771
dead peer detection (DPD) protocol ... 350
default statement ... 663
default-media-realm statement ... 772
delay buffer
  calculating ... 468, 473
  shaping rate ... 468, 473
delay-buffer-rate statement
  usage guidelines ... 468
delivery-function statement ... 664
demux statement ... 845
description statement
  IKE ... 383
    usage guidelines ... 339
  IPsec ... 383
    usage guidelines ... 342, 344
destination NAT
  configuring ... 177, 179, 190
  example ... 199
destination statement ... 141
  APPID
    usage guidelines ... 904
  application identification rule ... 926
  encryption ... 1006
    usage guidelines ... 995, 1003
  flow monitoring ... 1094
    usage guidelines ... 1024
  link services ... 1275
    usage guidelines ... 1236
  tunnel ... 1377
    usage guidelines ... 1355, 1364
destination-address statement
  AACL ... 965
    usage guidelines ... 957
  BGF ... 664
  CoS ... 554
    usage guidelines ... 544
  IDS ... 306
    usage guidelines ... 293
  IPsec ... 383
    usage guidelines ... 348

1396

Copyright 2011, Juniper Networks, Inc.

Index

destination-address statement (continued)
    NAT, 242
        usage guidelines, 158
    stateful firewall, 126
        usage guidelines, 115
destination-address-range statement
    AACL, 965
        usage guidelines, 957
    IDS, 306
        usage guidelines, 293
    NAT, 243
        usage guidelines, 158
    stateful firewall, 126
        usage guidelines, 115
destination-interface statement
    RPM, 1323
        usage guidelines, 1303, 1307
destination-networks statement
    tunnel, 1378
        usage guidelines, 1367
destination-pool statement, 243
    usage guidelines, 159
destination-port range statement
    NAT, 244
destination-port statement
    applications, 105
    BGF, 665
    RPM, 106, 1324
    usage guidelines, 77
destination-prefix statement, 244, 307
    usage guidelines, 294
destination-prefix-ipv6 statement, 307
    usage guidelines, 294
destination-prefix-list statement
    AACL, 966
        usage guidelines, 957
    CoS, 555
    IDS, 308
    NAT, 245
    stateful firewall, 127
        usage guidelines, 115
destinations statement
    flow collection, 1174
        usage guidelines, 1161
destined-port statement
    NAT, 245
detect statement, 665
DFC
    architecture, 1189
    capture group, 1192
    control source configuration, 1193
    destination configuration, 1192
    example configuration, 1197
    interface configuration, 1194
    system logging, 1195
    threshold configuration, 1196
dh-group statement, 384
    usage guidelines, 334
dial-options statement, 627
    interfaces
        usage guidelines, 422
dialogs statement, 773
diffserv statement, 666
direction statement, 385
    nested applications, 926
    usage guidelines, 328
disable statement
    APPID
        usage guidelines, 903, 908
    application, 927
    application group, 927
    flow monitoring, 1094
    port mapping, 928
    traffic sampling
        usage guidelines, 1026
disable-all-instances statement
    flow monitoring, 1095
disable-global-timeout-override statement, 928
    usage guidelines, 903
disable-mlppp-inner-ppp-pfc statement, 1275
    usage guidelines, 1240
disable-session-mirroring statement, 666
discard accounting
    usage guidelines, 1076
disconnect statement, 667
dlci statement, 1276
    usage guidelines, 1244
DLCIs
    multicast-capable connections, 1244
    point-to-point connections, 1244
dnat-44 option
    example, 199
    usage guidelines, 177, 179, 190
do-not-fragment statement
    tunnel, 1378
        usage guidelines, 1359
documentation
    comments on, lii
down statement, 668

Junos 11.4 Services Interfaces Configuration Guide

download statement
    APPID, 929
        usage guidelines, 912
drop-member-traffic statement
    aggregated Multiservices, 277
drop-timeout statement, 1277
    usage guidelines, 1240
ds-lite statement, 884
    usage guidelines, 866
dscp statement, 555
    BGF, 669
    BSG, 774
    usage guidelines, 545
dscp-code-point statement
    RPM, 1325
        usage guidelines, 1303
DTCP, 1189, 1201
duplicates-dropped-periodicity statement, 1213
    usage guidelines, 1196
dynamic address-only source translation
    configuring, 174
    example, 198
dynamic authentication, 354
dynamic flow capture, See DFC
dynamic NAT
    configuring, 174
    example, 198
dynamic route insertion, 355
dynamic rules, 354
dynamic security associations
    usage guidelines, 331, 332
dynamic source address and static destination address translation
    configuring, 189
    example, 201
dynamic statement, 386
    usage guidelines, 331
Dynamic Tasking Control Protocol, See DTCP
dynamic tunnels
    destination, 1378
    source, 1385
dynamic-flow-capture statement, 1214
dynamic-nat44 option
    example, 198
    usage guidelines, 174
dynamic-tunnels statement, 1379
    usage guidelines, 1367

E
egress-service-point statement, 775
embedded-spdf statement, 776
emergency (system logging severity level), 421, 579, 616
enable flow collection mode, 1164
enable-asymmetric-traffic-processing statement, 930
enable-heuristics statement, 929, 930
    usage guidelines, 912
enable-rejoin statement
    aggregated Multiservices, 278
encapsulation statement, 533
    link services, 1278
        usage guidelines, 1239
    voice services
        usage guidelines, 525
encoding statement, 669
encrypted traffic identification
    APPID, 912
encryption interface, 995
    applying inbound filter, 1001
        example configuration, 1001
    applying outbound filter, 1000
        example configuration, 999, 1000
    configuring inbound filter, 1000
        example configuration, 1001
    configuring MTU, 996
encryption statement, 387
    usage guidelines, 330
encryption-algorithm statement
    IKE, 388
        usage guidelines, 334
    IPsec, 388
        usage guidelines, 342
endpoint-independent mapping
    napt-44, 170
engine-id statement
    flow monitoring, 1095
engine-type statement, 1096
error (system logging severity level), 421, 579, 616
ES interfaces
    example configuration, 996
ES PIC
    apply inbound filter, 1001
    PIC redundancy, 1002
    redundancy
        example configuration, 1003
    tunnel redundancy, 1003

es-options statement, 1007
    usage guidelines, 1002
event policy
    all (tracing flag), 582
        APPID, 915
    configuration (tracing flag), 582
    database (tracing flag), 582
    events (tracing flag), 582
    policy (tracing flag), 582
event-timestamp-notification statement, 670
export-format statement, 1098
    usage guidelines, 1035
extension-provider statement, 142
extension-service statement, 1097

F
f-max-period statement, 534
    usage guidelines, 523
facility-override statement, 431, 590, 628
    usage guidelines, 578
failover statement, 672
failover-cold statement, 670
failover-warm statement, 671
family statement
    aggregated Multiservices, 278
    encryption, 1008
        usage guidelines, 995
    flow monitoring, 1099
        usage guidelines, 1024
    interfaces, 629
        usage guidelines, 614
    link services, 1280
        usage guidelines, 1236
    voice services, 535
fast-update-filters statement, 673
file statement, 1104
    BGF, 674
    border signaling gateway, 777
    L-PDF statistics, 985
    traffic sampling, 1104
    traffic sampling output
        usage guidelines, 1027, 1029
file-specification statement, 1175
    usage guidelines, 1162
filename statement, 1105
filename-prefix statement, 1174
    usage guidelines, 1163
files
    logging information output file, 1029
    traffic sampling output files, 1027
    var/log/sampled file, 1029
    var/tmp/sampled.pkts file, 1027
files statement, 1105
    usage guidelines, 1027
filter statement
    encryption, 1009
        usage guidelines, 1001
    flow monitoring, 1106
        usage guidelines, 1024
filtering-type statement, 246
filters
    used with services, 568
firewall filters
    actions, 1024
    in traffic sampling, 1024
    service filters, 619
flag statement, 675, 778
flow aggregation, 1039
    multiple flow servers, 1056
flow collector
    analyzer configuration, 1161
    destination configuration, 1161
    example configuration, 1164
    file format configuration, 1162
    interface mapping, 1162
    transfer log, 1163
flow limiting, 578
flow monitoring
    example configuration
        multiple port mirroring, 1066
        next-hop groups, 1066
    load balancing, 1073
    overview, 1015
    redundancy, 1084
flow server
    replicating flows to multiple servers, 1056
flow-active-timeout statement, 1107
    usage guidelines, 1035
flow-collector statement, 1176
    usage guidelines, 1159, 1164
flow-control-options statement, 1108
flow-export-destination statement, 1109
    usage guidelines, 1035
flow-export-rate statement
    flow monitoring, 1108

flow-inactive-timeout statement, 1110
    usage guidelines, 1035
flow-monitoring statement, 1111
flow-server statement
    flow monitoring, 1112
flow-tap
    application, 1201
    architecture, 1202
    interface, 1203
    permissions statement, 1204
    RADIUS configuration, 1204
    restrictions, 1205
    security, 1204
flow-tap application
    example configuration, 1207
flow-tap statement, 1215
flow-tap-dtcp statement, 1204
font conventions, li
force-entry statement, 308
    usage guidelines, 294
forward-manipulation statement, 779
forward-rule statement
    PTSP, 846, 847
forwarding classes
    fragmentation, 465
forwarding-class statement, 510, 556
    usage guidelines, 465, 545
forwarding-db-size statement, 143
    setting for stateful firewall, 137
forwarding-options statement, 1113
    usage guidelines, 1020
fragment-threshold statement
    link services, 1281
        usage guidelines, 1241
    LSQ, 511
        usage guidelines, 465
    voice services, 536
        usage guidelines, 524
fragmentation
    forwarding classes, 465
    GRE tunnels, 1358
    multiclass MLPPP, 467
fragmentation and reassembly, 524, 1245
    example configuration, 1246
fragmentation-map statement, 511
    usage guidelines, 465
fragmentation-maps statement, 512
    usage guidelines, 465
Frame Relay connections
    point-to-point connections, 1244
Frame Relay encapsulation
    multicast-capable connections, 1244
framework statement, 780
FRF.12, 524
    example configuration, 498
    LFI, 1245
    LSQ, 495
FRF.15 and FRF.16, 1233
FRF.16, 485
    configuration example, 488
from statement
    AACL, 966
        usage guidelines, 956
    border signaling gateway
        new call usage policy, 783
        new transaction policy, 784
        service class, 786
    CoS, 556
        usage guidelines, 543
    IDS, 309
        usage guidelines, 291, 293
    IPsec, 389
        usage guidelines, 346, 348
    NAT, 247
        usage guidelines, 156, 158
    PTSP, 848
    PTSP forward rule, 847
    stateful firewall, 128
        usage guidelines, 114, 115
ftp statement, 557
    flow collection, 1178
    usage guidelines, 546, 1161, 1163
FTP traffic, sampling, 1031

