Home
/
Juniper
/
JUNOSE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-4-2010
/
Configuration Manual

Juniper JUNOSE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-4-2010, Configuration Manual

Share

Page: 435 / 794

Juniper JUNOSE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-4-2010 Configuration Manual Download Page 435

■

AAA tunnel groups

■

RADIUS Access-Accept messages

If none of these methods are used, you can apply the L2TP tunnel switch profile as
an AAA default tunnel parameter. The default tunnel switch profile has lower
precedence than the other methods for applying the tunnel switch profile.

For more information about the methods for applying L2TP tunnel switch profiles,
see “Configuration Tasks” on page 396

.

Configuration Guidelines

The following rules apply when you configure L2TP tunnel switch profiles:

■

L2TP tunnel switching must be enabled for tunnel switch profiles to take effect.
For information, see “Enabling Tunnel Switching” on page 384

■

L2TP tunnel switch profiles have no effect when they are assigned to a LAC
session that is not tunnel switched.

■

The router can relay only those AVPs that are accepted at the LNS. Malformed
AVPs are never relayed.

■

If a tunnel grant response specifies a named tunnel switch profile that has not
been configured on the router, the router prohibits connection of the L2TP
tunnel-switched session.

■

If you remove a tunnel switch profile, the router also disconnects all associated
L2TP switched sessions using that profile.

■

In some cases, attributes configured in a tunnel switch profile take precedence
over similar attributes configured globally on the router.

For example, configuring L2TP Calling Number AVP 22 for relay overrides the

l2tp disable calling-number-avp

command issued from Global Configuration

mode to prevent the router from sending AVP 22 in incoming-call-request (ICRQ)
packets. In this scenario, the router relays the Calling Number AVP.

Configuring L2TP AVPs for Relay

Previously, the router did not preserve the values of incoming L2TP AVPs across the
LNS/LAC boundary in an L2TP tunnel-switched network. The router regenerated most
incoming AVPs, such as L2TP Calling Number AVP 22, based on the local policy in
effect. However, some AVPs, such as Cisco NAS Port Info AVP 100, were dropped.

In an L2TP tunnel switch profile, you can define the types of AVPs that the router
can relay unchanged across the LNS/LAC boundary. You can specify that the router
relay one or more of the following AVP types:

■

L2TP Bearer Type AVP 18

■

L2TP Calling Number AVP 22

■

Cisco NAS Port Info AVP 100

Configuring L2TP Tunnel Switch Profiles

■

395

Chapter 13: Configuring an L2TP LNS

«
...
433
434
435
436
437
...
»

Summary of Contents for JUNOSE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-4-2010

Page 1: ...r E Series Broadband Services Routers Broadband Access Configuration Guide Release 11 1 x Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale California 94089 USA 408 745 2000 www juniper net Pu...

Page 2: ...92 051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 578 186 and 6 590 785 JUNOSe Software for E Series Broadband Services Routers Broadband Acc...

Page 3: ...alms devices links ports or transactions or require the purchase of separate licenses to use particular features functionalities services applications operations or capabilities or provide throughput...

Page 4: ...n connection with such withholding taxes by promptly providing Juniper with valid tax receipts and other required documentation showing Customer s payment of any withholding taxes completing appropria...

Page 5: ...nted to in writing by the party to be charged If any portion of this Agreement is held invalid the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement T...

Page 6: ...vi...

Page 7: ...itoring RADIUS 303 Chapter 9 Configuring TACACS 317 Chapter 10 Monitoring TACACS 329 Part 3 Managing L2TP Chapter 11 L2TP Overview 335 Chapter 12 Configuring an L2TP LAC 343 Chapter 13 Configuring an...

Page 8: ...criber Management 599 Chapter 25 Configuring Subscriber Interfaces 603 Chapter 26 Monitoring Subscriber Interfaces 635 Part 6 Managing Subscriber Services Chapter 27 Configuring Service Manager 641 Ch...

Page 9: ...ons 5 B RAS Protocol Support 5 Remote Access References 6 Before You Configure B RAS 6 Remote Access Configuration Tasks 6 Configuring a B RAS License 7 Mapping a User Domain Name to a Virtual Router...

Page 10: ...nd 41 Using the aaa local username Command 41 Assigning a Local User Database to a Virtual Router 42 Enabling Local Authentication on the Virtual Router 42 Configuration Commands 43 Local Authenticati...

Page 11: ...he SRC Client 94 Retrieval of DSL Line Rate Information from Access Nodes Overview 102 DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview 103 DHCPv6 Prefix Delegation Example 105 Orde...

Page 12: ...cs About the COPS Layer 138 Monitoring Local Address Pool Aliases 140 Monitoring Local Address Pools 140 Monitoring Local Address Pool Statistics 142 Monitoring Shared Local Address Pools 142 Monitori...

Page 13: ...ETF Attributes 191 4 NAS IP Address 191 5 NAS Port 192 8 Framed IP Address 195 9 Framed Ip Netmask 195 13 Framed Compression 196 25 Class 197 30 Called Station Id 197 31 Calling Station Id 197 32 NAS...

Page 14: ...tions 228 26 56 DHCP MAC Address 228 26 57 DHCP GI Address 229 26 62 MLPPP Bundle Name 229 26 63 Interface Desc 230 26 81 L2C Information 230 26 92 L2C Up Stream Data 230 26 93 L2C Down Stream Data 23...

Page 15: ...ring RADIUS Relay Server 251 RADIUS Relay Server Overview 251 RADIUS Relay Server Platform Considerations 252 RADIUS Relay Server References 252 How RADIUS Relay Server Works 252 Authentication and Ad...

Page 16: ...RADIUS Dynamic Request Server Statistics 311 Monitoring the Configuration of the RADIUS Dynamic Request Server 312 Setting a Baseline for RADIUS Relay Statistics 313 Monitoring RADIUS Relay Server Sta...

Page 17: ...the Router 346 Preventing Creation of New Tunnels and Sessions at a Destination 347 Preventing Creation of New Sessions for a Tunnel 347 Specifying a Drain Timeout for a Disconnected Tunnel 347 Shutti...

Page 18: ...etting 382 Selecting Service Modules for LNS Sessions Using MLPPP 382 Assigning Bundled Group Identifiers 383 Overriding All Endpoint Discriminators 384 Enabling Tunnel Switching 384 Creating Persiste...

Page 19: ...r Dynamic Speed Timeout 404 Advisory Speed Precedence for VLANs over Bridged Ethernet 404 Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method 404 Using AAA Tunnel Groups t...

Page 20: ...onnection 441 Monitoring Detailed Configuration Information about Specified Sessions 442 Monitoring Configured and Operational Summary Status 443 Monitoring Configured Switch Profiles on Router 444 Mo...

Page 21: ...ith the Same Client ID or Hardware Address 480 Logging Out DHCP Local Server Subscribers 481 Clearing an IP DHCP Local Server Binding 482 Using SNMP Traps to Monitor DHCP Local Server Events 482 Using...

Page 22: ...dhcp relay agent sub option Command to Enable Option 82 Suboption Support 511 Configuration Example Using DHCP Relay Option 82 to Pass IEEE 802 1p Values to DHCP Servers 513 Using the set dhcp relay...

Page 23: ...n 546 Monitoring DHCP Binding Host Information 548 Monitoring DHCP Bindings Displaying IP Address to MAC Address Bindings 550 Monitoring DHCP Bindings Displaying DHCP Bindings Based on Binding ID 551...

Page 24: ...Identifier and No Circuit Type 595 Username with VLAN Circuit Identifier and Circuit Type 596 Username with MAC Address 596 Chapter 24 Monitoring Subscriber Management 599 Monitoring IP Service Profil...

Page 25: ...faces 622 Configuring Dynamic Subscriber Interfaces over Ethernet 622 Configuring Dynamic Subscriber Interfaces over VLANs 623 Configuring Dynamic Subscriber Interfaces over Bridged Ethernet 624 Confi...

Page 26: ...to Deactivate Service Sessions 665 Setting Thresholds 665 Using the Deactivate Service Attribute 666 Using Mutex Groups to Activate and Deactivate Subscriber Services 667 Activating and Deactivating M...

Page 27: ...702 Chapter 28 Monitoring Service Manager 707 Setting a Baseline for HTTP Local Server Statistics 707 Monitoring the Connections to the HTTP Local Server 708 Monitoring the Configuration of the HTTP L...

Page 28: ...xxviii Table of Contents JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 29: ...ing the E Series Router as an LAC 336 Figure 8 Using the E Series Router as an LNS 336 Chapter 12 Configuring an L2TP LAC 343 Figure 9 Lockout States 367 Chapter 14 Configuring L2TP Dial Out 411 Figur...

Page 30: ...tion 623 Figure 25 IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration 624 Figure 26 IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration 625 Figure 27 GRE Tu...

Page 31: ...Fields 123 Table 15 show aaa route download Output Fields 124 Table 16 show aaa route download routes Output Fields 126 Table 17 show aaa route download routes global Output Fields 128 Table 18 show...

Page 32: ...ss Request Attributes 253 Table 48 Required RADIUS Accounting Attributes 254 Chapter 6 RADIUS Attribute Descriptions 259 Table 49 RADIUS IETF Attributes Supported by JUNOSe Software 259 Table 50 Junip...

Page 33: ...ers Output Fields 432 Table 83 show l2tp Output Fields 434 Table 84 show l2tp destination Output Fields 436 Table 85 show l2tp destination lockout Output Fields 437 Table 86 show l2tp destination prof...

Page 34: ...p relay proxy statistics Output Fields 568 Table 122 show dhcp relay statistics Output Fields 570 Table 123 show dhcp server statistics Output Fields 572 Table 124 show dhcp server Output Fields 573 T...

Page 35: ...hapter 28 Monitoring Service Manager 707 Table 152 show ip http scalar Output Fields 708 Table 153 show ip http server Output Fields 709 Table 154 show ip http statistics Output Fields 710 Table 155 s...

Page 36: ...xxxvi List of Tables JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 37: ...mation in the latest release notes differs from the information in the documentation follow the JUNOSe Release Notes To obtain the most current version of all Juniper Networks technical documentation...

Page 38: ...2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents information as displayed on your terminal s screen Fixed width text like this There are two levels of a...

Page 39: ...from the Juniper Networks Web site athttp www juniper net Documentation Feedback We encourage you to provide feedback comments and suggestions so that we can improve the documentation to better meet...

Page 40: ...e notes http www juniper net customers csc software Search technical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Network...

Page 41: ...Part 1 Managing Remote Access Configuring Remote Access on page 3 Monitoring and Troubleshooting Remote Access on page 113 Managing Remote Access 1...

Page 42: ...2 Managing Remote Access JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 43: ...g Local Authentication Servers on page 40 Configuring Tunnel Subscriber Authentication on page 50 Configuring Name Server Addresses on page 51 Configuring Local Address Servers on page 54 Configuring...

Page 44: ...bscribers into a centralized point so that it can be uploaded to the router over an ATM connection via a DS3 OC3 E3 or OC12 link The router provides the logical termination for PPP sessions as well as...

Page 45: ...ty to limit network services to different users Accounting Tracks what the user did and when they did it You can use accounting for an audit trail or for billing for connection time or resources used...

Page 46: ...Refer to the Release Notes corresponding to your software release for information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers Bef...

Page 47: ...or port 16 Optional Set up the router to notify RADIUS when a user fails AAA 17 Optional Configure a RADIUS download server on the router 18 Optional Configure the Session and Resource Control SRC cl...

Page 48: ...dialog box When the router is configured to require authentication of a PPP user the router checks for the appropriate user domain name to virtual router mapping If it finds a match the router sends...

Page 49: ...the LNS Also the phone number configured in the aaa domain map command must be an exact match to the value passed by L2TP in the called number AVP AVP 21 For example as specified in the following seq...

Page 50: ...ntication of PPP sessions This address is included in the Access Request sent to the authentication server as an IP address hint aaa domain map Use to map a user domain name to a virtual router or a l...

Page 51: ...main map ipv6 router name vroutv6 Use the no version to delete the entry See ipv6 router name local interface Use to map a user domain name to a loopback interface The local interface identifies the i...

Page 52: ...e router searches for the domain name or the realm name To provide these features the router allows you to specify delimiters for the domain name and realm name You can use up to eight one character d...

Page 53: ...cifying the Domain Name or Realm Name Parse Direction You can specify the direction either left to right or right to left in which the router performs the parsing operation when identifying the realm...

Page 54: ...Example host1 config aaa delimiter domainName Use the no version to return to the default See aaa delimiter aaa parse direction Use to specify the direction the router uses to parse the username for...

Page 55: ...bc com the domain name is usEast If no realm name is found the router searches for a domain name Example host1 config aaa parse order domain first Use the no version to return to the default realm fir...

Page 56: ...e Name for Users from a Domain Assigning a single username and a single password for all users associated with a domain provides better compatibility with some RADIUS servers You can use this feature...

Page 57: ...host1 config aaa domain map xyz com host1 config domain map Use the no version to delete the map entry See aaa domain map override user Use to specify a single username and single password for all use...

Page 58: ...ed For example suppose that you have configured the following authentication servers Auth1 Auth2 Auth3 Auth4 and Auth5 Your router attempts to send an authentication request to Auth1 If Auth1 is unava...

Page 59: ...Routers ERX310 ERX710 ERX1410 and E120 Broadband Services Routers RADIUS Request Type 50000 50124 50000 50124 RADIUS authentication 50125 50499 50125 50249 RADIUS accounting 50500 50624 50250 50374 R...

Page 60: ...PPP and an external RADIUS authentication server The JUNOSe software s AAA service accepts and passes EAP messages between the JUNOSe application and the router s internal RADIUS authentication serve...

Page 61: ...If you have enabled duplicate or broadcast accounting the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context Duplicate and Broadca...

Page 62: ...ters in the group host1 vr group config aaa virtual router 1 vrXyz1 host1 vr group config aaa virtual router 2 vrXyz2 host1 vr group config aaa virtual router 3 vrXyz3 host1 vr group config exit host1...

Page 63: ...ers you cansure configure depends on available memory The router has an embedded RADIUS client for authentication and accounting NOTE You can configure B RAS with RADIUS accounting but without RADIUS...

Page 64: ...al Enable duplicate address checking host1 config aaa duplicate address check enable 10 Optional Specify that duplicate accounting records be sent to the accounting server for a virtual router host1 c...

Page 65: ...aa accounting broadcast westVrGroup38 host1 vrSouth25 config exit Use the no version to disable the AAA broadcast accounting See aaa accounting broadcast aaa accounting default Use to specify the acco...

Page 66: ...s be sent to the accounting server on another virtual router Example host1 config aaa accounting duplication routerBoston Use the no version to disable the feature See aaa accounting duplication aaa a...

Page 67: ...to collect only the uptime status of the sessions Collecting only uptime information is more efficient because less data is sent to AAA Example host1 config aaa accounting statistics time Use the no v...

Page 68: ...s of authentication used in the order specified For example radius none specifies that RADIUS authentication is initially used however if RADIUS servers are not available users are granted access with...

Page 69: ...which turns off interim user accounting when no value is specified in the RADIUS Acct Interim Interval attribute See aaa user accounting interval aaa virtual router Use to add virtual routers to a vir...

Page 70: ...available To turn off the deadtime mechanism specify a value of 0 Example host1 config radius authentication server 10 10 0 1 host1 config radius deadtime 10 Use the no version to set the time to the...

Page 71: ...ystem Maximums The same IP address can be used for both an authentication and accounting server but not for multiple servers of the same type The router uses different UDP ports for authentication ser...

Page 72: ...of the show radius servers command see Monitoring RADIUS Server Information on page 145 Example host1 config radius algorithm round robin Use the no version to set the algorithm to the default direct...

Page 73: ...ect Tunnel Link Start Tunnel Link Stop and Tunnel Link Reject as described in RFC 2867 Your router supports tunnel accounting for the L2TP LAC and LNS Example host1 config radius tunnel accounting ena...

Page 74: ...verify RADIUS authentication and accounting and IP address assignment setup You must specify either a PPP or Multilink PPP MLPPP user PPP indicates a regular PPP user MLPPP simulates Multilink PPP so...

Page 75: ...the no version to restore the default value 3 seconds NOTE When a RADIUS server times out or when it has no available RADIUS identifier values the router removes the RADIUS server from the list of av...

Page 76: ...US client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires if configured or for 3 minutes if deadtime is not configured The E Series RADIU...

Page 77: ...ess Request messages host1 config radius trap auth server not responding enable 2 Optional Enable SNMP traps when all of the configured RADIUS authentication servers on a VR fail to respond to Access...

Page 78: ...Use to enable or disable SNMP traps when a particular RADIUS accounting server fails to respond to a RADIUS accounting request The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable E...

Page 79: ...ius trap auth server responding radius trap no acct server responding Use to enable or disable SNMP traps when all of the configured RADIUS accounting servers per VR fail to respond to a RADIUS accoun...

Page 80: ...d by the virtual router Creating Local User Databases When a subscriber connects to an E Series router that is using local authentication the local authentication server uses the entries in the local...

Page 81: ...ers are not supported in the username command However after the user is added to the default local user database you can use the aaa local username command with a database name default to enter Local...

Page 82: ...hentication when the subscriber connects to the E Series router Use the following commands in Global Configuration mode NOTE If you do not specify a local user database the virtual router selects the...

Page 83: ...aaa authentication ppp default local radius Use the no version to restore the default authentication method of radius See aaa authentication default aaa local database Use to create a local user datab...

Page 84: ...username ip address Use to specify the IP address parameter for a user entry in the local user database The address is negotiated with the subscriber after the subscriber is authenticated Example hos...

Page 85: ...al user database The password is used to authenticate a subscriber and is encrypted by means of a two way encryption algorithm NOTE CHAP authentication requires that passwords and secrets be stored in...

Page 86: ...gure a user entry and optional password or secret in the default local user database This command creates the database if it does not already exist Optionally specify a password or secret that is assi...

Page 87: ...create the AAA local authentication environment host1 config aaa local database westfordLocal40 host1 config aaa local username btjones database westfordLocal40 host1 config local user secret 38schil...

Page 88: ...rds to show the configured users and their parameters The password for username cksmith is displayed unencrypted because the default setting of disabled or no for the service password encryption comma...

Page 89: ...aaa local username btjones database westfordLocal40 secret 5 9s7 4N WK2 2 6 operational virtual router boston2 no ip address ip address pool addressPoolA aaa local username maryrdavis database westfo...

