Managing Subscriber Services

JUNOSe 11.0.x Broadband Access Configuration Guide

Summary of Contents for JUNOSE 11.0.X MULTICAST ROUTING

Page 1: ...r E Series Broadband Services Routers Broadband Access Configuration Guide Release 11 0 x Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale California 94089 USA 408 745 2000 www juniper net Pu...

Page 2: ...051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 578 186 and 6 590 785 JUNOSe Software for E Series Broadband Services Routers Broadband Access...

Page 3: ...alms devices links ports or transactions or require the purchase of separate licenses to use particular features functionalities services applications operations or capabilities or provide throughput...

Page 4: ...n connection with such withholding taxes by promptly providing Juniper with valid tax receipts and other required documentation showing Customer s payment of any withholding taxes completing appropria...

Page 5: ...nted to in writing by the party to be charged If any portion of this Agreement is held invalid the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement T...

Page 6: ...vi...

Page 7: ...itoring RADIUS 297 Chapter 9 Configuring TACACS 311 Chapter 10 Monitoring TACACS 323 Part 3 Managing L2TP Chapter 11 L2TP Overview 329 Chapter 12 Configuring an L2TP LAC 337 Chapter 13 Configuring an...

Page 8: ...criber Management 593 Chapter 25 Configuring Subscriber Interfaces 597 Chapter 26 Monitoring Subscriber Interfaces 629 Part 6 Managing Subscriber Services Chapter 27 Configuring Service Manager 635 Ch...

Page 9: ...ons 5 B RAS Protocol Support 5 Remote Access References 6 Before You Configure B RAS 6 Remote Access Configuration Tasks 6 Configuring a B RAS License 7 Mapping a User Domain Name to a Virtual Router...

Page 10: ...nd 41 Using the aaa local username Command 41 Assigning a Local User Database to a Virtual Router 42 Enabling Local Authentication on the Virtual Router 42 Configuration Commands 43 Local Authenticati...

Page 11: ...nfiguring the SRC Client 94 DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview 101 DHCPv6 Prefix Delegation Example 103 Order of Preference in Determining the Local Address Pool for A...

Page 12: ...134 Monitoring Local Address Pool Aliases 136 Monitoring Local Address Pools 136 Monitoring Local Address Pool Statistics 138 Monitoring Shared Local Address Pools 138 Monitoring the Routing Table 139...

Page 13: ...ETF Attributes 185 4 NAS IP Address 185 5 NAS Port 186 8 Framed IP Address 189 9 Framed Ip Netmask 189 13 Framed Compression 190 25 Class 190 30 Called Station Id 191 31 Calling Station Id 191 32 NAS...

Page 14: ...26 56 DHCP MAC Address 222 26 57 DHCP GI Address 222 26 62 MLPPP Bundle Name 223 26 63 Interface Desc 223 26 81 L2C Information 224 26 92 L2C Up Stream Data 224 26 93 L2C Down Stream Data 225 26 129...

Page 15: ...er 245 RADIUS Relay Server Overview 245 RADIUS Relay Server Platform Considerations 246 RADIUS Relay Server References 246 How RADIUS Relay Server Works 246 Authentication and Addressing 247 Accountin...

Page 16: ...RADIUS Dynamic Request Server Statistics 305 Monitoring the Configuration of the RADIUS Dynamic Request Server 306 Setting a Baseline for RADIUS Relay Statistics 307 Monitoring RADIUS Relay Server Sta...

Page 17: ...the Router 340 Preventing Creation of New Tunnels and Sessions at a Destination 341 Preventing Creation of New Sessions for a Tunnel 341 Specifying a Drain Timeout for a Disconnected Tunnel 341 Shutti...

Page 18: ...ing 376 Selecting Tunnel Service Modules for LNS Sessions Using MLPPP 376 Assigning Bundled Group Identifiers 377 Overriding All Endpoint Discriminators 378 Enabling Tunnel Switching 378 Creating Pers...

Page 19: ...r Dynamic Speed Timeout 398 Advisory Speed Precedence for VLANs over Bridged Ethernet 398 Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method 398 Using AAA Tunnel Groups t...

Page 20: ...onnection 435 Monitoring Detailed Configuration Information about Specified Sessions 436 Monitoring Configured and Operational Summary Status 437 Monitoring Configured Switch Profiles on Router 438 Mo...

Page 21: ...ith the Same Client ID or Hardware Address 474 Logging Out DHCP Local Server Subscribers 475 Clearing an IP DHCP Local Server Binding 476 Using SNMP Traps to Monitor DHCP Local Server Events 476 Using...

Page 22: ...dhcp relay agent sub option Command to Enable Option 82 Suboption Support 505 Configuration Example Using DHCP Relay Option 82 to Pass IEEE 802 1p Values to DHCP Servers 507 Using the set dhcp relay...

Page 23: ...n 540 Monitoring DHCP Binding Host Information 542 Monitoring DHCP Bindings Displaying IP Address to MAC Address Bindings 544 Monitoring DHCP Bindings Displaying DHCP Bindings Based on Binding ID 545...

Page 24: ...Identifier and No Circuit Type 589 Username with VLAN Circuit Identifier and Circuit Type 590 Username with MAC Address 590 Chapter 24 Monitoring Subscriber Management 593 Monitoring IP Service Profil...

Page 25: ...faces 616 Configuring Dynamic Subscriber Interfaces over Ethernet 616 Configuring Dynamic Subscriber Interfaces over VLANs 617 Configuring Dynamic Subscriber Interfaces over Bridged Ethernet 618 Confi...

Page 26: ...to Deactivate Service Sessions 659 Setting Thresholds 659 Using the Deactivate Service Attribute 660 Using Mutex Groups to Activate and Deactivate Subscriber Services 661 Activating and Deactivating M...

Page 27: ...696 Chapter 28 Monitoring Service Manager 701 Setting a Baseline for HTTP Local Server Statistics 701 Monitoring the Connections to the HTTP Local Server 702 Monitoring the Configuration of the HTTP L...

Page 28: ...xxviii Table of Contents JUNOSe 11 0 x Broadband Access Configuration Guide...

Page 29: ...ing the E Series Router as an LAC 330 Figure 8 Using the E Series Router as an LNS 330 Chapter 12 Configuring an L2TP LAC 337 Figure 9 Lockout States 361 Chapter 14 Configuring L2TP Dial Out 405 Figur...

Page 30: ...tion 617 Figure 25 IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration 618 Figure 26 IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration 619 Figure 27 GRE Tu...

Page 31: ...Fields 119 Table 15 show aaa route download Output Fields 120 Table 16 show aaa route download routes Output Fields 122 Table 17 show aaa route download routes global Output Fields 124 Table 18 show...

Page 32: ...ss Request Attributes 247 Table 48 Required RADIUS Accounting Attributes 248 Chapter 6 RADIUS Attribute Descriptions 253 Table 49 RADIUS IETF Attributes Supported by JUNOSe Software 253 Table 50 Junip...

Page 33: ...ers Output Fields 426 Table 83 show l2tp Output Fields 428 Table 84 show l2tp destination Output Fields 430 Table 85 show l2tp destination lockout Output Fields 431 Table 86 show l2tp destination prof...

Page 34: ...p relay proxy statistics Output Fields 562 Table 122 show dhcp relay statistics Output Fields 564 Table 123 show dhcp server statistics Output Fields 566 Table 124 show dhcp server Output Fields 567 T...

Page 35: ...hapter 28 Monitoring Service Manager 701 Table 152 show ip http scalar Output Fields 702 Table 153 show ip http server Output Fields 703 Table 154 show ip http statistics Output Fields 704 Table 155 s...

Page 36: ...xxxvi List of Tables JUNOSe 11 0 x Broadband Access Configuration Guide...

Page 37: ...mation in the latest release notes differs from the information in the documentation follow the JUNOSe Release Notes To obtain the most current version of all Juniper Networks technical documentation...

Page 38: ...2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents information as displayed on your terminal s screen Fixed width text like this There are two levels of a...

Page 39: ...are CDs and at http www juniper net Documentation Feedback We encourage you to provide feedback comments and suggestions so that we can improve the documentation to better meet your needs Send your co...

Page 40: ...e notes http www juniper net customers csc software Search technical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Network...

Page 41: ...Part 1 Managing Remote Access Configuring Remote Access on page 3 Monitoring and Troubleshooting Remote Access on page 109 Managing Remote Access 1...

Page 42: ...2 Managing Remote Access JUNOSe 11 0 x Broadband Access Configuration Guide...

Page 43: ...g Local Authentication Servers on page 40 Configuring Tunnel Subscriber Authentication on page 50 Configuring Name Server Addresses on page 51 Configuring Local Address Servers on page 54 Configuring...

Page 44: ...aded to the router over an ATM connection via a DS3 OC3 E3 or OC12 link The router provides the logical termination for PPP sessions as well as the interface to authentication and accounting systems B...

Page 45: ...k services to different users Accounting Tracks what the user did and when they did it You can use accounting for an audit trail or for billing for connection time or resources used Central management...

Page 46: ...Refer to the Release Notes corresponding to your software release for information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers Bef...

Page 47: ...or port 16 Optional Set up the router to notify RADIUS when a user fails AAA 17 Optional Configure a RADIUS download server on the router 18 Optional Configure the Session and Resource Control SRC cl...

Page 48: ...dialog box When the router is configured to require authentication of a PPP user the router checks for the appropriate user domain name to virtual router mapping If it finds a match the router sends...

Page 49: ...the LNS Also the phone number configured in the aaa domain map command must be an exact match to the value passed by L2TP in the called number AVP AVP 21 For example as specified in the following seq...

Page 50: ...ntication of PPP sessions This address is included in the Access Request sent to the authentication server as an IP address hint aaa domain map Use to map a user domain name to a virtual router or a l...

Page 51: ...main map ipv6 router name vroutv6 Use the no version to delete the entry See ipv6 router name local interface Use to map a user domain name to a loopback interface The local interface identifies the i...

Page 52: ...e router searches for the domain name or the realm name To provide these features the router allows you to specify delimiters for the domain name and realm name You can use up to eight one character d...

Page 53: ...cifying the Domain Name or Realm Name Parse Direction You can specify the direction either left to right or right to left in which the router performs the parsing operation when identifying the realm...

Page 54: ...Example host1 config aaa delimiter domainName Use the no version to return to the default See aaa delimiter aaa parse direction Use to specify the direction the router uses to parse the username for...

Page 55: ...bc com the domain name is usEast If no realm name is found the router searches for a domain name Example host1 config aaa parse order domain first Use the no version to return to the default realm fir...

Page 56: ...e Name for Users from a Domain Assigning a single username and a single password for all users associated with a domain provides better compatibility with some RADIUS servers You can use this feature...

Page 57: ...host1 config aaa domain map xyz com host1 config domain map Use the no version to delete the map entry See aaa domain map override user Use to specify a single username and single password for all use...

Page 58: ...ed For example suppose that you have configured the following authentication servers Auth1 Auth2 Auth3 Auth4 and Auth5 Your router attempts to send an authentication request to Auth1 If Auth1 is unava...

Page 59: ...Routers ERX310 ERX710 ERX1410 and E120 Broadband Services Routers RADIUS Request Type 50000 50124 50000 50124 RADIUS authentication 50125 50499 50125 50249 RADIUS accounting 50500 50624 50250 50374 R...

Page 60: ...PPP and an external RADIUS authentication server The JUNOSe software s AAA service accepts and passes EAP messages between the JUNOSe application and the router s internal RADIUS authentication serve...

Page 61: ...If you have enabled duplicate or broadcast accounting the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context Duplicate and Broadca...

Page 62: ...ters in the group host1 vr group config aaa virtual router 1 vrXyz1 host1 vr group config aaa virtual router 2 vrXyz2 host1 vr group config aaa virtual router 3 vrXyz3 host1 vr group config exit host1...

Page 63: ...ers you can configure depends on available memory The router has an embedded RADIUS client for authentication and accounting NOTE You can configure B RAS with RADIUS accounting but without RADIUS...

Page 64: ...al Enable duplicate address checking host1 config aaa duplicate address check enable 10 Optional Specify that duplicate accounting records be sent to the accounting server for a virtual router host1 c...

Page 65: ...aa accounting broadcast westVrGroup38 host1 vrSouth25 config exit Use the no version to disable the AAA broadcast accounting See aaa accounting broadcast aaa accounting default Use to specify the acco...

Page 66: ...s be sent to the accounting server on another virtual router Example host1 config aaa accounting duplication routerBoston Use the no version to disable the feature See aaa accounting duplication aaa a...

Page 67: ...to collect only the uptime status of the sessions Collecting only uptime information is more efficient because less data is sent to AAA Example host1 config aaa accounting statistics time Use the no v...

Page 68: ...s of authentication used in the order specified For example radius none specifies that RADIUS authentication is initially used however if RADIUS servers are not available users are granted access with...

Page 69: ...which turns off interim user accounting when no value is specified in the RADIUS Acct Interim Interval attribute See aaa user accounting interval aaa virtual router Use to add virtual routers to a vir...

Page 70: ...available To turn off the deadtime mechanism specify a value of 0 Example host1 config radius authentication server 10 10 0 1 host1 config radius deadtime 10 Use the no version to set the time to the...

Page 71: ...ystem Maximums The same IP address can be used for both an authentication and accounting server but not for multiple servers of the same type The router uses different UDP ports for authentication ser...

Page 72: ...of the show radius servers command see Monitoring RADIUS Server Information on page 141 Example host1 config radius algorithm round robin Use the no version to set the algorithm to the default direct...

Page 73: ...ect Tunnel Link Start Tunnel Link Stop and Tunnel Link Reject as described in RFC 2867 Your router supports tunnel accounting for the L2TP LAC and LNS Example host1 config radius tunnel accounting ena...

Page 74: ...verify RADIUS authentication and accounting and IP address assignment setup You must specify either a PPP or Multilink PPP MLPPP user PPP indicates a regular PPP user MLPPP simulates Multilink PPP so...

Page 75: ...NOTE When a RADIUS server times out or when it has no available RADIUS identifier values the router removes the RADIUS server from the list of available servers for a period of time The router restore...

Page 76: ...US client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires if configured or for 3 minutes if deadtime is not configured The E Series RADIU...

Page 77: ...ess Request messages host1 config radius trap auth server not responding enable 2 Optional Enable SNMP traps when all of the configured RADIUS authentication servers on a VR fail to respond to Access...

Page 78: ...Use to enable or disable SNMP traps when a particular RADIUS accounting server fails to respond to a RADIUS accounting request The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable E...

Page 79: ...ius trap auth server responding radius trap no acct server responding Use to enable or disable SNMP traps when all of the configured RADIUS accounting servers per VR fail to respond to a RADIUS accoun...

Page 80: ...d by the virtual router Creating Local User Databases When a subscriber connects to an E Series router that is using local authentication the local authentication server uses the entries in the local...

Page 81: ...ers are not supported in the username command However after the user is added to the default local user database you can use the aaa local username command with a database name default to enter Local...

Page 82: ...hentication when the subscriber connects to the E Series router Use the following commands in Global Configuration mode NOTE If you do not specify a local user database the virtual router selects the...

Page 83: ...aaa authentication ppp default local radius Use the no version to restore the default authentication method of radius See aaa authentication default aaa local database Use to create a local user datab...

Page 84: ...username ip address Use to specify the IP address parameter for a user entry in the local user database The address is negotiated with the subscriber after the subscriber is authenticated Example hos...

Page 85: ...al user database The password is used to authenticate a subscriber and is encrypted by means of a two way encryption algorithm NOTE CHAP authentication requires that passwords and secrets be stored in...

Page 86: ...gure a user entry and optional password or secret in the default local user database This command creates the database if it does not already exist Optionally specify a password or secret that is assi...

Page 87: ...create the AAA local authentication environment host1 config aaa local database westfordLocal40 host1 config aaa local username btjones database westfordLocal40 host1 config local user secret 38schil...

Page 88: ...rds to show the configured users and their parameters The password for username cksmith is displayed unencrypted because the default setting of disabled or no for the service password encryption comma...

Page 89: ...aaa local username btjones database westfordLocal40 secret 5 9s7 4N WK2 2 6 operational virtual router boston2 no ip address ip address pool addressPoolA aaa local username maryrdavis database westfo...

Page 90: ...out sending access requests to the configured RADIUS server Because of this behavior these subscribers cannot get any additional control attributes from the authentication server This reduces your abi...

Page 91: ...PPP Internet Protocol Control Protocol IPCP specifically the remote client may request the DNS and WINS server IP addresses If the IP addresses passed to the router by the remote PC client are differe...

Page 92: ...PP clients and not for domain name server resolution aaa dns primary Use to specify the IP address of the DNS primary name server Example host1 config aaa dns primary 10 10 10 5 Use the no version to...

Page 93: ...2 Specify the IP address of the WINS secondary name server host1 config aaa wins secondary 192 168 10 40 NOTE The router uses name server addresses exclusively for PPP clients and not for domain name...

Page 94: ...f IP addresses that are available for allocation and used by clients such as PPP sessions Figure 1 Local Address Pool Hierarchy Local Address Pool Ranges As shown in Figure 1 on page 54 each local add...

Page 95: ...ols within the same virtual router The addresses are configured and managed within DHCP Therefore thresholds are not configured on the shared pool but are instead managed by the referenced DHCP local...

Page 96: ...the local address server to signal SNMP traps when certain conditions exist These thresholds include high utilization threshold and abated utilization threshold If a pool s outstanding addresses exce...

Page 97: ..._LAS_Pool_A DHCP_Pool_1 Delete a shared local address pool host1 config no ip local shared pool Shared_LAS_Pool_C Set SNMP variables by specifying an existing pool name and values host1 config ip loca...

Page 98: ...ls The backup pool name is a character string up to 16 characters long Example host1 config aaa domain map westford com host1 config domain map backup address pool name backup_poolB Use the no version...