G
g-duplicates-dropped-periodicity statement, 1216
    usage guidelines, 1196
g-max-duplicates statement, 1217
    usage guidelines, 1196
gateway statement
    BGF, 676
    border signaling gateway, 787
gateway-address statement, 680
gateway-controller statement, 681
gateway-port statement, 682
graceful statement, 683
graceful-restart statement, 684

GRE tunnels
    fragmentation, 1358
    key number, 1357
guaranteed rate, 473
guaranteed-rate statement
    usage guidelines, 473

H
H.248 properties, 688, 706, 707, 708, 709, 710, 711, 712, 713, 716, 717
    BGF, 666, 669
h248-options statement, 685
h248-profile statement, 687
h248-properties statement, 688
h248-stack statement, 691
h248-timers statement, 692
hanging-termination-detection statement, 692
hard-limit statement, 1217
    usage guidelines, 1192
hard-limit-target statement, 1218
    usage guidelines, 1192
hardware requirements, 3
hardware-timestamp statement, 1326
hash-key statement
    SDK, 144
hello-interval statement
    L2TP, 432
        usage guidelines, 420
hello-timer statement
    link services, 1282
        usage guidelines, 1249
heuristics support
    APPID, 912
hide-avps statement, 432
    usage guidelines, 420
high-availability-options statement
    aggregated Multiservices, 279
hint statement, 248
history-size statement, 1326
    usage guidelines, 1301, 1303
hold-time statement
    GRE tunnel interface, 1380
host statement, 590, 630
    L2TP, 433
    usage guidelines, 421, 578, 616
hot-standby statement, 512

I
icmp-code statement, 106
    usage guidelines, 75
icmp-type statement, 107
    usage guidelines, 75
icons defined, notice, l
idle-timeout statement, 931
    APPID
        usage guidelines, 903
IDS
    action statements, 294
    applications, 293
    example configurations, 297
    match conditions, 293
    rules, 291
ids-rule-sets statement
    usage guidelines, 572
ids-rules statement, 591
    usage guidelines, 572
ignore-entry statement, 308
    usage guidelines, 294
ignore-errors statement, 931
    usage guidelines, 906
IKE, 58, 332
    authentication algorithm
        usage guidelines, 333
    authentication-method statement
        usage guidelines, 333
    DH (Diffie-Hellman) group
        usage guidelines, 334
    dynamic SAs, 332
    encryption-algorithm statement
        usage guidelines, 334
    lifetime
        usage guidelines, 335
    mode statement
        usage guidelines, 337
    policy, 335
        example, 340
    policy statement
        usage guidelines, 335
    pre-shared-key statement
        usage guidelines, 338
    proposals statement
        usage guidelines, 337
    version statement
        usage guidelines, 337
IKE security associations
    clearing, 332

Copyright 2011, Juniper Networks, Inc.

1401

Junos 11.4 Services Interfaces Configuration Guide

ike statement, 390
  usage guidelines, 332
ike-access-profile statement, 591
  usage guidelines, 357, 575
inactivity-delay statement, 693
inactivity-duration statement, 693, 792
inactivity-non-tcp-timeout statement, 932
  usage guidelines, 903
inactivity-tcp-timeout statement, 932
  usage guidelines, 903
inactivity-timeout statement, 107
  BGF, 694
  flow monitoring, 630
  RPM, 1327
  usage guidelines, 80, 614
inactivity-timer statement, 695
index statement, 933
  APPID
    usage guidelines, 903, 908
  nested applications, 933
info (system logging severity level), 421, 579, 617
initial-average-ack-delay statement, 695
initiate-dead-peer-detection statement, 391
  usage guidelines, 351
inline-jflow statement
  flow monitoring, 1113
    usage guidelines, 1053, 1055
input statement
  flow monitoring, 1114
  interfaces, 631
    usage guidelines, 568, 618
input-interface-index statement, 1115
input-packet-rate-threshold statement, 1218
  usage guidelines, 1196
inside and outside interfaces, 571
inside-service-interface statement
  usage guidelines, 571
instance statement
  port mirroring, 1116
  sampling, 1117
    usage guidelines, 1051
interchassis LSQ failover, 450
interface preservation, 455
interface statement
  encryption
    usage guidelines, 995
  flow monitoring, 1119
    usage guidelines, 1061
  flow-tap, 1219
    usage guidelines, 1203
  service interface pool, 753
interface style service sets, 571
interface-map statement, 1180
  usage guidelines, 1162
interface-service statement, 592
  usage guidelines, 568
interfaces
  naming, 613
interfaces statement
  aggregated Multiservices, 280
  DFC, 1219
    usage guidelines, 1194
  encryption, 1009
    usage guidelines, 995
  flow monitoring, 1121
    usage guidelines, 1024
  interfaces hierarchy, 631
    usage guidelines, 611
  link services, 1282
    usage guidelines, 1233
  tunnel, 1380
    usage guidelines, 1355
  voice services, 536
interim-ah-scheme statement, 696
interleave-fragments statement, 1283
  usage guidelines, 1245
Internet Key Exchange See IKE
intrachassis LSQ failover, 452
intrusion detection
  example configurations, 297
  rule set, 297
  tasks, 289
IP addresses
  sampling traffic from single IP addresses, 1030
ip statement
  APPID
    usage guidelines, 904
  application identification, 934
ip-flow-stop-detection statement, 696
IPsec
  action statements, 349
  authentication statement
    usage guidelines, 329
  authentication-algorithm statement
    usage guidelines, 341

Index

  direction
    usage guidelines, 328
  dynamic authentication, 354
  dynamic endpoints
    interface configuration, 357
  dynamic rules, 354
  dynamic security associations
    usage guidelines, 331
  encryption
    usage guidelines, 330
  encryption-algorithm statement
    usage guidelines, 342
  ES PIC, 995
  example configuration, 361
    inbound traffic, 1001
    outbound traffic, 999
  IKE, 58
  lifetime of SA, 342
  lifetime-seconds statement, 342
  match conditions, 348
  minimum configurations
    dynamic SA, 325
    manual SA, 325
  overview, 57
  perfect-forward-secrecy statement
    usage guidelines, 344
  policy
    overview, 343
  policy statement
    usage guidelines, 343
  proposal statement
    usage guidelines, 341
  proposals statement
    usage guidelines, 345
  protocol statement (dynamic SA)
    usage guidelines, 343
  protocol statement (manual SA)
    usage guidelines, 329
  rule sets, 353
  security associations, 57
  security parameter index
    usage guidelines, 329
  service set
    dynamic endpoints configuration, 357
  traffic, 997
IPSec Services SDK
  configuration, 360

ipsec statement, 391
  usage guidelines, 341
ipsec-inside-interface
  usage guidelines, 354
ipsec-inside-interface statement, 392
  usage guidelines, 348
ipsec-interface-id statement
  usage guidelines, 357
ipsec-sa statement
  encryption, 1010
    usage guidelines, 995
ipsec-transport-security-association statement, 697
ipsec-vpn-options statement, 592
  usage guidelines, 574
ipsec-vpn-rule-sets statement
  usage guidelines, 572
ipsec-vpn-rules statement, 593
  usage guidelines, 572
IPv4
  napt-44 option, 168
  napt-44 option, example, 196
  translation type
    basic-nat-pt option, 182
    basic-nat44 option, 162
    basic-nat66 option, 165
IPv4 dynamic source translation
  configuring, 168
  example, 196
IPv4 static source translation
  AMS, 273
  example, 273
ipv4-template statement, 1121
IPv6
  napt-66 option, 173
  napt-66 option, example, 197
  transition
    configured tunnel, 1366
IPv6 dynamic source translation
  configuring, 173
  example, 197
ipv6-multicast-interfaces statement, 249
  softwire, 889
IPv6-over-IPv4 tunnel
  example configuration, 1370
  standards supported, 1366
ipv6-template statement, 1121

IPv6-to-IPv4 address translation
  configuring, 189
  example, 201

J
jservices-sfw package, 135

K
keepalive-time statement
  GRE tunnel interface, 1381
key statement
  tunnel, 1381
    usage guidelines, 1357