Page 90: ...out sending access requests to the configured RADIUS server Because of this behavior these subscribers cannot get any additional control attributes from the authentication server This reduces your abi...

Page 91: ...PPP Internet Protocol Control Protocol IPCP specifically the remote client may request the DNS and WINS server IP addresses If the IP addresses passed to the router by the remote PC client are differe...

Page 92: ...PP clients and not for domain name server resolution aaa dns primary Use to specify the IP address of the DNS primary name server Example host1 config aaa dns primary 10 10 10 5 Use the no version to...

Page 93: ...2 Specify the IP address of the WINS secondary name server host1 config aaa wins secondary 192 168 10 40 NOTE The router uses name server addresses exclusively for PPP clients and not for domain name...

Page 94: ...f IP addresses that are available for allocation and used by clients such as PPP sessions Figure 1 Local Address Pool Hierarchy Local Address Pool Ranges As shown in Figure 1 on page 54 each local add...

Page 95: ...ols within the same virtual router The addresses are configured and managed within DHCP Therefore thresholds are not configured on the shared pool but are instead managed by the referenced DHCP local...

Page 96: ...the local address server to signal SNMP traps when certain conditions exist These thresholds include high utilization threshold and abated utilization threshold If a pool s outstanding addresses exce...

Page 97: ..._LAS_Pool_A DHCP_Pool_1 Delete a shared local address pool host1 config no ip local shared pool Shared_LAS_Pool_C Set SNMP variables by specifying an existing pool name and values host1 config ip loca...

Page 98: ...ls The backup pool name is a character string up to 16 characters long Example host1 config aaa domain map westford com host1 config domain map backup address pool name backup_poolB Use the no version...

Page 99: ...all ranges or the specified range See ip local pool ip local pool snmpTrap Use to enable SNMP pool utilization traps Example host 1 config ip local pool addr_test snmpTrap Use the no version to disabl...

Page 100: ...ss Accept message takes priority over the local prefix pool name configured for the domain map If the pool name or prefix is not present in the RADIUS Access Accept message the IPv6 local address pool...

Page 101: ...s per ATM Subinterface Configure an ATM interface by entering Configuration mode and performing the following tasks For more information about configuring ATM interfaces see JUNOSe Link Layer Configur...

Page 102: ...nfiguring ATM interfaces see JUNOSe Link Layer Configuration Guide 1 Configure a physical interface host1 config interface atm 0 1 2 Configure the subinterface host1 config if interface atm 0 1 20 3 C...

Page 103: ...Once you create an AAA profile you can map it between a PPP client s domain name and certain AAA services on given interfaces Using AAA profiles you can Allow or deny a domain name access to AAA authe...

Page 104: ...e administrator wants to restrict access of a PPP interface to the specific domain abc com 1 Create an AAA profile host1 config aaa profile restrictToABC 2 Specify the domain name you want to allow ho...

Page 105: ...is example an administrator wants to associate all subscribers of a PPP interface with a specific domain name 1 Create an AAA profile host1 config aaa profile forwardToXyz 2 Map the original domain na...

Page 106: ...specific domain name and not allow other domain names 1 Create an AAA profile host1 config aaa profile toAbc 2 Map the original domain name to the mapped domain name for domain map lookup host1 confi...

Page 107: ...ontinues processing as if there were no AAA profile aaa profile Use to configure a new AAA profile Example host1 config aaa profile boston123 Use the no version to delete the AAA profile See aaa profi...

Page 108: ...gned NOTE Although an AAA profile and an interface profile have similar functionality they are not related and should be treated differently Example host1 config if ppp aaa profile westford24 Use the...

Page 109: ...faces host1 config aaa profile nas port type ethernet wireless cable aaa profile Use to create and configure a AAA profile Example host1 config aaa profile nasPortType Use the no version to delete the...

Page 110: ...1 wireless cdma Wireless CDMA wireless other wireless umts Wireless UMTS Example host1 config aaa profile nas port type ethernet wireless 80211 Use the no version to remove the NAS Port Type setting f...

Page 111: ...access routes before they are assigned to clients Using the route download server helps eliminate routing protocol storms and other delays in client service activation that can be caused by protocol c...

Page 112: ...route download server is enabled as soon as IP is established in the virtual router in which the download is performed After the initial route download process is established the router repeats the ro...

Page 113: ...ry interval 25 password dl1456atl synchronization 03 45 00 4 Optional Verify your route download configuration host1 config exit host1 show aaa route download AAA Route Downloader configured in virtua...

Page 114: ...sed in RADIUS Access Request messages for route download requests You can specify from 1 through 32 alphanumeric characters The default password is juniper synchronization The time that the server sta...

Page 115: ...outes that you want cleared in the routing table of the current virtual router or in the specified VRF Use the wildcard character to clear all downloaded routes in the routing table of the current vir...

Page 116: ...eature enables service providers to track subscribers on the basis of a virtual port known as the logical line ID LLID The LLID is an alphanumeric string that logically identifies a subscriber line Th...

Page 117: ...he LLID to the router in the Calling Station Id RADIUS attribute 31 of an Access Accept message The router ignores any RADIUS attributes other than the Calling Station Id that are returned in the prea...

Page 118: ...r for example atm 4 1 104 2 104 NAS Port Id 87 The use of radius commands such as radius calling station format or radius override calling station id to control or change the inclusion of these attrib...

Page 119: ...the Router to Obtain the LLID for a Subscriber To configure the router to obtain the LLID for a subscriber 1 Create an AAA profile that supports subscriber preauthentication host1 config aaa profile p...

Page 120: ...istics command For information see Setting Baselines for Remote Access on page 114 aaa profile Use to configure a new AAA profile Example host1 config aaa profile boston123 Use the no version to delet...

Page 121: ...authenticate radius pre authentication server Use to specify the IP address of a RADIUS preauthentication server This command accesses RADIUS Configuration mode from which you can configure additiona...

Page 122: ...collected on input Ingress Statistics integer 0 disable 1 enable 6 13 12 26 Indicates whether statistics are collected on output Egress Statistics string qos profile name sublen 26 len 26 Specifies t...

Page 123: ...RADIUS appear in RADIUS Acct Start messages RADIUS attributes specified by a profile for dynamic interfaces do not appear in RADIUS Acct Start messages because the profile is not active when the Acct...

Page 124: ...e Cause attribute these mappings enable you to provide different information about the cause of a termination When a subscriber s L2TP or PPP session is terminated the router logs a message for the in...

Page 125: ...low threshold for example the bandwidth on demand algorithm determined that the port was no longer needed Port Unneeded 12 NAS ended the session to allocate the port to a higher priority use Port Pree...

Page 126: ...eer 17 ppp authenticate inactivity ti authenticate inactivity ti 4 meout meout More 3 Optional Display all PPP terminate reasons host1 config terminate code ppp authenticate authenticator timeout Conf...

Page 127: ...ude acct terminate cause acct off disable Use the no version to restore the default enable See radius include terminate code Use to configure a customized mapping relationship between an application s...

Page 128: ...timeout is useful for networks in which the PPP keepalive timer is disabled for wireless subscribers Without the keepalive timer the router cannot detect whether a wireless subscriber has been discon...

Page 129: ...timeout is reached the router terminates the user session Example 1 Sets the idle timeout to 1200 seconds and enables the router to monitor only ingress traffic for this idle timeout period to determi...

Page 130: ...ls AAA aaa accounting acct stop on aaa failure Use to cause the router to send an Acct Stop message if a user fails AAA but RADIUS grants access Example host1 vr17 config aaa accounting acct stop on a...

Page 131: ...Access Accept message was used for DHCPv6 Prefix Delegation In this release you can control the RADIUS IETF attribute or VSA to be used for IPv6 Neighbor Discovery router advertisements and DHCPv6 Pre...

Page 132: ...ix Propagation of LAG Subscriber Information to AAA and RADIUS The RADIUS application sends the link aggregation group LAG interface ID to the RADIUS server when the subscriber is connected over LAG i...

Page 133: ...ribute The radius nas port format radius vlan nas port format stacked and radius pppoe nas port format commands do not affect the value of the Nas Port attribute 87 Nas Port Id The radius override nas...

Page 134: ...are functions as the COPS server or policy decision point PDP Table 10 on page 94 provides common terms used in the COPS environment Table 10 SRC Client and COPS Terminology Description Term Common Op...

Page 135: ...ed in bulk for example an entire QoS configuration or in smaller segments for example updating a marking filter The following list shows the interaction between the PEP and the PDP during the COPS PR...

Page 136: ...ware and the SRC client use Previously you disabled the SRC client and reenabled it to start synchronization The disabling of the SRC client s COPS support was undesirable for the applications that re...

Page 137: ...or LAC host1 config sscc protocol lac 5 Optional Specify on which router the TCP COPS connection is to be established host1 config sscc transportRouter chicago 6 Optional Specify a fixed source addres...

Page 138: ...r keyword to enable COPS PR support Example host1 config sscc enable cops pr Use the no version to disable the feature See sscc enable sscc protocol ipv6 Use to configure IPv6 support on the SRC clien...

Page 139: ...ported as L2TP interfaces to the SRC software Example host1 config sscc protocol lac Use the no version to restore the default which is to disable L2TP LAC support on the SRC client See sscc protocol...

Page 140: ...local address If you do not specify a source address the TCP COPS connection is not bound to a specific source that is local address Example host1 config sscc sourceAddress 10 9 123 8 Use the no vers...

Page 141: ...mation from the access node and transfers it to the COPS sever both during connection establishment between a subscriber and an access node and when any of the values of the line rate parameters chang...

Page 142: ...age to the router that functions as the network access server NAS Typically a COPS interface request is sent from the access node to the SRC client whenever an interface becomes operational You can co...

Page 143: ...that is running a release of SRC software earlier than Release 3 0 0 ignores the updated line rate details that it receives and processes only the other information in the COPS messages The Policy In...

Page 144: ...h of time the requesting router can use the prefix You can configure multiple prefix ranges in an IPv6 local pool The ranges can have the same or different assigned prefix lengths You cannot configure...

Page 145: ...Series router functioning as a remote access server the subscriber is first authenticated using the RADIUS protocol The Access Accept message returned from the RADIUS server can contain different IPv6...

Page 146: ...prefix delegation configurations is crucial The delegating router uses the following order of preference to determine the source from which the DHCPv6 prefix is delegated to the requesting router fro...

Page 147: ...gns prefixes to the DHCPv6 client or requesting router host1 config ipv6 local pool dhcpv6pd_pool NOTE You must enable the IPv6 local address pool feature to be able to configure IPv6 local address po...

Page 148: ...d lifetime is set to 1 day by default 5 Specify the IPv6 address of the DNS servers to be returned to the client You can configure a primary and secondary DNS server The DNS server addresses are retur...

Page 149: ...in an IPv6 local address pool the number of prefixes that can be used from that range by DHCPv6 clients is limited to 1048576 Consider the following example in which an IPv6 local address pool largePr...

Page 150: ...ient requests over non PPP links Configure an IPv6 local address pool named example Specify the IPv6 prefix range from which prefixes can be delegated to DHCPv6 clients by specifying an IPv6 prefix an...

Page 151: ...1 4 100 prefixes are allocated to the client from the example local pool In this example the local pool to use for allocation of prefixes is selected based on the IPv6 address of the interface over wh...

Page 152: ...112 Using DHCPv6 Local Address Pools for Prefix Delegation over non PPP Links Example JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 153: ...g Routing Table Address Lookup on page 122 Monitoring the AAA Model on page 122 Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers on page 122 Monitoring AAA Profile Configurat...

Page 154: ...nitoring RADIUS Server IP Addresses on page 152 Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements on page 152 Monitoring the RADIUS Attribute Used for DHCPv6 Prefi...

Page 155: ...baseline aaa command host1 baseline aaa There is no no version Setting a Baseline for AAA Route Downloads Purpose Set a baseline for route downloads Action Issue the baseline aaa route download comman...

Page 156: ...se the following commands show ppp interface summary show ppp interface selective control For details on the show ppp commands see JUNOSe Link Layer Configuration Guide You can use the output filterin...

Page 157: ...ounting records are sent to the accounting server Broadcast accounting Enabled disabled send acct stop on AAA access deny Enabled disabled send acct stop on authentication server access deny Number of...

Page 158: ...splay the names of a specific virtual router group or of all virtual router groups configured on the router Display the virtual routers making up the groups host1 show aaa accounting vr group vr group...

Page 159: ...se direction configured on the router Action To display the domain and realm name delimiters parse order and parse direction configured on the router host1 show aaa delimiters domain delimiters realm...

Page 160: ...mapped router name Name of the tunnel group assigned to the domain map tunnel group IPv6 virtual router to which user domain name is mapped ipv6 router name Interface information to use on the local E...

Page 161: ...r which is indicated by system chooses Tunnel RWS Name of the virtual router to map to the user domain name Tunnel Virtual Router L2TP peer resynchronization method Tunnel Failover Resync Name of the...

Page 162: ...a duplicate address check Monitoring the AAA Model Purpose Display the AAA model Action To display the AAA model host1 show aaa model aaa model old model Related Topics show aaa model Monitoring IP Ad...

Page 163: ...command output fields Table 14 show aaa profile Output Fields Field Description Field Name Configuration of NAS Port Type attribute for ATM interfaces atm nas port type Configuration of NAS Port Type...

Page 164: ...d Success TUE DEC 19 22 46 47 2006 Last Regular Download complete Next Download Scheduled WED DEC 20 10 46 47 2006 Next Regular Download WED DEC 20 10 46 47 2006 To display information about the RADIU...

Page 165: ...ER or the day date and time of attempt Last Download Attempt Either NEVER or the day date and time of success Last Download Success Status of last regular download either complete or not complete Last...

Page 166: ...255 255 254 2 null0 0 192 168 1 9 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 13 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 17 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 21...

Page 167: ...fy the first router context that you want to display in the output For example aaa a2 specifies that the display shows a list of router contexts starting with VRF a2 in virtual router aaa Action To di...

Page 168: ...192 168 40 7 32 Access P 255 255 255 255 0 2 null0 0 default d1 n 192 168 40 8 32 Access P 255 255 255 255 0 2 null0 0 default d1 n 192 168 40 9 32 Access P 255 255 255 255 0 2 null0 0 To specify the...

Page 169: ...equests 109 incoming disconnect requests 7 outgoing grant tunnel responses 3 outgoing grant responses 6 outgoing deny responses 0 outgoing error responses 0 outgoing Authentication requests 9 incoming...

Page 170: ...ing Re Authentication responses Number of preauthentication requests from AAA to the preauthentication task outgoing Pre Authentication requests Number of preauthentication responses from the preauthe...

Page 171: ...ubscriber Port Limits Port Limit 0 2 5 0 3 2 3 2 2 Related Topics show aaa subscriber per port limit Monitoring the Maximum Number of Active Subscribers Per Virtual Router Purpose Display the maximum...

Page 172: ...guration Guide Action To display the virtual router groups that are configured for AAA broadcast accounting host1 show configuration category aaa global attributes Configuration script being generated...

Page 173: ...for local authentication For additional information about the show configuration command see JUNOSe System Basics Configuration Guide Action To display the configuration information for AAA local aut...

Page 174: ...router virtual router Related Topics show configuration category aaa local authentication Monitoring AAA Server Attributes Purpose Display status of the attributes on the AAA server including AAA acc...

Page 175: ...tual router isp no aaa accounting duplication no aaa accounting broadcast aaa duplicate address check enable aaa accounting acct stop on aaa failure enable aaa accounting acct stop on access deny disa...

Page 176: ...n Purpose Display information about the COPS layer over which the SRC connection is made Action To display information about the COPS layer over which the SRC connection is made host1 show cops info G...

Page 177: ...ess of the remote pee Remote IP Address TCP port number of the remote peer Remote TCP Port Type of client for the session For this release the client type must be 16640 SRC client Client Type Number o...

Page 178: ...COPS layer over which the SRC connection is made Action To display statistics about the COPS layer host1 show cops statistics General Cops Information Sessions Created 0 Sessions Deleted 0 Current Se...

Page 179: ...umber of bytes received for this COPS session Bytes Received Number of packets received for this COPS session Packets Received Number of bytes sent on this COPS session Bytes Sent Number of packets se...

Page 180: ...al alias Alias Pool alias1 poolA alias2 poolB alias3 poolC poolA poolD poolB poolD poolC poolD Meaning Table 24 on page 140 lists the show ip local alias command output fields Table 24 show ip local a...

Page 181: ...0 10 2 2 1 10 2 2 10 10 0 High Abated Pool Thresh Thresh Trap Group poolC 85 75 N Aliases alias3 In Begin End Free Use 10 3 1 1 10 3 1 10 10 0 High Abated Pool Thresh Thresh Trap Group poolD 85 75 N...

Page 182: ...tistics Purpose Display local address pool statistics Use the optional delta keyword to specify that baselined statistics are to be shown Action To display local address pool statistics host1 show ip...

Page 183: ...Protocol Route type codes I1 ISIS level 1 I2 ISIS level2 I route type intra IA route type inter E route type external i metric type internal e metric type external P periodic download O OSPF E1 extern...

Page 184: ...radius algorithm Monitoring RADIUS Override Settings Purpose Display the current RADIUS override settings Action To display the RADIUS override settings host1 vrXyz7 show radius override nas ip addr...

Page 185: ...Related Topics show radius rollover on reject Monitoring RADIUS Server Information Purpose Display RADIUS server information Use with the optional accounting authentication dynamic request route down...

Page 186: ...ow radius servers no radius servers configured If a RADIUS server was configured previously and then removed on the virtual router the command displays the following information host1 show radius serv...

Page 187: ...e status displayed of the earliest configured non dead server if the server is accessed using the direct algorithm The status displayed of all non dead servers if the server is accessed using the roun...

Page 188: ...ct Requests 0 Rollover Requests 0 Retransmissions 3 Responses 1 Start Responses 1 Interim Responses 0 Stop Responses 0 Reject Responses 0 Malformed Responses 0 Bad Authenticators 0 Requests Pending 0...

Page 189: ...criptions apply to the primary secondary and tertiary RADIUS authentication and accounting servers Table 29 show radius statistics Output Fields Field Description Field Name Number of the UDP port of...

Page 190: ...sends a response to the first request after the router removes the request the packet is dropped Packets Dropped Total number of accounting requests sent which is the combined total of Start Requests...