Page 99: ...all ranges or the specified range See ip local pool ip local pool snmpTrap Use to enable SNMP pool utilization traps Example host 1 config ip local pool addr_test snmpTrap Use the no version to disabl...

Page 100: ...ss Accept message takes priority over the local prefix pool name configured for the domain map If the pool name or prefix is not present in the RADIUS Access Accept message the IPv6 local address pool...

Page 101: ...s per ATM Subinterface Configure an ATM interface by entering Configuration mode and performing the following tasks For more information about configuring ATM interfaces see JUNOSe Link Layer Configur...

Page 102: ...nfiguring ATM interfaces see JUNOSe Link Layer Configuration Guide 1 Configure a physical interface host1 config interface atm 0 1 2 Configure the subinterface host1 config if interface atm 0 1 20 3 C...

Page 103: ...Once you create an AAA profile you can map it between a PPP client s domain name and certain AAA services on given interfaces Using AAA profiles you can Allow or deny a domain name access to AAA authe...

Page 104: ...e administrator wants to restrict access of a PPP interface to the specific domain abc com 1 Create an AAA profile host1 config aaa profile restrictToABC 2 Specify the domain name you want to allow ho...

Page 105: ...is example an administrator wants to associate all subscribers of a PPP interface with a specific domain name 1 Create an AAA profile host1 config aaa profile forwardToXyz 2 Map the original domain na...

Page 106: ...specific domain name and not allow other domain names 1 Create an AAA profile host1 config aaa profile toAbc 2 Map the original domain name to the mapped domain name for domain map lookup host1 confi...

Page 107: ...ontinues processing as if there were no AAA profile aaa profile Use to configure a new AAA profile Example host1 config aaa profile boston123 Use the no version to delete the AAA profile See aaa profi...

Page 108: ...gned NOTE Although an AAA profile and an interface profile have similar functionality they are not related and should be treated differently Example host1 config if ppp aaa profile westford24 Use the...

Page 109: ...faces host1 config aaa profile nas port type ethernet wireless cable aaa profile Use to create and configure a AAA profile Example host1 config aaa profile nasPortType Use the no version to delete the...

Page 110: ...1 wireless cdma Wireless CDMA wireless other wireless umts Wireless UMTS Example host1 config aaa profile nas port type ethernet wireless 80211 Use the no version to remove the NAS Port Type setting f...

Page 111: ...access routes before they are assigned to clients Using the route download server helps eliminate routing protocol storms and other delays in client service activation that can be caused by protocol c...

Page 112: ...route download server is enabled as soon as IP is established in the virtual router in which the download is performed After the initial route download process is established the router repeats the ro...

Page 113: ...ry interval 25 password dl1456atl synchronization 03 45 00 4 Optional Verify your route download configuration host1 config exit host1 show aaa route download AAA Route Downloader configured in virtua...

Page 114: ...sed in RADIUS Access Request messages for route download requests You can specify from 1 through 32 alphanumeric characters The default password is juniper synchronization The time that the server sta...

Page 115: ...outes that you want cleared in the routing table of the current virtual router or in the specified VRF Use the wildcard character to clear all downloaded routes in the routing table of the current vir...

Page 116: ...eature enables service providers to track subscribers on the basis of a virtual port known as the logical line ID LLID The LLID is an alphanumeric string that logically identifies a subscriber line Th...

Page 117: ...he LLID to the router in the Calling Station Id RADIUS attribute 31 of an Access Accept message The router ignores any RADIUS attributes other than the Calling Station Id that are returned in the prea...

Page 118: ...r for example atm 4 1 104 2 104 NAS Port Id 87 The use of radius commands such as radius calling station format or radius override calling station id to control or change the inclusion of these attrib...

Page 119: ...the Router to Obtain the LLID for a Subscriber To configure the router to obtain the LLID for a subscriber 1 Create an AAA profile that supports subscriber preauthentication host1 config aaa profile p...

Page 120: ...istics command For information see Setting Baselines for Remote Access on page 110 aaa profile Use to configure a new AAA profile Example host1 config aaa profile boston123 Use the no version to delet...

Page 121: ...authenticate radius pre authentication server Use to specify the IP address of a RADIUS preauthentication server This command accesses RADIUS Configuration mode from which you can configure additiona...

Page 122: ...collected on input Ingress Statistics integer 0 disable 1 enable 6 13 12 26 Indicates whether statistics are collected on output Egress Statistics string qos profile name sublen 26 len 26 Specifies t...

Page 123: ...RADIUS appear in RADIUS Acct Start messages RADIUS attributes specified by a profile for dynamic interfaces do not appear in RADIUS Acct Start messages because the profile is not active when the Acct...

Page 124: ...e Cause attribute these mappings enable you to provide different information about the cause of a termination When a subscriber s L2TP or PPP session is terminated the router logs a message for the in...

Page 125: ...low threshold for example the bandwidth on demand algorithm determined that the port was no longer needed Port Unneeded 12 NAS ended the session to allocate the port to a higher priority use Port Pree...

Page 126: ...eer 17 ppp authenticate inactivity ti authenticate inactivity ti 4 meout meout More 3 Optional Display all PPP terminate reasons host1 config terminate code ppp authenticate authenticator timeout Conf...

Page 127: ...ude acct terminate cause acct off disable Use the no version to restore the default enable See radius include terminate code Use to configure a customized mapping relationship between an application s...

Page 128: ...timeout is useful for networks in which the PPP keepalive timer is disabled for wireless subscribers Without the keepalive timer the router cannot detect whether a wireless subscriber has been discon...

Page 129: ...timeout is reached the router terminates the user session Example 1 Sets the idle timeout to 1200 seconds and enables the router to monitor only ingress traffic for this idle timeout period to determi...

Page 130: ...ls AAA aaa accounting acct stop on aaa failure Use to cause the router to send an Acct Stop message if a user fails AAA but RADIUS grants access Example host1 vr17 config aaa accounting acct stop on a...

Page 131: ...Access Accept message was used for DHCPv6 Prefix Delegation In this release you can control the RADIUS IETF attribute or VSA to be used for IPv6 Neighbor Discovery router advertisements and DHCPv6 Pre...

Page 132: ...ix Propagation of LAG Subscriber Information to AAA and RADIUS The RADIUS application sends the link aggregation group LAG interface ID to the RADIUS server when the subscriber is connected over LAG i...

Page 133: ...ribute The radius nas port format radius vlan nas port format stacked and radius pppoe nas port format commands do not affect the value of the Nas Port attribute 87 Nas Port Id The radius override nas...

Page 134: ...are functions as the COPS server or policy decision point PDP Table 10 on page 94 provides common terms used in the COPS environment Table 10 SRC Client and COPS Terminology Description Term Common Op...

Page 135: ...ed in bulk for example an entire QoS configuration or in smaller segments for example updating a marking filter The following list shows the interaction between the PEP and the PDP during the COPS PR...

Page 136: ...ware and the SRC client use Previously you disabled the SRC client and reenabled it to start synchronization The disabling of the SRC client s COPS support was undesirable for the applications that re...

Page 137: ...and QoS configuration support for L2TP interfaces on an L2TP access concentrator LAC host1 config sscc protocol lac 5 Optional Specify on which router the TCP COPS connection is to be established host...

Page 138: ...QoS configuration on IPv6 interfaces The IPv6 support is in addition to the default IPv4 support Example host1 config sscc protocol ipv6 Use the no version to disable IPv6 support on the SRC client S...

Page 139: ...he SRC client See sscc protocol lac sscc restart Use to force the router to restart a COPS connection to and resynchronize with the SRC software without removing the SRC client The no sscc enable cops...

Page 140: ...ddress If you do not specify a source address the TCP COPS connection is not bound to a specific source that is local address Example host1 config sscc sourceAddress 10 9 123 8 Use the no version to r...

Page 141: ...s in networks that use DHCPv6 These pools can be used to assign prefixes from a delegating router which is an E Series router configured as a DHCPv6 local server to the requesting router which is the...

Page 142: ...local pool The DNS server addresses are returned to the client in DHCPv6 responses as part of the DNS Recursive Name Server option You can configure a list of up to four domain names in an IPv6 local...

Page 143: ...er After the IPv6 link is formed between CPE1 and PE1 and the IPv6 link local address is created CPE1 requests and obtains prefixes that are shorter than 64 usually of length 48 from PE1 CPE1 is conne...

Page 144: ...IETF attribute 97 Delegated IPv6 Prefix RADIUS IETF attribute 123 Framed IPv6 Pool RADIUS IETF attribute 100 If any of the first three attributes are returned then the prefix contained in those attrib...

Page 145: ...2 32 48 In this case the starting and ending prefixes of the range are implicitly specified In this example the start of the range is 2002 2002 48 and the end of the range is 2002 2002 ffff 48 All pre...

Page 146: ...pool and on the DHCPv6 local server the values configured in the IPv6 local pool take precedence 6 Specify the name of a DNS domain in the IPv6 local pool to be returned to clients in the DHCPv6 respo...

Page 147: ...ld of the output of the following show ipv6 local pool largePrefixRange and show ipv6 local pool commands indicates the number of prefixes that can be allocated to DHCPv6 clients 1048756 host1 show ip...

Page 148: ...e IPv6 Local Pool Configuration mode host1 config ipv6 local pool example host1 config v6 local prefix 4004 4004 32 48 host1 config v6 local exclude prefix 4004 4004 48 host1 config v6 local exit Crea...

Page 149: ...g Routing Table Address Lookup on page 118 Monitoring the AAA Model on page 118 Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers on page 118 Monitoring AAA Profile Configurat...

Page 150: ...nitoring RADIUS Server IP Addresses on page 147 Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements on page 148 Monitoring the RADIUS Attribute Used for DHCPv6 Prefi...

Page 151: ...baseline aaa command host1 baseline aaa There is no no version Setting a Baseline for AAA Route Downloads Purpose Set a baseline for route downloads Action Issue the baseline aaa route download comman...

Page 152: ...se the following commands show ppp interface summary show ppp interface selective control For details on the show ppp commands see JUNOSe Link Layer Configuration Guide You can use the output filterin...

Page 153: ...ounting records are sent to the accounting server Broadcast accounting Enabled disabled send acct stop on AAA access deny Enabled disabled send acct stop on authentication server access deny Number of...

Page 154: ...splay the names of a specific virtual router group or of all virtual router groups configured on the router Display the virtual routers making up the groups host1 show aaa accounting vr group vr group...

Page 155: ...se direction configured on the router Action To display the domain and realm name delimiters parse order and parse direction configured on the router host1 show aaa delimiters domain delimiters realm...

Page 156: ...mapped router name Name of the tunnel group assigned to the domain map tunnel group IPv6 virtual router to which user domain name is mapped ipv6 router name Interface information to use on the local E...

Page 157: ...r which is indicated by system chooses Tunnel RWS Name of the virtual router to map to the user domain name Tunnel Virtual Router L2TP peer resynchronization method Tunnel Failover Resync Name of the...

Page 158: ...a duplicate address check Monitoring the AAA Model Purpose Display the AAA model Action To display the AAA model host1 show aaa model aaa model old model Related Topics show aaa model Monitoring IP Ad...

Page 159: ...command output fields Table 14 show aaa profile Output Fields Field Description Field Name Configuration of NAS Port Type attribute for ATM interfaces atm nas port type Configuration of NAS Port Type...

Page 160: ...d Success TUE DEC 19 22 46 47 2006 Last Regular Download complete Next Download Scheduled WED DEC 20 10 46 47 2006 Next Regular Download WED DEC 20 10 46 47 2006 To display information about the RADIU...

Page 161: ...ER or the day date and time of attempt Last Download Attempt Either NEVER or the day date and time of success Last Download Success Status of last regular download either complete or not complete Last...

Page 162: ...255 255 254 2 null0 0 192 168 1 9 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 13 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 17 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 21...

Page 163: ...fy the first router context that you want to display in the output For example aaa a2 specifies that the display shows a list of router contexts starting with VRF a2 in virtual router aaa Action To di...

Page 164: ...192 168 40 7 32 Access P 255 255 255 255 0 2 null0 0 default d1 n 192 168 40 8 32 Access P 255 255 255 255 0 2 null0 0 default d1 n 192 168 40 9 32 Access P 255 255 255 255 0 2 null0 0 To specify the...

Page 165: ...equests 109 incoming disconnect requests 7 outgoing grant tunnel responses 3 outgoing grant responses 6 outgoing deny responses 0 outgoing error responses 0 outgoing Authentication requests 9 incoming...

Page 166: ...ing Re Authentication responses Number of preauthentication requests from AAA to the preauthentication task outgoing Pre Authentication requests Number of preauthentication responses from the preauthe...

Page 167: ...ubscriber Port Limits Port Limit 0 2 5 0 3 2 3 2 2 Related Topics show aaa subscriber per port limit Monitoring the Maximum Number of Active Subscribers Per Virtual Router Purpose Display the maximum...

Page 168: ...guration Guide Action To display the virtual router groups that are configured for AAA broadcast accounting host1 show configuration category aaa global attributes Configuration script being generated...

Page 169: ...for local authentication For additional information about the show configuration command see JUNOSe System Basics Configuration Guide Action To display the configuration information for AAA local aut...

Page 170: ...router virtual router Related Topics show configuration category aaa local authentication Monitoring AAA Server Attributes Purpose Display status of the attributes on the AAA server including AAA acc...

Page 171: ...tual router isp no aaa accounting duplication no aaa accounting broadcast aaa duplicate address check enable aaa accounting acct stop on aaa failure enable aaa accounting acct stop on access deny disa...

Page 172: ...n Purpose Display information about the COPS layer over which the SRC connection is made Action To display information about the COPS layer over which the SRC connection is made host1 show cops info G...

Page 173: ...ess of the remote peer Remote IP Address TCP port number of the remote peer Remote TCP Port Type of client for the session For this release the client type must be 16640 SRC client Client Type Number o...

Page 174: ...COPS layer over which the SRC connection is made Action To display statistics about the COPS layer host1 show cops statistics General Cops Information Sessions Created 0 Sessions Deleted 0 Current Se...

Page 175: ...umber of bytes received for this COPS session Bytes Received Number of packets received for this COPS session Packets Received Number of bytes sent on this COPS session Bytes Sent Number of packets se...

Page 176: ...al alias Alias Pool alias1 poolA alias2 poolB alias3 poolC poolA poolD poolB poolD poolC poolD Meaning Table 24 on page 136 lists the show ip local alias command output fields Table 24 show ip local a...

Page 177: ...0 10 2 2 1 10 2 2 10 10 0 High Abated Pool Thresh Thresh Trap Group poolC 85 75 N Aliases alias3 In Begin End Free Use 10 3 1 1 10 3 1 10 10 0 High Abated Pool Thresh Thresh Trap Group poolD 85 75 N...

Page 178: ...tistics Purpose Display local address pool statistics Use the optional delta keyword to specify that baselined statistics are to be shown Action To display local address pool statistics host1 show ip...

Page 179: ...Protocol Route type codes I1 ISIS level 1 I2 ISIS level2 I route type intra IA route type inter E route type external i metric type internal e metric type external P periodic download O OSPF E1 extern...

Page 180: ...radius algorithm Monitoring RADIUS Override Settings Purpose Display the current RADIUS override settings Action To display the RADIUS override settings host1 vrXyz7 show radius override nas ip addr...

Page 181: ...Related Topics show radius rollover on reject Monitoring RADIUS Server Information Purpose Display RADIUS server information Use with the optional accounting authentication dynamic request route down...

Page 182: ...radius alive Meaning Table 28 on page 142 lists the show radius servers command output fields Table 28 show radius servers Output Fields Field Description Field Name IP address of RADIUS server IP Ad...

Page 183: ...rver is accessed using the round robin algorithm Status Related Topics show radius servers Monitoring RADIUS Services Statistics Purpose Use to display statistics for RADIUS services Use with the opti...

Page 184: ...show radius pre authentication statistics RADIUS Pre Authentication Statistics Statistic 172 28 30 117 UDP Port 1812 Round Trip Time 0 Access Requests 2809 Rollover Requests 0 Retransmissions 56 Acces...

Page 185: ...mber of retransmissions Retransmissions Number of Access Accepts received from the server Access Accepts Number of Access Rejects received from the server Access Rejects Number of access challenges re...

Page 186: ...accounting requests Interim Requests Number of accounting stop requests sent includes Acct Off Acct Stop Acct Link Stop and Acct Tunnel Stop requests Stop Requests Number of accounting reject requests...

Page 187: ...tatus for RADIUS accounting for L2TP tunnels Action To display RADIUS accounting for L2TP tunnels host1 show radius tunnel accounting disabled Meaning RADIUS accounting is either enabled or disabled R...

Page 188: ...used for DHCPv6 Prefix Delegation Action To display the RADIUS attribute used for DHCPv6 Prefix Delegation host1 show aaa dhcpv6 delegated prefix DHCPv6 Delegated Prefix Framed IPv6 Prefix Related To...

Page 189: ...s 0 Create Addresses Sent 0 Delete Addresses Sent 0 Authentication Successes 0 Authentication Failures 0 Meaning Table 30 on page 149 lists the show sscc info command output fields Table 30 show sscc...

Page 190: ...ly Number of connections that were closed by the remote SAE Create Interfaces sent Number of create interface indications sent to the SAE Delete Interfaces sent Number of delete interface indications...

Page 191: ...ddresses 3274 Address Transitions 3280 Create Addresses Sent 3277 Delete Addresses Sent 3 Meaning Table 31 on page 151 lists the show sscc statistics command output fields Table 31 show sscc statistic...

Page 192: ...from the SAE Synchronizes received Number of synchronization complete indications sent Synchronize Complete sent Number of internal errors Internal Errors Number of errors with lower layer communicati...

Page 193: ...en the aaa intf desc format include sub intf enable command has been issued the subinterface is included in the subscriber s interface field at login and is displayed in the output When the aaa intf d...