L
L-PDF
  best-effort application identification, 897
L2TP
  access profile, 418, 419
  attribute-value pairs, 420
  example configuration, 426
  redundancy, 424
  timers, 420
L2TP LNS statements
  service-interface, 437
l2tp statement
  usage guidelines, 413
L2TP statements
  traceoptions, 441
l2tp-access-profile statement, 433
  usage guidelines, 419
l2tp-interface-id statement
  usage guidelines, 422
l2tp-profile statement
  usage guidelines, 418
label-position statement, 1122
latch-deadlock-delay statement, 697
lawful intercept architecture, 1202
learn-sip-register statement, 108
LFI, 490, 495, 524, 1245
  example configuration, 493, 498, 1246
lifetime-seconds statement
  IKE, 392
    usage guidelines, 335
  IPsec, 392
    usage guidelines, 342
limiting flows per service set, 578
link fragmentation and interleaving See LFI
link PIC redundancy, 455

link services interfaces
  CoS components, 465, 467, 1252
  example configuration, 1253, 1260
  interleave fragments, 1245
    example configuration, 1246
link services IQ interfaces, 493
  CoS components, 447
  example configuration, 483, 488
  link state replication, 455
  link-layer overhead, 466
link services protocols, 1229
link state replication
  LSQ PICs, 455
link-layer overhead
  link services IQ interfaces, 466
link-layer-overhead statement, 513
  usage guidelines, 462, 466, 477
lmi-type statement, 1283
  usage guidelines, 1251
load balancing
  on monitoring interfaces, 1073
load-balancing-options statement
  aggregated Multiservices, 281
local-address statement
  PTSP, 849
local-address-range statement
  PTSP, 850
local-certificate statement, 393
  usage guidelines, 338
local-dump statement, 1122
  usage guidelines, 1059
local-gateway address statement, 434
  usage guidelines, 419
local-gateway statement, 593
  usage guidelines, 574
local-id statement, 393
  usage guidelines, 339
local-policy-decision-function statement, 986
local-port-range statement
  PTSP, 850
local-ports statement
  PTSP, 851
local-prefix-list statement
  PTSP, 851
log output
  adaptive services, 581
  APPID, 914
  traffic sampling, 1029

log-prefix statement, 594, 632
  L2TP, 434
  usage guidelines, 421, 578, 616
logging statement, 309, 594
  usage guidelines, 294
logical interfaces
  multicast-capable connections, 1244
logical tunnels, 1362
  example configuration, 1373
logical-system statement
  RPM, 1327
    usage guidelines, 1301
loopback tunnels, 1364
LSQ bandwidth
  oversubscribing, 468
LSQ failover
  interchassis, 450
  stateful intrachassis, 453
  stateless intrachassis, 452
LSQ PICs, 455
  redundancy, 453
lsq-failure-options statement, 513
  usage guidelines, 450

M
manipulation-rule statement, 793
manual security association, 327
manual statement, 394
  usage guidelines, 327
manuals
  comments on, lii
many-to-one statement
  aggregated Multiservices, 282
mapping-type statement, 249
match direction
  usage in service sets, 571
match statement, 1123
match-direction statement
  AACL, 967
    usage guidelines, 956
  CoS, 557
    usage guidelines, 544
  IDS, 310
    usage guidelines, 291
  IPsec, 394
    usage guidelines, 346
  NAT, 250
    usage guidelines, 156
  PTSP, 852
  stateful firewall, 128
    usage guidelines, 115
max-burst-size statement, 699
max-checked-bytes statement, 934
  APPID
    usage guidelines, 911
max-concurrent-calls statement, 700
max-connection-duration statement, 1328
max-duplicates statement, 1220
  usage guidelines, 1196
max-flows statement, 595
  usage guidelines, 578
max-packets-per-second statement, 1124
  usage guidelines, 1025
maximum-age statement, 1181
  usage guidelines, 1163
maximum-connections statement, 1328
maximum-connections-per-client statement, 1329
maximum-contexts statement, 537
  usage guidelines, 523
maximum-fuf-percentage statement, 701
maximum-inactivity-time statement, 702
maximum-net-propagation-delay statement, 703
maximum-packet-length statement, 1123
maximum-records-in-cache statement, 797
maximum-send-window statement, 435
  usage guidelines, 420
maximum-sessions statement, 1329
maximum-sessions-per-connection statement, 1330
maximum-synchronization-mismatches statement, 703
maximum-terms statement, 704
maximum-time-in-cache statement, 797
maximum-transactions statement
  nested applications, 935
maximum-waiting-delay statement, 704
media statement, 705
media-policy statement, 794
media-type statement, 795
mediation devices
  flow-tap, 1202
member statement
  nested applications, 935
member-failure-options statement
  aggregated Multiservices, 283

member-interface statement
  aggregated Multiservices, 285
message-manipulation statement, 796
message-manipulation-rules statement, 798
mg-maximum-pdu-size statement, 706
mg-originated-pending-limit statement, 707
mg-provisional-response-timer-value statement, 708
mg-segmentation-timer statement, 709
mgc-maximum-pdu-size statement, 710
mgc-originated-pending-limit statement, 711
mgc-provisional-response-timer-value statement, 712
mgc-segmentation-timer statement, 713
min-checked-bytes statement, 936
  APPID
    usage guidelines, 911
minimum links
  link services interfaces, 1242
  multilink interfaces, 1242
minimum statement
  BGF, 799
minimum-links statement, 1284
  usage guidelines, 1242
minimum-priority statement, 1220
  usage guidelines, 1193
MLFR and MLPPP, 1233
mlfr-uni-nni-bundle-options statement, 1285
  usage guidelines, 1248, 1251
MLPPP, 480, 490
  configuration example, 483
  example configuration, 493
mode statement, 395
  usage guidelines, 337
monitor statement, 714
monitoring statement, 1125
  usage guidelines, 1034
moving-average-size statement, 1330
  usage guidelines, 1303
MPLS packets
  passive flow monitoring, 1079
mpls-ipv4-template statement, 1126
mpls-template statement, 1126
mrru statement, 1286
  usage guidelines, 1242
mss statement, 310
  usage guidelines, 294
mtu statement, 1287

multicast traffic
  AS PIC, 580
multicast tunnels, 1362
multicast-capable connections
  Frame Relay encapsulation, 1244
multicast-dlci statement, 1287
  usage guidelines, 1244
multicast-only statement, 1382
  usage guidelines, 1362
multiclass MLPPP
  fragmentation, 467
multilink bundles
  fractional T1, 490
    example configuration, 493, 495, 498
  FRF.12, 495
    example configuration, 498
  MLPPP, 490
    example configuration, 493
  NxT1, 480, 485
    configuration example, 483, 488
multilink interfaces
  example configuration, 1257
  minimum links, 1242
multilink-class statement, 514
  usage guidelines, 467
multilink-max-classes statement, 514
  usage guidelines, 467
multiservice-options statement, 1127
MultiServices PIC
  hardware requirements, 38

N
n391 statement, 1288
  usage guidelines, 1251
n392 statement, 1288
  usage guidelines, 1251
n393 statement, 1289
  usage guidelines, 1251
name-format statement, 1182
  usage guidelines, 1162
name-resolution-cache statement, 800
NAPT
  configuring, 168, 173
  IPv4, 168
  IPv6, 173
napt-44 option
  example, 196
  usage guidelines, 168

napt-66 option
  example, 197
  usage guidelines, 173
napt-pt option
  example, 202
  usage guidelines, 187
NAT
  action statements, 159
  address configuration, 151
  AMS, 271
  applications, 158
  destination NAT, 177, 179, 190
    example, 199
  dynamic address-only source translation, 174
  dynamic address-only source translation, 198
  dynamic NAT, 174
    example, 198
  dynamic source address and static destination address translation (IPv6 to IPv4), 189
  dynamic source address and static destination address translation (IPv6-to-IPv4) example, 201
  dynamic source translation, 168, 173
  dynamic source translation, example, 196, 197
  example configuration, 193
  load balancing, example, 273
  match conditions, 158
  NAT-PT, 187
  NAT-PT example, 202
  rule sets, 161
  stateful NAT (IPv6 to IPv4), 189
  stateful NAT (IPv6-to-IPv4) example, 201
  static destination address translation, 177, 179, 190
    example, 199
  twice NAT
    description, 50
nat-rule-sets statement
  usage guidelines, 572
nat-rules statement, 597
  usage guidelines, 572
nested-application statement
  APPID, 937
    usage guidelines, 909
nested-application-settings statement
  APPID, 938

Network Address Port Translation (NAPT)
    example, 196, 197
    IPv4 example, 196
    IPv6 example, 197
network address translation
    port block allocation, 153
network-operator-id statement, 714
new-call-usage-input-policies statement, 800
new-call-usage-output-policies statement, 801
new-call-usage-policy statement, 802
new-call-usage-policy-set statement, 803
new-transaction-input-policies statement, 803
new-transaction-output-policies statement, 804
new-transaction-policy statement, 805
new-transaction-policy-set statement, 807
next-hop groups, 1059
next-hop statement, 1127
    border signaling gateway, 808
    next-hop groups
        usage guidelines, 1061
    usage guidelines, 1059
next-hop style service sets, 571
next-hop-group statement
    forwarding-options, 1128
    port mirroring, 1129
    usage guidelines, 1059, 1061
next-hop-service statement, 598
    usage guidelines, 570
no-anti-replay statement, 395, 599
    usage guidelines, 352, 575
no-application-identification statement, 938
    APPID
        usage guidelines, 911
no-application-system-cache statement, 939
    APPID
        usage guidelines, 911
no-clear-application-system-cache statement, 939
    APPID
        usage guidelines, 911
no-core-dump statement, 1093
    usage guidelines, 1032
no-dscp-bit-mirroring statement, 715
no-filter-check statement, 1129
    usage guidelines, 1059
no-fragmentation statement, 515
    usage guidelines, 465
no-ipsec-tunnel-in-traceroute statement, 396
    usage guidelines, 358


no-local-dump statement, 1122
    usage guidelines, 1059
no-nested-application statement, 940
    usage guidelines, 910
no-per-unit-scheduler statement, 515
no-protocol-method statement, 940
    APPID
        usage guidelines, 911
no-remote-trace statement
    flow monitoring, 1130
no-rtcp-check statement, 715
no-signature-based statement, 941
    APPID
        usage guidelines, 911
no-stamp statement, 1148
    usage guidelines, 1027
no-syslog statement
    DFC, 1221
    flow monitoring, 1149
    usage guidelines, 1195
no-termination-request statement, 516
    usage guidelines, 450
no-translation statement, 250
    usage guidelines, 159
no-world-readable statement
    flow monitoring, 1158
    usage guidelines, 1027
normal-mg-execution-time statement, 716
normal-mgc-execution-time statement, 717
notice (system logging severity level), 421, 579, 616
notice icons defined, l
Notification behavior, 718
notification-behavior statement, 718
notification-rate-limit statement, 718
notification-regulation statement, 719
notification-targets statement, 1221
    usage guidelines, 1193
NxT1 bundles
    FRF.16, 485
        configuration example, 488
    MLPPP, 480
        configuration example, 483