Page 191: ...or no auth server responding disabled trap for auth server responding enabled trap for acct server not responding enabled trap for no acct server responding disabled trap for acct server responding di...

Page 192: ...IUS servers Action To display the RADIUS server IP address host1 show radius update source address 192 168 1 228 Related Topics show radius update source addr Monitoring the RADIUS Attribute Used for...

Page 193: ...nconnected The SSC Client configured servers are Primary 10 10 2 2 3 Secondary 0 0 0 0 0 Tertiary 0 0 0 0 0 Local Source FastEthernet 0 0 Local Source Address 10 13 5 61 The configured transport route...

Page 194: ...ed servers Fixed source interface for the TCP COPS connection Local Source Fixed source address for the TCP COPS connection Local Source Address Router on which is TCP COPS connection is established T...

Page 195: ...Number of connections that were closed by the remote SAE Create Interfaces sent Number of create interface indications sent to the SAE Delete Interfaces sent Number of delete interface indications se...

Page 196: ...Addresses 3274 Address Transitions 3280 Create Addresses Sent 3277 Delete Addresses Sent 3 Meaning Table 31 on page 156 lists the show sscc statistics command output fields Table 31 show sscc statist...

Page 197: ...om the SAE Synchronizes received Number of synchronization complete indications sent Synchronize Complete sent Number of internal errors Internal Errors Number of errors with lower layer communication...

Page 198: ...when the aaa intf desc format include sub intf enable command has been issued the subinterface is included in the subscriber s interface field at login and is displayed in the output When the aaa intf...

Page 199: ...st1 show subscribers interface ethernet 5 2 Subscriber List Virtual User Name Type Addr Endpt Router bert tst 192 168 10 3 user default User Name Interface bert FastEthernet 5 2 4 User Name Login Time...

Page 200: ...ubscribers summary Virtual Router Subscribers Ppp Ip Tnl Total default 1 1 0 0 1 Total Subscribers 10 chassis wide total Peak Subscribers 15 chassis wide total To display the number of subscribers on...

Page 201: ...Table 32 show subscribers Output Fields Field Description Field Name Name of the subscriber User Name Type of subscriber atm ip ipsec ppp tnl tunnel tst test Type IP or IPv6 address and source of the...

Page 202: ...ionName command ICR Partition location id Number of subscribers Count Number of slot in the chassis Slot Related Topics show subscribers Monitoring Application Terminate Reason Mappings Purpose Displa...

Page 203: ...asons This example uses aaa as the application host1 config run show terminate code aaa Radius Apps Terminate Reason Description Code aaa deny server not available deny server not available 17 aaa den...

Page 204: ...l number of prefixes that can be allocated to clients and the number of prefixes that are in use by clients Action To display information about all the IPv6 local address pools configured on a virtual...

Page 205: ...ion for a specific IPv6 local address pool host1 show ipv6 local pool example Pool example Utilization 24 Start End Total In Use Exclude Util Preferred Valid Lifetime Lifetime 4004 4004 48 4004 4004 f...

Page 206: ...fetime Prefix length or prefix range excluded from allocation to the requesting router Exclude Percentage of prefixes currently allocated to clients from a particular prefix range in the pool Util Lis...

Page 207: ...ts from the local address pool Allocations Number of errors encountered during the allocation of prefixes Allocation Errors Number of prefixes released back to the pool Releases Number of errors encou...

Page 208: ...168 Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 209: ...DIUS Dynamic Request Server on page 241 Configuring RADIUS Relay Server on page 251 RADIUS Attribute Descriptions on page 259 Application Terminate Reasons on page 279 Monitoring RADIUS on page 303 Co...

Page 210: ...170 Managing RADIUS and TACACS JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 211: ...s running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server You can access the RADIUS server through either a subscriber line or the CLI...

Page 212: ...ing Tracks service use by subscribers RADIUS Attributes JUNOSe software supports the RADIUS attributes and vendor specific attributes VSAs listed in this chapter These attributes define specific authe...

Page 213: ...es When an application requests user authentication the request must have certain authenticating attributes such as a user s name password and the particular type of service the user is requesting Thi...

Page 214: ...eout used for EAP request packets Table 37 on page 174 lists the RADIUS IETF attributes supported for Access Request Access Accept Access Reject CoA Request and Disconnect Request messages Table 37 AA...

Page 215: ...ifier 32 Proxy State 33 Acct Session Id 44 Acct Multi Session Id 50 CHAP Challenge 60 NAS Port Type 61 Port Limit 62 Tunnel Type See Note 1 64 Tunnel Medium Type See Note 1 65 Tunnel Client Endpoint S...

Page 216: ...nd Primary Dns 135 Ascend Secondary Dns 136 Ascend Num In Multilink 188 Ascend Data Filter 242 Supported Juniper Networks VSAs Table 38 on page 176 lists the Juniper Networks Vendor ID 4874 VSAs suppo...

Page 217: ...10 Egress Policy Name 26 11 Ingress Statistics 26 12 Egress Statistics 26 13 Service Category 26 14 PCR 26 15 SCR 26 16 Mbs 26 17 Sa Validate 26 22 IGMP Enable 26 23 Pppoe Description 26 24 Redirect V...

Page 218: ...56 DHCP GI Address 26 57 LI Action 26 58 Med Dev Handle 26 59 Med Ip Address 26 60 Med Port Number 26 61 MLPPP Bundle Name 26 62 Interface Desc 26 63 Tunnel Group 26 64 Activate Service 26 65 Deactiv...

Page 219: ...e IP SPI 26 85 Mobile IP Key 26 86 Mobile IP Replay 26 87 Mobile IP Access Control List 26 88 Mobile IP Lifetime 26 89 L2TP Resynch Method 26 90 Tunnel Switch Profile 26 91 L2C Up Stream Data 26 92 L2...

Page 220: ...LP Data Rate Up 26 121 Min LP Data Rate Dn 26 122 Max Interlv Delay Up 26 123 Act Interlv Delay Up 26 124 Max Interlv Delay Dn 26 125 Act Interlv Delay Dn 26 126 DSL Line State 26 127 DSL Type 26 128...

Page 221: ...S IETF Attributes Table 39 on page 182 lists the RADIUS IETF attributes supported for Acct Start Acct Stop Interim Acct Acct On and Acct Off messages The following notes are referred to in Table 39 on...

Page 222: ...User Name 1 NAS IP Address 4 NAS Port 5 Service Type 6 Framed Protocol See Note 3 7 Framed IP Address See Note 2 8 Framed IP Netmask 9 Framed Compression See Note 3 13 Class 25 Called Station Id 30 Ca...

Page 223: ...ee Note 1 64 Tunnel Medium Type See Note 1 65 Tunnel Client Endpoint See Note 1 66 Tunnel Server Endpoint See Note 1 67 Acct Tunnel Connection See Note 1 68 Connect Info 77 Tunnel Assignment Id LAC on...

Page 224: ...ication server 2 ERX routers send IPv6 accounting attributes in the Acct Stop and Interim Acct messages stop interim when they are configured to return these attributes and when the subscriber is eith...

Page 225: ...ons see the Managing Interchassis Redundancy chapter in the JUNOSe Services Availability Configuration Guide Table 40 AAA Accounting Message Juniper Network Vendor ID 4874 VSAs Supported Partition Acc...

Page 226: ...Data Rate Up 26 113 Act Data Rate Dn 26 114 Min Data Rate Up 26 115 Min Data Rate Dn 26 116 Att Data Rate Up 26 117 Att Data Rate Dn 26 118 Max Data Rate Up 26 119 Max Data Rate Dn 26 120 Min LP Data...

Page 227: ...Tunnel Accounting Messages Table 41 on page 187 lists RADIUS attributes supported by the following tunnel related accounting messages Acct Tunnel Start Acct Tunnel Stop Acct Tunnel Reject Acct Tunnel...

Page 228: ...nnel Preference LAC only 83 Acct Tunnel Packets Lost 86 Tunnel Client Auth Id 90 Tunnel Server Auth Id 91 DSL Forum VSAs in AAA Access and Accounting Messages JUNOSe Software supports the inclusion of...

Page 229: ...out configuring inclusion of the DSL Forum VSAs see DSL Forum Vendor Specific Attributes on page 237 For a detailed description of the DSL Forum VSAs supported by JUNOSe Software see DSL Forum VSAs on...

Page 230: ...ly to CLI telnet users Access Request Access Accept Access Challenge Access Reject Table 43 on page 190 lists the RADIUS attributes supported for CLI AAA messages Table 43 CLI AAA Access Message RADIU...

Page 231: ...t Messages on page 239 For a complete list of RADIUS attributes supported by JUNOSe software see RADIUS IETF Attributes on page 259 RADIUS IETF Attributes This section describes the RADIUS IETF attrib...

Page 232: ...rt Use the following commands to manage and display information for the NAS Port RADIUS attribute radius include nas port radius nas port format radius nas port format extended radius pppoe nas port f...

Page 233: ...us nas port format Ossssppp Use the no version to restore the default radius nas port format extended atm radius nas port format extended ethernet Use to set the NAS Port format attribute for ATM Giga...

Page 234: ...the number of bits is set to 0 See radius nas port format extended Example 1 Sets the field widths for ATM interfaces host1 config radius nas port format extended atm field widths slot 4 adapter 1 vp...

Page 235: ...rt Format RADIUS Attribute on page 304 8 Framed IP Address Use the following command to manage the Framed IP Address RADIUS attribute radius include framed ip addr radius include framed ip addr Use to...

Page 236: ...ns When this command is enabled the default subnet mask 255 255 255 255 is provided by AAA and used for IPCP negotiations Enabling the command guards against any breaks in the negotiation See radius i...

Page 237: ...radius include called station id Use to include the Called Station Id attribute in Access Request Acct Start or Acct Stop messages You can control inclusion of the Called Station Id attribute by enabl...

Page 238: ...router use the delimited keyword Format for ATM interfaces delimiter system name delimiter interface delimiter VPI delimiter VCI delimiter Format for Ethernet interfaces delimiter system name delimit...

Page 239: ...e 4 slot 1 adapter 1 port 1 0 8 Where the final 8 byte field is always 0 zero For E120 and E320 routers adapter is the number of the bay in which the I O adapter IOA resides either 0 representing the...

Page 240: ...o specify that the format of the Calling Station Id 31 attribute include a 4 byte stacked VLAN S VLAN ID for Ethernet interfaces when the RADIUS client uses the fixed format fixed format adapter embed...

Page 241: ...r an ATM interface on system name eastern slot 14 adapter 1 port 2 VCI 3 and VPI 4 the virtual router displays the format in ASCII as 14 2 003 00004 The adapter number does not appear in this format E...

Page 242: ...ing this command See radius include Example host1 config radius include calling station id acct start disable Use the no version to restore the default enable radius override calling station id remote...

Page 243: ...Acct Start Acct Stop Acct On and Acct Off messages You can control inclusion of the attribute by enabling or disabling this command See radius include Example host1 config radius include nas identifi...

Page 244: ...cal Report TR 101 Migration to Ethernet Based DSL Aggregation April 2006 For more information about how to use this command see the Using the PPPoE Remote Circuit ID to Identify Subscribers and Config...

Page 245: ...dius include Example host1 config radius include acct delay time acct on enable Use the no version to restore the default enable 44 Acct Session Id Use the following commands to manage and display inf...

Page 246: ...ID is used as the interface identifier For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode see Propagation of LAG Subscriber Information to AA...

Page 247: ...lt enable 50 Acct Multi Session Id Use the following command to manage the Acct Multi Session Id RADIUS attribute radius include acct multi session id radius include acct multi session id Use to inclu...

Page 248: ...the Acct Input Gigawords attribute in Acct Stop messages You can control inclusion of the Acct Input Gigawords attribute by enabling or disabling this command See radius include Example host1 config r...

Page 249: ...ADIUS attribute radius dsl port type radius ethernet port type radius include nas port type NOTE For subscribers connected over the LAG interface in DHCP standalone authenticate mode RADIUS calculates...

Page 250: ...ethernet port type virtual Use the no version to restore the default ethernet radius include nas port type Use to include the NAS Port Type attribute in Access Request Acct Start and Acct Stop messag...

Page 251: ...in Access Request Acct Start and Acct Stop messages You can control inclusion of the Tunnel Medium Type attribute by enabling or disabling this command See radius include Example host1 config radius...

Page 252: ...disable Use the no version to restore the default enable 68 Acct Tunnel Connection Use the following command to manage the Acct Tunnel Connection RADIUS attribute radius include acct tunnel connection...

Page 253: ...onnect speed keyword to specify that the RX speed is only included when it is not zero and differs from the TX speed Example host1 config radius connect info format l2tp connect speed Use the l2tp con...

Page 254: ...fault enable 83 Tunnel Preference Use the following command to manage the Tunnel Preference RADIUS attribute radius include tunnel preference radius include tunnel preference Use to include the Tunnel...

Page 255: ...b intf disable host1 aaa intf desc format include adapter enable Use the no version to remove the configuration See aaa intf desc format include radius include nas port id Use to include the NAS Port...

Page 256: ...e by enabling or disabling this command See radius include Example host1 config radius include tunnel client auth id access request disable Use the no version to restore the default enable 91 Tunnel S...

Page 257: ...disable 97 Framed Ipv6 Prefix Use the following command to manage the Framed Ipv6 Prefix RADIUS attribute radius include framed ipv6 prefix radius include framed ipv6 prefix Use to include the Framed...

Page 258: ...ge the Framed Ipv6 Pool RADIUS attribute radius include framed ipv6 pool radius include framed ipv6 pool Use to include the Framed Ipv6 Pool attribute in Acct Start or Acct Stop messages You can contr...

Page 259: ...refix command is not configured the delegated prefix is sent to the RADIUS server in the Framed Ipv6 Prefix attribute in the immediate accounting Acct Stop or Interim Acct messages For static interfac...

Page 260: ...ude Example host1 config radius include tunnel server attributes access request enable Use the no version to restore the default disable Juniper Networks Vendor Specific Attributes This section descri...

Page 261: ...ius include ingress policy name acct start enable Use the no version to restore the default radius ignore ingress policy name Use to cause the Ingress Policy Name attribute to be ignored in Access Acc...

Page 262: ...t1 config radius ignore egress policy name enable Use the no version to restore the default disable 26 14 Service Category Use the following command to manage the Service Category RADIUS attribute rad...

Page 263: ...ess Accept messages You can control this behavior by enabling or disabling this command See radius ignore Example host1 config radius ignore atm scr enable Use the no version to restore the default di...

Page 264: ...US attribute radius include input gigapkts radius include input gigapkts Use to include Acct Input Gigapackets in Acct Stop messages You can control inclusion of the attribute by enabling or disabling...

Page 265: ...lude ipv6 virtual router Use to include the Ipv6 Virtual Router attribute in Acct Start or Acct Stop messages You can control inclusion of the attribute by enabling or disabling this command For this...

Page 266: ...value configured in the domain map See radius include Example host1 config radius include ipv6 local interface acct start enable Use the no version to restore the default disable 26 47 Ipv6 Primary DN...

Page 267: ...turned from the RADIUS server the Acct Start Acct Stop or Interim Acct messages report the value configured in the AAA domain map See radius include Example host1 config radius include ipv6 secondary...

Page 268: ...e radius include dhcp options radius include dhcp options Use to include the DHCP Options attribute in Access Request Acct Start and Acct Stop messages You can control inclusion of the attribute by en...

Page 269: ...PPP Bundle Name Use the following command to manage the MLPPP Bundle Name RADIUS attribute radius include mlppp bundle name radius include mlppp bundle name Use to include the MLPPP Bundle Name attrib...

Page 270: ...t1 config radius include interface description acct start enable Use the no version to restore the default disable 26 81 L2C Information Use the following command to manage the L2C Information RADIUS...

Page 271: ...d Inclusion is disabled by default Example host1 config radius include l2c downstream data access request enable Use the no version to restore the default disable See radius include 26 129 Ipv6 NdRa P...

Page 272: ...nd Acct Stop messages You can control inclusion of the Downstream Calculated Qos Rate attribute by enabling or disabling this command Inclusion is disabled by default Example host1 config radius inclu...

Page 273: ...Use the following command to manage the Max Clients Per Interface RADIUS attribute radius ignore pppoe max session radius ignore pppoe max session Use to cause the Max Clients Per Interface attribute...

Page 274: ...ges include the ICR Partition Id VSA Also both these messages are sent to the RADIUS accounting server configured on the virtual router where the ICR partition is configured or the virtual router on w...

Page 275: ...adius include Example host1 config radius include dhcp option 82 Use the no version to restore the default disable ANCP Related Juniper Networks VSAs You use the radius include command to specify info...

Page 276: ...Acc Loop Cir Id 26 110 l2cd acc loop cir id 2 Acc Aggr Cir Id Bin 26 111 l2cd acc aggr cir id bin 3 Acc Aggr Cir Id Asc 26 112 l2cd acc aggr cir id asc 129 4 Act Data Rate Up 26 113 l2cd act data rat...

Page 277: ...the DSL A service provider might find it useful to enable inclusion of the DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of th...

Page 278: ...m VSAs see DSL Forum VSAs on page 276 radius include dsl forum attributes Use to include the set of DSL Forum VSAs in Access Request Acct Start and Acct Stop messages that the router sends to RADIUS I...

Page 279: ...nfigure the router to ignore or use many attributes that it receives in Access Accept messages radius ignore Use to specify that a RADIUS attribute be ignored or be accepted from Access Accept message...

Page 280: ...240 CLI Commands Used to Modify RADIUS Attributes JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 281: ...namic Request Server Overview The E Series router s RADIUS dynamic request server feature provides an efficient way for you to use RADIUS servers to centrally manage user sessions The RADIUS dynamic r...

Page 282: ...rization and accounting information Having a common database allows any server to view who is currently valid and connected and allows service providers to manage the disconnection of users Figure 5 S...

Page 283: ...es from RADIUS servers The RADIUS initiated disconnect feature uses the existing format of RADIUS disconnect request and response messages The RADIUS initiated disconnect feature uses the following co...

Page 284: ...the disconnect request is owned by a component that does not support RADIUS initiated disconnect for example IP LAC subscribers cannot be disconnected Session context not removable 504 A request coul...

Page 285: ...config radius subscriber disconnect 3 Define the secret used in the RADIUS Authenticator field during exchanges between the RADIUS dynamic request server and the RADIUS server host1 config radius key...