Page 194: ...host1 show subscribers interface ethernet 5 2 Subscriber List Virtual User Name Type Addr Endpt Router bert tst 192 168 10 3 user default User Name Interface bert FastEthernet 5 2 4 User Name Login Ti...

Page 195: ...scribers summary Virtual Router Subscribers Ppp Ip Tnl Total default 1 1 0 0 1 Total Subscribers 10 chassis wide total Peak Subscribers 15 chassis wide total To display the number of subscribers on ea...

Page 196: ...ds Table 32 show subscribers Output Fields Field Description Field Name Name of the subscriber User Name Type of subscriber atm ip ipsec ppp tnl tunnel tst test Type IP or IPv6 address and source of t...

Page 197: ...nName command ICR Partition location id Number of subscribers Count Number of slot in the chassis Slot Related Topics show subscribers Monitoring Application Terminate Reason Mappings Purpose Display...

Page 198: ...reasons This example uses aaa as the application host1 config run show terminate code aaa Radius Apps Terminate Reason Description Code aaa deny server not available deny server not available 17 aaa d...

Page 199: ...number of prefixes that can be allocated to clients and the number of prefixes that are in use by clients Action To display information about all the IPv6 local address pools configured on a virtual r...

Page 200: ...ation for a specific IPv6 local address pool host1 show ipv6 local pool example Pool example Utilization 24 Start End Total In Use Exclude Util Preferred Valid Lifetime Lifetime 4004 4004 48 4004 4004...

Page 201: ...time Prefix length or prefix range excluded from allocation to the requesting router Exclude Percentage of prefixes currently allocated to clients from a particular prefix range in the pool Util List...

Page 202: ...ents from the local address pool Allocations Number of errors encountered during the allocation of prefixes Allocation Errors Number of prefixes released back to the pool Releases Number of errors enc...

Page 203: ...DIUS Dynamic Request Server on page 235 Configuring RADIUS Relay Server on page 245 RADIUS Attribute Descriptions on page 253 Application Terminate Reasons on page 273 Monitoring RADIUS on page 297 Co...

Page 204: ...164 Managing RADIUS and TACACS JUNOSe 11 0 x Broadband Access Configuration Guide...

Page 205: ...s running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server You can access the RADIUS server through either a subscriber line or the CLI...

Page 206: ...ing Tracks service use by subscribers RADIUS Attributes JUNOSe software supports the RADIUS attributes and vendor specific attributes VSAs listed in this chapter These attributes define specific authe...

Page 207: ...es When an application requests user authentication the request must have certain authenticating attributes such as a user s name password and the particular type of service the user is requesting Thi...

Page 208: ...eout used for EAP request packets Table 37 on page 168 lists the RADIUS IETF attributes supported for Access Request Access Accept Access Reject CoA Request and Disconnect Request messages Table 37 AA...

Page 209: ...ifier 32 Proxy State 33 Acct Session Id 44 Acct Multi Session Id 50 CHAP Challenge 60 NAS Port Type 61 Port Limit 62 Tunnel Type See Note 1 64 Tunnel Medium Type See Note 1 65 Tunnel Client Endpoint S...

Page 210: ...nd Primary Dns 135 Ascend Secondary Dns 136 Ascend Num In Multilink 188 Ascend Data Filter 242 Supported Juniper Networks VSAs Table 38 on page 170 lists the Juniper Networks Vendor ID 4874 VSAs suppo...

Page 211: ...10 Egress Policy Name 26 11 Ingress Statistics 26 12 Egress Statistics 26 13 Service Category 26 14 PCR 26 15 SCR 26 16 Mbs 26 17 Sa Validate 26 22 IGMP Enable 26 23 Pppoe Description 26 24 Redirect V...

Page 212: ...56 DHCP GI Address 26 57 LI Action 26 58 Med Dev Handle 26 59 Med Ip Address 26 60 Med Port Number 26 61 MLPPP Bundle Name 26 62 Interface Desc 26 63 Tunnel Group 26 64 Activate Service 26 65 Deactiv...

Page 213: ...e IP SPI 26 85 Mobile IP Key 26 86 Mobile IP Replay 26 87 Mobile IP Access Control List 26 88 Mobile IP Lifetime 26 89 L2TP Resynch Method 26 90 Tunnel Switch Profile 26 91 L2C Up Stream Data 26 92 L2...

Page 214: ...26 120 Min LP Data Rate Up 26 121 Min LP Data Rate Dn 26 122 Max Interlv Delay Up 26 123 Act Interlv Delay Up 26 124 Max Interlv Delay Dn 26 125 Act Interlv Delay Dn 26 126 DSL Line State 26 127 DSL T...

Page 215: ...S IETF Attributes Table 39 on page 176 lists the RADIUS IETF attributes supported for Acct Start Acct Stop Interim Acct Acct On and Acct Off messages The following notes are referred to in Table 39 on...

Page 216: ...User Name 1 NAS IP Address 4 NAS Port 5 Service Type 6 Framed Protocol See Note 3 7 Framed IP Address See Note 2 8 Framed IP Netmask 9 Framed Compression See Note 3 13 Class 25 Called Station Id 30 Ca...

Page 217: ...ee Note 1 64 Tunnel Medium Type See Note 1 65 Tunnel Client Endpoint See Note 1 66 Tunnel Server Endpoint See Note 1 67 Acct Tunnel Connection See Note 1 68 Connect Info 77 Tunnel Assignment Id LAC on...

Page 218: ...ication server 2 ERX routers send IPv6 accounting attributes in the Acct Stop and Interim Acct messages stop interim when they are configured to return these attributes and when the subscriber is eith...

Page 219: ...ons see the Managing Interchassis Redundancy chapter in the JUNOSe Services Availability Configuration Guide Table 40 AAA Accounting Message Juniper Network Vendor ID 4874 VSAs Supported Partition Acc...

Page 220: ...Data Rate Up 26 113 Act Data Rate Dn 26 114 Min Data Rate Up 26 115 Min Data Rate Dn 26 116 Att Data Rate Up 26 117 Att Data Rate Dn 26 118 Max Data Rate Up 26 119 Max Data Rate Dn 26 120 Min LP Data...

Page 221: ...on page 181 lists RADIUS attributes supported by the following tunnel related accounting messages Acct Tunnel Start Acct Tunnel Stop Acct Tunnel Reject Acct Tunnel Link Start Acct Tunnel Link Stop Ac...

Page 222: ...the inclusion of a set of DSL Forum vendor specific attributes VSAs in the following AAA access and accounting messages Access Request Acct Start Acct Stop Interim Acct if Acct Stop messages are speci...

Page 223: ...DSL Forum Vendor ID 3561 VSAs Supported in AAA Access and Accounting Messages Interim Acct Acct Stop Acct Start Access Request Attribute Name Attribute Number Agent Circuit Id 26 1 Agent Remote Id 26...

Page 224: ...tribute Name Attribute Number User Name 1 User Password 2 NAS IP Address 4 Service Type 6 Reply Message 18 State Access Request is only in response to an Access Challenge 24 Class 25 Virtual Router 26...

Page 225: ...ge and display information for the NAS IP Address RADIUS attribute radius override nas ip addr tunnel client endpoint radius override nas info radius override nas ip addr tunnel client endpoint Use to...

Page 226: ...ses the value for the Nas Port attribute The radius nas port format radius vlan nas port format stacked and radius pppoe nas port format commands do not affect the value of the Nas Port attribute For...

Page 227: ...outers only The format attribute set using the radius nas port format command does not accommodate the number of bits required by the ATM interface specifier slot adapter port vpi vci or the Gigabit E...

Page 228: ...tended ethernet field widths slot 4 adapter 1 port 3 vlan 12 Use the no version to restore the default behavior of the radius nas port format command radius pppoe nas port format unique Use to set the...

Page 229: ...an IP address must be assigned to the subscriber See radius include Example host1 config radius include framed ip addr acct start enable Use the no version to restore the default enable 9 Framed Ip Ne...

Page 230: ...able 13 Framed Compression Use the following command to manage the Framed Compression RADIUS attribute radius include framed compression radius include framed compression Use to include the Framed Com...

Page 231: ...the Calling Station Id RADIUS attribute radius calling station format radius calling station delimiter radius include calling station id radius override calling station id remote circuit id NOTE For...

Page 232: ...nterface description command to enable sending of VC interface descriptors to AAA To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields use the fix...

Page 233: ...lation ASCII Character Slot Number ASCII Character Slot Number 9 9 0 0 A 10 1 1 B 11 2 2 C 12 3 3 D 13 4 4 E 14 5 5 F 15 6 6 G 16 7 7 8 8 For example slot 16 is shown as the ASCII character uppercase...

Page 234: ...yword is not supported for VLAN subinterfaces based on agent circuit identifier information otherwise known as ACI VLANs When you issue the radius calling station format fixed format stacked radius ca...

Page 235: ...14 adapter 1 port 2 VCI 3 and VPI 4 the virtual router displays the format in ASCII as E 1 2 003 00004 Example 3 host1 config radius calling station format fixed format adapter new field For example w...

Page 236: ...it ID transmitted from a DSLAM device See radius override calling station id remote circuit id Example host1 config radius override calling station id remote circuit id Use the no version to restore t...

Page 237: ...cast accounting specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting inf...

Page 238: ...version to restore the default format agent circuit id radius remote circuit id delimiter Use to configure the delimiter character that the router uses to set off multiple components in the format of...

Page 239: ...ization CoA message to start the mirroring session when the user is already logged in As a trigger in user initiated mirroring to identify the user whose traffic is to be mirrored This VSA can be opti...

Page 240: ...dius acct session id format decimal Use the no version to negate the Acct Session Id format 45 Acct Authentic Use the following command to manage the Acct Authentic RADIUS attribute radius include acc...

Page 241: ...sabling this command See radius include Example host1 config radius include acct multi session id acct stop disable Use the no version to restore the default enable for accounting messages and disable...

Page 242: ...ds RADIUS attribute radius include output gigawords radius include output gigawords Use to include the Acct Output Gigawords attribute in Acct Stop messages You can control inclusion of the Acct Outpu...

Page 243: ...AG interface in DHCP standalone authenticate mode see Propagation of LAG Subscriber Information to AAA and RADIUS on page 92 radius dsl port type Use to configure the NAS Port Type attribute for the D...

Page 244: ...d See radius include Example host1 config radius include nas port type acct start enable Use the no version to restore the default enable Related Topics Monitoring the DSL Port Type RADIUS Attribute o...

Page 245: ...Use the following command to manage the Tunnel Client Endpoint RADIUS attribute radius include tunnel client endpoint radius include tunnel client endpoint Use to include the Tunnel Client Endpoint a...

Page 246: ...s command See radius include Example host1 config radius include acct tunnel connection acct stop enable Use the no version to restore the default enable 77 Connect Info Use the following commands to...

Page 247: ...t is the same as the TX speed See radius connect info format radius include connect info Use to include the Connect Info attribute in Access Request Acct Start or Acct Stop messages You can control in...

Page 248: ...ude Example host1 config radius include tunnel preference acct start enable Use the no version to restore the default enable 87 NAS Port Id Use the following commands to manage and show information fo...

Page 249: ...onfig radius include nas port id access request enable Use the no version to restore the default enable radius override nas port id remote circuit id Use to configure RADIUS to override the standard u...

Page 250: ...include the Tunnel Server Auth Id attribute in Access Request Acct Start or Acct Stop messages You can control inclusion of the Tunnel Server Auth Id attribute by enabling or disabling this command Se...

Page 251: ...d For RADIUS to include this attribute at least one IPv6 prefix must be assigned to the subscriber See radius include Example host1 config radius include framed ipv6 prefix acct start enable Use the n...

Page 252: ...d in the accounting messages If the IPv6 pool name is configured in the AAA domain map using the CLI and is not returned from RADIUS server the Acct Start Acct Stop or Interim Acct messages report the...

Page 253: ...ned by the RADIUS server the immediate accounting Acct Stop or Interim Acct messages contain the prefix returned from the RADIUS server If this attribute is not returned from the RADIUS server the imm...

Page 254: ...u can configure using CLI commands The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute 26 1 Virtual Router Use the follow...

Page 255: ...dius ignore Example host1 config radius ignore ingress policy name enable Use the no version to restore the default enable 26 11 Egress Policy Name Use the following commands to manage the Egress Poli...

Page 256: ...ored in Access Accept messages You can control this behavior by enabling or disabling this command See radius ignore Example host1 config radius ignore atm service category enable Use the no version t...

Page 257: ...attribute to be ignored in Access Accept messages You can control this behavior by enabling or disabling this command See radius ignore Example host1 config radius ignore atm mbs enable Use the no ve...

Page 258: ...efault enable 26 36 Acct Output Gigapackets Use the following command to manage the Acct Output Gigapackets RADIUS attribute radius include output gigapkts radius include output gigapkts Use to includ...

Page 259: ...ccounting messages If the IPv6 virtual router is configured in the AAA domain map and is not returned from the RADIUS server the Acct Start Acct Stop or Interim Acct messages report the value configur...

Page 260: ...primary dns radius include ipv6 primary dns Use to include the IPv6 Primary DNS attribute in Acct Start or Acct Stop messages You can control inclusion of the attribute by enabling or disabling this...

Page 261: ...nnect Cause RADIUS attribute radius include l2tp ppp disconnect cause radius include l2tp ppp disconnect cause Use to include the Disconnect Cause attribute in Acct Stop and Acct Tunnel Link Stop mess...

Page 262: ...nable Use the no version to restore the default disable 26 56 DHCP MAC Address Use the following command to manage the DHCP MAC Address RADIUS attribute radius include dhcp mac address radius include...

Page 263: ...ute in Access Request Acct Start Interim Acct or Acct Stop messages You can control inclusion of the MLPPP Bundle Name attribute by enabling or disabling this command There is no explicit command to i...

Page 264: ...radius include access loop parameters radius include access loop parameters Use to include the L2C Information attribute in Access Request messages You can control inclusion of the L2C Information at...

Page 265: ...9 Ipv6 NdRa Prefix Use the following command to manage the Ipv6 NdRa Prefix RADIUS attribute radius include ipv6 nd ra prefix radius include ipv6 nd ra prefix Use to include the IPv6 NdRa Prefix attri...

Page 266: ...te access request enable Use the no version to restore the default disable See radius include 26 142 Upstream Calculated Qos Rate The Upstream Calculated Qos Rate RADIUS attribute enables RADIUS to re...

Page 267: ...er You can control this behavior by enabling or disabling this command Ignoring the Max Clients Per Interface attribute is enabled by default Example 1 Ignores the Max Clients Per Interface attribute...

Page 268: ...nfigure ICR partition accounting per virtual router Example host1 config radius icr partition accounting enable Use the no version to restore the default disable All IPv6 Accounting Attributes Use the...

Page 269: ...t and Acct Stop messages that the router sends to RADIUS If you enable inclusion of the ANCP related VSAs in Acct Stop messages the router also includes the VSAs in Interim Acct messages Inclusion is...

Page 270: ...min lp data rate dn 139 4 Max Interlv Delay Up 26 123 l2cd max interlv delay up 140 4 Act Interlv Delay Up 26 124 l2cd act interlv delay up 141 4 Max Interlv Delay Dn 26 125 l2cd max interlv delay dn...

Page 271: ...ing one or more of the DSL Forum VSAs from a DSLAM connected to the router via a PPPoE interface When you enable the inclusion of the DSL Forum VSAs in these RADIUS messages the router includes all of...

Page 272: ...ed by default When you enable inclusion of the DSL Forum VSAs for a specified message type the router includes in that message all of the DSL Forum attributes that it receives from the DSLAM Example h...

Page 273: ...pted from Access Accept messages Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute Examples host1 config...

Page 274: ...234 CLI Commands Used to Modify RADIUS Attributes JUNOSe 11 0 x Broadband Access Configuration Guide...

Page 275: ...namic Request Server Overview The E Series router s RADIUS dynamic request server feature provides an efficient way for you to use RADIUS servers to centrally manage user sessions The RADIUS dynamic r...

Page 276: ...rization and accounting information Having a common database allows any server to view who is currently valid and connected and allows service providers to manage the disconnection of users Figure 5 S...

Page 277: ...es from RADIUS servers The RADIUS initiated disconnect feature uses the existing format of RADIUS disconnect request and response messages The RADIUS initiated disconnect feature uses the following co...

Page 278: ...the disconnect request is owned by a component that does not support RADIUS initiated disconnect for example IP LAC subscribers cannot be disconnected Session context not removable 504 A request coul...

Page 279: ...config radius subscriber disconnect 3 Define the secret used in the RADIUS Authenticator field during exchanges between the RADIUS dynamic request server and the RADIUS server host1 config radius key...

Page 280: ...uter sends the CoA NAK without an error cause attribute Table 46 on page 240 lists the supported error cause codes Table 46 Error Cause Codes RADIUS Attribute 101 Description Value Code The request co...

Page 281: ...ccounting Request message in RFC 2866 The RADIUS dynamic request server verifies the request using authenticator calculation as specified for an Accounting Request in RFC 2866 A key secret as specifie...

Page 282: ...ured operations will continue See authorization change key Use to define the key secret that is used to calculate the RADIUS Authenticator field during exchanges between the RADIUS dynamic request ser...

Page 283: ...uest server subscriber disconnect Use to enable the RADIUS dynamic request server to receive RADIUS disconnect messages from a RADIUS server Example host1 config radius subscriber disconnect Use the n...

Page 284: ...seline for RADIUS Dynamic Request Server Statistics on page 304 Monitoring RADIUS Dynamic Request Server Statistics on page 305 Monitoring the Configuration of the RADIUS Dynamic Request Server on pag...

Page 285: ...ubscriber to be authenticated by a central authority The standard uses the Extensible Authentication Protocol EAP for message exchange during the authentication process The E Series router s RADIUS re...

Page 286: ...IUS Extensions June 2000 RFC 2284 PPP Extensible Authentication Protocol EAP March 1998 RFC 3539 Authentication Authorization and Accounting AAA Transport Profile June 2003 How RADIUS Relay Server Wor...