O

object-cache-size statement, 145
    setting for stateful firewall, 137
on-3xx-response statement, 809
one-way-hardware-timestamp statement, 1331
    usage guidelines, 1308
open-timeout statement, 632
    usage guidelines, 614
option-refresh-rate statement, 1131
order statement, 941
    APPID
        usage guidelines, 904
output files
    logging information output file, 1029
    traffic sampling output files, 1027
output statement, 633
    discard accounting, 1132
    flow monitoring, 1133
    port mirroring, 1133
    sampling, 1134
    usage guidelines, 568, 618
output-interface-index statement, 1135
outside-service-interface statement
    usage guidelines, 571
overload-control statement, 719
overload-pool statement, 251
    usage guidelines, 159
overload-prefix statement, 251
    usage guidelines, 159
oversubscription, 468

P

package statement
    loading on PIC, 145
packages
    jservices-sfw, 135
packet-based IPsec, 348
parentheses, in syntax descriptions, lii
passive flow monitoring, 1015
    MPLS packets, 1079
passive-mode-tunneling statement, 599
    usage guidelines, 577
passive-monitor-mode statement, 1136
    usage guidelines, 1077
password statement
    flow collection, 1184
    usage guidelines, 1161, 1163
pattern statement
    nested applications, 942
peak-data-rate statement, 720, 721
peer-unit statement
    tunnel, 1382
    usage guidelines, 1362


per-unit-scheduler statement, 516
    usage guidelines, 468, 473, 480, 485
perfect-forward-secrecy statement, 396
    usage guidelines, 344
performance, monitoring, 1302
pgcp statement
    NAT, 252
pgcp-rule-sets statement
    usage guidelines, 572
pgcp-rules statement
    service-set, 600
    usage guidelines, 572
PIC types for services, 3
pic-memory-threshold statement, 1222
    usage guidelines, 1196
PIM tunnels, 1366
PIR, 468
platform statement, 722
platforms, supported, 4
point-to-point connections
    Frame Relay encapsulation, 1244
policy statement
    IKE, 397
        usage guidelines, 335
    IPsec, 398
        usage guidelines, 343
policy-db-size statement, 146
    setting for stateful firewall, 137
policy-decision-statistics-profile statement, 987
pool statement, 253
    service interface pool, 754
    usage guidelines, 151
pop-all-labels statement, 1137
    usage guidelines, 1079
port forwarding
    dnat-44, 179, 190
    static destination address translation, 179, 190
port mirroring, 1059
    disabling, 1094
    disabling all instances, 1095
port statement
    cflowd
        usage guidelines, 1040
    flow monitoring, 1138
    NAT, 254
        usage guidelines, 151
    RPM, 1332
    TWAMP, 1332
    voice services, 537
        usage guidelines, 523
port-forwarding
    example, 215
port-forwarding statement
    destined-port statement, 245
    NAT, 255
    translated-port statement, 266
port-forwarding-mappings statement, 255
port-mapping statement, 942
port-mirroring statement, 1139
    usage guidelines, 1059
port-range statement, 943
    APPID
        usage guidelines, 904
ports-per-session statement, 256
post-service-filter statement, 633
    usage guidelines, 568
ppp-access-profile statement, 435
    usage guidelines, 419
ppp-profile statement
    usage guidelines, 418
pre-shared-key statement, 398
    usage guidelines, 338
preserve-interface statement, 517
    usage guidelines, 455
primary statement
    link services, 517
        usage guidelines, 453
    services PIC, 634
        usage guidelines, 620
probe statement
    RPM, 1333
        usage guidelines, 1303
probe-count statement, 1334
    usage guidelines, 1303
probe-interval statement, 1334
    usage guidelines, 1303
probe-limit statement, 1335
    usage guidelines, 1307
probe-server statement, 1335
    usage guidelines, 1307
probe-type statement, 1336
    usage guidelines, 1303
probes, for monitoring traffic, 1303
procedural overview, 44


profile statement
    APPID
        usage guidelines, 908
    application identification, 943
profile-name statement, 723
profile-version statement, 723
proposal statement
    IKE, 399
        usage guidelines, 332
    IPsec, 400
        usage guidelines, 341
proposals statement
    IKE, 400
        usage guidelines, 337
    IPsec, 400
        usage guidelines, 345
protocol statement
    applications, 109
        usage guidelines, 74
    IPsec, 401
        usage guidelines, 329, 343
    nested applications, 944
    PTSP, 852
ptsp-rule-sets statement
    usage guidelines, 572
ptsp-rules statement, 601
    usage guidelines, 572

Q
queue-limit-percentage statement, 724
queues statement, 538
    usage guidelines, 523

R
RADIUS servers
    configuration example, 273
random-allocation statement, 254
rate statement, 634, 1140
    usage guidelines, 1025, 1059
Real-Time Performance Monitoring, See RPM
reassemble-packets statement, 1383
    usage guidelines, 1359
receive-options-packets statement, 1140
    usage guidelines, 1077
receive-ttl-exceeded statement, 1141
    usage guidelines, 1077
receive-window statement, 436
    usage guidelines, 420
reconnect statement, 725

red-differential-delay statement, 1289
    usage guidelines, 1250
redistribute-all-traffic statement
    aggregated Multiservices, 286
redundancy
    AS PIC, 620
    flow monitoring, 1084
    L2TP, 424
redundancy-options statement, 518, 635
    usage guidelines, 620
reflexive | reverse statement, 558
    usage guidelines, 546
reject-all-commands-threshold statement, 725
reject-new-calls-threshold statement, 726
rejoin-timeout statement
    aggregated Multiservices, 286
remote-address statement
    PTSP, 853
remote-address-range statement
    PTSP, 854
remote-gateway statement, 401
    usage guidelines, 350
remote-id statement, 402
    usage guidelines, 339
remote-port-range statement, 854
remote-ports statement, 855
remote-prefix-list statement
    PTSP, 855
remotely-controlled statement, 256
report-service-change statement, 726
request-timestamp statement, 727
request-uri statement, 810
required-depth statement, 1141
    usage guidelines, 1079
retransmit-interval statement, 436
    usage guidelines, 420
retry statement, 1185
    usage guidelines, 1163
retry-delay statement, 1185
    usage guidelines, 1163
reverse-manipulation statement, 811
RFC 2890, 1357
route statement, 812
route-record statement
    usage guidelines, 1039
router identifier, 1384
routing-destinations statement, 813


routing-instance statement
    BGF, 727
    RPM, 1337
    tunnel, 1383
        usage guidelines, 1364
routing-instances statement
    RPM, 1337
        usage guidelines, 1302
rpc-program-number statement, 110
    usage guidelines, 80
RPM, 1297, 1299
    example configuration, 1314
rpm statement, 1338
    usage guidelines, 1307
rtp statement, 538, 728
    usage guidelines, 523
rule statement
    AACL, 968
        usage guidelines, 956
    APPID
        usage guidelines, 904
    application identification, 945
    BGF, 729
    CoS, 559
        usage guidelines, 543
    IDS, 311
        usage guidelines, 291
    IPsec, 403
        usage guidelines, 346
    NAT, 257
        usage guidelines, 156
    PTSP, 856, 857
    softwire, 867, 885
    stateful firewall, 129
        usage guidelines, 114
rule-set statement
    AACL, 969
        usage guidelines, 959
    APPID
        usage guidelines, 904
    application identification, 946
    BGF, 729
    CoS, 560
        usage guidelines, 548
    IDS, 312
        usage guidelines, 297
    IPsec, 404
        usage guidelines, 353
    NAT, 258
        usage guidelines, 161
    PTSP, 857
    softwire, 885
    stateful firewall, 130
        usage guidelines, 118
run-length statement, 1142
    usage guidelines, 1025, 1059

S
sample (firewall filter action), 1024
sample-once statement
    flow monitoring, 1142
        usage guidelines, 1027
sampled file, 1029
sampled.pkts file, 1027
sampling
    logical interface, 1025
    monitoring interface, 1032
sampling rate, 1025
sampling statement
    flow monitoring, 1146
        usage guidelines, 1024
sbc-utils statement, 730, 814
scheduler map
    CoS configuration example, 1246
secondary statement
    link services, 518
        usage guidelines, 453
    services PIC, 635
        usage guidelines, 620
secured-port-block-allocation statement, 259
security associations
    clearing, 332
segmentation statement, 731
senable-asymmetic-traffic-processing statement
    usage guidelines, 913
send cflowd records to flow collector, 1164
send-notification-on-delay statement, 732
server statement, 1339
server-inactivity-timeout statement, 1339
servers statement, 815
service filters, 619
service interface configuration, 568
service packages, 39
service rules configuration, 572


service sets
    example configuration, 583
    overview, 38
service statement, 636
    usage guidelines, 618
service-change statement, 733
service-change-type statement, 734
service-class statement, 816
service-domain statement, 636
    usage guidelines, 570
service-filter statement
    firewall
        usage guidelines, 619
    interfaces, 637
        usage guidelines, 568
service-interface statement, 437, 601
    BGF, 734
    border signaling gateway
        gateway, 817
        service point, 817
    usage guidelines, 419, 568
service-interface-pools statement, 754
service-point statement, 818
service-point-type statement, 819
service-policies statement, 819
service-port statement, 1222
    usage guidelines, 1193
service-set statement, 602, 637
    usage guidelines, 567, 618
service-state statement virtual BGF......................................................................735 virtual interface in BGF..............................................736 services configuration overview........................................44 services PICs................................................................................3 services statement AACL usage guidelines.................................................955 APPID usage guidelines..................................................901 BGF....................................................................................736 border signaling gateway.........................................820 CoS...................................................................................560 usage guidelines..................................................541 DFC..................................................................................1223 usage guidelines..................................................1191 flow monitoring usage guidelines................................................1023 flow-monitoring..........................................................1146