Page 286: ...uter sends the CoA NAK without an error cause attribute Table 46 on page 246 lists the supported error cause codes Table 46 Error Cause Codes RADIUS Attribute 101 Description Value Code The request co...

Page 287: ...e is no RADIUS override setting Security Authentication For change of authorization operations the RADIUS server calculates the authenticator as specified for an Accounting Request message in RFC 2866...

Page 288: ...68 5 3 host1 config radius authorization change Use the no version to disable receipt of the messages any currently configured operations will continue See authorization change key Use to define the k...

Page 289: ...server See radius dynamic request server subscriber disconnect Use to enable the RADIUS dynamic request server to receive RADIUS disconnect messages from a RADIUS server Example host1 config radius s...

Page 290: ...seline for RADIUS Dynamic Request Server Statistics on page 310 Monitoring RADIUS Dynamic Request Server Statistics on page 311 Monitoring the Configuration of the RADIUS Dynamic Request Server on pag...

Page 291: ...ubscriber to be authenticated by a central authority The standard uses the Extensible Authentication Protocol EAP for message exchange during the authentication process The E Series router s RADIUS re...

Page 292: ...IUS Extensions June 2000 RFC 2284 PPP Extensible Authentication Protocol EAP March 1998 RFC 3539 Authentication Authorization and Accounting AAA Transport Profile June 2003 How RADIUS Relay Server Wor...

Page 293: ...outer s RADIUS relay server creates a RADIUS Access Accept message and sends the message back to the subscriber The router s DHCP server either the router s DHCP local server or an external DHCP serve...

Page 294: ...are received for this subscriber for more than 24 hours RADIUS Relay Server and the SRC Software The SRC software is an advanced subscriber configuration and management service The RADIUS relay server...

Page 295: ...E Series router supports one instance of the RADIUS relay server per virtual router The instance can provide authentication authorization and accounting support 1 Enable RADIUS relay server support on...

Page 296: ...ret3Clientkey Use the no version to delete the secret See key radius relay server Use to configure a RADIUS relay authentication or accounting server and enter RADIUS Relay Configuration mode Example...

Page 297: ...ort Monitoring RADIUS Relay Server To monitor RADIUS relay server see Setting the Baseline for RADIUS Dynamic Request Server Statistics on page 310 Monitoring RADIUS Dynamic Request Server Statistics...

Page 298: ...258 Monitoring RADIUS Relay Server JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 299: ...erences on page 278 RADIUS IETF Attributes Table 49 on page 259 describes the RADIUS IETF attributes supported by JUNOSe software The attributes are sorted by standard number Table 49 RADIUS IETF Attr...

Page 300: ...55 255 255 Framed IP Netmask 9 Name of the filter list for the user Interpreted as input policy name Filter Id 11 The maximum transmission unit to be configured for the user when it is not negotiated...

Page 301: ...2 E Series router s port ID and IP address Proxy State 33 Indicates whether this Accounting Request marks the beginning of the user service Start the end Stop or the interim Interim Update Acct Status...

Page 302: ...or 8 PVC failed no hardware or no interface NAS Error 9 Negotiation failures connection failures or address lease expiration NAS Request 10 PPP challenge timeout PPP request timeout tunnel establishme...

Page 303: ...o use in the case of a tunnel initiator or the tunneling protocol in use in the case of a tunnel terminator Only L2TP tunnels supported at this time Tunnel Type 64 Transport medium to use when creatin...

Page 304: ...1 1 98 172 81 1 99 18d cb8 ce6 9f4 6 In this case the local information refers to the LNS and the peer information refers to the LAC NAS Port Id usually contains one of the following atm slot port sub...

Page 305: ...Num In Multilink 188 RADIUS policy definitions used to configure a policy to classify packet flows and perform filter forward packet marking rate limit profile and traffic class actions Ascend Data Fi...

Page 306: ...te primary wins address 6 12 B RAS user s WINS NBNS address negotiated during IPCP 4 octet IP address Primary WINS NBNS 26 6 integer 4 byte secondary wins address 6 12 B RAS user s WINS NBNS address n...

Page 307: ...See the enable command in the Passwords and Security chapter in JUNOSe System Basics Configuration Guide Allow All VR Access 26 19 single attribute enter 0 1 5 10 or 15 sublen len Specifies other leve...

Page 308: ...Sessions 26 33 integer 4 octet 6 12 Route tag to apply to returned framed ip address Framed Ip Route Tag 26 34 string dial out number sublen len Dial number in L2TP dial out Tunnel Dialout Number 26...

Page 309: ...y DNS 26 48 string l2tp ppp disconnect cause sublen len L2TP PPP disconnect cause information received by the LAC Disconnect Cause 26 51 integer 4 octet 6 12 RADIUS relay server s IP address Radius Cl...

Page 310: ...volume is exceeded Service Volume tagX 26 67 integer time in seconds 0 no timeout 6 12 Number of seconds that the service can be active service is deactivated when the timeout expires Service Timeout...

Page 311: ...e ASCII representation of 0 21474836470 multiple instances of this VSA can be returned from RADIUS using this format sublen len Name of the QoS parameter instance to create on the user s interface fol...

Page 312: ...Data 26 92 string actual downstream rate access loop parameter ASCII encoded sublen len Actual downstream rate access loop parameter ASCII encoded as defined in GSMP extensions for layer2 control L2C...

Page 313: ...tion atm slot port vpi vci Acc Aggr Cir Id Asc 26 112 integer 4 octet 6 12 Actual upstream data rate of the subscriber s synchronized DSL link Act Data Rate Up 26 113 integer 4 octet 6 12 Actual downs...

Page 314: ...le 3 Silent 6 12 State of the DSL line DSL Line State 26 127 string 3 byte 5 11 Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated DSL Type 26 1...

Page 315: ...hat can be used to assign addresses to users being authenticated by a RADIUS server when the existing addresses in the primary local address pool are fully exhausted The authentication server override...

Page 316: ...for RADIUS JUNOSe software uses the vendor ID assigned to the DSL Forum 3561 or DE9 in hexadecimal format by the Internet Assigned Numbers Authority IANA Table 51 JUNOSe Software DSL Forum Vendor ID...

Page 317: ...y upstream interleaving delay configured for the subscriber Maximum Interleaving Delay Upstream 26 139 integer 4 octet 6 12 Subscriber s actual one way upstream interleaving delay Actual Interleaving...

Page 318: ...RADIUS Accounting June 2000 RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support June 2000 RFC 2868 RADIUS Attributes for Tunnel Protocol Support June 2000 RFC 2869 RADIUS Extensions...

Page 319: ...Cause attributes AAA Terminate Reasons on page 279 L2TP Terminate Reasons on page 280 PPP Terminate Reasons on page 295 RADIUS Client Terminate Reasons on page 301 AAA Terminate Reasons Table 53 on p...

Page 320: ...ror 17 deny unknown subscriber user error 17 deny user termination nas request 10 shutdown address lease expiration admin reset 6 shutdown administrative reset L2TP Terminate Reasons Table 54 on page...

Page 321: ...assigned session id nas request 10 session rx cdn avp malformed bad length nas request 10 session rx cdn avp malformed truncated nas request 10 session rx cdn avp missing mandatory assigned session i...

Page 322: ...session rx iccn no resources nas request 10 session rx iccn unexpected nas request 10 session rx icrp avp bad hidden nas request 10 session rx icrp avp bad value assigned session id nas request 10 se...

Page 323: ...p missing secret nas request 10 session rx icrq avp unknown nas request 10 session rx icrq no resources nas request 10 session rx icrq unexpected nas request 10 session rx occn avp bad hidden nas requ...

Page 324: ...0 session rx ocrq avp bad value assigned session id nas request 10 session rx ocrq avp bad value bearer type nas request 10 session rx ocrq avp bad value framing type nas request 10 session rx ocrq av...

Page 325: ...r nas request 10 session rx sli avp missing secret nas request 10 session rx sli avp unknown nas request 10 session rx sli no resources nas request 10 session rx unexpected packet lac incoming nas req...

Page 326: ...vice unavailable 15 session upper removed service unavailable 15 session warmstart not operational service unavailable 15 session warmstart recovery error nas request 10 session warmstart upper not re...

Page 327: ...bad length service unavailable 15 tunnel rx scccn avp malformed truncated user error 17 tunnel rx scccn avp missing challenge response service unavailable 15 tunnel rx scccn avp missing random vector...

Page 328: ...avp missing mandatory framing capabilities service unavailable 15 tunnel rx sccrp avp missing mandatory host name service unavailable 15 tunnel rx sccrp avp missing mandatory protocol version service...

Page 329: ...ilable 15 tunnel rx sccrq avp missing mandatory host name service unavailable 15 tunnel rx sccrq avp missing mandatory protocol version service unavailable 15 tunnel rx sccrq avp missing random vector...

Page 330: ...able 15 tunnel rx frs avp missing random vector service unavailable 15 tunnel rx frs avp missing secret service unavailable 15 tunnel rx frs avp unknown service unavailable 15 tunnel rx frs no resourc...

Page 331: ...ing secret service unavailable 15 tunnel rx recovery scccn avp unexpected challenge response service unavailable 15 tunnel rx recovery scccn avp unknown service unavailable 15 tunnel rx recovery scccn...

Page 332: ...version service unavailable 15 tunnel rx recovery sccrp avp missing random vector service unavailable 15 tunnel rx recovery sccrp avp missing secret service unavailable 15 tunnel rx recovery sccrp avp...

Page 333: ...vp missing mandatory framing capabilities service unavailable 15 tunnel rx recovery sccrq avp missing mandatory host name service unavailable 15 tunnel rx recovery sccrq avp missing mandatory protocol...

Page 334: ...ry stopccn avp unknown service unavailable 15 tunnel rx recovery stopccn no resources service unavailable 15 tunnel rx recovery stopccn session id not null service unavailable 15 tunnel rx recovery un...

Page 335: ...uest 10 authenticate max requests nas request 10 authenticate no authenticator user error 17 authenticate pap peer authenticator timeout nas request 10 authenticate pap request timeout session timeout...

Page 336: ...n disable lost carrier 2 interface down port error 8 interface no hardware nas request 10 ip admin disable nas request 10 ip inhibited by authentication nas request 10 ip link down nas request 10 ip m...

Page 337: ...request 10 ip service disable nas request 10 ip stale stacking nas request 10 ipv6 admin disable nas request 10 ipv6 inhibited by authentication nas request 10 ipv6 link down nas request 10 ipv6 local...

Page 338: ...k rx conf req nas request 10 lcp loopback rx echo reply nas request 10 lcp loopback rx echo req nas request 10 lcp max configure exceeded nas request 10 lcp mru changed nas request 10 lcp negotiation...

Page 339: ...t 1 lcp peer renegotiate rx conf rej user request 1 lcp peer renegotiate rx conf req nas request 10 lcp tunnel disconnected nas request 10 lcp tunnel failed port error 8 link interface no hardware los...

Page 340: ...terface nas request 10 osi admin disable nas request 10 osi link down nas request 10 osi max configure exceeded nas request 10 osi no local align npdu nas request 10 osi no peer align npdu nas request...

Page 341: ...s and the RADIUS Acct Terminate Cause attributes they are mapped to by default Table 56 Default RADIUS Client Mappings RADIUS Acct Terminate Cause RADIUS Client Terminate Reason Description Code nas r...

Page 342: ...302 RADIUS Client Terminate Reasons JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 343: ...toring the NAS Port ID RADIUS Attribute on page 307 Monitoring Included RADIUS Attributes on page 308 Monitoring Ignored RADIUS Attributes on page 310 Setting the Baseline for RADIUS Dynamic Request S...

Page 344: ...ide nas port id remote circuit id command to override the standard NAS Port Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM nas port id Displays the current setting for the Ca...

Page 345: ...radius vlan nas port format Monitoring the Calling Station Id RADIUS Attribute Purpose Display the format and delimiter used for the Calling Station Id 31 attribute Action To display the format config...

Page 346: ...fect Action To display the format configured for the PPPoE remote circuit ID value captured from a DSLAM host1 show radius remote circuit id format nas identifier agent circuit id agent remote id Rela...

Page 347: ...ow radius dsl port type show radius ethernet port type Monitoring the Connect Info RADIUS Attribute Purpose Display the format for the Connect Info attribute Action To display the format for the Conne...

Page 348: ...n c n c disabled disabled dhcp options n c n c disabled disabled disabled dhcp option 82 vsa n c n c disabled disabled disabled dhcp mac address n c n c disabled disabled disabled dhcp gi address n c...

Page 349: ...bled disabled l2cd max interlv delay dn vsa n c n c disabled disabled disabled l2cd act interlv delay dn vsa n c n c disabled disabled disabled l2cd dsl line state vsa n c n c disabled disabled disabl...

Page 350: ...d attribute framed ip netmask ignored from RADIUS server attribute atm service category vsa accepted from RADIUS server attribute atm mbs vsa accepted from RADIUS server attribute atm pcr vsa accepted...

Page 351: ...nnect Packets Dropped 0 CoA Requests 0 CoA Accepts 0 CoA Rejects 0 CoA No Session ID 0 CoA Bad Authenticators 0 CoA Packets Dropped 0 No Secret 0 Unknown Request 0 Invalid Addresses Received 0 Meaning...

Page 352: ...invalid addresses received Invalid Addresses Received Related Topics Setting the Baseline for RADIUS Dynamic Request Server Statistics on page 310 show radius statistics Monitoring the Configuration o...

Page 353: ...eyword with the show radius relay command To set a baseline for RADIUS relay statistics Issue the baseline radius relay command host1 baseline radius relay There is no no version Related Topics Monito...

Page 354: ...me Number of access requests received Access Requests Number of access accepts received Access Accepts Number of access challenges received Access Challenges Number of access rejects received Access R...

Page 355: ...Relay Authentication Server Configuration IP Address IP Mask Secret 10 10 8 15 255 255 255 255 newsecret 192 168 102 5 255 255 255 255 999Y2K Udp Port 1812 RADIUS Relay Accounting Server Configuratio...

Page 356: ...Output Fields Field Description Field Name Status of UDP checksums enabled or disabled udp checksums Related Topics show radius relay udp checksum Monitoring the Status of ICR Partition Accounting Pu...

Page 357: ...o are attempting to gain access to a router or NAS TACACS a more recent version of the original TACACS protocol provides separate authentication authorization and accounting AAA services NOTE TACACS i...

Page 358: ...d passwords Authorization Determines what an authenticated user is allowed to do Authorization gives the network manager the ability to limit network services to different users Also the network manag...

Page 359: ...To allow login authorization through the TACACS server you can use the following commands aaa authorization aaa authorization config commands and authorization For information about using these comma...

Page 360: ...mode Specifies the type of accounting records that are recorded on the TACACS server Accounting records track user actions and resource usage You can analyze and use the records for network managemen...

Page 361: ...AVP timezone TACACS Platform Considerations TACACS is supported on all E Series routers For information about the modules supported on E Series routers See the ERX Module Guide for modules supported...

Page 362: ...imary 2 Optional Set the authentication and encryption key value shared by all TACACS servers that do not have a server specific key set up by the tacacs server host command host1 config tacacs server...

Page 363: ...cs host1 config aaa accounting commands 1 listX stop only tacacs host1 config aaa accounting commands 13 listY stop only tacacs host1 config aaa accounting commands 14 default stop only tacacs host1 c...

Page 364: ...on the router and to create accounting method lists Specify default to configure the default method list or configure a named method list The default method list is used by lines and consoles unless...

Page 365: ...r vty lines an authentication list called default is automatically assigned to the vty lines To allow users to access the vty lines you must create an authentication list and either Name the list defa...

Page 366: ...commands to capture accounting information for User Exec mode commands at the indicated JUNOSe privilege level 0 through 15 Specify the name of the method list to be applied to the line or console To...

Page 367: ...nated primary host is always the first in the search order the remaining hosts are contacted in the order in which they were created If the primary host is deleted or if you modify the primary host wi...

Page 368: ...version to remove the address See tacacs server source address tacacs server timeout Use to set the interval in seconds that the server waits for the server host to reply The specified interval is sha...

Page 369: ...CACS Statistics You can set a baseline for TACACS statistics To set the baseline Issue the baseline tacacs command host1 baseline tacacs There is no no version Related Topics baseline tacacs Monitorin...

Page 370: ...m the host Auth Replies Number of expected but not received authentication replies from the host Auth Pending Number of authentication timeouts for the host Auth Timeouts Number of authorization reque...

Page 371: ...ted for the pending statistics host1 show tacacs delta Meaning Table 67 on page 331 lists the show tacacs command output fields Table 67 show tacacs Output Fields Field Description Field Name Authenti...

Page 372: ...ntinued Field Description Field Name The order in which requests are sent to hosts until a response is received Search Order Related Topics show tacacs 332 Monitoring TACACS Information JUNOSe 11 1 x...

Page 373: ...view on page 335 Configuring an L2TP LAC on page 343 Configuring an L2TP LNS on page 375 Configuring L2TP Dial Out on page 411 L2TP Disconnect Cause Codes on page 423 Monitoring L2TP and L2TP Dial Out...

Page 374: ...334 Managing L2TP JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 375: ...s PPP for transmission across a network An L2TP access concentrator LAC configured on an access device such as an E Series router receives packets from a remote client and forwards them to an L2TP net...

Page 376: ...rm Combination of a unique attribute represented by an integer and a value containing the actual value identified by the attribute Attribute value pair AVP L2TP access concentrator LAC a node that act...

Page 377: ...t of a call Remote system A logical connection created between the LAC and the LNS when an end to end PPP connection is established between a remote system and the LNS NOTE There is a one to one relat...

Page 378: ...too large The router always supports packets that have an offset pad field of up to 16 bytes and may support larger offset pad fields depending on other information in the header This restriction is a...

Page 379: ...ore even if PPP in the LNS chooses to renegotiate the MRU it has no way to determine the proper MRU since it does not know the minimum MRU on all of the intervening links between it and the LAC To ove...

Page 380: ...talled in the ERX router For information about installing modules in the ERX router see the ERX Hardware Guide SMs provide dedicated tunnel server ports that are always configured on the module Unlike...

Page 381: ...the ERX1440 router supports 32 000 L2TP sessions and all other E Series routers support a maximum of 16 000 L2TP sessions The following guidelines apply On all E Series routers The SM and the ES2 S1...