Page 287: ...outer s RADIUS relay server creates a RADIUS Access Accept message and sends the message back to the subscriber The router s DHCP server either the router s DHCP local server or an external DHCP serve...

Page 288: ...are received for this subscriber for more than 24 hours RADIUS Relay Server and the SRC Software The SRC software is an advanced subscriber configuration and management service The RADIUS relay server...

Page 289: ...E Series router supports one instance of the RADIUS relay server per virtual router The instance can provide authentication authorization and accounting support 1 Enable RADIUS relay server support on...

Page 290: ...ret3Clientkey Use the no version to delete the secret See key radius relay server Use to configure a RADIUS relay authentication or accounting server and enter RADIUS Relay Configuration mode Example...

Page 291: ...ort Monitoring RADIUS Relay Server To monitor RADIUS relay server see Setting the Baseline for RADIUS Dynamic Request Server Statistics on page 304 Monitoring RADIUS Dynamic Request Server Statistics...

Page 292: ...252 Monitoring RADIUS Relay Server JUNOSe 11 0 x Broadband Access Configuration Guide...

Page 293: ...erences on page 272 RADIUS IETF Attributes Table 49 on page 253 describes the RADIUS IETF attributes supported by JUNOSe software The attributes are sorted by standard number Table 49 RADIUS IETF Attr...

Page 294: ...55 255 255 Framed IP Netmask 9 Name of the filter list for the user Interpreted as input policy name Filter Id 11 The maximum transmission unit to be configured for the user when it is not negotiated...

Page 295: ...2 E Series router s port ID and IP address Proxy State 33 Indicates whether this Accounting Request marks the beginning of the user service Start the end Stop or the interim Interim Update Acct Status...

Page 296: ...or 8 PVC failed no hardware or no interface NAS Error 9 Negotiation failures connection failures or address lease expiration NAS Request 10 PPP challenge timeout PPP request timeout tunnel establishme...

Page 297: ...o use in the case of a tunnel initiator or the tunneling protocol in use in the case of a tunnel terminator Only L2TP tunnels supported at this time Tunnel Type 64 Transport medium to use when creatin...

Page 298: ...1 1 98 172 81 1 99 18d cb8 ce6 9f4 6 In this case the local information refers to the LNS and the peer information refers to the LAC NAS Port Id usually contains one of the following atm slot port sub...

Page 299: ...Num In Multilink 188 RADIUS policy definitions used to configure a policy to classify packet flows and perform filter forward packet marking rate limit profile and traffic class actions Ascend Data Fi...

Page 300: ...te primary wins address 6 12 B RAS user s WINS NBNS address negotiated during IPCP 4 octet IP address Primary WINS NBNS 26 6 integer 4 byte secondary wins address 6 12 B RAS user s WINS NBNS address n...

Page 301: ...See the enable command in the Passwords and Security chapter in JUNOSe System Basics Configuration Guide Allow All VR Access 26 19 single attribute enter 0 1 5 10 or 15 sublen len Specifies other leve...

Page 302: ...Sessions 26 33 integer 4 octet 6 12 Route tag to apply to returned framed ip address Framed Ip Route Tag 26 34 string dial out number sublen len Dial number in L2TP dial out Tunnel Dialout Number 26...

Page 303: ...y DNS 26 48 string l2tp ppp disconnect cause sublen len L2TP PPP disconnect cause information received by the LAC Disconnect Cause 26 51 integer 4 octet 6 12 RADIUS relay server s IP address Radius Cl...

Page 304: ...volume is exceeded Service Volume tagX 26 67 integer time in seconds 0 no timeout 6 12 Number of seconds that the service can be active service is deactivated when the timeout expires Service Timeout...

Page 305: ...e ASCII representation of 0 21474836470 multiple instances of this VSA can be returned from RADIUS using this format sublen len Name of the QoS parameter instance to create on the user s interface fol...

Page 306: ...Data 26 92 string actual downstream rate access loop parameter ASCII encoded sublen len Actual downstream rate access loop parameter ASCII encoded as defined in GSMP extensions for layer2 control L2C...

Page 307: ...tion atm slot port vpi vci Acc Aggr Cir Id Asc 26 112 integer 4 octet 6 12 Actual upstream data rate of the subscriber s synchronized DSL link Act Data Rate Up 26 113 integer 4 octet 6 12 Actual downs...

Page 308: ...le 3 Silent 6 12 State of the DSL line DSL Line State 26 127 string 3 byte 5 11 Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated DSL Type 26 1...

Page 309: ...hat can be used to assign addresses to users being authenticated by a RADIUS server when the existing addresses in the primary local address pool are fully exhausted The authentication server override...

Page 310: ...for RADIUS JUNOSe software uses the vendor ID assigned to the DSL Forum 3561 or DE9 in hexadecimal format by the Internet Assigned Numbers Authority IANA Table 51 JUNOSe Software DSL Forum Vendor ID...

Page 311: ...y upstream interleaving delay configured for the subscriber Maximum Interleaving Delay Upstream 26 139 integer 4 octet 6 12 Subscriber s actual one way upstream interleaving delay Actual Interleaving...

Page 312: ...RADIUS Accounting June 2000 RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support June 2000 RFC 2868 RADIUS Attributes for Tunnel Protocol Support June 2000 RFC 2869 RADIUS Extensions...

Page 313: ...Cause attributes AAA Terminate Reasons on page 273 L2TP Terminate Reasons on page 274 PPP Terminate Reasons on page 289 RADIUS Client Terminate Reasons on page 295 AAA Terminate Reasons Table 53 on p...

Page 314: ...ror 17 deny unknown subscriber user error 17 deny user termination nas request 10 shutdown address lease expiration admin reset 6 shutdown administrative reset L2TP Terminate Reasons Table 54 on page...

Page 315: ...assigned session id nas request 10 session rx cdn avp malformed bad length nas request 10 session rx cdn avp malformed truncated nas request 10 session rx cdn avp missing mandatory assigned session i...

Page 316: ...session rx iccn no resources nas request 10 session rx iccn unexpected nas request 10 session rx icrp avp bad hidden nas request 10 session rx icrp avp bad value assigned session id nas request 10 se...

Page 317: ...p missing secret nas request 10 session rx icrq avp unknown nas request 10 session rx icrq no resources nas request 10 session rx icrq unexpected nas request 10 session rx occn avp bad hidden nas requ...

Page 318: ...0 session rx ocrq avp bad value assigned session id nas request 10 session rx ocrq avp bad value bearer type nas request 10 session rx ocrq avp bad value framing type nas request 10 session rx ocrq av...

Page 319: ...r nas request 10 session rx sli avp missing secret nas request 10 session rx sli avp unknown nas request 10 session rx sli no resources nas request 10 session rx unexpected packet lac incoming nas req...

Page 320: ...vice unavailable 15 session upper removed service unavailable 15 session warmstart not operational service unavailable 15 session warmstart recovery error nas request 10 session warmstart upper not re...

Page 321: ...bad length service unavailable 15 tunnel rx scccn avp malformed truncated user error 17 tunnel rx scccn avp missing challenge response service unavailable 15 tunnel rx scccn avp missing random vector...

Page 322: ...avp missing mandatory framing capabilities service unavailable 15 tunnel rx sccrp avp missing mandatory host name service unavailable 15 tunnel rx sccrp avp missing mandatory protocol version service...

Page 323: ...ilable 15 tunnel rx sccrq avp missing mandatory host name service unavailable 15 tunnel rx sccrq avp missing mandatory protocol version service unavailable 15 tunnel rx sccrq avp missing random vector...

Page 324: ...able 15 tunnel rx frs avp missing random vector service unavailable 15 tunnel rx frs avp missing secret service unavailable 15 tunnel rx frs avp unknown service unavailable 15 tunnel rx frs no resourc...

Page 325: ...ing secret service unavailable 15 tunnel rx recovery scccn avp unexpected challenge response service unavailable 15 tunnel rx recovery scccn avp unknown service unavailable 15 tunnel rx recovery scccn...

Page 326: ...version service unavailable 15 tunnel rx recovery sccrp avp missing random vector service unavailable 15 tunnel rx recovery sccrp avp missing secret service unavailable 15 tunnel rx recovery sccrp avp...

Page 327: ...vp missing mandatory framing capabilities service unavailable 15 tunnel rx recovery sccrq avp missing mandatory host name service unavailable 15 tunnel rx recovery sccrq avp missing mandatory protocol...

Page 328: ...ry stopccn avp unknown service unavailable 15 tunnel rx recovery stopccn no resources service unavailable 15 tunnel rx recovery stopccn session id not null service unavailable 15 tunnel rx recovery un...

Page 329: ...uest 10 authenticate max requests nas request 10 authenticate no authenticator user error 17 authenticate pap peer authenticator timeout nas request 10 authenticate pap request timeout session timeout...

Page 330: ...n disable lost carrier 2 interface down port error 8 interface no hardware nas request 10 ip admin disable nas request 10 ip inhibited by authentication nas request 10 ip link down nas request 10 ip m...

Page 331: ...request 10 ip service disable nas request 10 ip stale stacking nas request 10 ipv6 admin disable nas request 10 ipv6 inhibited by authentication nas request 10 ipv6 link down nas request 10 ipv6 local...

Page 332: ...k rx conf req nas request 10 lcp loopback rx echo reply nas request 10 lcp loopback rx echo req nas request 10 lcp max configure exceeded nas request 10 lcp mru changed nas request 10 lcp negotiation...

Page 333: ...t 1 lcp peer renegotiate rx conf rej user request 1 lcp peer renegotiate rx conf req nas request 10 lcp tunnel disconnected nas request 10 lcp tunnel failed port error 8 link interface no hardware los...

Page 334: ...terface nas request 10 osi admin disable nas request 10 osi link down nas request 10 osi max configure exceeded nas request 10 osi no local align npdu nas request 10 osi no peer align npdu nas request...

Page 335: ...s and the RADIUS Acct Terminate Cause attributes they are mapped to by default Table 56 Default RADIUS Client Mappings RADIUS Acct Terminate Cause RADIUS Client Terminate Reason Description Code nas r...

Page 337: ...toring the NAS Port ID RADIUS Attribute on page 301 Monitoring Included RADIUS Attributes on page 302 Monitoring Ignored RADIUS Attributes on page 304 Setting the Baseline for RADIUS Dynamic Request S...

Page 338: ...ide nas port id remote circuit id command to override the standard NAS Port Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM nas port id Displays the current setting for the Ca...

Page 339: ...radius vlan nas port format Monitoring the Calling Station Id RADIUS Attribute Purpose Display the format and delimiter used for the Calling Station Id 31 attribute Action To display the format config...

Page 340: ...fect Action To display the format configured for the PPPoE remote circuit ID value captured from a DSLAM host1 show radius remote circuit id format nas identifier agent circuit id agent remote id Rela...

Page 341: ...ow radius dsl port type show radius ethernet port type Monitoring the Connect Info RADIUS Attribute Purpose Display the format for the Connect Info attribute Action To display the format for the Conne...

Page 342: ...c n c disabled disabled dhcp options n c n c disabled disabled disabled dhcp mac address n c n c disabled disabled disabled dhcp gi address n c n c disabled disabled disabled dsl forum attributes n c...

Page 343: ...l2cd act interlv delay dn vsa n c n c disabled disabled disabled l2cd dsl line state vsa n c n c disabled disabled disabled l2cd dsl type vsa n c n c disabled disabled disabled l2tp ppp disconnect ca...

Page 344: ...m service category vsa accepted from RADIUS server attribute atm mbs vsa accepted from RADIUS server attribute atm pcr vsa accepted from RADIUS server attribute atm scr vsa accepted from RADIUS server...

Page 345: ...Bad Authenticators 0 CoA Packets Dropped 0 No Secret 0 Unknown Request 0 Invalid Addresses Received 0 Meaning Table 59 on page 305 lists the show radius dynamic request statistics command output field...

Page 346: ...tics on page 304 show radius statistics Monitoring the Configuration of the RADIUS Dynamic Request Server Purpose Display the configuration of the RADIUS dynamic request server Action To display the c...

Page 347: ...adius relay command host1 baseline radius relay There is no no version Related Topics Monitoring RADIUS Relay Server Statistics on page 307 baseline radius relay Monitoring RADIUS Relay Server Statist...

Page 348: ...Accepts Number of access challenges received Access Challenges Number of access rejects received Access Rejects Number of access requests waiting for a response Pending Requests Number of duplicate re...

Page 349: ...Address IP Mask Secret 10 10 8 15 255 255 255 255 newsecret 192 168 102 5 255 255 255 255 999Y2K Udp Port 1812 RADIUS Relay Accounting Server Configuration IP Address IP Mask Secret 10 10 1 0 255 255...

Page 350: ...Output Fields Field Description Field Name Status of UDP checksums enabled or disabled udp checksums Related Topics show radius relay udp checksum Monitoring the Status of ICR Partition Accounting Pu...

Page 351: ...o are attempting to gain access to a router or NAS TACACS a more recent version of the original TACACS protocol provides separate authentication authorization and accounting AAA services NOTE TACACS i...

Page 352: ...d passwords Authorization Determines what an authenticated user is allowed to do Authorization gives the network manager the ability to limit network services to different users Also the network manag...

Page 353: ...To allow login authorization through the TACACS server you can use the following commands aaa authorization aaa authorization config commands and authorization For information about using these comma...

Page 354: ...mode Specifies the type of accounting records that are recorded on the TACACS server Accounting records track user actions and resource usage You can analyze and use the records for network managemen...

Page 355: ...AVP timezone TACACS Platform Considerations TACACS is supported on all E Series routers For information about the modules supported on E Series routers See the ERX Module Guide for modules supported...

Page 356: ...imary 2 Optional Set the authentication and encryption key value shared by all TACACS servers that do not have a server specific key set up by the tacacs server host command host1 config tacacs server...

Page 357: ...cs host1 config aaa accounting commands 1 listX stop only tacacs host1 config aaa accounting commands 13 listY stop only tacacs host1 config aaa accounting commands 14 default stop only tacacs host1 c...

Page 358: ...on the router and to create accounting method lists Specify default to configure the default method list or configure a named method list The default method list is used by lines and consoles unless...

Page 359: ...r vty lines an authentication list called default is automatically assigned to the vty lines To allow users to access the vty lines you must create an authentication list and either Name the list defa...

Page 360: ...commands to capture accounting information for User Exec mode commands at the indicated JUNOSe privilege level 0 through 15 Specify the name of the method list to be applied to the line or console To...

Page 361: ...nated primary host is always the first in the search order the remaining hosts are contacted in the order in which they were created If the primary host is deleted or if you modify the primary host wi...

Page 362: ...version to remove the address See tacacs server source address tacacs server timeout Use to set the interval in seconds that the server waits for the server host to reply The specified interval is sha...

Page 363: ...CACS Statistics You can set a baseline for TACACS statistics To set the baseline Issue the baseline tacacs command host1 baseline tacacs There is no no version Related Topics baseline tacacs Monitorin...

Page 364: ...m the host Auth Replies Number of expected but not received authentication replies from the host Auth Pending Number of authentication timeouts for the host Auth Timeouts Number of authorization reque...

Page 365: ...ted for the pending statistics host1 show tacacs delta Meaning Table 67 on page 325 lists the show tacacs command output fields Table 67 show tacacs Output Fields Field Description Field Name Authenti...

Page 366: ...ntinued Field Description Field Name The order in which requests are sent to hosts until a response is received Search Order Related Topics show tacacs 326 Monitoring TACACS Information JUNOSe 11 0 x...

Page 367: ...view on page 329 Configuring an L2TP LAC on page 337 Configuring an L2TP LNS on page 369 Configuring L2TP Dial Out on page 405 L2TP Disconnect Cause Codes on page 417 Monitoring L2TP and L2TP Dial Out...

Page 369: ...s PPP for transmission across a network An L2TP access concentrator LAC configured on an access device such as an E Series router receives packets from a remote client and forwards them to an L2TP net...

Page 370: ...rm Combination of a unique attribute represented by an integer and a value containing the actual value identified by the attribute Attribute value pair AVP L2TP access concentrator LAC a node that act...

Page 371: ...t of a call Remote system A logical connection created between the LAC and the LNS when an end to end PPP connection is established between a remote system and the LNS NOTE There is a one to one relat...

Page 372: ...too large The router always supports packets that have an offset pad field of up to 16 bytes and may support larger offset pad fields depending on other information in the header This restriction is a...

Page 373: ...ore even if PPP in the LNS chooses to renegotiate the MRU it has no way to determine the proper MRU since it does not know the minimum MRU on all of the intervening links between it and the LAC To ove...

Page 374: ...talled in the ERX router For information about installing modules in the ERX router see the ERX Hardware Guide SMs provide dedicated tunnel server ports that are always configured on the module Unlike...

Page 375: ...the ERX1440 router supports 32 000 L2TP sessions and all other E Series routers support a maximum of 16 000 L2TP sessions The following guidelines apply On all E Series routers The SM and the ES2 S1...

Page 376: ...formation July 2001 Fail Over extensions for L2TP failover draft ietf l2tpext failover 06 txt April 2006 expiration RFC 4951 Fail Over Extensions for Layer 2 Tunneling Protocol L2TP failover August 20...

Page 377: ...nnels and Sessions on page 340 Shutting Down Destinations Tunnels and Sessions on page 342 Specifying the Number of Retransmission Attempts on page 343 Configuring Calling Number AVP Formats on page 3...

Page 378: ...using shared tunnel server ports you must configure the shared tunnel server ports before you configure Layer 2 Tunneling Protocol L2TP network server LNS support You use the tunnel server command in...

Page 379: ...40 Shutting Down Destinations Tunnels and Sessions on page 342 Specifying the Number of Retransmission Attempts on page 343 Generating UDP Checksums in Packets to L2TP Peers You can configure the rout...