IDS......................................................................................312 usage guidelines.................................................289 interfaces........................................................................638 usage guidelines..................................................616 IPsec................................................................................404 usage guidelines..................................................323 L2TP.................................................................................438 usage guidelines...................................................421 NAT...................................................................................260 usage guidelines..................................................149 PTSP................................................................................858 RPM................................................................................1340 usage guidelines................................................1299 service sets....................................................................604 usage guidelines..................................................578 stateful firewall.............................................................130 usage guidelines....................................................113 services-options statement.............................................639 usage guidelines..................................................614, 616 session-limit statement...........................................313, 640 usage guidelines..........................................................294 session-mirroring statement............................................737 session-timeout statement.............................................948 usage guidelines..........................................................903 session-trace statement....................................................821 shaping-rate statement usage 
guidelines......................................463, 468, 473 shared-key statement.......................................................1223 usage guidelines..........................................................1193 short-sequence statement............................................1290 usage guidelines.........................................................1243 signaling statement............................................................822 signaling-realms statement border signaling gateway new transaction policy.....................................823 signature statement nested applications...................................................949 sip statement...............................................................561, 824 usage guidelines..........................................................546 sip-call-hold-timeout statement....................................110 sip-header statement.........................................................827 sip-stack statement...........................................................829 size statement.......................................................................1147 usage guidelines........................................................1029 snmp-command statement...............................................111 usage guidelines............................................................80 soft-limit statement..........................................................1224 usage guidelines..........................................................1192


Copyright 2011, Juniper Networks, Inc.

Index

soft-limit-clear statement ..... 1224
    usage guidelines ..... 1192
softwire-concentrator statement ..... 886
softwire-rules statement ..... 886
    usage guidelines ..... 572
SONET interfaces
    sampling SONET interfaces ..... 1029
source statement
    APPID
        usage guidelines ..... 904
    application identification rule ..... 950
    encryption ..... 1010
    tunnel ..... 1385
    usage guidelines ..... 1003, 1355
source-address statement
    AACL ..... 970
        usage guidelines ..... 957
    BGF ..... 737
    CoS ..... 561
        usage guidelines ..... 544
    flow monitoring ..... 1148
        usage guidelines ..... 1034
    IDS ..... 314
        usage guidelines ..... 293
    IPsec ..... 405
        usage guidelines ..... 348
    NAT ..... 260
        usage guidelines ..... 158
    RPM ..... 1340
        usage guidelines ..... 1303
    stateful firewall ..... 131
        usage guidelines ..... 115
    tunnel ..... 1385
    tunnel services
        usage guidelines ..... 1367
source-address-range statement
    AACL ..... 970
        usage guidelines ..... 957
    IDS ..... 314
        usage guidelines ..... 293
    NAT ..... 261
        usage guidelines ..... 158
    stateful firewall ..... 131
        usage guidelines ..... 115
source-addresses statement
    DFC ..... 1225
    usage guidelines ..... 1193
source-pool statement ..... 261
    usage guidelines ..... 159
source-port statement
    BGF ..... 738
    RPM ..... 111
        usage guidelines ..... 77
source-prefix statement ..... 262, 315
    usage guidelines ..... 294
source-prefix-ipv6 statement ..... 315
    usage guidelines ..... 294
source-prefix-list statement
    AACL ..... 971
        usage guidelines ..... 957
    CoS ..... 562
    IDS ..... 316
    NAT ..... 262
    stateful firewall ..... 132
        usage guidelines ..... 115
spi statement ..... 405
    usage guidelines ..... 329
stamp option ..... 1028
stamp statement ..... 1148
    usage guidelines ..... 1027
state-loss statement ..... 739
stateful firewall
    action statements ..... 116
    anomalies ..... 46
    applications ..... 115
    example configuration ..... 118
    match conditions ..... 115
    restrictions ..... 137
    rules ..... 118
stateful firewall plug-in
    configuring memory for ..... 137
stateful firewall use with APPID ..... 906
stateful firewalls
    jservices-sfw package ..... 135
    SDK Kerberos-enabled, configuring ..... 137
    SDK plug-in for, loading ..... 135
stateful NAT
    configuring ..... 189
    example ..... 201
stateful-firewall-rule-sets statement
    usage guidelines ..... 572
stateful-firewall-rules statement ..... 606
    usage guidelines ..... 572
stateful-nat64 option
    example ..... 201
    usage guidelines ..... 189


statement
    flow monitoring
        usage guidelines ..... 1029
    IPsec
        usage guidelines ..... 358
    L2TP
        usage guidelines ..... 424
    services
        usage guidelines ..... 1164
static destination address translation
    configuring ..... 177, 179, 190
    example ..... 199
statistics statement
    L-PDF ..... 988
stop-detection-on-drop statement ..... 739
support, technical. See technical support
support-uni-directional-traffic statement ..... 950
    usage guidelines ..... 913
sustained-data-rate statement ..... 740
    gate in packet gateway ..... 741
syn-cookie statement ..... 316
    usage guidelines ..... 294
syntax conventions ..... li
syslog statement ..... 147
    CoS ..... 562
        usage guidelines ..... 545
    flow monitoring ..... 1149
    IDS ..... 317
        usage guidelines ..... 294
    interfaces ..... 640
        usage guidelines ..... 616
    IPsec ..... 406
        usage guidelines ..... 349, 352
    L2TP ..... 440
        usage guidelines ..... 421
    NAT ..... 263
        usage guidelines ..... 159
    service sets ..... 606
        usage guidelines ..... 578
    stateful firewall ..... 132
        usage guidelines ..... 116

T
t391 statement ..... 1290
    usage guidelines ..... 1251
t392 statement ..... 1291
    usage guidelines ..... 1251
target statement ..... 1341
target-url statement
    usage guidelines ..... 1303
tcp statement
    RPM ..... 1341
tcp-mss statement ..... 607
tcp-tickles statement ..... 641
technical support
    contacting JTAC ..... lii
template statement
    flow monitoring ..... 1150
template-refresh-rate statement ..... 1152
term statement
    AACL ..... 972
        usage guidelines ..... 956
    border signaling gateway
        new call usage policy ..... 831
        new transaction policy ..... 832
        service-class ..... 833
    CoS ..... 563
        usage guidelines ..... 543
    IDS ..... 318
        usage guidelines ..... 291
    IPsec ..... 407
        usage guidelines ..... 346
    NAT ..... 264
        usage guidelines ..... 156
    PTSP ..... 860
    PTSP forward rule ..... 859
    softwire ..... 887
    stateful firewall ..... 133
        usage guidelines ..... 114
test statement
    RPM ..... 1342
        usage guidelines ..... 1303
test-interval statement ..... 1343
    usage guidelines ..... 1303
then statement
    AACL ..... 973
        usage guidelines ..... 956
    border signaling gateway
        new call usage policy ..... 834
        new transaction policy ..... 835
        service-class ..... 836
    CoS ..... 564
        usage guidelines ..... 543
    IDS ..... 320
        usage guidelines ..... 291
    IPsec ..... 408
        usage guidelines ..... 346


    NAT ..... 265
        usage guidelines ..... 156
    PTSP ..... 862
    PTSP forward rule ..... 861
    stateful firewall ..... 134
        usage guidelines ..... 114, 116
threshold statement ..... 321
    usage guidelines ..... 294
thresholds statement
    RPM ..... 1344
        usage guidelines ..... 1303
time-to-live threshold ..... 80
timer-c statement ..... 837
timers statement ..... 837
timerx statement ..... 742
timestamp option ..... 1028
tmax-retransmission-delay statement ..... 742
trace-options
    server (tracing flag) ..... 582
    timer-events (tracing flag) ..... 582
traceoptions statement ..... 838
    application identification ..... 951
    BGF ..... 743
    flow monitoring ..... 1152
    IPsec ..... 409
    L-PDF ..... 989
    L2TP ..... 441
    security ..... 411
    services ..... 608
tracing flags
    event policy
        all ..... 582, 915
        configuration ..... 582
        database ..... 582
        events ..... 582
        policy ..... 582
        server ..... 582
        timer-events ..... 582
tracing operations
    adaptive services ..... 580
    APPID ..... 913
traffic ..... 997
    inbound (decryption) ..... 1001
    IPsec, configuring ..... 997
    monitoring ..... 1302
    outbound (encryption) ..... 999
traffic sampling
    configuring ..... 1024
    disabling ..... 1026, 1094
    example configurations ..... 1029
    flow aggregation ..... 1039
    FTP traffic ..... 1031
    logging information output file ..... 1029
    output files ..... 1027
    SONET interfaces ..... 1029
    traffic from single IP addresses ..... 1030
traffic-control-profiles statement
    usage guidelines ..... 468, 473
traffic-management statement ..... 744
transactions statement ..... 839
transfer statement ..... 1186
    usage guidelines ..... 1162
transfer-log-archive statement ..... 1186
    usage guidelines ..... 1163
translated statement ..... 266
    usage guidelines ..... 159
translated-port statement
    NAT ..... 266
translation-type statement ..... 267
    basic-nat-pt option ..... 182
    basic-nat44 option ..... 162
    basic-nat66 option ..... 165
    dnat-44 option, configuring ..... 177, 179, 190
    dnat-44 option, example ..... 199
    dynamic-nat44, configuring ..... 174
    dynamic-nat44, example ..... 198
    napt-44 option, configuring ..... 168
    napt-44 option, example ..... 196
    napt-66 option, configuring ..... 173
    napt-66 option, example ..... 197
    napt-pt option, configuring ..... 187
    napt-pt option, example ..... 202
    stateful-nat64 option, configuring ..... 189
    stateful-nat64 option, example ..... 201
    usage guidelines ..... 159
transport statement
    NAT ..... 268
transport-details statement ..... 840
traps statement ..... 1345
    usage guidelines ..... 1303
trigger-link-failure statement ..... 519
    usage guidelines ..... 450
trusted-ca statement ..... 609
    usage guidelines ..... 575