Page 382: ...formation July 2001 Fail Over extensions for L2TP failover draft ietf l2tpext failover 06 txt April 2006 expiration RFC 4951 Fail Over Extensions for Layer 2 Tunneling Protocol L2TP failover August 20...

Page 383: ...nnels and Sessions on page 346 Shutting Down Destinations Tunnels and Sessions on page 348 Specifying the Number of Retransmission Attempts on page 349 Configuring Calling Number AVP Formats on page 3...

Page 384: ...using shared tunnel server ports you must configure the shared tunnel server ports before you configure Layer 2 Tunneling Protocol L2TP network server LNS support You use the tunnel server command in...

Page 385: ...46 Shutting Down Destinations Tunnels and Sessions on page 348 Specifying the Number of Retransmission Attempts on page 349 Generating UDP Checksums in Packets to L2TP Peers You can configure the rout...

Page 386: ...meout 1200 Related Topics l2tp destruct timeout Preventing Creation of New Destinations Tunnels and Sessions You can configure several L2TP drain operations which determine how the router creates new...

Page 387: ...n tunnel command both affect the administrative state of L2TP for the tunnel Although each command has a different effect the no version of each command is equivalent Each command s no version leaves...

Page 388: ...each command is equivalent Each command s no version leaves L2TP in the enabled state To close all destinations tunnels and sessions on the router host1 config l2tp shutdown Closing Existing and Preve...

Page 389: ...router uses a retry count of 5 Use the established keyword to apply the retry count only to established tunnels Use the not established keyword to apply the retry count only to tunnels that are not es...

Page 390: ...lar to the fixed format of RADIUS attribute 31 Calling Station Id If you set up the router to generate the Calling Number AVP in fixed format the router formats the AVP to use a fixed format of up to...

Page 391: ...outer For ERX7xx models ERX14xx models and ERX310 Broadband Services Routers which do not use IOAs adapter is always shown as 0 Slot numbers 0 through 16 are shown as ASCII characters in the 1 byte sl...

Page 392: ...ter new field format host1 config aaa tunnel calling number format fixed adapter new field For example when you configure this L2TP Calling Number AVP format on an E320 router for an ATM interface on...

Page 393: ...specify the optional stacked keyword but the Ethernet interface does not have an S VLAN ID Example The following command configures the L2TP Calling Number AVP in fixed adapter new field format for an...

Page 394: ...ured calling number format includes either or both of the agent circuit id and agent remote id suboptions The calling number format determines what element triggers use of the fallback format as shown...

Page 395: ...P to use a fixed format of up to 15 characters consisting of all ASCII fields with a 1 byte slot field 1 byte adapter field and 1 byte port field Fallback format for ATM interfaces systemName up to 4...

Page 396: ...new field format the router formats the AVP to use a fixed format of up to 17 characters consisting of all ASCII fields with a 2 byte slot field 1 byte adapter field and 2 byte port field Fallback for...

Page 397: ...bytes VLAN 4 bytes Fallback format for Ethernet interfaces that use fixed adapter embedded systemName up to 4 bytes slot 1 byte adapter 1 byte port 1 byte S VLAN 4 bytes VLAN 4 bytes Fallback format...

Page 398: ...that the fixed format is used when both PPPoE agent circuit id and agent remote id are unavailable issue the following commands host1 config radius calling station format fixed format host1 config ra...

Page 399: ...el locally on the router from Domain Map Tunnel mode perform the following steps 1 Specify a domain name and enter Domain Map Configuration mode host1 config aaa domain map westford com host1 config d...

Page 400: ...onfig domain map tunnel server name boston 10 Optional Specify a source IP address for the LAC tunnel endpoint All L2TP packets sent to the peer use this source address host1 config domain map tunnel...

Page 401: ...D If you do not set a tunnel assignment ID the software sets it to the default assignmentID This parameter is only generated and used by the L2TP LAC device 17 Optional Specify whether or not to use t...

Page 402: ...Sessions Tunnel RWS Router 3 boston 5 0 system chooses vr2 host1 show aaa tunnel parameters Tunnel password is 3 92k b q4 Tunnel client name is NULL Tunnel nas port method is none Tunnel nas port igno...

Page 403: ...tunnel group tunnel router name default 4 Specify the LNS endpoint address of a tunnel host1 config tunnel group tunnel address 192 0 2 13 5 Specify a preference for the tunnel You can specify up to e...

Page 404: ...table IP interface for example a loopback interface Make sure that the address is configured in the virtual router for this domain map and that the address is reachable by the peer host1 config tunnel...

Page 405: ...and preference command router name server name source address tunnel type Configuring the RX Speed on the LAC You can configure the E Series LAC to always generate L2TP Receive RX Speed AVP 38 If you...

Page 406: ...a Locked Out Destination Is Available on page 368 3 Configuring a Lockout Timeout on page 368 4 Unlocking a Destination that is Currently Locked Out on page 368 5 Starting an Immediate Lockout Test on...

Page 407: ...the following commands to manage L2TP destination lockout and configure a lockout process that meets the needs of your network environment Use the l2tp destination lockout timeout command to modify t...

Page 408: ...out expires all information about the locked out destination is deleted including the time remaining on the destination s lockout timeout and the requirement to run a lockout test prior to returning t...

Page 409: ...nels with separate receive and transmit addresses and to avoid problems due to a misconfiguration Three possible configurations are available Default configuration The E Series LAC accepts the change...

Page 410: ...l from a set of tunnels associated with either the PPP user or the PPP user s domain The router provides the following methods for selecting tunnels Tunnel selection failover between preference levels...

Page 411: ...ect to every destination available for the domain Support for multiple destinations affects the procedure for mapping a user domain name to an L2TP tunnel To learn how to complete this mapping see Map...

Page 412: ...vel the router drops to the next lower preference level to make the next selection This process is consistent regardless of which fail over scheme is currently running on the router A tunnel without a...

Page 413: ...host1 config l2tp weighted load balancing Configuring the Weighted Load Balancing Method 373 Chapter 12 Configuring an L2TP LAC...

Page 414: ...374 Configuring the Weighted Load Balancing Method JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 415: ...the RADIUS Connect Info Attribute on the LNS on page 380 Overriding LNS Out of Resource Result Codes 4 and 5 on page 381 Selecting Service Modules for LNS Sessions Using MLPPP on page 382 Enabling Tun...

Page 416: ...configure an LNS you can configure it to accept calls from any LAC NOTE If there is no explicit LNS configuration on the router the UDP port used for L2TP traffic is closed and no tunnels or sessions...

Page 417: ...ame to be used in any hostname AVP sends to the LAC By default the router name is used as the local hostname host1 config l2tp dest profile host local host andy 7 Optional Specify the local IP address...

Page 418: ...nfo Attribute on the LNS on page 380 Overriding LNS Out of Resource Result Codes 4 and 5 on page 381 Selecting Service Modules for LNS Sessions Using MLPPP on page 382 bundled group id bundled group i...

Page 419: ...t profile and access L2TP Destination Profile Host Configuration mode Each L2TP destination profile can have multiple L2TP host profiles For an LAC to connect to an LNS the appropriate L2TP destinatio...

Page 420: ...rofile or host profile maximum session limit is not exceeded For information about the maximum number of L2TP sessions supported per chassis see JUNOSe Release Notes Appendix A System Maximums To set...

Page 421: ...CDN Call Disconnect Notify message to the LAC This signals the LAC to fail over to another LNS that has the resources for more sessions Some third party LAC implementations fail over only when they r...

Page 422: ...ession out of resource result code override show l2tp destination profile Selecting Service Modules for LNS Sessions Using MLPPP You can install multiple service modules in an E Series router deployed...

Page 423: ...include a endpoint discriminator option in the LCP proxy AVPs The router places all bundled sessions without endpoint discriminators on the same SM However if there are many such bundled sessions the...

Page 424: ...opics bundled group id bundled group id overrides mlppp ed Enabling Tunnel Switching L2TP tunnel switching allows you to switch packets between one session terminating at an L2TP LNS and another sessi...

Page 425: ...ou to verify both the tunnel configuration and connectivity This command supports tunnel initiation incoming calls on the LAC outgoing calls on the LNS The command does not support tunnel respondent o...

Page 426: ...nt all PPP signaling for the tunnel session takes place between the LNS and the client without active participation of the LAC As a result the LAC is not aware of the reason that a session has disconn...

Page 427: ...st profile host disconnect cause Enabling RADIUS Accounting for Disconnect Cause You use the radius include l2tp ppp disconnect cause acct stop enable command to specify that the Disconnect Cause RADI...

Page 428: ...ndow command in L2TP Destination Profile Host Configuration mode 1 Configuring the Default Receive Window Size on page 388 2 Configuring the Receive Window Size on the LAC on page 389 3 Configuring th...

Page 429: ...ndow command TIP The RWS setting must be the same for all users of the same tunnel If you modify the RWS setting for an existing tunnel subsequent tunnel users might be not be able to log in if their...

Page 430: ...he LNS 1 Access L2TP Destination Profile Host Configuration mode For example host1 config virtual router fms02 host1 fms02 config l2tp destination profile fms02 ip address 192 168 5 61 host1 fms02 con...

Page 431: ...ocol method as the primary peer resynchronization method but then fall back to the silent failover method if the peer does not support the failover protocol method The following list highlights differ...

Page 432: ...ailover forces disconnection of the tunnel and all of its sessions failover protocol fallback to silent failover The tunnel uses the L2TP failover protocol method however if the peer non failed endpoi...

Page 433: ...e the specified method unless it is overridden by an L2TP host profile configuration or an AAA domain map configuration failover protocol Tunnels use the L2TP failover protocol method If the peer non...

Page 434: ...r protocol 2 silent failover 3 failover protocol with silent failover as backup 6 12 L2TP peer resynchronization method L2TP Resynch Method 26 90 Configuring L2TP Tunnel Switch Profiles You can use th...

Page 435: ...l switch profile the router also disconnects all associated L2TP switched sessions using that profile In some cases attributes configured in a tunnel switch profile take precedence over similar attrib...

Page 436: ...ing AAA Tunnel Groups on page 398 To apply a named tunnel switch profile through RADIUS include the Tunnel Switch Profile RADIUS attribute VSA 26 91 in RADIUS Access Accept messages For details see Ap...

Page 437: ...to relay the Bearer Type Calling Number and Cisco NAS Port Info AVP types across the LNS LAC boundary host1 config l2tp tunnel switch profile avp bearer type relay host1 config l2tp tunnel switch pro...

Page 438: ...nel RWS Router Profile 3 null 2000 0 system chooses null concord Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups To apply an L2TP tunnel switch profile to sessions associated with an A...

Page 439: ...pply a different default tunnel switch profile to each virtual router configured To apply a default L2TP tunnel switch profile to a virtual router 1 Create the virtual router to which you want to appl...

Page 440: ...the establishment of an L2TP tunnel session the LAC sends AVP 24 to the LNS to convey the transmit speed of the subscriber s access interface You can configure the calculation method for the transmit...

Page 441: ...alculation methods NOTE Configuring the transmit connect speed calculation method has no effect on the operation of the L2TP Receive RX Speed AVP 38 or the Connect Info RADIUS attribute 77 at the LAC...

Page 442: ...f any logical interface in the interface column For those logical interfaces with a rate controlled by QoS QoS reports this configured rate as the transmit connect speed for that interface For those l...

Page 443: ...speed 5 Mbps 5 Mbps Actual Example 2 L2TP Session over Ethernet VLAN Interface In this example an L2TP session is established over a PPPoE subinterface over an Ethernet VLAN subinterface The configur...

Page 444: ...e information about supported L2TP terminate reasons see AAA Terminate Reasons on page 279 Advisory Speed Precedence for VLANs over Bridged Ethernet For interface columns that consist of an L2TP sessi...

Page 445: ...ystem chooses null Tunnel Tunnel Tunnel Tunnel Failover Switch Tx Tag Resync Profile Speed Method 5 null null dynamic layer2 Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation...

Page 446: ...Configuring the calculation method as a default AAA tunnel parameter for a virtual router has lower precedence than using AAA domain maps AAA tunnel groups or RADIUS to configure the transmit connect...

Page 447: ...rmat is assignmentId Tunnel calling number format is fixed Using RADIUS to Configure the Transmit Connect Speed Calculation Method On the LAC the router can receive tunnel configuration attributes thr...

Page 448: ...lation Method on page 405 Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method on page 406 Using RADIUS to Configure the Transmit Connect Speed Calculation Me...

Page 449: ...en proxy LCP is disabled or required to renegotiate at the LNS All PPP LCP echo requests and their responses PPP LCP terminate request or terminate acknowledgement packets from the client or LNS when...

Page 450: ...410 PPP Accounting Statistics JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 451: ...work server LNS function is deployed in networks that have a combination of broadband and narrowband access A remote site can communicate on demand with the home site with a normal L2TP access concent...

Page 452: ...Protocol PPP stack for the dial out session Dial out route Network Model for Dial Out In Figure 10 on page 412 the home site connects to the Internet over a permanent leased line to the Internet serv...

Page 453: ...5 Once the LNS successfully completes a control connection and session with the LAC the LAC performs the actual narrowband dial out operation to the remote site using the information passed by the LN...

Page 454: ...e not functional down Targets Table 76 on page 414 describes the operational states of the targets Table 76 Target Operational States Description State Dial out route is up and operational inService D...

Page 455: ...was unsuccessful This state prevents the router from thrashing on an outgoing call that cannot be completed When in this state the router discards all trigger packets received for the session The inhi...

Page 456: ...cannot be routed successfully by the new access route the router detects this discrepancy as a configuration error because trigger packets that arrive are not forwarded into the outgoing call rather...

Page 457: ...sed in PPP L2TP dial out sessions at the LNS PPP Username Juniper VSA 26 36 Password used in PPP L2TP dial out sessions at the LNS PPP Password Juniper VSA 26 37 Authentication protocol used for L2TP...

Page 458: ...e route does not need to be identical to the one specified in the dial out route but it must be able to forward packets that have the same destination address as the trigger packet However if the acce...

Page 459: ...Dial Out To configure L2TP dial out 1 Enable the creation of a dial out session host1 config l2tp dial out target 10 10 0 0 255 255 0 0 L2TP dial out de dt profile dialOut 2 Optional Set the maximum...

Page 460: ...P outgoing call ends If no trigger is received before the dormant timer expires the dial out session is deleted The range is 0 3600 seconds Example host1 config l2tp dial out dormant timer value 300 U...

Page 461: ...dial out target Use to define an L2TP dial out target When the router receives packets destined for the target it creates a dial out session When you create a target you must specify the following ip...

Page 462: ...nitoring Status of Dial out Sessions on page 453 Monitoring Dial out Targets within the Current VR Context on page 454 Monitoring Operational Status within the Current VR Context on page 456 422 Monit...

Page 463: ...e cause of the disconnection The following list shows current disconnection causes on an E Series LNS that do not have a specific disconnect cause codes The peer initiated termination of LCP after the...

Page 464: ...beyond the completion of LCP negotiation and Prior to receiving the terminate request from the peer the local LCP has sent a Protocol Reject in response to any packet for Encryption Control Protocol E...

Page 465: ...PPP L2TP uses the authenticated name as part of the key for bundle selection Therefore there will never be an unexpected authenticated name for an existing MLPPP bundle authenticate mlppp name mismatc...

Page 466: ...within the time allowed for upper layer negotiation Code 19 with direction 1 is generated if the peer denies address parameters requested by the local NCP Code 19 with direction 2 is generated if the...

Page 467: ...cked Out Destinations on page 437 Monitoring Configured Destination Profiles or Host Profiles on page 437 Monitoring Configured and Operational Status of all Destinations on page 440 Monitoring Statis...

Page 468: ...page 428 lists the show aaa domain map command output fields Table 80 show aaa domain map Output Fields Field Description Field Name Name of the domain Domain Virtual router to which user domain name...

Page 469: ...expected from the peer the LNS when during tunnel startup Tunnel Server Name Preference level for the tunnel Tunnel Preference Maximum number of sessions allowed on a tunnel Tunnel Max Sessions L2TP r...

Page 470: ...e 81 on page 430 lists the show aaa tunnel group command output fields Table 81 show aaa tunnel group Output Fields Field Description Field Name Name of the domain Domain Virtual router to which user...

Page 471: ...l Tunnel Client Name Host name expected from the peer the LNS when during tunnel startup Tunnel Server Name Preference level for the tunnel Tunnel Preference Maximum number of sessions allowed on a tu...

Page 472: ...the show aaa tunnel parameters command output fields Table 82 show aaa tunnel parameters Output Fields Field Description Field Name Default tunnel password Tunnel password Hostname that the LAC sends...

Page 473: ...ission retries for established tunnels is 5 Retransmission retries for not established tunnels is 5 Tunnel idle timeout is 60 seconds Failover within a preference level is disabled Weighted load balan...

Page 474: ...timeout Enabled or disabled Failover within a preference level Enabled or disabled Weighted load balancing Enabled or disabled Tunnel authentication challenge Whether the E Series LAC sends Calling S...

Page 475: ...nformation about specified destinations To display information about a specific destination host1 show l2tp destination ip 172 31 1 98 L2TP destination 1 is Up with 5 active tunnels and 64 active sess...

Page 476: ...uter on which the tunnel is configured Virtual Addresses of the local and remote interfaces Local and peer addresses Effective administrative state The more restrictive of the router and destination a...

Page 477: ...destination is waiting for the lockout timeout to expire and how much time is left or waiting for the lockout test to start or finish L2TP destination waiting Number of destinations that are currentl...

Page 478: ...ssword is 222 Interface profile is ascints Default upper binding type mlppp Maximum sessions is 250 Failover resync is failover protocol Statistics Current session count is 2 Remote host is mexico Con...

Page 479: ...t Local IP address Identifier for bundled sessions Bundled group id Password for the tunnel Tunnel password Name of the host profile Interface profile Status of proxy LCP for the remote host Proxy lcp...

Page 480: ...strative status of the L2TP destination enabled No restrictions on creation and operation of sessions and tunnels for this destination drain Router will not create new sessions or tunnels for this des...

Page 481: ...lppp endpoint discriminator mismatch 9 0 0 0 lcp mlppp peer mrru not valid 10 0 0 0 lcp mlppp peer ssn invalid 11 0 0 0 lcp callback refused 12 0 0 0 authenticate timed out 13 0 0 0 authenticate mlppp...