Page 380: ...meout 1200 Related Topics l2tp destruct timeout Preventing Creation of New Destinations Tunnels and Sessions You can configure several L2TP drain operations which determine how the router creates new...

Page 381: ...n tunnel command both affect the administrative state of L2TP for the tunnel Although each command has a different effect the no version of each command is equivalent Each command s no version leaves...

Page 382: ...each command is equivalent Each command s no version leaves L2TP in the enabled state To close all destinations tunnels and sessions on the router host1 config l2tp shutdown Closing Existing and Preve...

Page 383: ...router uses a retry count of 5 Use the established keyword to apply the retry count only to established tunnels Use the not established keyword to apply the retry count only to tunnels that are not es...

Page 384: ...lar to the fixed format of RADIUS attribute 31 Calling Station Id If you set up the router to generate the Calling Number AVP in fixed format the router formats the AVP to use a fixed format of up to...

Page 385: ...outer For ERX7xx models ERX14xx models and ERX310 Broadband Services Routers which do not use IOAs adapter is always shown as 0 Slot numbers 0 through 16 are shown as ASCII characters in the 1 byte sl...

Page 386: ...ter new field format host1 config aaa tunnel calling number format fixed adapter new field For example when you configure this L2TP Calling Number AVP format on an E320 router for an ATM interface on...

Page 387: ...specify the optional stacked keyword but the Ethernet interface does not have an S VLAN ID Example The following command configures the L2TP Calling Number AVP in fixed adapter new field format for an...

Page 388: ...ured calling number format includes either or both of the agent circuit id and agent remote id suboptions The calling number format determines what element triggers use of the fallback format as shown...

Page 389: ...P to use a fixed format of up to 15 characters consisting of all ASCII fields with a 1 byte slot field 1 byte adapter field and 1 byte port field Fallback format for ATM interfaces systemName up to 4...

Page 390: ...new field format the router formats the AVP to use a fixed format of up to 17 characters consisting of all ASCII fields with a 2 byte slot field 1 byte adapter field and 2 byte port field Fallback for...

Page 391: ...bytes VLAN 4 bytes Fallback format for Ethernet interfaces that use fixed adapter embedded systemName up to 4 bytes slot 1 byte adapter 1 byte port 1 byte S VLAN 4 bytes VLAN 4 bytes Fallback format...

Page 392: ...that the fixed format is used when both PPPoE agent circuit id and agent remote id are unavailable issue the following commands host1 config radius calling station format fixed format host1 config ra...

Page 393: ...el locally on the router from Domain Map Tunnel mode perform the following steps 1 Specify a domain name and enter Domain Map Configuration mode host1 config aaa domain map westford com host1 config d...

Page 394: ...onfig domain map tunnel server name boston 10 Optional Specify a source IP address for the LAC tunnel endpoint All L2TP packets sent to the peer use this source address host1 config domain map tunnel...

Page 395: ...D If you do not set a tunnel assignment ID the software sets it to the default assignmentID This parameter is only generated and used by the L2TP LAC device 17 Optional Specify whether or not to use t...

Page 396: ...Sessions Tunnel RWS Router 3 boston 5 0 system chooses vr2 host1 show aaa tunnel parameters Tunnel password is 3 92k b q4 Tunnel client name is NULL Tunnel nas port method is none Tunnel nas port igno...

Page 397: ...tunnel group tunnel router name default 4 Specify the LNS endpoint address of a tunnel host1 config tunnel group tunnel address 192 0 2 13 5 Specify a preference for the tunnel You can specify up to e...

Page 398: ...table IP interface for example a loopback interface Make sure that the address is configured in the virtual router for this domain map and that the address is reachable by the peer host1 config tunnel...

Page 399: ...and preference command router name server name source address tunnel type Configuring the RX Speed on the LAC You can configure the E Series LAC to always generate L2TP Receive RX Speed AVP 38 If you...

Page 400: ...a Locked Out Destination Is Available on page 362 3 Configuring a Lockout Timeout on page 362 4 Unlocking a Destination that is Currently Locked Out on page 362 5 Starting an Immediate Lockout Test on...

Page 401: ...the following commands to manage L2TP destination lockout and configure a lockout process that meets the needs of your network environment Use the l2tp destination lockout timeout command to modify t...

Page 402: ...out expires all information about the locked out destination is deleted including the time remaining on the destination s lockout timeout and the requirement to run a lockout test prior to returning t...

Page 403: ...nels with separate receive and transmit addresses and to avoid problems due to a misconfiguration Three possible configurations are available Default configuration The E Series LAC accepts the change...

Page 404: ...l from a set of tunnels associated with either the PPP user or the PPP user s domain The router provides the following methods for selecting tunnels Tunnel selection failover between preference levels...

Page 405: ...ect to every destination available for the domain Support for multiple destinations affects the procedure for mapping a user domain name to an L2TP tunnel To learn how to complete this mapping see Map...

Page 406: ...vel the router drops to the next lower preference level to make the next selection This process is consistent regardless of which fail over scheme is currently running on the router A tunnel without a...

Page 407: ...host1 config l2tp weighted load balancing Configuring the Weighted Load Balancing Method 367 Chapter 12 Configuring an L2TP LAC...

Page 409: ...RADIUS Connect Info Attribute on the LNS on page 374 Overriding LNS Out of Resource Result Codes 4 and 5 on page 375 Selecting Tunnel Service Modules for LNS Sessions Using MLPPP on page 376 Enabling...

Page 410: ...configure an LNS you can configure it to accept calls from any LAC NOTE If there is no explicit LNS configuration on the router the UDP port used for L2TP traffic is closed and no tunnels or sessions...

Page 411: ...ame to be used in any hostname AVP sends to the LAC By default the router name is used as the local hostname host1 config l2tp dest profile host local host andy 7 Optional Specify the local IP address...

Page 412: ...Attribute on the LNS on page 374 Overriding LNS Out of Resource Result Codes 4 and 5 on page 375 Selecting Tunnel Service Modules for LNS Sessions Using MLPPP on page 376 bundled group id bundled grou...

Page 413: ...t profile and access L2TP Destination Profile Host Configuration mode Each L2TP destination profile can have multiple L2TP host profiles For an LAC to connect to an LNS the appropriate L2TP destinatio...

Page 414: ...rofile or host profile maximum session limit is not exceeded For information about the maximum number of L2TP sessions supported per chassis see JUNOSe Release Notes Appendix A System Maximums To set...

Page 415: ...CDN Call Disconnect Notify message to the LAC This signals the LAC to fail over to another LNS that has the resources for more sessions Some third party LAC implementations fail over only when they r...

Page 416: ...of resource result code override show l2tp destination profile Selecting Tunnel Service Modules for LNS Sessions Using MLPPP You can install multiple tunnel service modules in an E Series router deplo...

Page 417: ...include a endpoint discriminator option in the LCP proxy AVPs The router places all bundled sessions without endpoint discriminators on the same SM However if there are many such bundled sessions the...

Page 418: ...opics bundled group id bundled group id overrides mlppp ed Enabling Tunnel Switching L2TP tunnel switching allows you to switch packets between one session terminating at an L2TP LNS and another sessi...

Page 419: ...ou to verify both the tunnel configuration and connectivity This command supports tunnel initiation incoming calls on the LAC outgoing calls on the LNS The command does not support tunnel respondent o...

Page 420: ...nt all PPP signaling for the tunnel session takes place between the LNS and the client without active participation of the LAC As a result the LAC is not aware of the reason that a session has disconn...

Page 421: ...st profile host disconnect cause Enabling RADIUS Accounting for Disconnect Cause You use the radius include l2tp ppp disconnect cause acct stop enable command to specify that the Disconnect Cause RADI...

Page 422: ...ndow command in L2TP Destination Profile Host Configuration mode 1 Configuring the Default Receive Window Size on page 382 2 Configuring the Receive Window Size on the LAC on page 383 3 Configuring th...

Page 423: ...ndow command TIP The RWS setting must be the same for all users of the same tunnel If you modify the RWS setting for an existing tunnel subsequent tunnel users might not be able to log in if their...

Page 424: ...he LNS 1 Access L2TP Destination Profile Host Configuration mode For example host1 config virtual router fms02 host1 fms02 config l2tp destination profile fms02 ip address 192 168 5 61 host1 fms02 con...

Page 425: ...ocol method as the primary peer resynchronization method but then fall back to the silent failover method if the peer does not support the failover protocol method The following list highlights differ...

Page 426: ...ailover forces disconnection of the tunnel and all of its sessions failover protocol fallback to silent failover The tunnel uses the L2TP failover protocol method however if the peer non failed endpoi...

Page 427: ...e the specified method unless it is overridden by an L2TP host profile configuration or an AAA domain map configuration failover protocol Tunnels use the L2TP failover protocol method If the peer non...

Page 428: ...r protocol 2 silent failover 3 failover protocol with silent failover as backup 6 12 L2TP peer resynchronization method L2TP Resynch Method 26 90 Configuring L2TP Tunnel Switch Profiles You can use th...

Page 429: ...l switch profile the router also disconnects all associated L2TP switched sessions using that profile In some cases attributes configured in a tunnel switch profile take precedence over similar attrib...

Page 430: ...ing AAA Tunnel Groups on page 392 To apply a named tunnel switch profile through RADIUS include the Tunnel Switch Profile RADIUS attribute VSA 26 91 in RADIUS Access Accept messages For details see Ap...

Page 431: ...to relay the Bearer Type Calling Number and Cisco NAS Port Info AVP types across the LNS LAC boundary host1 config l2tp tunnel switch profile avp bearer type relay host1 config l2tp tunnel switch pro...

Page 432: ...nel RWS Router Profile 3 null 2000 0 system chooses null concord Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups To apply an L2TP tunnel switch profile to sessions associated with an A...

Page 433: ...pply a different default tunnel switch profile to each virtual router configured To apply a default L2TP tunnel switch profile to a virtual router 1 Create the virtual router to which you want to appl...

Page 434: ...the establishment of an L2TP tunnel session the LAC sends AVP 24 to the LNS to convey the transmit speed of the subscriber s access interface You can configure the calculation method for the transmit...

Page 435: ...alculation methods NOTE Configuring the transmit connect speed calculation method has no effect on the operation of the L2TP Receive RX Speed AVP 38 or the Connect Info RADIUS attribute 77 at the LAC...

Page 436: ...f any logical interface in the interface column For those logical interfaces with a rate controlled by QoS QoS reports this configured rate as the transmit connect speed for that interface For those l...

Page 437: ...speed 5 Mbps 5 Mbps Actual Example 2 L2TP Session over Ethernet VLAN Interface In this example an L2TP session is established over a PPPoE subinterface over an Ethernet VLAN subinterface The configur...

Page 438: ...e information about supported L2TP terminate reasons see AAA Terminate Reasons on page 273 Advisory Speed Precedence for VLANs over Bridged Ethernet For interface columns that consist of an L2TP sessi...

Page 439: ...ystem chooses null Tunnel Tunnel Tunnel Tunnel Failover Switch Tx Tag Resync Profile Speed Method 5 null null dynamic layer2 Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation...

Page 440: ...Configuring the calculation method as a default AAA tunnel parameter for a virtual router has lower precedence than using AAA domain maps AAA tunnel groups or RADIUS to configure the transmit connect...

Page 441: ...rmat is assignmentId Tunnel calling number format is fixed Using RADIUS to Configure the Transmit Connect Speed Calculation Method On the LAC the router can receive tunnel configuration attributes thr...

Page 442: ...lation Method on page 399 Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method on page 400 Using RADIUS to Configure the Transmit Connect Speed Calculation Me...

Page 443: ...en proxy LCP is disabled or required to renegotiate at the LNS All PPP LCP echo requests and their responses PPP LCP terminate request or terminate acknowledgement packets from the client or LNS when...

Page 445: ...work server LNS function is deployed in networks that have a combination of broadband and narrowband access A remote site can communicate on demand with the home site with a normal L2TP access concent...

Page 446: ...Protocol PPP stack for the dial out session Dial out route Network Model for Dial Out In Figure 10 on page 406 the home site connects to the Internet over a permanent leased line to the Internet serv...

Page 447: ...5 Once the LNS successfully completes a control connection and session with the LAC the LAC performs the actual narrowband dial out operation to the remote site using the information passed by the LN...

Page 448: ...e not functional down Targets Table 76 on page 408 describes the operational states of the targets Table 76 Target Operational States Description State Dial out route is up and operational inService D...

Page 449: ...was unsuccessful This state prevents the router from thrashing on an outgoing call that cannot be completed When in this state the router discards all trigger packets received for the session The inhi...

Page 450: ...cannot be routed successfully by the new access route the router detects this discrepancy as a configuration error because trigger packets that arrive are not forwarded into the outgoing call rather...

Page 451: ...sed in PPP L2TP dial out sessions at the LNS PPP Username Juniper VSA 26 36 Password used in PPP L2TP dial out sessions at the LNS PPP Password Juniper VSA 26 37 Authentication protocol used for L2TP...

Page 452: ...e The route does not need to be identical to the one specified in the dial out route but it must be able to forward packets that have the same destination address as the trigger packet However if the...

Page 453: ...Dial Out To configure L2TP dial out 1 Enable the creation of a dial out session host1 config l2tp dial out target 10 10 0 0 255 255 0 0 L2TP dial out de dt profile dialOut 2 Optional Set the maximum...

Page 454: ...P outgoing call ends If no trigger is received before the dormant timer expires the dial out session is deleted The range is 0 3600 seconds Example host1 config l2tp dial out dormant timer value 300 U...

Page 455: ...dial out target Use to define an L2TP dial out target When the router receives packets destined for the target it creates a dial out session When you create a target you must specify the following ip...

Page 456: ...nitoring Status of Dial out Sessions on page 447 Monitoring Dial out Targets within the Current VR Context on page 448 Monitoring Operational Status within the Current VR Context on page 450 416 Monit...

Page 457: ...e cause of the disconnection The following list shows current disconnection causes on an E Series LNS that do not have specific disconnect cause codes The peer initiated termination of LCP after the...

Page 458: ...beyond the completion of LCP negotiation and Prior to receiving the terminate request from the peer the local LCP has sent a Protocol Reject in response to any packet for Encryption Control Protocol E...

Page 459: ...PPP L2TP uses the authenticated name as part of the key for bundle selection Therefore there will never be an unexpected authenticated name for an existing MLPPP bundle authenticate mlppp name mismatc...

Page 460: ...within the time allowed for upper layer negotiation Code 19 with direction 1 is generated if the peer denies address parameters requested by the local NCP Code 19 with direction 2 is generated if the...

Page 461: ...cked Out Destinations on page 431 Monitoring Configured Destination Profiles or Host Profiles on page 431 Monitoring Configured and Operational Status of all Destinations on page 434 Monitoring Statis...

Page 462: ...page 422 lists the show aaa domain map command output fields Table 80 show aaa domain map Output Fields Field Description Field Name Name of the domain Domain Virtual router to which user domain name...

Page 463: ...expected from the peer the LNS when during tunnel startup Tunnel Server Name Preference level for the tunnel Tunnel Preference Maximum number of sessions allowed on a tunnel Tunnel Max Sessions L2TP r...

Page 464: ...e 81 on page 424 lists the show aaa tunnel group command output fields Table 81 show aaa tunnel group Output Fields Field Description Field Name Name of the domain Domain Virtual router to which user...

Page 465: ...l Tunnel Client Name Host name expected from the peer the LNS when during tunnel startup Tunnel Server Name Preference level for the tunnel Tunnel Preference Maximum number of sessions allowed on a tu...

Page 466: ...the show aaa tunnel parameters command output fields Table 82 show aaa tunnel parameters Output Fields Field Description Field Name Default tunnel password Tunnel password Hostname that the LAC sends...

Page 467: ...ission retries for established tunnels is 5 Retransmission retries for not established tunnels is 5 Tunnel idle timeout is 60 seconds Failover within a preference level is disabled Weighted load balan...

Page 468: ...timeout Enabled or disabled Failover within a preference level Enabled or disabled Weighted load balancing Enabled or disabled Tunnel authentication challenge Whether the E Series LAC sends Calling S...

Page 469: ...nformation about specified destinations To display information about a specific destination host1 show l2tp destination ip 172 31 1 98 L2TP destination 1 is Up with 5 active tunnels and 64 active sess...

Page 470: ...uter on which the tunnel is configured Virtual Addresses of the local and remote interfaces Local and peer addresses Effective administrative state The more restrictive of the router and destination a...

Page 471: ...destination is waiting for the lockout timeout to expire and how much time is left or waiting for the lockout test to start or finish L2TP destination waiting Number of destinations that are currentl...

Page 472: ...ssword is 222 Interface profile is ascints Default upper binding type mlppp Maximum sessions is 250 Failover resync is failover protocol Statistics Current session count is 2 Remote host is mexico Con...

Page 473: ...t Local IP address Identifier for bundled sessions Bundled group id Password for the tunnel Tunnel password Name of the host profile Interface profile Status of proxy LCP for the remote host Proxy lcp...

Page 474: ...strative status of the L2TP destination enabled No restrictions on creation and operation of sessions and tunnels for this destination drain Router will not create new sessions or tunnels for this des...

Page 475: ...lppp endpoint discriminator mismatch 9 0 0 0 lcp mlppp peer mrru not valid 10 0 0 0 lcp mlppp peer ssn invalid 11 0 0 0 lcp callback refused 12 0 0 0 authenticate timed out 13 0 0 0 authenticate mlppp...

Page 476: ...session id is 2 Statistics packets octets discards errors Data rx 7 237 1 0 Data tx 6 160 0 0 Session operational configuration User name is t1 s1 local Tunneling PPP interface atm 0 0 1 Call type is...

Page 477: ...ify the session locally and remotely Local and peer session id Information about the traffic for this session Statistics Information received from the peer when the session was created Session operati...