ttl statement
    DFC ..... 1225
        usage guidelines ..... 1192
    tunnel ..... 1386
    usage guidelines ..... 1355
ttl-threshold statement ..... 112
    usage guidelines ..... 80
tunnel interfaces
    configuration statements ..... 1355, 1362, 1364
    dynamic tunnels ..... 1367
    example configuration ..... 1369
    logical tunnels ..... 1362
    loopback tunnels ..... 1364
    multicast tunnels ..... 1362
    PIM tunnels ..... 1366
    unicast tunnels ..... 1355
tunnel statement ..... 1387
    encryption ..... 1011
        usage guidelines ..... 995
    redundancy
        usage guidelines ..... 1003
    unicast
        usage guidelines ..... 1355
tunnel-group statement ..... 445
    usage guidelines ..... 418
tunnel-mtu statement ..... 412, 610
    usage guidelines ..... 352, 577
tunnel-timeout statement ..... 446
    usage guidelines ..... 420
tunnel-type statement ..... 1388
    usage guidelines ..... 1367
tunnels
    definition ..... 1351
    GRE
        fragmentation of ..... 1358
        key number ..... 1357
    interface types ..... 1351
    IPv6-over-IPv4 ..... 1366, 1370
twamp statement ..... 1346
twamp-server statement ..... 1346
twice NAT ..... 50
twice-napt-44 option
    example ..... 215
type statement ..... 952
    APPID
        usage guidelines ..... 903
type-of-service statement ..... 952
    APPID
        usage guidelines ..... 903

U
udp statement
    RPM ..... 1347
unidirectional traffic support
    APPID ..... 913
unicast tunnels ..... 1355
unit statement
    aggregated Multiservices ..... 287
    encryption ..... 1012
        usage guidelines ..... 995
    flow monitoring ..... 1153
        usage guidelines ..... 1024
    interfaces ..... 642
        usage guidelines ..... 611
    link services ..... 539, 1292
        usage guidelines ..... 1233
    tunnel ..... 1389
        usage guidelines ..... 1355
Universal Unique Identifier ..... 81
up statement
    BGF ..... 745
url statement ..... 953
    APPID
        usage guidelines ..... 912
use-lower-case statement ..... 745
use-wildcard-response statement ..... 746
username statement
    flow collection ..... 1187
    usage guidelines ..... 1163
uuid statement ..... 112
    usage guidelines ..... 81

V
v6rd statement ..... 888
    usage guidelines ..... 866
var/log/sampled file ..... 1029
var/tmp/sampled.pkts file ..... 1027
variant statement ..... 1187
    usage guidelines ..... 1162
version statement
    flow monitoring ..... 1154
    IKE ..... 412
    usage guidelines ..... 337, 1040
version-ipfix statement ..... 1157
    usage guidelines ..... 1053, 1055
version9 statement ..... 1155
video statement ..... 564
    usage guidelines ..... 546


virtual loopback tunnel
    configuration guidelines ..... 1364
    VRF table lookup
        example configuration ..... 1370
virtual-interface statement ..... 747
virtual-interface-down statement ..... 748
virtual-interface-indications statement ..... 749
virtual-interface-up statement ..... 749
voice services
    bundles ..... 526
    configuration ..... 521
    encapsulation ..... 525
    example configuration ..... 526
    interface type ..... 522
voice services interfaces
    interleave fragments ..... 524
voice statement ..... 565
    usage guidelines ..... 546

W
warm standby
    AS PIC ..... 620
    LSQ PIC ..... 453
warm statement ..... 750
warm-standby statement ..... 519
warning (system logging severity level) ..... 421, 579, 616
wired-process-mem-size statement ..... 148
world-readable statement
    flow monitoring ..... 1158
        usage guidelines ..... 1027

Y
yellow-differential-delay statement ..... 1293
    usage guidelines ..... 1250


Index of Statements and Commands


A
aacl-fields statement....982
aacl-statistics-profile statement....983
accelerations statement....763
accounting statement
    flow monitoring....1088
acknowledge-retries statement....1271
acknowledge-timer statement....1272
action-red-differential-delay statement....1273
actions statement....762
adaptive-services-pics statement....585
address statement
    application rule....920
    DFC....1209
    encryption....1005
    flow monitoring....1089
    interfaces....625
    link services....1274
    NAT....239
    voice services....531
address-allocation statement....240
address-pooling statement....240
address-range statement
    NAT....241
administrative statement
    BGF....650
admission-control statement....764, 765
aggregate-export-interval statement....1089
aggregation statement....301
    flow monitoring....1090
algorithm statement....652
allow-fragmentation statement....1375
allow-ip-options statement....124
allow-multicast statement....586
allowed-destinations statement....1210
analyzer-address statement....1171
analyzer-id statement....1172
anti-replay-window-size statement....377, 587
application statement....103, 921, 922
application-aware-access-list-fields statement....984
application-data-inactivity-detection statement....652
application-group statement....922
application-group-any statement....964
    PTSP....843
application-groups statement....923, 964
    PTSP....843
application-profile statement....552
application-protocol statement....104
application-set statement....105
application-sets statement
    CoS....553
    IDS....302
    NAT....241
    stateful firewall....125
application-system-cache-timeout statement....923
applications statement
    AACL....963
    application identification....924
    application-level gateways....125
    applications hierarchy....105
    CoS....553
    IDS....302
    NAT....242
    PTSP....844
    stateful firewall....125
archive-sites statement....1172
audit-observed-events-returns statement....653
authentication statement....378
authentication-algorithm statement
    IKE....379
    IPsec....379
authentication-method statement....380
authentication-mode statement
    RPM....1319
automatic statement....924
autonomous-system-type statement....1091
auxiliary-spi statement....380
availability-check-profiles statement....766

B
backup-destination statement....1376
backup-interface statement....1006


backup-remote-gateway statement....381
base-root statement....654
bgf-core statement....655
bgp statement
    RPM....1320
blacklist-period statement....767
bundle statement....532, 1274
by-destination statement....303
by-pair statement....304
by-source statement....305
bypass-traffic-on-pic-failure statement....588

C
cancel-graceful statement....657
capture-group statement....1211
cflowd statement....1092
cgn-pic statement....626
chain-order statement
    nested applications....925
cisco-interoperability statement....509
cleanup-timeout statement....658
clear-dont-fragment-bit statement
    GRE tunnel....626
    IPsec....381
    service-set....589
clear-ike-sas-on-pic-restart statement....382
clear-ipsec-sas-on-pic-restart statement....382
client-list statement....1321
clusters statement....768
collector statement....1173
committed-burst-size statement....769
committed-information-rate statement....770
compression statement....532
compression-device statement....533
content-destination statement....1212
context statement
    nested applications....925
context-indications statement....659
control-association-indications statement....660
control-cores statement....139
control-source statement....1213
controller-address statement....661
controller-failure statement....661
controller-port statement....662
copy-tos-to-outer-ip-header statement....1376
core-dump statement....1093
count-type statement....844

D
data statement....554
data-cores statement....140
data-fill statement....1321
data-flow-affinity statement....140
data-format statement....1173
data-inactivity-detection statement....662, 770
data-size statement....1322
datastore statement....771
default statement....663
default-media-realm statement....772
delivery-function statement....664
demux statement....845
description statement
    IKE....383
    IPsec....383
destination statement....141
    application identification rule....926
    encryption....1006
    flow monitoring....1094
    link services....1275
    tunnel....1377
destination-address statement
    AACL....965
    BGF....664
    CoS....554
    IDS....306
    IPsec....383
    NAT....242
    stateful firewall....126
destination-address-range statement
    AACL....965
    IDS....306
    NAT....243
    stateful firewall....126
destination-networks statement
    tunnel....1378
destination-pool statement....243
destination-port range statement
    NAT....244
destination-port statement
    applications....105
    BGF....665
    RPM....106, 1324
destination-prefix statement....244, 307
destination-prefix-ipv6 statement....307
destination-prefix-list statement
    AACL....966
    CoS....555
    IDS....308
    NAT....245
    stateful firewall....127
destinations statement
    flow collection....1174
destined-port statement
    NAT....245
detect statement....665
dh-group statement....384
dial-options statement....627
dialogs statement....773
diffserv statement....666
direction statement....385
    nested applications....926
disable statement
    application....927
    application group....927
    flow monitoring....1094
    port mapping....928
disable-all-instances statement
    flow monitoring....1095
disable-global-timeout-override statement....928
disable-mlppp-inner-ppp-pfc statement....1275
disable-session-mirroring statement....666
disconnect statement....667
dlci statement....1276
do-not-fragment statement
    tunnel....1378
down statement....668
download statement
    APPID....929
drop-member-traffic statement
    aggregated Multiservices....277
drop-timeout statement....1277
ds-lite statement....884
dscp statement....555
    BGF....669
    BSG....774
dscp-code-point statement
    RPM....1325
duplicates-dropped-periodicity statement....1213
dynamic route insertion....355
dynamic statement....386
dynamic-flow-capture statement....1214
dynamic-tunnels statement....1379