Page 482: ...session id is 2 Statistics packets octets discards errors Data rx 7 237 1 0 Data tx 6 160 0 0 Session operational configuration User name is t1 s1 local Tunneling PPP interface atm 0 0 1 Call type is...

Page 483: ...ify the session locally and remotely Local and peer session id Information about the traffic for this session Statistics Information received from the peer when the session was created Session operati...

Page 484: ...profiles configured on the router Action To display only the names of the L2TP tunnel switch profiles configured on the router host1 show l2tp switch profile L2TP tunnel switch profile concord L2TP tu...

Page 485: ...p with 12 active sessions 5 L2TP tunnels found To display detailed configuration information about specified tunnel host1 show l2tp tunnel detail 1 xyz L2TP tunnel 1 xyz is Up with 13 active sessions...

Page 486: ...ps Tunnel address information Tunnel address Method used to transfer traffic Transport Name of the virtual router on which the tunnel is configured Virtual router IP addresses of the local and remote...

Page 487: ...n acknowledgment from the router Receive window size Number of acknowledgments that the router has received from the peer Receive ZLB Number of received control packets that were out of order Receive...

Page 488: ...creation and operation of sessions for this tunnel drain Router will not create new sessions for this tunnel disabled Router disabled existing sessions and will not create new sessions for this tunne...

Page 489: ...nhibited 0 Maximum targets inhibited 0 Authentication grant for nonexistent session 0 Authentication deny for nonexistent session 0 Dial out Virtual router statistics Virtual routers active 0 Virtual...

Page 490: ...state 0 Sessions in connecting state 0 Sessions in inService state 0 Sessions in inhibited state 0 Sessions in postInhibited state 0 Sessions in failed state 0 To display information about the operati...

Page 491: ...al router statistics VRs in use by the state machine Virtual routers active VRs that have been used by the state machine Virtual routers created VRs no longer used by the state machine Virtual routers...

Page 492: ...tics Currently active sessions Sessions active All sessions created Sessions created Sessions deleted Sessions removed Sessions reset using the l2tp dial out session reset command Sessions reset Trigg...

Page 493: ...aspects of the dial out state machine and details about the dial out routes themselves This section presents sample output The actual output on your router may differ significantly Action To display...

Page 494: ...Session Current status of the session Status Current operational status of session Operational status Related Topics For detailed information about operational states see Dial Out Operational States...

Page 495: ...virtual routers host1 dialout show l2tp dial out target allVirtualRouters NOTE The level of a user s permission determines the use of the allVirtualRouters option For example if you have permission to...

Page 496: ...fers per session 0 To display aggregate counts for dial out state machines in each of the possible operational and administrative states host1 dialout show l2tp dial out virtual router summary To disp...

Page 497: ...um number of trigger packets held in buffer while the dial out session is being established Maximum trigger buffers per session Related Topics For detailed information about operational states see Dia...

Page 498: ...458 Monitoring Operational Status within the Current VR Context JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 499: ...1 DHCP Local Server Overview on page 469 Configuring DHCP Local Server on page 477 Configuring DHCP Relay on page 495 Configuring the DHCP External Server Application on page 523 Monitoring and Troubl...

Page 500: ...460 Managing DHCP JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 501: ...on parameter carried by DHCP is the IP address A computer must be initially assigned a specific IP address that is appropriate to the network to which the computer is attached and that is not assigned...

Page 502: ...L line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external server and DHCP local server in equal access mode the router retrieves th...

Page 503: ...ring RADIUS Attributes on page 171 and RADIUS IETF Attributes on page 259 Configuring the DHCP Access Model The E Series router provides a DHCP access model which enables you to integrate the router i...

Page 504: ...address to the remote host The new IP address is included when the router next updates its routing table Dynamic IP addresses are leased to the remote host for a specific period of time which can rang...

Page 505: ...CP packet processing The logged packets are output to the dhcpCapture event logging category You can configure per interface DHCP packet logging on statically configured and dynamically created IP int...

Page 506: ...mand To delete a connected user s IP address lease and the associated route configuration when the DHCP client binding is no longer needed use the dhcp delete binding command When you delete a DHCP cl...

Page 507: ...e remote ID string supports matching of both regular expression metacharacters and nonprintable ASCII characters in binary sequences subnetAddress IP address of the subnet on which the DHCP client res...

Page 508: ...delete DHCP client bindings that match the specified circuit ID string host1 vr3 dhcp delete binding circuit id xe3 To specify nonprintable byte codes in the circuit ID string or remote ID string you...

Page 509: ...Server on page 489 In equal access mode the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service In standalone mode the...

Page 510: ...ess Mode Overview In equal access mode the router enables access to non PPP users Non PPP equal access requires the use of the router s DHCP local server and SRC software which communicates with a RAD...

Page 511: ...rk can be presented to the DHCP local server in the client s DHCP request message The giaddr field in the DHCP request message contains the IP address of a DHCP relay agent The router attempts to matc...

Page 512: ...configure the DHCP local server to use AAA authentication for the incoming clients The DHCP local server receives DHCP client requests for addresses selects DHCP local pools from which to allocate add...

Page 513: ...e authentication is successful the local server selects an IP address pool based on the order presented in Table 100 on page 473 When the router finds a match it selects a pool based on the match and...

Page 514: ...entify clients when it receives subsequent messages and to maintain the state of each client within the DHCP protocol In addition the table contains information that may be transferred to and from the...

Page 515: ...Authentication for DHCP Local Server Standalone Mode on page 487 for a sample configuration 2 For standalone mode optionally configure the router to use AAA authentication for DHCP requests from subsc...

Page 516: ...476 DHCP Local Server Configuration Tasks JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 517: ...Addresses from Address Pools on page 479 Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces on page 480 Differentiating Between Clients with the Same Client ID or Hard...

Page 518: ...fied in the DHCP local pool host1 config ip dhcp local excluded address 10 10 3 4 4 Optional Enable general DHCP local server traps See Using SNMP Traps to Monitor DHCP Local Server Events on page 482...

Page 519: ...itchover or reload if the action that caused the dynamic interface to be created occurs again a new dynamic interface is created The new dynamic interface then inherits the limit set by the global val...

Page 520: ...enables the DHCP local server to create unique client IDs to support roaming clients and to manage situations in which two clients in the network have the same hardware address NOTE This feature repl...

Page 521: ...in the following situations When duplicate client IDs and duplicate hardware addresses do not exist in your network When the DHCP local server application interacts with DHCP relays in your network t...

Page 522: ...verity level 1 alert 2 critical and 3 error events This trap helps administrators monitor DHCP local server general health error statistics address lease status and protocol events The global SNMP tra...

Page 523: ...an IP DHCP Local Server Binding on page 482 Configuring DHCP Local Address Pools on page 484 Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 487 Configuring DHCP Local Ser...

Page 524: ...0 10 1 1 The default router must be on the same subnetwork as the local server pool IP addresses that you configure with the network command You specify the IP address of a primary server and optional...

Page 525: ...p node Peer to peer m node Mixed h node Hybrid 9 Specify the IP addresses that the DHCP local server can provide from an address pool host1 config dhcp local network 10 10 1 0 255 255 0 0 Use the forc...

Page 526: ...address pools that are linked are viewed as a group Setting Grace Periods for Address Leases The JUNOSe software enables you to configure a grace period for a particular local address pool the grace p...

Page 527: ...ptionally apply the grace period to released addresses Configuring AAA Authentication for DHCP Local Server Standalone Mode The DHCP local server enables you to optionally configure AAA based authenti...

Page 528: ...s host1 config service dhcp local standalone authenticate 3 Specify the password that authenticates a locally configured DHCP standalone mode client In DHCP standalone mode the password is presented t...

Page 529: ...ID included MAC Address excluded Option 82 excluded Related Topics ip dhcp local auth domain command ip dhcp local auth include command ip dhcp local auth password command ip dhcp local auth user pref...

Page 530: ...does not expire 3 Specify the name of a DNS domain for DHCPv6 clients in the current virtual router to search You can specify a maximum of four DNS domains for a DHCPv6 local server s search list hos...

Page 531: ...2 2 4 1 64 string Local address pool name for example server4pool NOTE After a stateful SRP switchover in a scaled environment the interface strings associated with DHCPv6 client bindings might not be...

Page 532: ...Configuring the Router to Work with the SRC Software E Series Broadband Services Routers have an embedded SRC client that interacts with the SRC software For information about configuring the SRC clie...

Page 533: ...y host1 config if exit host1 config interface fastEthernet 2 0 host1 config if ip unnumbered loopback 0 2 Configure the parameters to enable the router to forward authentication requests to the RADIUS...

Page 534: ...IP addresses to subscribers of ISP Boston host1 config ip dhcp local pool ispBoston host1 config dhcp local network 10 10 2 0 255 255 255 0 host1 config dhcp local domain name ispBoston host1 config d...

Page 535: ...P request If you do not configure DHCP relay then BOOTP relay is disabled The router must wait for an acknowledgment from the DHCP server that the assigned address has been accepted The IP client must...

Page 536: ...0 Strings to Forward Client Traffic to Specific DHCP Servers on page 503 host1 config set dhcp relay Use the no version without specifying an IP address to explicitly delete the DHCP relay from the cu...

Page 537: ...ional option 82 if one is already present in the DHCP packets Assigning the Giaddr to Source IP Address As a security measure DHCP servers typically use the giaddr included in DHCP packets to ensure t...

Page 538: ...sing the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets Each DHCP request packet includes a broadcast flag that if set specifies how to transmit DHCP Offer reply packets and DHCP...

Page 539: ...st first issue the no set dhcp relay layer2 unicast replies command to disable layer 2 unicast replies and then issue the set dhcp relay broadcast flag replies command again to enable broadcast flag r...

Page 540: ...ault which is required in certain configurations to enable address renewals from the DHCP server to work properly However the default installation of host routes might cause a conflict when you config...

Page 541: ...10 0 to subscriber interface ip53001 host1 config ip route 10 10 10 0 255 255 255 252 ip ip53001 7 Prevent DHCP relay from installing host routes this avoids a conflict that can cause undesirable ARP...

Page 542: ...figure DHCP relay to use information in the giaddr in DHCP ACK messages to specify which interface is to be used as the primary interface This capability allows you to build dynamic interfaces on the...

Page 543: ...re option 60 strings in received DHCP client packets against strings that you configure on the router You can use the DHCP relay option 60 feature when providing converged services in your network env...

Page 544: ...eywords to configure actions for nonmatching strings drop Discard traffic local server Forward packets to the DHCP local server proxy client Forward traffic to the DHCP proxy client server relay Forwa...

Page 545: ...onfig set dhcp relay 2 Configure the action DHCP relay takes when the incoming traffic has an exact option 60 string of myword DHCP relay forwards this traffic to the DHCP server with an IP address of...

Page 546: ...dhcp local equal access host1 config set dhcp vendor option equals docsis relay 192 168 1 1 host1 config set dhcp vendor option equals cablemodem relay 192 168 1 1 Use the show dhcp summary and show d...

Page 547: ...he client originated DHCP packets that the DHCP relay forwards to a DHCP server When the DHCP relay agent information option is enabled the DHCP relay adds the option 82 information to packets it rece...

Page 548: ...gent replaces any existing Vendor Specific value in the client packet with the relay agent s value The JUNOSe software provides two commands that you can use to configure DHCP relay agent information...

Page 549: ...ble Disable set dhcp relay agent remote id only Disable Disable Disable no set dhcp relay agent Format of the JUNOSe Data Field in the Vendor Specific Suboption for Option 82 RFC 4243 describes suppor...

Page 550: ...4 high order bits are 0 Example 1 The Vendor Specific suboption for a VLAN ID of 2468 0x09a4 and a UPC of 5 is formatted as follows 09 0c 00 00 13 0a 07 01 02 09 a4 02 01 05 UPC val 5 UPC len 1 byte U...

Page 551: ...Agent Circuit ID suboption identifies the interface on which DHCP packets are received When the packets are received on a LAG interface the router clearly identifies the interface The suboptions inclu...

Page 552: ...dleA LAG interface with VLAN hostname vrname interface type bundle name sub if vlan id Examples lag bundleA 1 2 relayVr lag bundleA 2 bostonHost lag bundleA 1 2 LAG interface with Stacked VLAN hostnam...

Page 553: ...signs an IP address that provides the desired service to the DHCP client The DHCP server uses information based on the IEEE 802 1p values which are extracted from the DHCP packets using JUNOSe softwar...

Page 554: ...0 host1 config policy list classifier group exit host1 config policy list classifier group dot1p1 host1 config policy list classifier group user packet class 1 host1 config policy list classifier grou...

Page 555: ...use the option 82 suboptions This configuration includes the command that specifies the mapping of the user packet class values from the layer 2 policy to the user packet class type in the option 82 V...

Page 556: ...command to enable support for DHCP relay agent option which includes the option 82 suboptions Agent Circuit ID suboption 1 and Agent Remote ID suboption 2 This command does not support the Vendor Spe...

Page 557: ...astEthernet 1 2 3 4 relayVr fastEthernet 1 2 4 bostonHost fastEthernet 1 2 3 4 Ethernet interface with Stacked VLAN hostname vrname interface type slot port sub if svlan id vlan id Examples fastEthern...

Page 558: ...cuit ID suboption If you do not explicitly specify the circuit id only or remote id only keyword both suboptions are used Related Topics radius remote circuit id format set dhcp relay set dhcp relay a...

Page 559: ...t a Timeout for DHCP Client Renewal Messages You can set the amount of time in the range 1 168 hours that the DHCP relay proxy waits for a renewal message from DHCP clients after a router reboot or sw...

Page 560: ...released the host routes that are no longer needed are still unavailable For additional information on managing client bindings see Viewing and Deleting DHCP Client Bindings on page 466 Selecting the...

Page 561: ...s renewal requests from clients For information about using the set dhcp relay layer2 unicast replies command see Configuring Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients on p...

Page 562: ...522 Configuring DHCP Relay Proxy JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 563: ...namic Subscriber Interfaces on page 530 Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces on page 532 Configuring Dynamic Subscriber Interfaces for Interoperati...

Page 564: ...riber requests an address from the DHCP server through the E Series router All communication between the subscriber and the DHCP server is monitored by the E Series router After the subscriber receive...

Page 565: ...dynamic subscriber interface for the client that exists with the client s primary interface A client normally receives broadcast traffic such as the traffic associated with the DHCP discovery process...

Page 566: ...OSe releases in which deleting and re creating the dynamic subscriber interface was the default behavior for the DHCP external server Related Topics Configuring DHCP External Server to Control Preserv...

Page 567: ...uplicate MAC mode by issuing the dhcp external duplicate mac address command and creation of subscriber state information based on lease renewals by issuing the ip dhcp external server sync command si...

Page 568: ...guration Requirements To configure the E Series router to support an external DHCP server you enable the DHCP external server application on the router If you are using DHCP packet detection you must...

Page 569: ...the DHCP external server application You can resynchronize and create subscriber state information that is based on lease renewals To synchronize the external DHCP server with the E Series router Issu...

Page 570: ...external server application to ignore the giaddr when determining the next hop for the subscriber access routes Issue the ip dhcp external disregard giaddr next hop command from Global Configuration...

Page 571: ...er a dynamically created VLAN the VLAN is dynamically created based on the agent circuit id option suboption 1 that is contained in the DHCP option 82 field For information about configuring agent cir...

Page 572: ...starts the discovery process on its primary IP interface Issue the ip dhcp external recreate subscriber interface command from Global Configuration mode host1 vr1 config ip dhcp external recreate subs...

Page 573: ...face profile host1 config profile dsiTest host1 config profile ip unnumbered loopback 5500 host1 config profile exit 2 Define a route map in the VR in which the static primary IP interface resides hos...

Page 574: ...to configure the primary IP interface to support creation of dynamic subscribers interfaces which is accomplished by issuing the ip auto configure ip subscriber exclude primary command as shown in Ste...

Page 575: ...lete a specific client host1 dhcp external delete binding binding id 3972819365 Related Topics dhcp delete binding dhcp external delete binding Deleting Clients from a Virtual Router s DHCP Binding Ta...

Page 576: ...ult in a service interruption To configure the DHCP external server application to use a combination of the MAC address and giaddr to uniquely identify DHCP clients also known as enabling duplicate MA...

Page 577: ...enable the IP Subscriber Manager application to re authenticate the auto detected subscribers created on static and dynamic primary IP interfaces after a cold boot Issue the ip re authenticate auto d...

Page 578: ...538 Configuring DHCP External Server to Re Authenticate Auto Detected Dynamic Subscriber Interfaces JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 579: ...ion Information on page 553 Monitoring DHCP External Server Statistics on page 554 Monitoring DHCP External Server Duplicate MAC Address Setting on page 555 Monitoring DHCP Local Address Pools on page...

Page 580: ...you retrieve baseline relative statistics Use the delta keyword with the show dhcp commands to display baselined statistics Tasks to set a baseline for DHCP statistics are 1 Setting a Baseline for DH...

Page 581: ...fy the type of interface and interface specifier host1 baseline ip dhcp local interface atm 3 1 To set a baseline for DHCPv6 local server statistics Issue the baseline ipv6 dhcpv6 local command host1...

Page 582: ...ings Tasks to monitor DHCP bindings are Monitoring DHCP Binding Information on page 543 Monitoring DHCP Binding Count Information on page 546 Monitoring DHCP Binding Host Information on page 548 Monit...

Page 583: ...00 0013 9365 local 0 0 0 0 81 3 0 11 bound 2409734618 8000 000b 9365 local 0 0 0 0 81 3 0 7 bound 2409734619 8000 0009 9365 local 0 0 0 0 81 3 0 6 bound The output of the show dhcp binding command is...

Page 584: ...0 0 71 1 0 14 bound 3070230543 7000 000e 9365 relay p 0 0 0 0 71 1 0 16 bound 3070230545 7000 0010 9365 relay p 0 0 0 0 71 1 0 18 bound 3070230547 7000 0012 9365 relay p 0 0 0 0 71 1 0 20 bound 307023...

Page 585: ...ent 0 0 0 0 for DHCP external server and DHCP relay proxy bindings IpSubnet IP address assigned to client IpAddress State of the DHCP client binding State IP address of the DHCP server that allocated...

Page 586: ...and interfaces with the specified interface string host1 vr2 show dhcp count interface ip71 4 Assigned Bound Type IpSubnet Interfaces Clients Clients Clients external 0 0 0 0 3 3 3 3 This show dhcp co...