Page 478: ...profiles configured on the router Action To display only the names of the L2TP tunnel switch profiles configured on the router host1 show l2tp switch profile L2TP tunnel switch profile concord L2TP tu...

Page 479: ...p with 12 active sessions 5 L2TP tunnels found To display detailed configuration information about specified tunnel host1 show l2tp tunnel detail 1 xyz L2TP tunnel 1 xyz is Up with 13 active sessions...

Page 480: ...ps Tunnel address information Tunnel address Method used to transfer traffic Transport Name of the virtual router on which the tunnel is configured Virtual router IP addresses of the local and remote...

Page 481: ...n acknowledgment from the router Receive window size Number of acknowledgments that the router has received from the peer Receive ZLB Number of received control packets that were out of order Receive...

Page 482: ...creation and operation of sessions for this tunnel drain Router will not create new sessions for this tunnel disabled Router disabled existing sessions and will not create new sessions for this tunne...

Page 483: ...nhibited 0 Maximum targets inhibited 0 Authentication grant for nonexistent session 0 Authentication deny for nonexistent session 0 Dial out Virtual router statistics Virtual routers active 0 Virtual...

Page 484: ...state 0 Sessions in connecting state 0 Sessions in inService state 0 Sessions in inhibited state 0 Sessions in postInhibited state 0 Sessions in failed state 0 To display information about the operati...

Page 485: ...al router statistics VRs in use by the state machine Virtual routers active VRs that have been used by the state machine Virtual routers created VRs no longer used by the state machine Virtual routers...

Page 486: ...tics Currently active sessions Sessions active All sessions created Sessions created Sessions deleted Sessions removed Sessions reset using the l2tp dial out session reset command Sessions reset Trigg...

Page 487: ...aspects of the dial out state machine and details about the dial out routes themselves This section presents sample output The actual output on your router may differ significantly Action To display...

Page 488: ...Session Current status of the session Status Current operational status of session Operational status Related Topics For detailed information about operational states see Dial Out Operational States...

Page 489: ...virtual routers host1 dialout show l2tp dial out target allVirtualRouters NOTE The level of a user s permission determines the use of the allVirtualRouters option For example if you have permission to...

Page 490: ...fers per session 0 To display aggregate counts for dial out state machines in each of the possible operational and administrative states host1 dialout show l2tp dial out virtual router summary To disp...

Page 491: ...um number of trigger packets held in buffer while the dial out session is being established Maximum trigger buffers per session Related Topics For detailed information about operational states see Dia...

Page 493: ...5 DHCP Local Server Overview on page 463 Configuring DHCP Local Server on page 471 Configuring DHCP Relay on page 489 Configuring the DHCP External Server Application on page 517 Monitoring and Troubl...

Page 495: ...on parameter carried by DHCP is the IP address A computer must be initially assigned a specific IP address that is appropriate to the network to which the computer is attached and that is not assigned...

Page 496: ...L line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external server and DHCP local server in equal access mode the router retrieves th...

Page 497: ...ring RADIUS Attributes on page 165 and RADIUS IETF Attributes on page 253 Configuring the DHCP Access Model The E Series router provides a DHCP access model which enables you to integrate the router i...

Page 498: ...address to the remote host The new IP address is included when the router next updates its routing table Dynamic IP addresses are leased to the remote host for a specific period of time which can rang...

Page 499: ...CP packet processing The logged packets are output to the dhcpCapture event logging category You can configure per interface DHCP packet logging on statically configured and dynamically created IP int...

Page 500: ...mand To delete a connected user s IP address lease and the associated route configuration when the DHCP client binding is no longer needed use the dhcp delete binding command When you delete a DHCP cl...

Page 501: ...e remote ID string supports matching of both regular expression metacharacters and nonprintable ASCII characters in binary sequences subnetAddress IP address of the subnet on which the DHCP client res...

Page 502: ...delete DHCP client bindings that match the specified circuit ID string host1 vr3 dhcp delete binding circuit id xe3 To specify nonprintable byte codes in the circuit ID string or remote ID string you...

Page 503: ...Server on page 483 In equal access mode the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service In standalone mode the...

Page 504: ...ess Mode Overview In equal access mode the router enables access to non PPP users Non PPP equal access requires the use of the router s DHCP local server and SRC software which communicates with a RAD...

Page 505: ...rk can be presented to the DHCP local server in the client s DHCP request message The giaddr field in the DHCP request message contains the IP address of a DHCP relay agent The router attempts to matc...

Page 506: ...configure the DHCP local server to use AAA authentication for the incoming clients The DHCP local server receives DHCP client requests for addresses selects DHCP local pools from which to allocate add...

Page 507: ...e authentication is successful the local server selects an IP address pool based on the order presented in Table 100 on page 467 When the router finds a match it selects a pool based on the match and...

Page 508: ...entify clients when it receives subsequent messages and to maintain the state of each client within the DHCP protocol In addition the table contains information that may be transferred to and from the...

Page 509: ...Authentication for DHCP Local Server Standalone Mode on page 481 for a sample configuration 2 For standalone mode optionally configure the router to use AAA authentication for DHCP requests from subsc...

Page 511: ...Addresses from Address Pools on page 473 Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces on page 474 Differentiating Between Clients with the Same Client ID or Hard...

Page 512: ...fied in the DHCP local pool host1 config ip dhcp local excluded address 10 10 3 4 4 Optional Enable general DHCP local server traps See Using SNMP Traps to Monitor DHCP Local Server Events on page 476...

Page 513: ...itchover or reload if the action that caused the dynamic interface to be created occurs again a new dynamic interface is created The new dynamic interface then inherits the limit set by the global val...

Page 514: ...enables the DHCP local server to create unique client IDs to support roaming clients and to manage situations in which two clients in the network have the same hardware address NOTE This feature repl...

Page 515: ...in the following situations When duplicate client IDs and duplicate hardware addresses do not exist in your network When the DHCP local server application interacts with DHCP relays in your network t...

Page 516: ...verity level 1 alert 2 critical and 3 error events This trap helps administrators monitor DHCP local server general health error statistics address lease status and protocol events The global SNMP tra...

Page 517: ...an IP DHCP Local Server Binding on page 476 Configuring DHCP Local Address Pools on page 478 Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 481 Configuring DHCP Local Ser...

Page 518: ...0 10 1 1 The default router must be on the same subnetwork as the local server pool IP addresses that you configure with the network command You specify the IP address of a primary server and optional...

Page 519: ...p node Peer to peer m node Mixed h node Hybrid 9 Specify the IP addresses that the DHCP local server can provide from an address pool host1 config dhcp local network 10 10 1 0 255 255 0 0 Use the forc...

Page 520: ...address pools that are linked are viewed as a group Setting Grace Periods for Address Leases The JUNOSe software enables you to configure a grace period for a particular local address pool the grace p...

Page 521: ...ptionally apply the grace period to released addresses Configuring AAA Authentication for DHCP Local Server Standalone Mode The DHCP local server enables you to optionally configure AAA based authenti...

Page 522: ...s host1 config service dhcp local standalone authenticate 3 Specify the password that authenticates a locally configured DHCP standalone mode client In DHCP standalone mode the password is presented t...

Page 523: ...ID included MAC Address excluded Option 82 excluded Related Topics ip dhcp local auth domain command ip dhcp local auth include command ip dhcp local auth password command ip dhcp local auth user pref...

Page 524: ...does not expire 3 Specify the name of a DNS domain for DHCPv6 clients in the current virtual router to search You can specify a maximum of four DNS domains for a DHCPv6 local server s search list hos...

Page 525: ...s you want to delete all All DHCPv6 local server client bindings ipv6Prefix IPv6 prefix address and subnetwork mask of the DHCPv6 clients for example 2002 2 4 1 64 string Local address pool name for e...

Page 526: ...io for this example Subscribers obtain access to ISP Boston via a router Subscribers log in through the SRC software and a RADIUS server provides authentication Figure 12 Non PPP Equal Access Configur...

Page 527: ...he DHCP local server cannot assign these addresses host1 config ip dhcp local excluded address 10 10 1 1 host1 config ip dhcp local excluded address 10 10 1 2 6 Configure the DHCP local server to prov...

Page 529: ...P request If you do not configure DHCP relay then BOOTP relay is disabled The router must wait for an acknowledgment from the DHCP server that the assigned address has been accepted The IP client must...

Page 530: ...0 Strings to Forward Client Traffic to Specific DHCP Servers on page 497 host1 config set dhcp relay Use the no version without specifying an IP address to explicitly delete the DHCP relay from the cu...

Page 531: ...ional option 82 if one is already present in the DHCP packets Assigning the Giaddr to Source IP Address As a security measure DHCP servers typically use the giaddr included in DHCP packets to ensure t...

Page 532: ...sing the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets Each DHCP request packet includes a broadcast flag that if set specifies how to transmit DHCP Offer reply packets and DHCP...

Page 533: ...st first issue the no set dhcp relay layer2 unicast replies command to disable layer 2 unicast replies and then issue the set dhcp relay broadcast flag replies command again to enable broadcast flag r...

Page 534: ...ault which is required in certain configurations to enable address renewals from the DHCP server to work properly However the default installation of host routes might cause a conflict when you config...

Page 535: ...10 0 to subscriber interface ip53001 host1 config ip route 10 10 10 0 255 255 255 252 ip ip53001 7 Prevent DHCP relay from installing host routes this avoids a conflict that can cause undesirable ARP...

Page 536: ...figure DHCP relay to use information in the giaddr in DHCP ACK messages to specify which interface is to be used as the primary interface This capability allows you to build dynamic interfaces on the...

Page 537: ...re option 60 strings in received DHCP client packets against strings that you configure on the router You can use the DHCP relay option 60 feature when providing converged services in your network env...

Page 538: ...eywords to configure actions for nonmatching strings drop Discard traffic local server Forward packets to the DHCP local server proxy client Forward traffic to the DHCP proxy client server relay Forwa...

Page 539: ...onfig set dhcp relay 2 Configure the action DHCP relay takes when the incoming traffic has an exact option 60 string of myword DHCP relay forwards this traffic to the DHCP server with an IP address of...

Page 540: ...dhcp local equal access host1 config set dhcp vendor option equals docsis relay 192 168 1 1 host1 config set dhcp vendor option equals cablemodem relay 192 168 1 1 Use the show dhcp summary and show d...

Page 541: ...he client originated DHCP packets that the DHCP relay forwards to a DHCP server When the DHCP relay agent information option is enabled the DHCP relay adds the option 82 information to packets it rece...

Page 542: ...gent replaces any existing Vendor Specific value in the client packet with the relay agent s value The JUNOSe software provides two commands that you can use to configure DHCP relay agent information...

Page 543: ...ble Disable set dhcp relay agent remote id only Disable Disable Disable no set dhcp relay agent Format of the JUNOSe Data Field in the Vendor Specific Suboption for Option 82 RFC 4243 describes suppor...

Page 544: ...4 high order bits are 0 Example 1 The Vendor Specific suboption for a VLAN ID of 2468 0x09a4 and a UPC of 5 is formatted as follows 09 0c 00 00 13 0a 07 01 02 09 a4 02 01 05 UPC val 5 UPC len 1 byte U...

Page 545: ...Agent Circuit ID suboption identifies the interface on which DHCP packets are received When the packets are received on a LAG interface the router clearly identifies the interface The suboptions inclu...

Page 546: ...dleA LAG interface with VLAN hostname vrname interface type bundle name sub if vlan id Examples lag bundleA 1 2 relayVr lag bundleA 2 bostonHost lag bundleA 1 2 LAG interface with Stacked VLAN hostnam...

Page 547: ...signs an IP address that provides the desired service to the DHCP client The DHCP server uses information based on the IEEE 802 1p values which are extracted from the DHCP packets using JUNOSe softwar...

Page 548: ...0 host1 config policy list classifier group exit host1 config policy list classifier group dot1p1 host1 config policy list classifier group user packet class 1 host1 config policy list classifier grou...

Page 549: ...use the option 82 suboptions This configuration includes the command that specifies the mapping of the user packet class values from the layer 2 policy to the user packet class type in the option 82 V...

Page 550: ...command to enable support for DHCP relay agent option which includes the option 82 suboptions Agent Circuit ID suboption 1 and Agent Remote ID suboption 2 This command does not support the Vendor Spe...

Page 551: ...astEthernet 1 2 3 4 relayVr fastEthernet 1 2 4 bostonHost fastEthernet 1 2 3 4 Ethernet interface with Stacked VLAN hostname vrname interface type slot port sub if svlan id vlan id Examples fastEthern...

Page 552: ...cuit ID suboption If you do not explicitly specify the circuit id only or remote id only keyword both suboptions are used Related Topics radius remote circuit id format set dhcp relay set dhcp relay a...

Page 553: ...t a Timeout for DHCP Client Renewal Messages You can set the amount of time in the range 1 168 hours that the DHCP relay proxy waits for a renewal message from DHCP clients after a router reboot or sw...

Page 554: ...released the host routes that are no longer needed are still unavailable For additional information on managing client bindings see Viewing and Deleting DHCP Client Bindings on page 460 Selecting the...

Page 555: ...s renewal requests from clients For information about using the set dhcp relay layer2 unicast replies command see Configuring Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients on p...

Page 557: ...namic Subscriber Interfaces on page 524 Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces on page 526 Configuring Dynamic Subscriber Interfaces for Interoperati...

Page 558: ...riber requests an address from the DHCP server through the E Series router All communication between the subscriber and the DHCP server is monitored by the E Series router After the subscriber receive...

Page 559: ...dynamic subscriber interface for the client that exists with the client s primary interface A client normally receives broadcast traffic such as the traffic associated with the DHCP discovery process...

Page 560: ...OSe releases in which deleting and re creating the dynamic subscriber interface was the default behavior for the DHCP external server Related Topics Configuring DHCP External Server to Control Preserv...

Page 561: ...uplicate MAC mode by issuing the dhcp external duplicate mac address command and creation of subscriber state information based on lease renewals by issuing the ip dhcp external server sync command si...

Page 562: ...guration Requirements To configure the E Series router to support an external DHCP server you enable the DHCP external server application on the router If you are using DHCP packet detection you must...

Page 563: ...the DHCP external server application You can resynchronize and create subscriber state information that is based on lease renewals To synchronize the external DHCP server with the E Series router Issu...

Page 564: ...external server application to ignore the giaddr when determining the next hop for the subscriber access routes Issue the ip dhcp external disregard giaddr next hop command from Global Configuration...

Page 565: ...er a dynamically created VLAN the VLAN is dynamically created based on the agent circuit id option suboption 1 that is contained in the DHCP option 82 field For information about configuring agent cir...

Page 566: ...starts the discovery process on its primary IP interface Issue the ip dhcp external recreate subscriber interface command from Global Configuration mode host1 vr1 config ip dhcp external recreate subs...

Page 567: ...face profile host1 config profile dsiTest host1 config profile ip unnumbered loopback 5500 host1 config profile exit 2 Define a route map in the VR in which the static primary IP interface resides hos...

Page 568: ...to configure the primary IP interface to support creation of dynamic subscribers interfaces which is accomplished by issuing the ip auto configure ip subscriber exclude primary command as shown in Ste...

Page 569: ...lete a specific client host1 dhcp external delete binding binding id 3972819365 Related Topics dhcp delete binding dhcp external delete binding Deleting Clients from a Virtual Router s DHCP Binding Ta...

Page 570: ...ult in a service interruption To configure the DHCP external server application to use a combination of the MAC address and giaddr to uniquely identify DHCP clients also known as enabling duplicate MA...

Page 571: ...enable the IP Subscriber Manager application to re authenticate the auto detected subscribers created on static and dynamic primary IP interfaces after a cold boot Issue the ip re authenticate auto d...

Page 573: ...ion Information on page 547 Monitoring DHCP External Server Statistics on page 548 Monitoring DHCP External Server Duplicate MAC Address Setting on page 549 Monitoring DHCP Local Address Pools on page...

Page 574: ...you retrieve baseline relative statistics Use the delta keyword with the show dhcp commands to display baselined statistics Tasks to set a baseline for DHCP statistics are 1 Setting a Baseline for DH...

Page 575: ...fy the type of interface and interface specifier host1 baseline ip dhcp local interface atm 3 1 To set a baseline for DHCPv6 local server statistics Issue the baseline ipv6 dhcpv6 local command host1...

Page 576: ...ings Tasks to monitor DHCP bindings are Monitoring DHCP Binding Information on page 537 Monitoring DHCP Binding Count Information on page 540 Monitoring DHCP Binding Host Information on page 542 Monit...

Page 577: ...00 0013 9365 local 0 0 0 0 81 3 0 11 bound 2409734618 8000 000b 9365 local 0 0 0 0 81 3 0 7 bound 2409734619 8000 0009 9365 local 0 0 0 0 81 3 0 6 bound The output of the show dhcp binding command is...

Page 578: ...0 0 71 1 0 14 bound 3070230543 7000 000e 9365 relay p 0 0 0 0 71 1 0 16 bound 3070230545 7000 0010 9365 relay p 0 0 0 0 71 1 0 18 bound 3070230547 7000 0012 9365 relay p 0 0 0 0 71 1 0 20 bound 307023...

Page 579: ...ent 0 0 0 0 for DHCP external server and DHCP relay proxy bindings IpSubnet IP address assigned to client IpAddress State of the DHCP client binding State IP address of the DHCP server that allocated...

Page 580: ...and interfaces with the specified interface string host1 vr2 show dhcp count interface ip71 4 Assigned Bound Type IpSubnet Interfaces Clients Clients Clients external 0 0 0 0 3 3 3 3 This show dhcp co...

Page 581: ...remote ID string is not supported for the DHCP external server application DHCP external server does not store information about the agent circuit id suboption or agent remote id suboption of option 8...

Page 582: ...ts of the show dhcp host command are arranged in ascending order by IP address whereas the results of the show dhcp binding command are arranged in ascending order by binding ID To display binding inf...

Page 583: ...nding order by IP address To display information about DHCP external server bindings with a specified subnet address host1 vr1 show dhcp host external 0 0 0 0 To display information about DHCP binding...

Page 584: ...available in seconds Lease Detailed output only Time remaining on the current lease in seconds Remaining Detailed output only IP interface that is associated with the client IpInterface Related Topics...

Page 585: ...he current lease in seconds Expire Interface that is associated with the subscriber s computer Interface Related Topics show ip dhcp external binding Monitoring DHCP Bindings Displaying DHCP Bindings...

Page 586: ...ace NOTE This command is deprecated and might be removed completely in a future release The function provided by this command has been replaced by the show dhcp binding command Action To display DHCP...

Page 587: ...ernal Server Configuration Information Purpose Display information about the router s DHCP external server application Action To display DHCP external server information host1 show ip dhcp external co...

Page 588: ...urpose Display statistics for all external DHCP servers or for a specific server Action To display statistics for a DHCP external server host1 config show ip dhcp external statistics server address 10...

Page 589: ...ernal server application Currently this command displays the status of the method that DHCP external server uses to uniquely identify DHCP clients with duplicate MAC addresses Action To display the du...

Page 590: ...Server Address 10 10 20 8 Linked Pool cable5 High utilization threshold 85 Abated utilization threshold 75 Current utilization 0 Utilization trap disabled Shared pool allocations 25 To display informa...

Page 591: ...Servers Address of default router used for subscribers Default Routers DHCP server address that is sent to subscribers Server Address Names of any pools that are linked to this pool Linked Pool Thres...

Page 592: ...ver Authentication Configuration User Prefix ERX4 Boston Domain ISP1 com Password to4TooL8 Virtual Router included Circuit Type included Circuit ID included MAC Address excluded Option 82 excluded To...

Page 593: ...sts that have been granted auth grants Number of authorization requests that have been denied auth denies Related Topics show ip dhcp local auth Monitoring DHCP Local Server Configuration Purpose Disp...

Page 594: ...2005 08 01 12 UTC To display information about all DHCP local server leases host1 show ip dhcp local leases Dhcp Local Leases Address Hardware Lease Initiated Renewed 192 168 0 2 10 06 10 00 10 32 120...

Page 595: ...or clients in the grace period Expiration Infinite or the number of seconds remaining in the lease if any remaining time of grace period for clients in the grace period Remaining Day date and time the...

Page 596: ...packet 17 in error 0 in discard 0 unknown client packet 3 Transmit Statistics offer 4 ack accept 5 ack renew 1 ack rebind 1 nak 3 nak renew 0 nak rebind 0 total out packet 14 out error 0 out discard 0...

Page 597: ...acket Statistics for packets that have been transmitted Transmit Statistics Number of DHCP offer messages sent offer Number of DHCP acknowledgments sent in response to accepted requests ack accept Num...

Page 598: ...d with the vendor option command drop the DHCP application responsible for the action has not been configured yet therefore all packets for this application will be dropped Total 4 entries Vendor opti...

Page 599: ...entries no match Related Topics show dhcp vendor option Monitoring DHCP Packet Capture Settings Purpose Display the configuration for per interface DHCP packet logging Action To display configuration...

Page 600: ...Override Option off Trust All Clients off Preserve Option From Trusted Clients off Circuit ID Sub option 1 on select hostname select exclude subinterface id Remote ID Sub option 2 on Vendor Specific S...

Page 601: ...IP addresses of configured DHCP servers DHCP Server Addresses Related Topics show dhcp relay Monitoring DHCP Relay Proxy Statistics Purpose Display statistics for the DHCP relay proxy NOTE The show dh...

Page 602: ...e messages sent to a server Decline Number of releases sent to a server Release Number of information messages sent to a server Inform Number of clients being maintained by the relay proxy Active Clie...

Page 603: ...tion circuit ID suboption On add Relay Agent Option remote ID suboption On packets with giaddr override 0 packets with Relay Agent Option override 2 packets forwarded with Relay Agent Option already p...

Page 604: ...y reply messages that were discarded because their message type for example offer ack was unknown possibly due to corruption dropped unknown message type reply packets Relay Agent Option statistics st...

Page 605: ...received from DHCP servers that were discarded because their server address and XID do not match an outstanding DHCP server request dropped unknown xid reply packets Number of DHCP relay requests sent...

Page 606: ...gments received from the server Naks received Number of IP addresses rejected because they were already in use addresses declined Number of IP addresses released back to the server addresses released...

Page 607: ...server Address Number of IP address leases granted by the server Leases Number of offers sent by the server Offers Number of requests sent to the server Requests Number of acknowledgments received fr...

Page 608: ...DHCPv6 Local Server DNS Search Lists Purpose Display the DHCPv6 local servers DNS search list Action To display the DNS search list for DHCPv6 local servers host1 show ipv6 dhcpv6 local dns domain sea...

Page 609: ...s Field Description Field Name IPv6 address of the DNS server DNS server Related Topics show ipv6 dhcpv6 local dns servers Monitoring DHCPv6 Local Server Prefix Lifetime Purpose Display the DHCPv6 def...

Page 610: ...pv6 dhcpv6 local statistics command output fields Table 129 show ipv6 dhcpv6 local statistics Output Fields Field Description Field Name Number of bytes of memory used by DHCPv6 local server memUsage...

Page 611: ...es that are being used by DHCP local server clients Optionally display information for a specific duplicate MAC address Action To display information about a specific MAC address being used by multipl...

Page 612: ...hcp Local Interface Limits Total Interface Limit Count Denied Denied atm 3 1 300 127 5 29 To display information about the maximum number of leases on all interfaces host1 config show ip dhcp local li...

Page 613: ...ated Topics show ip dhcp local limits Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server Purpose Display the static IP address MAC address pairs that the DHCP local serve...

Page 614: ...server and DHCP external server Action To display the status of the configured DHCP applications host1 show dhcp summary DHCP local server configured and inactive DHCP relay configured and active Mean...

Page 615: ...nvironment Configuring Subscriber Management on page 577 Monitoring Subscriber Management on page 593 Configuring Subscriber Interfaces on page 597 Monitoring Subscriber Interfaces on page 629 Managin...

Page 617: ...mers to create a unified subscriber management provisioning and service delivery environment The flexibility of the router provides a variety of methods and configurations that enable customers to dyn...

Page 618: ...k service usage that can be used for volume based billing Dynamic address assignment Uses RADIUS DHCP and profiles to dynamically allocate IP addresses to subscribers Dynamic policy management Uses po...

Page 619: ...Subscriber Management Procedure Figure 15 on page 579 shows a subscriber management environment that includes an external DHCP server a RADIUS server the SRC software and the DHCP external server appl...

Page 620: ...to provide authentication authorization accounting and address assignment RADIUS uses the profile to obtain information for the subscriber s IP interface Creates the subscriber s dynamic subscriber in...

Page 621: ...route map exit 6 Enable autoconfiguration mode host1 config interface gigabitEthernet 12 0 host1 config if ip address 192 168 1 1 255 255 255 0 host1 config if ip auto configure ip subscriber include...

Page 622: ...created by JUNOSe subscriber management Specify one of the following circuit types atm or vlan Use the optional prepend circuit type keyword to specify that the circuit type is prepended to the circui...

Page 623: ...nclusion of the IP address in the username See include ip address include mac address Use to include the MAC address identifier in the username that is dynamically created by JUNOSe subscriber managem...

Page 624: ...keyword to specify that the primary interface is assigned to a subscriber See ip auto configure ip subscriber ip auto detect ip subscriber Use to set the router packet detect feature and specify that...

Page 625: ...is greater than the configured value and the interface is deleted On static interfaces the subscriber s access route is removed when the inactivity timer is exceeded When the subscriber logs back in t...

Page 626: ...stateful SRP switchover high availability using an IP service profile to configure subscriber authentication is preferable to using either the subscriber command or the atm atm1483 subscriber command...

Page 627: ...c subscriber interfaces associated with this primary IP interface See ip use framed routes ip subscriber password Use to specify the password for an IP service profile The password is used as the dyna...

Page 628: ...he no version to remove the source address range from the route map See set ip source prefix user name Use to specify the username for an IP service profile The username is used as the dynamically cre...

Page 629: ...ier group filter host1 config policy list classifier group exit host1 config policy list exit host1 config An interface profile that references the restrictAccess policy host1 config profile atlInterf...

Page 630: ...atlServiceProfile host1 config service profile user prefix xyzcorp atl host1 config service profile domain eastcoast host1 config service profile include hostname host1 config service profile include...

Page 631: ...ier vlan host1 config service profile include mac address host1 config service profile include dhcp option 82 agent circuit id host1 config service profile exit host1 config The example generates the...

Page 633: ...tion about IP service profiles host1 show ip service profile ip service profile west500 user name finance22 user prefix xyz bos domain xyzcorp net include virtual router name include mac address inclu...

Page 634: ...file agent circuit id or agent remote id include dhcp option 82 Password used to retrieve information from RADIUS for subscriber interfaces password Related Topics show ip service profile Monitoring A...

Page 635: ...is configured Virtual Router Name of subscriber interface ip indicates that subscriber manager created this interface Interface Day date and time that the subscriber logged in Login Time MAC address o...

Page 637: ...page 616 Subscriber Interfaces Overview You can configure E Series routers to create subscriber interfaces statically or dynamically The following list shows the underlying layer 2 interfaces on which...

Page 638: ...P session An example of a dynamic interface configuration is a PPPoE session running on top of a Gigabit Ethernet VLAN interface Figure 16 on page 598 shows an example of the dynamic interface stack F...

Page 639: ...u must manually configure the SSI and you cannot use the same dynamic profiles and RADIUS that DSIs use Subscribers can be connected to a single broadcast segment without using dynamic or static subsc...

Page 640: ...addresses at any given time For example Figure 18 on page 600 illustrates the relationship between subscriber interfaces an associated primary IP interface and an associated Ethernet interface Figure...

Page 641: ...cally created subscriber interfaces see Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces on page 607 Routing Protocols You configure unicast routing protocols on subscribe...

Page 642: ...6 or a local gaming service on network 10 12 0 0 16 Rate limits and policies on the subscriber interface customize the service level for the associated service In this application the E Series router...

Page 643: ...uter can separate the traffic from subnets A and B Because the E Series router is forwarding traffic in this application the shared IP interface should demultiplex the traffic by using a source addres...

Page 644: ...igabitEthernet 0 1 For E120 and E320 Routers use the slot adapter port format which includes an identifier for the bay in which the I O adapter IOA resides In the software adapter 0 identifies the rig...

Page 645: ...ubscriber an IP address from one of the local address pools In equal access mode the DHCP local server works with Juniper Networks Session and Resource Control SRC software and the authorization accou...

Page 646: ...06 shows the interface stacking in an IP over Ethernet dynamic subscriber interface configuration The illustration indicates which layers in the stack are static and dynamic and identifies the CLI com...

Page 647: ...configurations or the router for packet detection configurations then assigns a subscriber an IP address matching this source prefix the router does not create a dynamic subscriber interface for that...

Page 648: ...is discarded In addition creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router s Address Resolution Protocol ARP table This occurs regardless of whet...

Page 649: ...ow arp command The following sample output from the show ip mac validate interface command displays the MAC address validation state strict inherited by the dynamic subscriber interface ip74 39 64 3 f...

Page 650: ...s on network 10 12 0 0 16 Figure 22 Subscriber Interfaces Using a Destination Address to Demultiplex Traffic E Series router To configure the static subscriber interfaces shown in Figure 22 on page 61...

Page 651: ...an address or make it unnumbered host1 config if ip unnumbered loopback 0 d Specify the destination addresses for the subscriber interface to use to demultiplex traffic host1 config if ip destination...

Page 652: ...yer 2 interface host1 config interface fastEthernet 4 1 b Create a primary IP interface host1 config if ip address 10 1 1 1 255 255 255 0 c Exit Interface Configuration mode host1 config if exit 2 Con...

Page 653: ...subscriber interface IP2 host1 config virtual router vrb Proceed with new virtual router creation confirm yes host1 vrb config interface ip ip2 host1 vrb config if ip share interface fastEthernet 4 1...

Page 654: ...Broadband Services Router or the E320 router you can configure up to 1024 subnets for static subscriber interfaces per primary IP interface when each subnet has a variable network mask that is less th...

Page 655: ...stination if the next hop IP address is resolvable over MPLS If you specify a virtual router the command fails if the VR does not already exist If you do not specify a VR the current VR is assumed Aft...

Page 656: ...ing DHCP events perform the following steps 1 Configure the DHCP server For instructions see Configuring the DHCP Local Server on page 471 2 Specify a Fast Ethernet Gigabit Ethernet or 10 Gigabit Ethe...

Page 657: ...rface by adding a subinterface number to the interface identification command host1 config if interface gigabitEthernet 1 0 1 5 Assign a unique VLAN ID to the VLAN subinterface host1 config if vlan id...

Page 658: ...Configure an associated PVC for the ATM 1483 subinterface by specifying the VCD the VPI the VCI and the encapsulation type host1 config subif atm pvc 10 100 22 aal5snap 5 Specify bridged Ethernet as t...

Page 659: ...GRE tunnel interface For instructions see the Configuration Tasks section in JUNOSe IP Services Configuration Guide 2 Create the primary IP interface by assigning an IP address and mask to the bridge...

Page 660: ...each physical interface this example assigns an IP address to a loopback interface loopback 0 Each physical interface is then configured as an unnumbered IP interface referencing the same loopback int...

Page 661: ...0 10 Create an unnumbered primary IP interface associated with the loopback interface configured in Steps 6 and 7 host1 config if ip unnumbered loopback 0 11 Configure the primary IP interface to ena...

Page 662: ...rver Example host1 config dhcp local default router 10 10 1 1 Use the no version to remove the association between the address pool and the router See default router encapsulation bridge1483 Use to co...

Page 663: ...move an interface or a subinterface if the one above it still exists See interface fastEthernet interface gigabitEthernet Use to select a Gigabit Ethernet interface NOTE You can configure only the pri...

Page 664: ...er host IP addresses within that subnet 1 1 1 1 16 if no specific or longer route entry is found or if the SRP module receives too much traffic from subnets other than 1 1 1 1 the CPU utilization on t...

Page 665: ...figure ip subscriber include primary Use the no version to disable creation of dynamic subscriber interfaces associated with this primary IP interface Use the no version with the include primary keywo...

Page 666: ...amic creation of subscriber interfaces to demultiplex traffic with the specified source address You can issue this command from either Interface Configuration mode or Subinterface Configuration mode E...

Page 667: ...er can provide from an address pool Example host1 config dhcp local network 10 10 1 0 255 255 255 0 Use the no version to remove the network address and mask See network service dhcp local Use to enab...

Page 668: ...vlan id Use to configure a VLAN ID for a VLAN subinterface Specify a VLAN ID number that is in the range 0 4095 and is unique within the Ethernet interface Issue the vlan id command before you config...

Page 669: ...see the Monitoring IP section in JUNOSe IP Services Configuration Guide Action You can use the show ip demux interface command to monitor the configuration of subscriber interfaces Monitoring Subscri...

Page 670: ...Display information about active IP subscribers that were created by the JUNOSe software s subscriber management feature Action To display information about subscribers that were created by subscribe...

Page 671: ...at subscriber manager created this interface Interface Day date and time that the subscriber logged in Login Time MAC address of the subscriber Mac Address AAA profile handle Profile Handle Interface...

Page 673: ...Part 6 Managing Subscriber Services Configuring Service Manager on page 635 Monitoring Service Manager on page 701 Managing Subscriber Services 633...

Page 675: ...on page 661 Combined and Independent IPv4 and IPv6 Services in a Dual Stack Overview on page 663 Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack on page 664 Configuring RADIUS Ac...

Page 676: ...and Acronyms Table 138 on page 636 defines terms and acronyms that are used in this discussion of the Service Manager application Table 138 Service Manager Terms and Acronyms Definition Term A service...

Page 677: ...tion about the topics covered in this chapter see the following documents Data Over Cable Service Interface Specifications DOCSIS 2 0 Radio Frequency Interface Specification CM SP RFIv2 0 I10 051209 F...

Page 678: ...nable statistics collection Activate the service session Deactivate service sessions Optional for RADIUS CoA method Configure the CoA feature for the RADIUS dynamic request server Use the CLI to manag...

Page 679: ...hen you can associate the service definition with subscribers to create their service sessions Service definitions give you flexibility by enabling you to use A single service definition to create a...

Page 680: ...initions independent of the Service Manager commands and operations which are performed on the E Series router For detailed information about the JUNOSe software s macro language see the Command Line...

Page 681: ...n the service definition that has the error Optional command in error Passes the value env getErrorStatus Service Manager displays the error status for the error Optional command error status Specifie...

Page 682: ...d hierarchical policy parameters Optional output stat epg Collects input statistics associated with the external group that is attached at the secondary input stage from policy manager Both the extern...

Page 683: ...continue to use the original definition until you deactivate the service session 4 Modify You can update an existing service definition file at any time To update a service definition file a Use your...

Page 684: ...eferencing Policies in Service Definitions In Profile Configuration mode policy interface commands for IP and L2TP allow attachments to be merged into any existing merge capable attachment at an attac...

Page 685: ...oS profile when activating a service but make sure that the QoS profile is attached to the subscriber s interface For more information about configuring QoS profiles see the Configuring and Attaching...

Page 686: ...pecify that Service Manager create QoS parameter instances when the subscriber logs in during service activation or through RADIUS QoS parameter VSAs You can specify up to eight parameter instance com...

Page 687: ...ue 15000 In Profile Configuration mode the no version removes the QoS parameter instance command in the profile See qos parameter Specifying QoS Parameter Instances in a Service Definition After you c...

Page 688: ...rameterName4 for the subscriber s interface If it finds a parameter instance it adds bandwidth2 3 000 000 to the current value If Service Manager does not find a parameter instance it creates one with...