E
egress-service-point statement....775
embedded-spdf statement....776
enable-asymmetric-traffic-processing statement....930
enable-heuristics statement....929, 930
enable-rejoin statement
    aggregated Multiservices....278
encapsulation statement....533
    link services....1278
encoding statement....669
encryption statement....387
encryption-algorithm statement
    IKE....388
    IPsec....388
engine-id statement
    flow monitoring....1095
engine-type statement....1096
es-options statement....1007
event-timestamp-notification statement....670
export-format statement....1098
extension-provider statement....142
extension-service statement....1097

F
f-max-period statement....534
facility-override statement....431, 590, 628
failover statement....672
failover-cold statement....670
failover-warm statement....671
family statement
    aggregated Multiservices....278
    encryption....1008
    flow monitoring....1099
    interfaces....629
    link services....1280
    voice services....535
fast-update-filters statement....673
file statement....1104
    BGF....674
    border signaling gateway....777
    L-PDF statistics....985
    traffic sampling....1104
file-specification statement....1175
filename statement....1105
filename-prefix statement....1174
files statement....1105
filter statement
    encryption....1009
    flow monitoring....1106
filtering-type statement....246
flag statement....675, 778


flow-active-timeout statement....1107
flow-collector statement....1176
flow-control-options statement....1108
flow-export-destination statement....1109
flow-export-rate statement
    flow monitoring....1108
flow-inactive-timeout statement....1110
flow-monitoring statement....1111
flow-server statement
    flow monitoring....1112
flow-tap statement....1215
force-entry statement....308
forward-manipulation statement....779
forward-rule statement
    PTSP....846, 847
forwarding-class statement....510, 556
forwarding-db-size statement....143
forwarding-options statement....1113
fragment-threshold statement
    link services....1281
    LSQ....511
    voice services....536
fragmentation-map statement....511
fragmentation-maps statement....512
framework statement....780
from statement
    AACL....966
    border signaling gateway
        new call usage policy....783
        new transaction policy....784
        service class....786
    CoS....556
    IDS....309
    IPsec....389
    NAT....247
    PTSP....848
    PTSP forward rule....847
    stateful firewall....128
ftp statement....557
    flow collection....1178

G
g-duplicates-dropped-periodicity statement....1216
g-max-duplicates statement....1217
gateway statement
    BGF....676
    border signaling gateway....787
gateway-address statement....680
gateway-controller statement....681
gateway-port statement....682
graceful statement....683
graceful-restart statement....684

H
h248-options statement....685
h248-profile statement....687
h248-properties statement....688
h248-stack statement....691
h248-timers statement....692
hanging-termination-detection statement....692
hard-limit statement....1217
hard-limit-target statement....1218
hardware-timestamp statement....1326
hash-key statement
    SDK....144
hello-interval statement
    L2TP....432
hello-timer statement
    link services....1282
hide-avps statement....432
high-availability-options statement
    aggregated Multiservices....279
hint statement....248
history-size statement....1326
hold-time statement
    GRE tunnel interface....1380
host statement....590, 630
    L2TP....433
hot-standby statement....512

I
icmp-code statement....106
icmp-type statement....107
idle-timeout statement....931
ids-rules statement....591
ignore-entry statement....308
ignore-errors statement....931
ike statement....390
ike-access-profile statement....591
inactivity-delay statement....693
inactivity-duration statement....693, 792
inactivity-non-tcp-timeout statement....932
inactivity-tcp-timeout statement....932
inactivity-timeout statement....107
    BGF....694
    flow monitoring....630
    RPM....1327
inactivity-timer statement....695


index statement....................................................................933 nested applications....................................................933 initial-average-ack-delay statement...........................695 initiate-dead-peer-detection statement.....................391 inline-jflow statement flow monitoring.............................................................1113 input statement flow monitoring............................................................1114 interfaces.........................................................................631 input-interface-index statement....................................1115 input-packet-rate-threshold statement....................1218 instance statement port mirroring.................................................................1116 sampling..........................................................................1117 interface statement flow monitoring............................................................1119 flow-tap..........................................................................1219 service interface pool.................................................753 interface-map statement................................................1180 interface-service statement.............................................592 interfaces statement aggregated Multiservices.........................................280 DFC...................................................................................1219 encryption....................................................................1009 flow monitoring.............................................................1121 interfaces hierarchy.....................................................631 link services..................................................................1282 tunnel.............................................................................1380 voice services................................................................536 
interim-ah-scheme statement......................................696 interleave-fragments statement..................................1283 ip statement application identification.........................................934 ip-flow-stop-detection statement...............................696 ipsec statement.....................................................................391 ipsec-inside-interface statement..................................392 ipsec-sa statement encryption.....................................................................1010 ipsec-transport-security-association statement...........................................................................697 ipsec-vpn-options statement.........................................592 ipsec-vpn-rules statement...............................................593 ipv4-template statement..................................................1121 ipv6-multicast-interfaces statement...........................249 softwire...........................................................................889 ipv6-template statement..................................................1121

K
keepalive-time statement GRE tunnel interface.................................................1381 key statement tunnel..............................................................................1381

L
L2TP statements
    traceoptions....441
l2tp-access-profile statement....433
label-position statement....1122
latch-deadlock-delay statement....697
learn-sip-register statement....108
lifetime-seconds statement
    IKE....392
    IPsec....392
link-layer-overhead statement....513
lmi-type statement....1283
load-balancing-options statement
    aggregated Multiservices....281
local-address statement
    PTSP....849
local-address-range statement
    PTSP....850
local-certificate statement....393
local-dump statement....1122
local-gateway address statement....434
local-gateway statement....593
local-id statement....393
local-policy-decision-function statement....986
local-port-range statement
    PTSP....850
local-ports statement
    PTSP....851
local-prefix-list statement
    PTSP....851
log-prefix statement....594, 632
    L2TP....434
logging statement....309, 594
logical-system statement
    RPM....1327
lsq-failure-options statement....513

M
manipulation-rule statement....793
manual statement....394
many-to-one statement
    aggregated Multiservices....282
mapping-type statement....249

Copyright 2011, Juniper Networks, Inc.

1423

Junos 11.4 Services Interfaces Configuration Guide

match statement....1123
match-direction statement
    AACL....967
    CoS....557
    IDS....310
    IPsec....394
    NAT....250
    PTSP....852
    stateful firewall....128
max-burst-size statement....699
max-checked-bytes statement....934
max-concurrent-calls statement....700
max-connection-duration statement....1328
max-duplicates statement....1220
max-flows statement....595
max-packets-per-second statement....1124
maximum-age statement....1181
maximum-connections statement....1328
maximum-connections-per-client statement....1329
maximum-contexts statement....537
maximum-fuf-percentage statement....701
maximum-inactivity-time statement....702
maximum-net-propagation-delay statement....703
maximum-records-in-cache statement....797
maximum-send-window statement....435
maximum-sessions statement....1329
maximum-sessions-per-connection statement....1330
maximum-synchronization-mismatches statement....703
maximum-terms statement....704
maximum-time-in-cache statement....797
maximum-transactions statement
    nested applications....935
maximum-waiting-delay statement....704
media statement....705
media-policy statement....794
media-type statement....795
member statement
    nested applications....935
member-failure-options statement
    aggregated Multiservices....283
member-interface statement
    aggregated Multiservices....285
message-manipulation statement....796
message-manipulation-rules statement....798
mg-maximum-pdu-size statement....706
mg-originated-pending-limit statement....707

mg-provisional-response-timer-value statement....708
mg-segmentation-timer statement....709
mgc-maximum-pdu-size statement....710
mgc-originated-pending-limit statement....711
mgc-provisional-response-timer-value statement....712
mgc-segmentation-timer statement....713
min-checked-bytes statement....936
minimum statement
    BGF....799
minimum-links statement....1284
minimum-priority statement....1220
mlfr-uni-nni-bundle-options statement....1285
mode statement....395
monitor statement....714
monitoring statement....1125
moving-average-size statement....1330
mpls-ipv4-template statement....1126
mpls-template statement....1126
mrru statement....1286
mss statement....310
mtu statement....1287
multicast-dlci statement....1287
multicast-only statement....1382
multilink-class statement....514
multilink-max-classes statement....514
multiservice-options statement....1127

N
n391 statement....1288
n392 statement....1288
n393 statement....1289
name-format statement....1182
name-resolution-cache statement....800
nat-rules statement....597
nested-application statement
    APPID....937
nested-application-settings statement
    APPID....938
network-operator-id statement....714
new-call-usage-input-policies statement....800
new-call-usage-output-policies statement....801
new-call-usage-policy statement....802
new-call-usage-policy-set statement....803
new-transaction-input-policies statement....803
new-transaction-output-policies statement....804
new-transaction-policy statement....805
new-transaction-policy-set statement....807


Index of Statements and Commands

next-hop statement....1127
    border signaling gateway....808
next-hop-group statement
    forwarding-options....1128
    port mirroring....1129
next-hop-service statement....598
no-anti-replay statement....395, 599
no-application-identification statement....938
no-application-system-cache statement....939
no-clear-application-system-cache statement....939
no-core-dump statement....1093
no-dscp-bit-mirroring statement....715
no-filter-check statement....1129
no-fragmentation statement....515
no-ipsec-tunnel-in-traceroute statement....396
no-local-dump statement....1122
no-nested-application statement....940
no-per-unit-scheduler statement....515
no-protocol-method statement....940
no-remote-trace statement
    flow monitoring....1130
no-rtcp-check statement....715
no-signature-based statement....941
no-stamp statement....1148
no-syslog statement
    DFC....1221
    flow monitoring....1149
no-termination-request statement....516
no-translation statement....250
no-world-readable statement
    flow monitoring....1158
normal-mg-execution-time statement....716
normal-mgc-execution-time statement....717
notification-behavior statement....718
notification-rate-limit statement....718
notification-regulation statement....719
notification-targets statement....1221

O

object-cache-size statement....145
on-3xx-response statement....809
one-way-hardware-timestamp statement....1331
open-timeout statement....632
option-refresh-rate statement....1131
order statement....941
output statement....633
    discard accounting....1132
    flow monitoring....1133
    port mirroring....1133
    sampling....1134
output-interface-index statement....1135
overload-control statement....719
overload-pool statement....251
overload-prefix statement....251

P

package statement
    loading on PIC....145
passive-mode-tunneling statement....599
passive-monitor-mode statement....1136
password statement
    flow collection....1184
pattern statement
    nested applications....942
peak-data-rate statement....720, 721
peer-unit statement
    tunnel....1382
per-unit-scheduler statement....516
perfect-forward-secrecy statement....396
pgcp statement
    NAT....252
pgcp-rules statement
    service-set....600
pic-memory-threshold statement....1222
platform statement....722
policy statement
    IKE....397
policy-db-size statement....146
policy-decision-statistics-profile statement....987
pool statement....253
    service interface pool....754
pop-all-labels statement....1137
port statement
    flow monitoring....1138
    NAT....254
    RPM....1332
    TWAMP....1332
    voice services....537
port-forwarding statement
    destined-port statement....245
    NAT....255
    translated-port statement....266
port-mapping statement....942
port-mirroring statement....1139
port-range statement....943
ports-per-session statement....256
post-service-filter statement....633


ppp-access-profile statement....435
pre-shared-key statement....398
preserve-interface statement....517
primary statement
    link services....517
    services PIC....634
probe statement
    RPM....1333
probe-count statement....1334
probe-interval statement....1334
probe-limit statement....1335
probe-server statement....1335
probe-type statement....1336
profile statement
    application identification....943
profile-name statement....723
profile-version statement....723
proposal statement
    IKE....399
    IPsec....400
proposals statement
    IKE....400
    IPsec....400
protocol statement
    applications....109
    IPsec....401
    nested applications....944
    PTSP....852
ptsp-rules statement....601

Q
queue-limit-percentage statement....724
queues statement....538

R
random-allocation statement....254
rate statement....634, 1140
reassemble-packets statement....1383
receive-options-packets statement....1140
receive-ttl-exceeded statement....1141
receive-window statement....436
reconnect statement....725
red-differential-delay statement....1289
redistribute-all-traffic statement
    aggregated Multiservices....286
redundancy-options statement....518, 635
reflexive | reverse statement....558
reject-all-commands-threshold statement....725
reject-new-calls-threshold statement....726
rejoin-timeout statement
    aggregated Multiservices....286
remote-address statement
    PTSP....853
remote-address-range statement
    PTSP....854
remote-gateway statement....401
remote-id statement....402
remote-port-range statement....854
remote-ports statement....855
remote-prefix-list statement
    PTSP....855
remotely-controlled statement....256
report-service-change statement....726
request-timestamp statement....727
request-uri statement....810
required-depth statement....1141
retransmit-interval statement....436
retry statement....1185
retry-delay statement....1185
reverse-manipulation statement....811
route statement....812
routing-destinations statement....813
routing-instance statement
    BGF....727
    RPM....1337
    tunnel....1383
routing-instances statement
    RPM....1337
rpc-program-number statement....110
rpm statement....1338
rtp statement....538, 728
rule statement
    AACL....968
    application identification....945
    BGF....729
    CoS....559
    IDS....311
    IPsec....403
    NAT....257
    PTSP....856, 857
    softwire....867, 885
    stateful firewall....129
rule-set statement
    AACL....969
    application identification....946
    BGF....729
    CoS....560
    IDS....312


    IPsec....404
    NAT....258
    PTSP....857
    softwire....885
    stateful firewall....130
run-length statement....1142

S
sample-once statement
    flow monitoring....1142
sampling statement
    flow monitoring....1146
sbc-utils statement....730, 814
secondary statement
    link services....518
    services PIC....635
secured-port-block-allocation statement....259
segmentation statement....731
send-notification-on-delay statement....732
server statement....1339
server-inactivity-timeout statement....1339
servers statement....815
service statement....636
service-change statement....733
service-change-type statement....734
service-class statement....816
service-domain statement....636
service-filter statement
    interfaces....637
service-interface statement....437, 601
    BGF....734
    border signaling gateway
        gateway....817
        service point....817
service-interface-pools statement....754
service-point statement....818
service-point-type statement....819
service-policies statement....819
service-port statement....1222
service-set statement....602, 637
service-state statement
    virtual BGF....735
    virtual interface in BGF....736
services statement
    BGF....736
    border signaling gateway....820
    CoS....560
    DFC....1223
    flow-monitoring....1146
    IDS....312
    interfaces....638
    IPsec....404
    L2TP....438
    NAT....260
    PTSP....858
    RPM....1340
    service sets....604
    stateful firewall....130
services-options statement....639
session-limit statement....313, 640
session-mirroring statement....737
session-timeout statement....948
session-trace statement....821
shared-key statement....1223
short-sequence statement....1290
signaling statement....822
signaling-realms statement
    border signaling gateway
        new transaction policy....823
signature statement
    nested applications....949
sip statement....561, 824
sip-call-hold-timeout statement....110
sip-header statement....827
sip-stack statement....829
size statement....1147
snmp-command statement....111
soft-limit statement....1224
soft-limit-clear statement....1224
softwire-concentrator statement....886
softwire-rules statement....886
source statement
    application identification rule....950
    encryption....1010
    tunnel....1385
source-address statement
    AACL....970
    BGF....737
    CoS....561
    flow monitoring....1148
    IDS....314
    IPsec....405
    NAT....260
    RPM....1340
    stateful firewall....131
    tunnel....1385


source-address-range statement
    AACL....970
    IDS....314
    NAT....261
    stateful firewall....131
source-addresses statement
    DFC....1225
source-pool statement....261
source-port statement
    BGF....738
    RPM....111
source-prefix statement....262, 315
source-prefix-ipv6 statement....315
source-prefix-list statement
    AACL....971
    CoS....562
    IDS....316
    NAT....262
    stateful firewall....132
spi statement....405
stamp statement....1148
state-loss statement....739
stateful-firewall-rules statement....606
statistics statement
    L-PDF....988
stop-detection-on-drop statement....739
support-uni-directional-traffic statement....950
sustained-data-rate statement....740
    gate in packet gateway....741
syn-cookie statement....316
syslog statement....147
    CoS....562
    flow monitoring....1149
    IDS....317
    interfaces....640
    IPsec....406
    L2TP....440
    NAT....263
    service sets....606
    stateful firewall....132

T
t391 statement....1290
t392 statement....1291
target statement....1341
tcp statement
    RPM....1341
tcp-mss statement....607
tcp-tickles statement....641
template statement
    flow monitoring....1150
template-refresh-rate statement....1152
term statement
    AACL....972
    border signaling gateway
        new call usage policy....831
        new transaction policy....832
        service-class....833
    CoS....563
    IDS....318
    IPsec....407
    NAT....264
    PTSP....860
    PTSP forward rule....859
    softwire....887
    stateful firewall....133
test statement
    RPM....1342
test-interval statement....1343
then statement
    AACL....973
    border signaling gateway
        new call usage policy....834
        new transaction policy....835
        service-class....836
    CoS....564
    IDS....320
    IPsec....408
    NAT....265
    PTSP....862
    PTSP forward rule....861
    stateful firewall....134
threshold statement....321
thresholds statement
    RPM....1344
timer-c statement....837
timers statement....837
timerx statement....742
tmax-retransmission-delay statement....742
traceoptions statement....838
    application identification....951
    BGF....743
    flow monitoring....1152
    IPsec....409
    L-PDF....989
    L2TP....441
    security....411
    services....608

1428

Copyright 2011, Juniper Networks, Inc.

Index of Statements and Commands

traffic-management statement.....................................744 transactions statement.....................................................839 transfer statement..............................................................1186 transfer-log-archive statement.....................................1186 translated statement.........................................................266 translated-port statement NAT...................................................................................266 transport statement NAT...................................................................................268 transport-details statement...........................................840 traps statement..................................................................1345 trigger-link-failure statement...........................................519 trusted-ca statement........................................................609 ttl statement DFC..................................................................................1225 tunnel.............................................................................1386 ttl-threshold statement.......................................................112 tunnel statement................................................................1387 encryption......................................................................1011 tunnel-group statement...................................................445 tunnel-mtu statement...............................................412, 610 tunnel-timeout statement...............................................446 tunnel-type statement....................................................1388 twamp statement..............................................................1346 twamp-server statement................................................1346 type statement.....................................................................952 type-of-service statement...............................................952

variant statement................................................................1187 version statement flow monitoring...........................................................1154 IKE......................................................................................412 version-ipfix statement......................................................1157 version9 statement.............................................................1155 video statement...................................................................564 virtual-interface statement...............................................747 virtual-interface-down statement.................................748 virtual-interface-indications statement......................749 virtual-interface-up statement.......................................749 voice statement....................................................................565

W
warm statement...................................................................750 warm-standby statement.................................................519 wired-process-mem-size statement............................148 world-readable statement flow monitoring...........................................................1158

Y
yellow-differential-delay statement...........................1293

U
udp statement RPM.................................................................................1347 unit statement aggregated Multiservices..........................................287 encryption......................................................................1012 flow monitoring...........................................................1153 interfaces........................................................................642 link services........................................................539, 1292 tunnel.............................................................................1389 up statement BGF....................................................................................745 url statement.........................................................................953 use-lower-case statement...............................................745 use-wildcard-response statement................................746 username statement flow collection..............................................................1187 uuid statement........................................................................112

V
v6rd statement....................................................................888