Page 587: ...remote ID string is not supported for the DHCP external server application DHCP external server does not store information about the agent circuit id suboption or agent remote id suboption of option 8...

Page 588: ...ts of the show dhcp host command are arranged in ascending order by IP address whereas the results of the show dhcp binding command are arranged in ascending order by binding ID To display binding inf...

Page 589: ...nding order by IP address To display information about DHCP external server bindings with a specified subnet address host1 vr1 show dhcp host external 0 0 0 0 To display information about DHCP binding...

Page 590: ...available in seconds Lease Detailed output only Time remaining on the current lease in seconds Remaining Detailed output only IP interface that is associated with the client IpInterface Related Topics...

Page 591: ...he current lease in seconds Expire Interface that is associated with the subscriber s computer Interface Related Topics show ip dhcp external binding Monitoring DHCP Bindings Displaying DHCP Bindings...

Page 592: ...ace NOTE This command is deprecated and might be removed completely in a future release The function provided by this command has been replaced by the show dhcp binding command Action To display DHCP...

Page 593: ...ernal Server Configuration Information Purpose Display information about the router s DHCP external server application Action To display DHCP external server information host1 show ip dhcp external co...

Page 594: ...urpose Display statistics for all external DHCP servers or for a specific server Action To display statistics for a DHCP external server host1 config show ip dhcp external statistics server address 10...

Page 595: ...ernal server application Currently this command displays the status of the method that DHCP external server uses to uniquely identify DHCP clients with duplicate MAC addresses Action To display the du...

Page 596: ...Server Address 10 10 20 8 Linked Pool cable5 High utilization threshold 85 Abated utilization threshold 75 Current utilization 0 Utilization trap disabled Shared pool allocations 25 To display informa...

Page 597: ...Servers Address of default router used for subscribers Default Routers DHCP server address that is sent to subscribers Server Address Names of any pools that are linked to this pool Linked Pool Thres...

Page 598: ...ver Authentication Configuration User Prefix ERX4 Boston Domain ISP1 com Password to4TooL8 Virtual Router included Circuit Type included Circuit ID included MAC Address excluded Option 82 excluded To...

Page 599: ...sts that have been granted auth grants Number of authorization requests that have been denied auth denies Related Topics show ip dhcp local auth Monitoring DHCP Local Server Configuration Purpose Disp...

Page 600: ...2005 08 01 12 UTC To display information about all DHCP local server leases host1 show ip dhcp local leases Dhcp Local Leases Address Hardware Lease Initiated Renewed 192 168 0 2 10 06 10 00 10 32 120...

Page 601: ...or clients in the grace period Expiration Infinite or the number of seconds remaining in the lease if any remaining time of grace period for clients in the grace period Remaining Day date and time the...

Page 602: ...packet 17 in error 0 in discard 0 unknown client packet 3 Transmit Statistics offer 4 ack accept 5 ack renew 1 ack rebind 1 nak 3 nak renew 0 nak rebind 0 total out packet 14 out error 0 out discard 0...

Page 603: ...acket Statistics for packets that have been transmitted Transmit Statistics Number of DHCP offer messages sent offer Number of DHCP acknowledgments sent in response to accepted requests ack accept Num...

Page 604: ...d with the vendor option command drop the DHCP application responsible for the action has not been configured yet therefore all packets for this application will be dropped Total 4 entries Vendor opti...

Page 605: ...entries no match Related Topics show dhcp vendor option Monitoring DHCP Packet Capture Settings Purpose Display the configuration for per interface DHCP packet logging Action To display configuration...

Page 606: ...Override Option off Trust All Clients off Preserve Option From Trusted Clients off Circuit ID Sub option 1 on select hostname select exclude subinterface id Remote ID Sub option 2 on Vendor Specific S...

Page 607: ...IP addresses of configured DHCP servers DHCP Server Addresses Related Topics show dhcp relay Monitoring DHCP Relay Proxy Statistics Purpose Display statistics for the DHCP relay proxy NOTE The show dh...

Page 608: ...e messages sent to a server Decline Number of releases sent to a server Release Number of information messages sent to a server Inform Number of clients being maintained by the relay proxy Active Clie...

Page 609: ...tion circuit ID suboption On add Relay Agent Option remote ID suboption On packets with giaddr override 0 packets with Relay Agent Option override 2 packets forwarded with Relay Agent Option already p...

Page 610: ...y reply messages that were discarded because their message type for example offer ack was unknown possibly due to corruption dropped unknown message type reply packets Relay Agent Option statistics st...

Page 611: ...received from DHCP servers that were discarded because their server address and XID do not match an outstanding DHCP server request dropped unknown xid reply packets Number of DHCP relay requests sent...

Page 612: ...gments received from the server Naks received Number of IP addresses rejected because they were already in use addresses declined Number of IP addresses released back to the server addresses released...

Page 613: ...server Address Number of IP address leases granted by the server Leases Number of offers sent by the server Offers Number of requests sent to the server Requests Number of acknowledgments received fr...

Page 614: ...DHCPv6 Local Server DNS Search Lists Purpose Display the DHCPv6 local servers DNS search list Action To display the DNS search list for DHCPv6 local servers host1 show ipv6 dhcpv6 local dns domain sea...

Page 615: ...s Field Description Field Name IPv6 address of the DNS server DNS server Related Topics show ipv6 dhcpv6 local dns servers Monitoring DHCPv6 Local Server Prefix Lifetime Purpose Display the DHCPv6 def...

Page 616: ...pv6 dhcpv6 local statistics command output fields Table 129 show ipv6 dhcpv6 local statistics Output Fields Field Description Field Name Number of bytes of memory used by DHCPv6 local server memUsage...

Page 617: ...es that are being used by DHCP local server clients Optionally display information for a specific duplicate MAC address Action To display information about a specific MAC address being used by multipl...

Page 618: ...hcp Local Interface Limits Total Interface Limit Count Denied Denied atm 3 1 300 127 5 29 To display information about the maximum number of leases on all interfaces host1 config show ip dhcp local li...

Page 619: ...ated Topics show ip dhcp local limits Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server Purpose Display the static IP address MAC address pairs that the DHCP local serve...

Page 620: ...server and DHCP external server Action To display the status of the configured DHCP applications host1 show dhcp summary DHCP local server configured and inactive DHCP relay configured and active Mean...

Page 621: ...nvironment Configuring Subscriber Management on page 583 Monitoring Subscriber Management on page 599 Configuring Subscriber Interfaces on page 603 Monitoring Subscriber Interfaces on page 635 Managin...

Page 622: ...582 Managing the Subscriber Environment JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 623: ...mers to create a unified subscriber management provisioning and service delivery environment The flexibility of the router provides a variety of methods and configurations that enable customers to dyn...

Page 624: ...k service usage that can be used for volume based billing Dynamic address assignment Uses RADIUS DHCP and profiles to dynamically allocate IP addresses to subscribers Dynamic policy management Uses po...

Page 625: ...Subscriber Management Procedure Figure 15 on page 585 shows a subscriber management environment that includes an external DHCP server a RADIUS server the SRC software and the DHCP external server appl...

Page 626: ...to provide authentication authorization accounting and address assignment RADIUS uses the profile to obtain information for the subscriber s IP interface Creates the subscriber s dynamic subscriber in...

Page 627: ...route map exit 6 Enable autoconfiguration mode host1 config interface gigabitEthernet 12 0 host1 config if ip address 192 168 1 1 255 255 255 0 host1 config if ip auto configure ip subscriber include...

Page 628: ...created by JUNOSe subscriber management Specify one of the following circuit types atm or vlan Use the optional prepend circuit type keyword to specify that the circuit type is prepended to the circui...

Page 629: ...nclusion of the IP address in the username See include ip address include mac address Use to include the MAC address identifier in the username that is dynamically created by JUNOSe subscriber managem...

Page 630: ...keyword to specify that the primary interface is assigned to a subscriber See ip auto configure ip subscriber ip auto detect ip subscriber Use to set the router packet detect feature and specify that...

Page 631: ...is greater than the configured value and the interface is deleted On static interfaces the subscriber s access route is removed when the inactivity timer is exceeded When the subscriber logs back in t...

Page 632: ...stateful SRP switchover high availability using an IP service profile to configure subscriber authentication is preferable to using either the subscriber command or the atm atm1483 subscriber command...

Page 633: ...c subscriber interfaces associated with this primary IP interface See ip use framed routes ip subscriber password Use to specify the password for an IP service profile The password is used as the dyna...

Page 634: ...he no version to remove the source address range from the route map See set ip source prefix user name Use to specify the username for an IP service profile The username is used as the dynamically cre...

Page 635: ...ier group filter host1 config policy list classifier group exit host1 config policy list exit host1 config An interface profile that references the restrictAccess policy host1 config profile atlInterf...

Page 636: ...atlServiceProfile host1 config service profile user prefix xyzcorp atl host1 config service profile domain eastcoast host1 config service profile include hostname host1 config service profile include...

Page 637: ...ier vlan host1 config service profile include mac address host1 config service profile include dhcp option 82 agent circuit id host1 config service profile exit host1 config The example generates the...

Page 638: ...598 Subscriber Management Configuration Examples JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 639: ...tion about IP service profiles host1 show ip service profile ip service profile west500 user name finance22 user prefix xyz bos domain xyzcorp net include virtual router name include mac address inclu...

Page 640: ...file agent circuit id or agent remote id include dhcp option 82 Password used to retrieve information from RADIUS for subscriber interfaces password Related Topics show ip service profile Monitoring A...

Page 641: ...is configured Virtual Router Name of subscriber interface ip indicates that subscriber manager created this interface Interface Day date and time that the subscriber logged in Login Time MAC address o...

Page 642: ...602 Monitoring Active IP Subscribers Created by Subscriber Management JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 643: ...page 622 Subscriber Interfaces Overview You can configure E Series routers to create subscriber interfaces statically or dynamically The following list shows the underlying layer 2 interfaces on which...

Page 644: ...P session An example of a dynamic interface configuration is a PPPoE session running on top of a Gigabit Ethernet VLAN interface Figure 16 on page 604 shows an example of the dynamic interface stack F...

Page 645: ...u must manually configure the SSI and you cannot use the same dynamic profiles and RADIUS that DSIs use Subscribers can be connected to a single broadcast segment without using dynamic or static subsc...

Page 646: ...addresses at any given time For example Figure 18 on page 606 illustrates the relationship between subscriber interfaces an associated primary IP interface and an associated Ethernet interface Figure...

Page 647: ...cally created subscriber interfaces see Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces on page 613 Routing Protocols You configure unicast routing protocols on subscribe...

Page 648: ...6 or a local gaming service on network 10 12 0 0 16 Rate limits and policies on the subscriber interface customize the service level for the associated service In this application the E Series router...

Page 649: ...uter can separate the traffic from subnets A and B Because the E Series router is forwarding traffic in this application the shared IP interface should demultiplex the traffic by using a source addres...

Page 650: ...igabitEthernet 0 1 For E120 and E320 Routers use the slot adapter port format which includes an identifier for the bay in which the I O adapter IOA resides In the software adapter 0 identifies the rig...

Page 651: ...ubscriber an IP address from one of the local address pools In equal access mode the DHCP local server works with Juniper Networks Session and Resource Control SRC software and the authorization accou...

Page 652: ...12 shows the interface stacking in an IP over Ethernet dynamic subscriber interface configuration The illustration indicates which layers in the stack are static and dynamic and identifies the CLI com...

Page 653: ...configurations or the router for packet detection configurations then assigns a subscriber an IP address matching this source prefix the router does not create a dynamic subscriber interface for that...

Page 654: ...is discarded In addition creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router s Address Resolution Protocol ARP table This occurs regardless of whet...

Page 655: ...ow arp command The following sample output from the show ip mac validate interface command displays the MAC address validation state strict inherited by the dynamic subscriber interface ip74 39 64 3 f...

Page 656: ...s on network 10 12 0 0 16 Figure 22 Subscriber Interfaces Using a Destination Address to Demultiplex Traffic E Series router To configure the static subscriber interfaces shown in Figure 22 on page 61...

Page 657: ...an address or make it unnumbered host1 config if ip unnumbered loopback 0 d Specify the destination addresses for the subscriber interface to use to demultiplex traffic host1 config if ip destination...

Page 658: ...yer 2 interface host1 config interface fastEthernet 4 1 b Create a primary IP interface host1 config if ip address 10 1 1 1 255 255 255 0 c Exit Interface Configuration mode host1 config if exit 2 Con...

Page 659: ...subscriber interface IP2 host1 config virtual router vrb Proceed with new virtual router creation confirm yes host1 vrb config interface ip ip2 host1 vrb config if ip share interface fastEthernet 4 1...

Page 660: ...Broadband Services Router or the E320 router you can configure up to 1024 subnets for static subscriber interfaces per primary IP interface when each subnet has a variable network mask that is less th...

Page 661: ...stination if the next hop IP address is resolvable over MPLS If you specify a virtual router the command fails if the VR does not already exist If you do not specify a VR the current VR is assumed Aft...

Page 662: ...ing DHCP events perform the following steps 1 Configure the DHCP server For instructions see Configuring the DHCP Local Server on page 477 2 Specify a Fast Ethernet Gigabit Ethernet or 10 Gigabit Ethe...

Page 663: ...rface by adding a subinterface number to the interface identification command host1 config if interface gigabitEthernet 1 0 1 5 Assign a unique VLAN ID to the VLAN subinterface host1 config if vlan id...

Page 664: ...Configure an associated PVC for the ATM 1483 subinterface by specifying the VCD the VPI the VCI and the encapsulation type host1 config subif atm pvc 10 100 22 aal5snap 5 Specify bridged Ethernet as t...

Page 665: ...GRE tunnel interface For instructions see the Configuration Tasks section in JUNOSe IP Services Configuration Guide 2 Create the primary IP interface by assigning an IP address and mask to the bridge...

Page 666: ...each physical interface this example assigns an IP address to a loopback interface loopback 0 Each physical interface is then configured as an unnumbered IP interface referencing the same loopback int...

Page 667: ...0 10 Create an unnumbered primary IP interface associated with the loopback interface configured in Steps 6 and 7 host1 config if ip unnumbered loopback 0 11 Configure the primary IP interface to ena...

Page 668: ...rver Example host1 config dhcp local default router 10 10 1 1 Use the no version to remove the association between the address pool and the router See default router encapsulation bridge1483 Use to co...

Page 669: ...move an interface or a subinterface if the one above it still exists See interface fastEthernet interface gigabitEthernet Use to select a Gigabit Ethernet interface NOTE You can configure only the pri...

Page 670: ...er host IP addresses within that subnet 1 1 1 1 16 if no specific or longer route entry is found or if the SRP module receives too much traffic from subnets other than 1 1 1 1 the CPU utilization on t...

Page 671: ...figure ip subscriber include primary Use the no version to disable creation of dynamic subscriber interfaces associated with this primary IP interface Use the no version with the include primary keywo...

Page 672: ...amic creation of subscriber interfaces to demultiplex traffic with the specified source address You can issue this command from either Interface Configuration mode or Subinterface Configuration mode E...

Page 673: ...er can provide from an address pool Example host1 config dhcp local network 10 10 1 0 255 255 255 0 Use the no version to remove the network address and mask See network service dhcp local Use to enab...

Page 674: ...vlan id Use to configure a VLAN ID for a VLAN subinterface Specify a VLAN ID number that is in the range 0 4095 and is unique within the Ethernet interface Issue the vlan id command before you config...

Page 675: ...see the Monitoring IP section in JUNOSe IP Services Configuration Guide Action You can use the show ip demux interface command to monitor the configuration of subscriber interfaces Monitoring Subscri...

Page 676: ...Display information about active IP subscribers that were created by the JUNOSe software s subscriber management feature Action To display information about subscribers that were created by subscribe...

Page 677: ...at subscriber manager created this interface Interface Day date and time that the subscriber logged in Login Time MAC address of the subscriber Mac Address AAA profile handle Profile Handle Interface...

Page 678: ...638 Monitoring Active IP Subscribers Created by Subscriber Management JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 679: ...Part 6 Managing Subscriber Services Configuring Service Manager on page 641 Monitoring Service Manager on page 707 Managing Subscriber Services 639...

Page 680: ...640 Managing Subscriber Services JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 681: ...on page 667 Combined and Independent IPv4 and IPv6 Services in a Dual Stack Overview on page 669 Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack on page 670 Configuring RADIUS Ac...

Page 682: ...and Acronyms Table 138 on page 642 defines terms and acronyms that are used in this discussion of the Service Manager application Table 138 Service Manager Terms and Acronyms Definition Term A service...

Page 683: ...tion about the topics covered in this chapter see the following documents Data Over Cable Service Interface Specifications DOCSIS 2 0 Radio Frequency Interface Specification CM SP RFIv2 0 I10 051209 F...

Page 684: ...nable statistics collection Activate the service session Deactivate service sessions Optional for RADIUS CoA method Configure the CoA feature for the RADIUS dynamic request server Use the CLI to manag...

Page 685: ...hen you can associate the service definition with subscribers to create their service sessions Service definitions gives you flexibility by enabling you to use A single service definition to create a...

Page 686: ...initions independent of the Service Manager commands and operations which are performed on the E Series router For detailed information about the JUNOSe software s macro language see the Command Line...

Page 687: ...n the service definition that has the error Optional command in error Passes the value env getErrorStatus Service Manager displays the error status for the error Optional command error status Specifie...

Page 688: ...d hierarchical policy parameters Optional output stat epg Collects input statistics associated with the external group that is attached at the secondary input stage from policy manager Both the extern...

Page 689: ...continue to use the original definition until you deactivate the service session 4 Modify You can update an existing service definition file at any time To update a service definition file a Use your...

Page 690: ...eferencing Policies in Service Definitions In Profile Configuration mode policy interface commands for IP and L2TP allow attachments to be merged into any existing merge capable attachment at an attac...

Page 691: ...oS profile when activating a service but make sure that the QoS profile is attached to the subscriber s interface For more information about configuring QoS profiles see the Configuring and Attaching...

Page 692: ...pecify that Service Manager create QoS parameter instances when the subscriber logs in during service activation or through RADIUS QoS parameter VSAs You can specify up to eight parameter instance com...