Page 689: ...g parameter instances in profiles and modifying explicit parameter instances can cause invalid parameter instance values Table 141 on page 649 lists a series of activations and deactivations using par...

Page 690: ...events Table 142 on page 650 lists the sources that overwrite QoS profiles and parameter instances created by other sources Each row represents new QoS profiles and parameter instances columns represe...

Page 691: ...ager using other sources without affecting the reference counts For more information see QoS Statistics on page 653 RADIUS QoS profile attachments and parameter instances configured through RADIUS can...

Page 692: ...and parameter instances After removing the QoS profile and parameter instances Service Manager automatically removes the following QoS configurations in the following order 1 QoS profiles 2 Scheduler...

Page 693: ...ch time the parameter is modified through service deactivation References of regular parameter instances are also counted using a separate reference count Parameter instances are removed when both ref...

Page 694: ...s greater flexibility and efficient management for a large number of subscribers and services Enables you to use mutual exclusion mutex groups to create mutex services RADIUS CoA only CLI based suppor...

Page 695: ...when you have a large number of users already logged in through RADIUS and you want to activate new services for them This method is also used for the guided entrance service described in Guided Entra...

Page 696: ...VSA you specify values for the input and output bandwidth tiered 1280000 5120000 2 Specify optional VSAs for the service session as needed Service Volume Service Timeout Service Statistics Service Ma...

Page 697: ...hat the service is to remain active the service is terminated when the time expires a tagged VSA Access Accept and CoA Request Service Timeout 26 68 Statistics configuration a tagged VSA 0 disable 1 t...

Page 698: ...000 and output bandwidth of 5120000 The subscriber can use the service for 5 hours 18000 seconds and Service Manager captures both timestamp and volume statistics during the session service statistics...

Page 699: ...ics 600 2 service interim acct interval voice 100000 6 service activation 1440 6 service timeout 1200 6 service interim acct interval Using RADIUS to Deactivate Service Sessions A service session can...

Page 700: ...ervices NOTE Service Manager terminates a session when the output byte count exceeds the configured service volume threshold The output byte count is captured by the output stat clacl string in the cl...

Page 701: ...existing service This ensures that the subscriber is never without an active service In the original CoA Request method the order of activation and deactivation is random in some cases the existing se...

Page 702: ...lighted in bold text parameterizes input and output bandwidth tiered inputBW outputBW uid app servicemanager getUniqueId name SM tiered uid oname SM O tiered uid classifier list matchAll ip any any ra...

Page 703: ...in which IPv4 and IPv6 protocols share a common transport and framing layer A dual stack implementation supports both IPv4 and IPv6 hosts to help provide a smooth transition to all parts of an enterpr...

Page 704: ...when IPv6 subscribers or IPv4 and IPv6 subscribers in a dual stack are in a network When you create the service definition include the following service attribute in the service definition if you want...

Page 705: ...rvice is deleted when the service is deactivated Combined IPv4 and IPv6 Service in a Dual Stack To configure a single service for IPv4 and IPv6 interfaces you can create and install one service defini...

Page 706: ...s You must enable Service Manager volume statistics for a service session When you terminate a subscriber session Service Manager first sends RADIUS Acct Stop messages for any active services associat...

Page 707: ...ng interval for services that are created during a user RADIUS based login and services that are activated by a CoA operation The service interim accounting interval is specified by the RADIUS Service...

Page 708: ...vate attribute VSA 26 65 Table 149 on page 668 describes a sample Acct Start message for a service session In the table the three fields used by Service Manager are shown in bold characters An Acct St...

Page 709: ...l aaa service accounting interval Use to specify the default interval between service accounting updates Service manager uses the default interval when no value is specified in the Service Interim Ac...

Page 710: ...reset the accounting interval to 0 which turns off interim user accounting when no value is specified in the RADIUS Acct Interim Interval attribute See aaa user accounting interval Service Interim Acc...

Page 711: ...ce definitions for example you might use the CLI commands to verify that a newly created service definition is correct When you are satisfied with the service definition you can then use RADIUS to act...

Page 712: ...ssion keyword tiered 1280000 5120000 service management owner session Use to activate a service for an existing subscriber by identifying the owner used to create the subscriber session and specifying...

Page 713: ...management owner session service management subscriber session service session Use to activate a service for a subscriber by creating a subscriber session and a service session NOTE Always activate at...

Page 714: ...ger s performance Typically when you use a service definition to activate a subscriber s service session Service Manager uses resources to build that service However if you later use the same service...

Page 715: ...service s duration and traffic volume volume Specifies that the service is automatically deactivated when the indicated traffic volume is exceeded time Specifies that the service is automatically deac...

Page 716: ...ollect statistics about both the volume of traffic and the duration of the service session Example host1 config service management service session profile vodISP1 host1 config service session profile...

Page 717: ...elete the volume attribute from the service session profile See volume Using the CLI to Deactivate Subscriber Service Sessions The CLI supports several methods that enable you to manually deactivate s...

Page 718: ...service management owner session command See service management owner session no service management subscriber session service session Use to gracefully deactivate service sessions for a subscriber U...

Page 719: ...when a threshold is reached you create a service session profile that includes a time threshold or a volume threshold or both Then you attach the service session profile when you activate the service...

Page 720: ...stics Collection with the CLI on page 682 if you are using the CLI Setting Up the Service Definition File for Statistics Collection Service Manager statistics are based on classifier lists the classif...

Page 721: ...profile Example 2 This example shows how you can also configure your service definition to collect total statistics from multiple classifier lists The following command specifies that three classifier...

Page 722: ...ed3 host1 config service session profile statistics volume time host1 config service session profile 2 Apply the service session when you activate the subscriber service session host1 config service m...

Page 723: ...t string external parent grp name policy parameter name The string variable specifies the type of statistics to track Service Manager supports the following strings input stat epg Track input statisti...

Page 724: ...ber of JUNOSe commands in a service definition to specify a service Reference objects in service definitions Referencing commonly used objects is more resource efficient than using unique objects for...

Page 725: ...put stat clacl matchAll endtmpl Sample RADIUS Attributes Value Tag RADIUS Attribute client1 isp1 com none username tiered 1280000 5120000 1 activate service Sample CLI Command host1 config service man...

Page 726: ...ay MG based service that has upstream and downstream components The IP address and port for both the subscriber and the opposite end of the phone call were originally negotiated with the SBC The VoIP...

Page 727: ...ubscriber might be shown a Web site that offers services such as Predefined services A group of user selectable services that meets a variety of needs of a single subscriber The subscriber might selec...

Page 728: ...ng the HTTP Local Server to Support Guided Entrance on page 690 for information about the HTTP local server RADIUS Dynamic Request Server and CoA messages Enables RADIUS to dynamically activate the ne...

Page 729: ...profile profileName endtmpl Sample RADIUS Attributes Value Tag RADIUS Attribute client5 isp1 com none username http 192 168 25 2 80 1 activate service Sample CLI Command host1 config service manageme...

Page 730: ...service Tiered Service Selected at Web Site Value Tag RADIUS Attribute client5 isp1 com none username tiered 1280000 5120000 2 activate service http 192 168 25 2 80 deactivate service 720 2 service t...

Page 731: ...cify the maximum number of connections that can exist between one IP address and the HTTP local server host1 west40 config ip http same host limit 20 6 Specify the maximum time that HTTP local servers...

Page 732: ...servers maintain connections host1 west40 config ip http max connection time 1000 7 Enable the HTTP local server to listen for and process IPv6 exception packets host1 west40 config ipv6 http server 8...

Page 733: ...n time ip http port Use to specify the port on which the HTTP local server receives connection attempts for IPv4 exception packets Specify a port number in the range 1 65535 Example host1 config ip ht...

Page 734: ...local server Specify a number in the range 0 1000 Example host1 config ip http same host limit 20 Use the no version to restore the default number of allowed connections 3 See ip http same host limit...

Page 735: ...ion for the subscriber HTTP redirect is per interface use the command in Interface Configuration mode or Subinterface Configuration mode for static interfaces and use the command in Profile Configurat...

Page 736: ...ut must limit the total flow for IPv4 and IPv6 interfaces to 64 Kbps Figure 33 Input Traffic Flow with Rate Limit Profile on an External Parent Group for a Combined IPv4 IPv6 Service VoIP 64 Kbps VoIP...

Page 737: ...ericName vb in destination host VB6G1 n ipv6 classifier list cl46 6 genericName vb out source host VB6G1 n ip policy list pl v4v6 genericName in classifier group cl46 4 genericName vb in external pare...

Page 738: ...ansmit unconditional The conformed action which sets the action for packets not conforming to the committed rate and committed burst size but conforming to the peak rate and peak burst size for a rate...

Page 739: ...ce Manager track statistics associated with the external parent group named vb v4v6 in and the corresponding hierarchical policy named v4v6 and that this external parent group is associated with the p...

Page 740: ...d traffic denoted as inBw in the macro 10 0 0 1 Host IP address for IPv4 subscribers denoted as VBG1 in the macro 2001 1 Host IP address for IPv6 subscribers denoted as VB6G1 in the macro vlan Interfa...

Page 741: ...oring IPv4 and IPv6 Interfaces for Service Manager on page 707 Monitoring Service Definitions on page 717 Monitoring Service Session Profiles on page 718 Monitoring Active Owner Sessions with Service...

Page 742: ...eld Name Maximum time that the HTTP local server maintains an inactive connection in seconds Maximum connection length Number of configured Web servers Current number of http servers Number of Web ser...

Page 743: ...ection Listening port Maximum number of connections allowed between one IP address and the HTTP local server Same host limit Protocols that the HTTP local server is listening for IPv4 IPv6 or IPv4 and...

Page 744: ...s No resource failures Total number of HTTP connections established Http connections created Total number of HTTP connections ended Http connections terminated Total number of HTTP connections that ex...

Page 745: ...g the Default Interval for Interim Accounting of Services Purpose Display the default interval used for interim accounting for services associated with users on the virtual router An entry of 0 indica...

Page 746: ...ng Profiles for Service Manager Purpose Display information about the policies and QoS configurations referenced in profiles Action To display information about a specific profile host1 show profile n...

Page 747: ...hernet 1 1 200 GigabitEthernet1 1 line protocol Ethernet is up ip is not present Network Protocols IP Multipath mode hashed Auto Configure disabled Auto Detect disabled Inactivity Timer disabled Use F...

Page 748: ...tes 0 Unicast Packets 0 Bytes 0 Multicast Packets 0 Bytes 0 In Total Dropped Packets 0 Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Fo...

Page 749: ...put fields Table 159 show ip interface Output Fields Field Description Field Name Interface type and specifier interface Status of the interface interface status URL to which a subscriber s initial we...

Page 750: ...ts received with destination unreachable dst unreach Packets sent with time to live exceeded time excd Packets sent with parameter errors param probs Source quench packets sent src quench Send packets...

Page 751: ...d into an output IP interface In Forwarded Packets Bytes Total number of packets and bytes that were dropped on the interface In Total Dropped Packets Bytes Packets discarded on a receive IP interface...

Page 752: ...kets and bytes dropped by the scheduler because they exceeded the contract Out Scheduler Drops Exceeded Packets Bytes Packets discarded on the egress interface because of rate limiting Out Policed Pac...

Page 753: ...tion unreachable destination unreach Packets received because the destination was administratively unreachable for example the packet encountered a firewall filter admin unreach Packets sent with para...

Page 754: ...eived packet redirects redirects Echo request ping packets echo requests Echo replies received echo replies Number of received router solicitations rtr solicits Number of received router advertisement...

Page 755: ...fixes for neighbor discovery router advertisement ND RA advertising prefixes Total number of packets and bytes received on the IP interface In Received Packets Bytes Unicast packets and bytes received...

Page 756: ...face because of rate limiting Out Policed Packets Packets discarded on the egress interface because of a configuration problem rather than a problem with the packet itself Out Discarded Packets Type i...

Page 757: ...True Service tiered inputbw outputbw Reference Count 0 To display summary information for all service definitions host1 show service management service definition brief Service Definitions Reference F...

Page 758: ...Timestamp Related Topics show service management service definition Monitoring Service Session Profiles Purpose Display information about service session profiles configured on your router Action To d...

Page 759: ...latile Sessions CLIENT1 ISP COM ip192 168 0 3 1 AAA 4194326 Active False 1 CLIENT2 ISP COM ip192 168 0 7 2 AAA 4194327 Active False 1 CLIENT3 ISP COM ip192 168 0 4 3 AAA 4194328 Active False 1 CLIENT4...

Page 760: ...163 show service management owner session Output Fields Field Description Field Name Name of the subscriber or name of the service session Name Type and IP address of the subscriber s interface Interf...

Page 761: ...profile or RADIUS VSA Volume Volume left until the threshold is exceeded this value starts as the volume threshold value and is decremented as the service statistics measure volume Volume Expire Curre...

Page 762: ...192 168 0 1 User Name CLIENT1 ISP COM Interface ip 192 168 0 1 Id 1 Owner AAA 4194326 Non volatile False State Active ServiceSessions Name mutex Owner Id State Operation tiered 2000000 3000000 AAA 41...

Page 763: ...ervice session belongs mutex Method used to activate the subscriber session CLI AAA and ID number generated by the owner Acct Session ID for AAA Owner Id Status of the subscriber session active or ina...

Page 764: ...tistics measure volume Volume Expire Current value of input bytes that the statistics configuration is measuring Input Bytes Current value of output bytes that the statistics configuration is measurin...

Page 765: ...utput Fields Field Description Field Name Number of active subscriber sessions on the router Total Subscriber Sessions Number of active service sessions on the router Total Service Sessions Related To...

Page 767: ...Part 7 Index Index on page 729 Index 727...

Page 769: ...aaa ipv6 nd ra prefix framed ipv6 prefix 90 aaa local database 41 aaa local select database 41 aaa local username 41 aaa new model 311 319 aaa parse direction 12 aaa parse order 12 aaa profile 63 68...

Page 770: ...k Count RADIUS attribute 51 201 Acct Multi Session Id RADIUS attribute 50 201 Acct Off messages 175 Acct On messages 175 Acct Output Gigapackets RADIUS attribute 26 36 218 Acct Session Id RADIUS attri...

Page 771: ...to domain 57 mapping backup address pool to domain 58 mapping IPv6 local address pool to domain 60 mapping user domain names to a virtual router 8 mapping user requests without a valid domain name 8 w...

Page 772: ...a dual stack activating 665 backward compatibility 665 deactivating 665 example 696 performance impact 665 rate limiting and example 696 service interim accounting 670 statistics collection and extern...

Page 773: ...process 464 local pool selection 464 overview 464 SRC Session and Resource Control software 455 local address pool group 480 551 local pool selection equal access 464 using domain name 465 using frame...

Page 774: ...ls DHCPv6 local server IPv6 483 DHCPv6 Prefix Delegation and IPv6 Neighbor Discovery without configuring Delegated IPv6 Prefix 90 assigned prefix length of 128 in local address pools 103 enabling IPv6...

Page 775: ...AAA access and accounting messages 182 DSLAMs digital subscriber line access multiplexers 4 DSLs digital subscriber lines 4 dual stack combined IPv4 and IPv6 services example of 696 IPv4 and IPv6 serv...

Page 776: ...ion from Access Accept messages 90 Framed Ipv6 Route RADIUS attribute 99 211 Framed MTU RADIUS attribute 12 21 G giaddr 465 489 GRE Generic Routing Encapsulation tunnels dynamic subscriber interfaces...

Page 777: ...s ip dhcp server 458 ip http commands ip http 690 ip http access class 690 ip http max connection time 690 ip http port 690 ip http redirecturl 690 ip http same host limit 690 ip http server 690 IP in...

Page 778: ...DIUS attribute 26 46 219 Ipv6 NdRa Prefix RADIUS attribute 26 46 225 IPv6 NdRa Prefix attribute used for IPv6 Neighbor Discovery from Access Accept messages 90 IPv6 Primary DNS RADIUS attribute 26 47...

Page 779: ...25 428 show l2tp destination profile command 431 l2tp rx connect speed when equal command 360 L2TP transmit connect speed and Transmit TX Speed AVP 24 394 calculation methods how to configure 394 moni...

Page 780: ...enting IP spoofing 607 macros service definitions 636 Service Manager statistics 680 manuals comments on xxxix max sessions command 31 MBS RADIUS attribute 26 17 217 media access control addresses See...

Page 781: ...lifetime for delegated prefixes configuring 105 default 105 setting without expiration 105 Prefix Delegation See DHCPv6 Prefix Delegation prefixes allocated to clients from interface configuration 10...

Page 782: ...radius include access loop parameters 203 radius include acct authentic 197 radius include acct delay time 197 radius include acct link count 197 radius include acct multi session id 197 radius inclu...

Page 783: ...ort format stacked 254 See also show radius commands RADIUS dynamic request server change of authorization messages 239 disconnect messages 237 how it works 237 message exchange 237 239 monitoring 244...

Page 784: ...ovisioning services 671 674 QoS considerations 652 modifying configurations of 647 referencing configurations of 645 removing references of 647 RADIUS dynamic request server 688 RADIUS support 654 RAD...

Page 785: ...al 705 show aaa statistics 125 show aaa subscriber per port limit 127 show aaa subscriber per vr limit 127 show aaa timeout 127 show aaa tunnel group 422 424 show aaa tunnel parameters 424 426 show aa...

Page 786: ...est statistics 305 show radius ethernet port type 301 show radius icr partition accounting 310 show radius nas identifier 299 show radius nas port format 298 show radius override 297 show radius pppoe...

Page 787: ...pport system log messages 33 T TACACS AAA services 311 accounting 311 authentication login process 311 authorization 311 configuring 316 daemon 311 312 host 312 NAS network access server 311 312 privi...

Page 788: ...ain mapping to L2TP tunnel 353 User Name RADIUS attribute 1 10 user name command 588 user prefix command 588 usernames and passwords from a domain configuring 16 using shared tunnel server ports 370 V...