Page 693: ...ue 15000 In Profile Configuration mode the no version removes the QoS parameter instance command in the profile See qos parameter Specifying QoS Parameter Instances in a Service Definition After you c...

Page 694: ...rameterName4 for the subscriber s interface If it finds a parameter instance it adds bandwidth2 3 000 000 to the current value If Service Manager does not find a parameter instance it creates one with...

Page 695: ...g parameter instances in profiles and modifying explicit parameter instances can cause invalid parameter instance values Table 141 on page 655 lists a series of activations and deactivations using par...

Page 696: ...events Table 142 on page 656 lists the sources that overwrite QoS profiles and parameter instances created by other sources Each row represents new QoS profiles and parameter instances columns represe...

Page 697: ...ager using other sources without affecting the reference counts For more information see QoS Statistics on page 659 RADIUS QoS profile attachments and parameter instances configured through RADIUS can...

Page 698: ...and parameter instances After removing the QoS profile and parameter instances Service Manager automatically removes the following QoS configurations in the following order 1 QoS profiles 2 Scheduler...

Page 699: ...ch time the parameter is modified through service deactivation References of regular parameter instances are also counted using a separate reference count Parameter instances are removed when both ref...

Page 700: ...s greater flexibility and efficient management for a large number of subscribers and services Enables you to use mutual exclusion mutex groups to create mutex services RADIUS CoA only CLI based suppor...

Page 701: ...when you have a large number of users already logged in through RADIUS and you want to activate new services for them This method is also used for the guided entrance service described in Guided Entra...

Page 702: ...VSA you specify values for the input and output bandwidth tiered 1280000 5120000 2 Specify optional VSAs for the service session as needed Service Volume Service Timeout Service Statistics Service Ma...

Page 703: ...hat the service is to remain active the service is terminated when the time expires a tagged VSA Access Accept and CoA Request Service Timeout 26 68 Statistics configuration a tagged VSA 0 disable 1 t...

Page 704: ...000 and output bandwidth of 5120000 The subscriber can use the service for 5 hours 18000 seconds and Service Manager captures both timestamp and volume statistics during the session service statistics...

Page 705: ...ics 600 2 service interim acct interval voice 100000 6 service activation 1440 6 service timeout 1200 6 service interim acct interval Using RADIUS to Deactivate Service Sessions A service session can...

Page 706: ...ervices NOTE Service Manager terminates a session when the output byte count exceeds the configured service volume threshold The output byte count is captured by the output stat clacl string in the cl...

Page 707: ...existing service This ensures that the subscriber is never without an active service In the original CoA Request method the order of activation and deactivation is random in some cases the existing se...

Page 708: ...lighted in bold text parameterizes input and output bandwidth tiered inputBW outputBW uid app servicemanager getUniqueId name SM tiered uid oname SM O tiered uid classifier list matchAll ip any any ra...

Page 709: ...in which IPv4 and IPv6 protocols share a common transport and framing layer A dual stack implementation supports both IPv4 and IPv6 hosts to help provide a smooth transition to all parts of a enterpr...

Page 710: ...when IPv6 subscribers or IPv4 and IPv6 subscribers in a dual stack are in a network When you create the service definition include the following service attribute in the service definition if you want...

Page 711: ...rvice is deleted when the service is deactivated Combined IPv4 and IPv6 Service in a Dual Stack To configure a single service for IPv4 and IPv6 interfaces you can create and install one service defini...

Page 712: ...s You must enable Service Manager volume statistics for a service session When you terminate a subscriber session Service Manager first sends RADIUS Acct Stop messages for any active services associat...

Page 713: ...ng interval for services that are created during a user RADIUS based login and services that are activated by a CoA operation The service interim accounting interval is specified by the RADIUS Service...

Page 714: ...vate attribute VSA 26 65 Table 149 on page 674 describes a sample Acct Start message for a service session In the table the three fields used by Service Manager are shown in bold characters An Acct St...

Page 715: ...l aaa service accounting interval Use to specify the default interval between service accounting updates Service manager uses the default interval when no value is specified in the Service Interim Ac...

Page 716: ...reset the accounting interval to 0 which turns off interim user accounting when no value is specified in the RADIUS Acct Interim Interval attribute See aaa user accounting interval Service Interim Acc...

Page 717: ...ce definitions for example you might use the CLI commands to verify that a newly created service definition is correct When you are satisfied with the service definition you can then use RADIUS to act...

Page 718: ...ssion keyword tiered 1280000 5120000 service management owner session Use to activate a service for an existing subscriber by identifying the owner used to create the subscriber session and specifying...

Page 719: ...management owner session service management subscriber session service session Use to activate a service for a subscriber by creating a subscriber session and a service session NOTE Always activate at...

Page 720: ...ger s performance Typically when you use a service definition to activate a subscriber s service session Service Manager uses resources to build that service However if you later use the same service...

Page 721: ...service s duration and traffic volume volume Specifies that the service is automatically deactivated when the indicated traffic volume is exceeded time Specifies that the service is automatically deac...

Page 722: ...ollect statistics about both the volume of traffic and the duration of the service session Example host1 config service management service session profile vodISP1 host1 config service session profile...

Page 723: ...elete the volume attribute from the service session profile See volume Using the CLI to Deactivate Subscriber Service Sessions The CLI supports several methods that enable you to manually deactivate s...

Page 724: ...service management owner session command See service management owner session no service management subscriber session service session Use to gracefully deactivate service sessions for a subscriber U...

Page 725: ...when a threshold is reached you create a service session profile that includes a time threshold or a volume threshold or both Then you attach the service session profile when you activate the service...

Page 726: ...stics Collection with the CLI on page 688 if you are using the CLI Setting Up the Service Definition File for Statistics Collection Service Manager statistics are based on classifier lists the classif...

Page 727: ...profile Example 2 This example shows how you can also configure your service definition to collect total statistics from multiple classifier lists The following command specifies that three classifier...

Page 728: ...ed3 host1 config service session profile statistics volume time host1 config service session profile 2 Apply the service session when you activate the subscriber service session host1 config service m...

Page 729: ...t string external parent grp name policy parameter name The string variable specifies the type of statistics to track Service Manager supports the following strings input stat epg Track input statisti...

Page 730: ...ber of JUNOSe commands in a service definition to specify a service Reference objects in service definitions Referencing commonly used objects is more resource efficient than using unique objects for...

Page 731: ...put stat clacl matchAll endtmpl Sample RADIUS Attributes Value Tag RADIUS Attribute client1 isp1 com none username tiered 1280000 5120000 1 activate service Sample CLI Command host1 config service man...

Page 732: ...ay MG based service that has upstream and downstream components The IP address and port for both the subscriber and the opposite end of the phone call were originally negotiated with the SBC The VoIP...

Page 733: ...ubscriber might be shown a Web site that offers services such as Predefined services A group of user selectable services that meets a variety of needs of a single subscriber The subscriber might selec...

Page 734: ...ng the HTTP Local Server to Support Guided Entrance on page 696 for information about the HTTP local server RADIUS Dynamic Request Server and CoA messages Enables RADIUS to dynamically activate the ne...

Page 735: ...profile profileName endtmpl Sample RADIUS Attributes Value Tag RADIUS Attribute client5 isp1 com none username http 192 168 25 2 80 1 activate service Sample CLI Command host1 config service manageme...

Page 736: ...service Tiered Service Selected at Web Site Value Tag RADIUS Attribute client5 isp1 com none username tiered 1280000 5120000 2 activate service http 192 168 25 2 80 deactivate service 720 2 service t...

Page 737: ...cify the maximum number of connections that can exist between one IP address and the HTTP local server host1 west40 config ip http same host limit 20 6 Specify the maximum time that HTTP local servers...

Page 738: ...servers maintain connections host1 west40 config ip http max connection time 1000 7 Enable the HTTP local server to listen for and process IPv6 exception packets host1 west40 config ipv6 http server 8...

Page 739: ...n time ip http port Use to specify the port on which the HTTP local server receives connection attempts for IPv4 exception packets Specify a port number in the range 1 65535 Example host1 config ip ht...

Page 740: ...local server Specify a number in the range 0 1000 Example host1 config ip http same host limit 20 Use the no version to restore the default number of allowed connections 3 See ip http same host limit...

Page 741: ...ion for the subscriber HTTP redirect is per interface use the command in Interface Configuration mode or Subinterface Configuration mode for static interfaces and use the command in Profile Configurat...

Page 742: ...ut must limit the total flow for IPv4 and IPv6 interfaces to 64 Kbps Figure 33 Input Traffic Flow with Rate Limit Profile on an External Parent Group for a Combined IPv4 IPv6 Service VoIP 64 Kbps VoIP...

Page 743: ...ericName vb in destination host VB6G1 n ipv6 classifier list cl46 6 genericName vb out source host VB6G1 n ip policy list pl v4v6 genericName in classifier group cl46 4 genericName vb in external pare...

Page 744: ...ansmit unconditional The conformed action which sets the action for packets not conforming to the committed rate and committed burst size but conforming to the peak rate and peak burst size for a rate...

Page 745: ...ce Manager track statistics associated with the external parent group named vb v4v6 in and the corresponding hierarchical policy named v4v6 and that this external parent group is associated with the p...

Page 746: ...d traffic denoted as inBw in the macro 10 0 0 1 Host IP address for IPv4 subscribers denoted as VBG1 in the macro 2001 1 Host IP address for IPv6 subscribers denoted as VB6G1 in the macro vlan Interfa...

Page 747: ...oring IPv4 and IPv6 Interfaces for Service Manager on page 713 Monitoring Service Definitions on page 723 Monitoring Service Session Profiles on page 724 Monitoring Active Owner Sessions with Service...

Page 748: ...eld Name Maximum time that the HTTP local server maintains an inactive connection in seconds Maximum connection length Number of configured Web servers Current number of http servers Number of Web ser...

Page 749: ...ection Listening port Maximum number of connections allowed between one IP address and the HTTP local server Same host limit Protocols that the HTTP local server is listening for IPv4 IPv6 or IPv4 and...

Page 750: ...s No resource failures Total number of HTTP connections established Http connections created Total number of HTTP connections ended Http connections terminated Total number of HTTP connections that ex...

Page 751: ...g the Default Interval for Interim Accounting of Services Purpose Display the default interval used for interim accounting for services associated with users on the virtual router An entry of 0 indica...

Page 752: ...ng Profiles for Service Manager Purpose Display information about the policies and QoS configurations referenced in profiles Action To display information about a specific profile host1 show profile n...

Page 753: ...hernet 1 1 200 GigabitEthernet1 1 line protocol Ethernet is up ip is not present Network Protocols IP Multipath mode hashed Auto Configure disabled Auto Detect disabled Inactivity Timer disabled Use F...

Page 754: ...tes 0 Unicast Packets 0 Bytes 0 Multicast Packets 0 Bytes 0 In Total Dropped Packets 0 Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Fo...

Page 755: ...put fields Table 159 show ip interface Output Fields Field Description Field Name Interface type and specifier interface Status of the interface interface status Url to which a subscriber s initial we...

Page 756: ...ts received with destination unreachable dst unreach Packets sent with time to live exceeded time excd Packets sent with parameter errors param probs Source quench packets sent src quench Send packets...

Page 757: ...d into an output IP interface In Forwarded Packets Bytes Total number of packets and bytes that were dropped on the interface In Total Dropped Packets Bytes Packets discarded on a receive IP interface...

Page 758: ...kets and bytes dropped by the scheduler because they exceeded the contract Out Scheduler Drops Exceeded Packets Bytes Packets discarded on the egress interface because of rate limiting Out Policed Pac...

Page 759: ...tion unreachable destination unreach Packets received because the destination was administratively unreachable for example the packet encountered a firewall filter admin unreach Packets sent with para...

Page 760: ...eived packet redirects redirects Echo request ping packets echo requests Echo replies received echo replies Number of received router solicitations rtr solicits Number of received router advertisement...

Page 761: ...fixes for neighbor discovery router advertisement ND RA advertising prefixes Total number of packets and bytes received on the IP interface In Received Packets Bytes Unicast packets and bytes received...

Page 762: ...face because of rate limiting Out Policed Packets Packets discarded on the egress interface because of a configuration problem rather than a problem with the packet itself Out Discarded Packets Type i...

Page 763: ...True Service tiered inputbw outputbw Reference Count 0 To display summary information for all service definitions host1 show service management service definition brief Service Definitions Reference F...

Page 764: ...Timestamp Related Topics show service management service definition Monitoring Service Session Profiles Purpose Display information about service session profiles configured on your router Action To d...

Page 765: ...latile Sessions CLIENT1 ISP COM ip192 168 0 3 1 AAA 4194326 Active False 1 CLIENT2 ISP COM ip192 168 0 7 2 AAA 4194327 Active False 1 CLIENT3 ISP COM ip192 168 0 4 3 AAA 4194328 Active False 1 CLIENT4...

Page 766: ...163 show service management owner session Output Fields Field Description Field Name Name of the subscriber or name of the service session Name Type and IP address of the subscriber s interface Interf...

Page 767: ...profile or RADIUS VSA Volume Volume left until the threshold is exceeded this value starts as the volume threshold value and is decremented as the service statistics measure volume Volume Expire Curre...

Page 768: ...192 168 0 1 User Name CLIENT1 ISP COM Interface ip 192 168 0 1 Id 1 Owner AAA 4194326 Non volatile False State Active ServiceSessions Name mutex Owner Id State Operation tiered 2000000 3000000 AAA 41...

Page 769: ...ervice session belongs mutex Method used to activate the subscriber session CLI AAA and ID number generated by the owner Acct Session ID for AAA Owner Id Status of the subscriber session active or ina...

Page 770: ...tistics measure volume Volume Expire Current value of input bytes that the statistics configuration is measuring Input Bytes Current value of output bytes that the statistics configuration is measurin...

Page 771: ...utput Fields Field Description Field Name Number of active subscriber sessions on the router Total Subscriber Sessions Number of active service sessions on the router Total Service Sessions Related To...

Page 772: ...732 Monitoring the Number of Active Subscriber and Service Sessions with Service Manager JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 773: ...Part 7 Index Index on page 735 Index 733...

Page 774: ...734 Index JUNOSe 11 1 x Broadband Access Configuration Guide...

Page 775: ...aaa ipv6 nd ra prefix framed ipv6 prefix 90 aaa local database 41 aaa local select database 41 aaa local username 41 aaa new model 317 325 aaa parse direction 12 aaa parse order 12 aaa profile 63 68...

Page 776: ...k Count RADIUS attribute 51 207 Acct Multi Session Id RADIUS attribute 50 207 Acct Off messages 181 Acct On messages 181 Acct Output Gigapackets RADIUS attribute 26 36 224 Acct Session Id RADIUS attri...

Page 777: ...to domain 57 mapping backup address pool to domain 58 mapping IPv6 local address pool to domain 60 mapping user domain names to a virtual router 8 mapping user requests without a valid domain name 8 w...

Page 778: ...a dual stack activating 671 backward compatibility 671 deactivating 671 example 702 performance impact 671 rate limiting and example 702 service interim accounting 676 statistics collection and extern...

Page 779: ...0 local pool selection 470 overview 470 SRC Session and Resource Control software 461 local address pool group 486 557 local pool selection equal access 470 using domain name 471 using framed IP addre...

Page 780: ...address pools DHCPv6 local server IPv6 489 DHCPv6 Prefix Delegation and IPv6 Neighbor Discovery without configuring Delegated IPv6 Prefix 90 assigned prefix length of 128 in local address pools 105 e...

Page 781: ...AAA access and accounting messages 188 DSLAMs digital subscriber line access multiplexers 4 DSLs digital subscriber lines 4 dual stack combined IPv4 and IPv6 services example of 702 IPv4 and IPv6 serv...

Page 782: ...ion from Access Accept messages 90 Framed Ipv6 Route RADIUS attribute 99 217 Framed MTU RADIUS attribute 12 21 G giaddr 471 495 GRE Generic Routing Encapsulation tunnels dynamic subscriber interfaces...

Page 783: ...s ip dhcp server 464 ip http commands ip http 696 ip http access class 696 ip http max connection time 696 ip http port 696 ip http redirecturl 696 ip http same host limit 696 ip http server 696 IP in...

Page 784: ...DIUS attribute 26 46 226 Ipv6 NdRa Prefix RADIUS attribute 26 46 231 IPv6 NdRa Prefix attribute used for IPv6 Neighbor Discovery from Access Accept messages 90 IPv6 Primary DNS RADIUS attribute 26 47...

Page 785: ...31 434 show l2tp destination profile command 437 l2tp rx connect speed when equal command 366 L2TP transmit connect speed and Transmit TX Speed AVP 24 400 calculation methods how to configure 400 moni...

Page 786: ...ing IP spoofing 613 macros service definitions 642 Service Manager statistics 686 manuals comments on xxxix max sessions command 31 MBS RADIUS attribute 26 17 223 media access control addresses See MA...

Page 787: ...lifetime for delegated prefixes configuring 108 default 108 setting without expiration 108 Prefix Delegation See DHCPv6 Prefix Delegation prefixes allocated to clients from interface configuration 10...

Page 788: ...radius include access loop parameters 209 radius include acct authentic 204 radius include acct delay time 204 radius include acct link count 204 radius include acct multi session id 204 radius inclu...

Page 789: ...rt format stacked 260 See also show radius commands RADIUS dynamic request server change of authorization messages 245 disconnect messages 243 how it works 243 message exchange 243 245 monitoring 250...

Page 790: ...r values 664 preprovisioning services 677 680 QoS considerations 658 modifying configurations of 653 referencing configurations of 651 removing references of 653 RADIUS dynamic request server 694 RADI...

Page 791: ...s global 127 show aaa service accounting interval 711 show aaa statistics 129 show aaa subscriber per port limit 131 show aaa subscriber per vr limit 131 show aaa timeout 131 show aaa tunnel group 428...

Page 792: ...t statistics 311 show radius ethernet port type 307 show radius icr partition accounting 316 show radius nas identifier 305 show radius nas port format 304 show radius override 303 show radius pppoe n...

Page 793: ...pport system log messages 33 T TACACS AAA services 317 accounting 317 authentication login process 317 authorization 317 configuring 322 daemon 317 318 host 318 NAS network access server 317 318 privi...

Page 794: ...ser Name RADIUS attribute 1 10 user name command 594 user prefix command 594 usernames and passwords from a domain configuring 16 using shared tunnel server ports 376 V valid lifetime for delegated pr...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands