Juniper JUNOSE 11.0.X MULTICAST ROUTING Скачать руководство пользователя страница 279 | Manualshive

Страница: 279 / 788

background image

Security/Authentication

The RADIUS server (the disconnect client) must calculate the authenticator as specified
for an Accounting-Request message in RFC 2866. The router’s RADIUS
dynamic-request server verifies the request using authenticator calculation as specified
for an Accounting-Request message in RFC 2866. A key (secret), as specified in RFC
2865, must be configured and used in the calculation of the authenticator. The
response authenticator is calculated as specified for an Accounting-Response message
in RFC 2866.

Configuring RADIUS-Initiated Disconnect

To configure RADIUS-initiated disconnect feature, perform the following steps to set
up the RADIUS dynamic-request server that will perform the disconnect operation:

1.

Configure the RADIUS dynamic-request server, and enter RADIUS Configuration
mode.

host1(config)#

radius dynamic-request server 10.10.5.10

host1(config-radius)#

2.

Enable the RADIUS-initiated disconnect capability on the RADIUS dynamic-request
server.

host1(config-radius)#

subscriber disconnect

3.

Define the secret used in the RADIUS Authenticator field during exchanges
between the RADIUS dynamic-request server and the RADIUS server.

host1(config-radius)#

key Secret3Clientkey

4.

(Optional) Specify the UDP port on which the RADIUS dynamic-request server
listens for messages from the RADIUS server. The default is 1700.

host1(config-radius)#

udp-port 1770

RADIUS-Initiated Change of Authorization

This section describes the RADIUS dynamic-request server’s support for CoA
messages. CoA messages are used by the E Series router’s RADIUS-initiated packet
mirroring feature, which is described in the

Configuring RADIUS-Based Mirroring

chapter in

JUNOSe Policy Management Configuration Guide

, and by Service Manager,

which is described in “Configuring Service Manager” on page 635 of this guide.

Change-of-Authorization Messages

The RADIUS dynamic-request server receives and processes the unsolicited CoA
messages from RADIUS servers. The RADIUS-initiated CoA feature uses the following
codes in its RADIUS request and response messages:

■

CoA-Request (43)

Configuring RADIUS-Initiated Disconnect

■

239

Chapter 4: Configuring RADIUS Dynamic-Request Server

«
...
277
278
279
280
281
...
»

Содержание JUNOSE 11.0.X MULTICAST ROUTING

Страница 1: ...r E Series Broadband Services Routers Broadband Access Configuration Guide Release 11 0 x Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale California 94089 USA 408 745 2000 www juniper net Pu...

Страница 2: ...051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 578 186 and 6 590 785 JUNOSe Software for E Series Broadband Services Routers Broadband Access...

Страница 3: ...alms devices links ports or transactions or require the purchase of separate licenses to use particular features functionalities services applications operations or capabilities or provide throughput...

Страница 4: ...n connection with such withholding taxes by promptly providing Juniper with valid tax receipts and other required documentation showing Customer s payment of any withholding taxes completing appropria...

Страница 5: ...nted to in writing by the party to be charged If any portion of this Agreement is held invalid the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement T...

Страница 6: ...vi...

Страница 7: ...itoring RADIUS 297 Chapter 9 Configuring TACACS 311 Chapter 10 Monitoring TACACS 323 Part 3 Managing L2TP Chapter 11 L2TP Overview 329 Chapter 12 Configuring an L2TP LAC 337 Chapter 13 Configuring an...

Страница 8: ...criber Management 593 Chapter 25 Configuring Subscriber Interfaces 597 Chapter 26 Monitoring Subscriber Interfaces 629 Part 6 Managing Subscriber Services Chapter 27 Configuring Service Manager 635 Ch...

Страница 9: ...ons 5 B RAS Protocol Support 5 Remote Access References 6 Before You Configure B RAS 6 Remote Access Configuration Tasks 6 Configuring a B RAS License 7 Mapping a User Domain Name to a Virtual Router...

Страница 10: ...nd 41 Using the aaa local username Command 41 Assigning a Local User Database to a Virtual Router 42 Enabling Local Authentication on the Virtual Router 42 Configuration Commands 43 Local Authenticati...

Страница 11: ...nfiguring the SRC Client 94 DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview 101 DHCPv6 Prefix Delegation Example 103 Order of Preference in Determining the Local Address Pool for A...

Страница 12: ...134 Monitoring Local Address Pool Aliases 136 Monitoring Local Address Pools 136 Monitoring Local Address Pool Statistics 138 Monitoring Shared Local Address Pools 138 Monitoring the Routing Table 139...

Страница 13: ...ETF Attributes 185 4 NAS IP Address 185 5 NAS Port 186 8 Framed IP Address 189 9 Framed Ip Netmask 189 13 Framed Compression 190 25 Class 190 30 Called Station Id 191 31 Calling Station Id 191 32 NAS...

Страница 14: ...26 56 DHCP MAC Address 222 26 57 DHCP GI Address 222 26 62 MLPPP Bundle Name 223 26 63 Interface Desc 223 26 81 L2C Information 224 26 92 L2C Up Stream Data 224 26 93 L2C Down Stream Data 225 26 129...

Страница 15: ...er 245 RADIUS Relay Server Overview 245 RADIUS Relay Server Platform Considerations 246 RADIUS Relay Server References 246 How RADIUS Relay Server Works 246 Authentication and Addressing 247 Accountin...

Страница 16: ...RADIUS Dynamic Request Server Statistics 305 Monitoring the Configuration of the RADIUS Dynamic Request Server 306 Setting a Baseline for RADIUS Relay Statistics 307 Monitoring RADIUS Relay Server Sta...

Страница 17: ...the Router 340 Preventing Creation of New Tunnels and Sessions at a Destination 341 Preventing Creation of New Sessions for a Tunnel 341 Specifying a Drain Timeout for a Disconnected Tunnel 341 Shutti...

Страница 18: ...ing 376 Selecting Tunnel Service Modules for LNS Sessions Using MLPPP 376 Assigning Bundled Group Identifiers 377 Overriding All Endpoint Discriminators 378 Enabling Tunnel Switching 378 Creating Pers...

Страница 19: ...r Dynamic Speed Timeout 398 Advisory Speed Precedence for VLANs over Bridged Ethernet 398 Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method 398 Using AAA Tunnel Groups t...

Страница 20: ...onnection 435 Monitoring Detailed Configuration Information about Specified Sessions 436 Monitoring Configured and Operational Summary Status 437 Monitoring Configured Switch Profiles on Router 438 Mo...

Страница 21: ...ith the Same Client ID or Hardware Address 474 Logging Out DHCP Local Server Subscribers 475 Clearing an IP DHCP Local Server Binding 476 Using SNMP Traps to Monitor DHCP Local Server Events 476 Using...

Страница 22: ...dhcp relay agent sub option Command to Enable Option 82 Suboption Support 505 Configuration Example Using DHCP Relay Option 82 to Pass IEEE 802 1p Values to DHCP Servers 507 Using the set dhcp relay...

Страница 23: ...n 540 Monitoring DHCP Binding Host Information 542 Monitoring DHCP Bindings Displaying IP Address to MAC Address Bindings 544 Monitoring DHCP Bindings Displaying DHCP Bindings Based on Binding ID 545...

Страница 24: ...Identifier and No Circuit Type 589 Username with VLAN Circuit Identifier and Circuit Type 590 Username with MAC Address 590 Chapter 24 Monitoring Subscriber Management 593 Monitoring IP Service Profil...

Страница 25: ...faces 616 Configuring Dynamic Subscriber Interfaces over Ethernet 616 Configuring Dynamic Subscriber Interfaces over VLANs 617 Configuring Dynamic Subscriber Interfaces over Bridged Ethernet 618 Confi...

Страница 26: ...to Deactivate Service Sessions 659 Setting Thresholds 659 Using the Deactivate Service Attribute 660 Using Mutex Groups to Activate and Deactivate Subscriber Services 661 Activating and Deactivating M...

Страница 27: ...696 Chapter 28 Monitoring Service Manager 701 Setting a Baseline for HTTP Local Server Statistics 701 Monitoring the Connections to the HTTP Local Server 702 Monitoring the Configuration of the HTTP L...

Страница 28: ...xxviii Table of Contents JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 29: ...ing the E Series Router as an LAC 330 Figure 8 Using the E Series Router as an LNS 330 Chapter 12 Configuring an L2TP LAC 337 Figure 9 Lockout States 361 Chapter 14 Configuring L2TP Dial Out 405 Figur...

Страница 30: ...tion 617 Figure 25 IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration 618 Figure 26 IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration 619 Figure 27 GRE Tu...

Страница 31: ...Fields 119 Table 15 show aaa route download Output Fields 120 Table 16 show aaa route download routes Output Fields 122 Table 17 show aaa route download routes global Output Fields 124 Table 18 show...

Страница 32: ...ss Request Attributes 247 Table 48 Required RADIUS Accounting Attributes 248 Chapter 6 RADIUS Attribute Descriptions 253 Table 49 RADIUS IETF Attributes Supported by JUNOSe Software 253 Table 50 Junip...

Страница 33: ...ers Output Fields 426 Table 83 show l2tp Output Fields 428 Table 84 show l2tp destination Output Fields 430 Table 85 show l2tp destination lockout Output Fields 431 Table 86 show l2tp destination prof...

Страница 34: ...p relay proxy statistics Output Fields 562 Table 122 show dhcp relay statistics Output Fields 564 Table 123 show dhcp server statistics Output Fields 566 Table 124 show dhcp server Output Fields 567 T...

Страница 35: ...hapter 28 Monitoring Service Manager 701 Table 152 show ip http scalar Output Fields 702 Table 153 show ip http server Output Fields 703 Table 154 show ip http statistics Output Fields 704 Table 155 s...

Страница 36: ...xxxvi List of Tables JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 37: ...mation in the latest release notes differs from the information in the documentation follow the JUNOSe Release Notes To obtain the most current version of all Juniper Networks technical documentation...

Страница 38: ...2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents information as displayed on your terminal s screen Fixed width text like this There are two levels of a...

Страница 39: ...are CDs and at http www juniper net Documentation Feedback We encourage you to provide feedback comments and suggestions so that we can improve the documentation to better meet your needs Send your co...

Страница 40: ...e notes http www juniper net customers csc software Search technical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Network...

Страница 41: ...Part 1 Managing Remote Access Configuring Remote Access on page 3 Monitoring and Troubleshooting Remote Access on page 109 Managing Remote Access 1...

Страница 42: ...2 Managing Remote Access JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 43: ...g Local Authentication Servers on page 40 Configuring Tunnel Subscriber Authentication on page 50 Configuring Name Server Addresses on page 51 Configuring Local Address Servers on page 54 Configuring...

Страница 44: ...aded to the router over an ATM connection via a DS3 OC3 E3 or OC12 link The router provides the logical termination for PPP sessions as well as the interface to authentication and accounting systems B...

Страница 45: ...k services to different users Accounting Tracks what the user did and when they did it You can use accounting for an audit trail or for billing for connection time or resources used Central management...

Страница 46: ...Refer to the Release Notes corresponding to your software release for information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers Bef...

Страница 47: ...or port 16 Optional Set up the router to notify RADIUS when a user fails AAA 17 Optional Configure a RADIUS download server on the router 18 Optional Configure the Session and Resource Control SRC cl...

Страница 48: ...dialog box When the router is configured to require authentication of a PPP user the router checks for the appropriate user domain name to virtual router mapping If it finds a match the router sends...

Страница 49: ...the LNS Also the phone number configured in the aaa domain map command must be an exact match to the value passed by L2TP in the called number AVP AVP 21 For example as specified in the following seq...

Страница 50: ...ntication of PPP sessions This address is included in the Access Request sent to the authentication server as an IP address hint aaa domain map Use to map a user domain name to a virtual router or a l...

Страница 51: ...main map ipv6 router name vroutv6 Use the no version to delete the entry See ipv6 router name local interface Use to map a user domain name to a loopback interface The local interface identifies the i...

Страница 52: ...e router searches for the domain name or the realm name To provide these features the router allows you to specify delimiters for the domain name and realm name You can use up to eight one character d...

Страница 53: ...cifying the Domain Name or Realm Name Parse Direction You can specify the direction either left to right or right to left in which the router performs the parsing operation when identifying the realm...

Страница 54: ...Example host1 config aaa delimiter domainName Use the no version to return to the default See aaa delimiter aaa parse direction Use to specify the direction the router uses to parse the username for...

Страница 55: ...bc com the domain name is usEast If no realm name is found the router searches for a domain name Example host1 config aaa parse order domain first Use the no version to return to the default realm fir...

Страница 56: ...e Name for Users from a Domain Assigning a single username and a single password for all users associated with a domain provides better compatibility with some RADIUS servers You can use this feature...

Страница 57: ...host1 config aaa domain map xyz com host1 config domain map Use the no version to delete the map entry See aaa domain map override user Use to specify a single username and single password for all use...

Страница 58: ...ed For example suppose that you have configured the following authentication servers Auth1 Auth2 Auth3 Auth4 and Auth5 Your router attempts to send an authentication request to Auth1 If Auth1 is unava...

Страница 59: ...Routers ERX310 ERX710 ERX1410 and E120 Broadband Services Routers RADIUS Request Type 50000 50124 50000 50124 RADIUS authentication 50125 50499 50125 50249 RADIUS accounting 50500 50624 50250 50374 R...

Страница 60: ...PPP and an external RADIUS authentication server The JUNOSe software s AAA service accepts and passes EAP messages between the JUNOSe application and the router s internal RADIUS authentication serve...

Страница 61: ...If you have enabled duplicate or broadcast accounting the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context Duplicate and Broadca...

Страница 62: ...ters in the group host1 vr group config aaa virtual router 1 vrXyz1 host1 vr group config aaa virtual router 2 vrXyz2 host1 vr group config aaa virtual router 3 vrXyz3 host1 vr group config exit host1...

Страница 63: ...ers you cansure configure depends on available memory The router has an embedded RADIUS client for authentication and accounting NOTE You can configure B RAS with RADIUS accounting but without RADIUS...

Страница 64: ...al Enable duplicate address checking host1 config aaa duplicate address check enable 10 Optional Specify that duplicate accounting records be sent to the accounting server for a virtual router host1 c...

Страница 65: ...aa accounting broadcast westVrGroup38 host1 vrSouth25 config exit Use the no version to disable the AAA broadcast accounting See aaa accounting broadcast aaa accounting default Use to specify the acco...

Страница 66: ...s be sent to the accounting server on another virtual router Example host1 config aaa accounting duplication routerBoston Use the no version to disable the feature See aaa accounting duplication aaa a...

Страница 67: ...to collect only the uptime status of the sessions Collecting only uptime information is more efficient because less data is sent to AAA Example host1 config aaa accounting statistics time Use the no v...

Страница 68: ...s of authentication used in the order specified For example radius none specifies that RADIUS authentication is initially used however if RADIUS servers are not available users are granted access with...

Страница 69: ...which turns off interim user accounting when no value is specified in the RADIUS Acct Interim Interval attribute See aaa user accounting interval aaa virtual router Use to add virtual routers to a vir...

Страница 70: ...available To turn off the deadtime mechanism specify a value of 0 Example host1 config radius authentication server 10 10 0 1 host1 config radius deadtime 10 Use the no version to set the time to the...

Страница 71: ...ystem Maximums The same IP address can be used for both an authentication and accounting server but not for multiple servers of the same type The router uses different UDP ports for authentication ser...

Страница 72: ...of the show radius servers command see Monitoring RADIUS Server Information on page 141 Example host1 config radius algorithm round robin Use the no version to set the algorithm to the default direct...

Страница 73: ...ect Tunnel Link Start Tunnel Link Stop and Tunnel Link Reject as described in RFC 2867 Your router supports tunnel accounting for the L2TP LAC and LNS Example host1 config radius tunnel accounting ena...

Страница 74: ...verify RADIUS authentication and accounting and IP address assignment setup You must specify either a PPP or Multilink PPP MLPPP user PPP indicates a regular PPP user MLPPP simulates Multilink PPP so...

Страница 75: ...NOTE When a RADIUS server times out or when it has no available RADIUS identifier values the router removes the RADIUS server from the list of available servers for a period of time The router restore...

Страница 76: ...US client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires if configured or for 3 minutes if deadtime is not configured The E Series RADIU...

Страница 77: ...ess Request messages host1 config radius trap auth server not responding enable 2 Optional Enable SNMP traps when all of the configured RADIUS authentication servers on a VR fail to respond to Access...

Страница 78: ...Use to enable or disable SNMP traps when a particular RADIUS accounting server fails to respond to a RADIUS accounting request The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable E...

Страница 79: ...ius trap auth server responding radius trap no acct server responding Use to enable or disable SNMP traps when all of the configured RADIUS accounting servers per VR fail to respond to a RADIUS accoun...

Страница 80: ...d by the virtual router Creating Local User Databases When a subscriber connects to an E Series router that is using local authentication the local authentication server uses the entries in the local...

Страница 81: ...ers are not supported in the username command However after the user is added to the default local user database you can use the aaa local username command with a database name default to enter Local...

Страница 82: ...hentication when the subscriber connects to the E Series router Use the following commands in Global Configuration mode NOTE If you do not specify a local user database the virtual router selects the...

Страница 83: ...aaa authentication ppp default local radius Use the no version to restore the default authentication method of radius See aaa authentication default aaa local database Use to create a local user datab...

Страница 84: ...username ip address Use to specify the IP address parameter for a user entry in the local user database The address is negotiated with the subscriber after the subscriber is authenticated Example hos...

Страница 85: ...al user database The password is used to authenticate a subscriber and is encrypted by means of a two way encryption algorithm NOTE CHAP authentication requires that passwords and secrets be stored in...

Страница 86: ...gure a user entry and optional password or secret in the default local user database This command creates the database if it does not already exist Optionally specify a password or secret that is assi...

Страница 87: ...create the AAA local authentication environment host1 config aaa local database westfordLocal40 host1 config aaa local username btjones database westfordLocal40 host1 config local user secret 38schil...

Страница 88: ...rds to show the configured users and their parameters The password for username cksmith is displayed unencrypted because the default setting of disabled or no for the service password encryption comma...

Страница 89: ...aaa local username btjones database westfordLocal40 secret 5 9s7 4N WK2 2 6 operational virtual router boston2 no ip address ip address pool addressPoolA aaa local username maryrdavis database westfo...

Страница 90: ...out sending access requests to the configured RADIUS server Because of this behavior these subscribers cannot get any additional control attributes from the authentication server This reduces your abi...

Страница 91: ...PPP Internet Protocol Control Protocol IPCP specifically the remote client may request the DNS and WINS server IP addresses If the IP addresses passed to the router by the remote PC client are differe...

Страница 92: ...PP clients and not for domain name server resolution aaa dns primary Use to specify the IP address of the DNS primary name server Example host1 config aaa dns primary 10 10 10 5 Use the no version to...

Страница 93: ...2 Specify the IP address of the WINS secondary name server host1 config aaa wins secondary 192 168 10 40 NOTE The router uses name server addresses exclusively for PPP clients and not for domain name...

Страница 94: ...f IP addresses that are available for allocation and used by clients such as PPP sessions Figure 1 Local Address Pool Hierarchy Local Address Pool Ranges As shown in Figure 1 on page 54 each local add...

Страница 95: ...ols within the same virtual router The addresses are configured and managed within DHCP Therefore thresholds are not configured on the shared pool but are instead managed by the referenced DHCP local...

Страница 96: ...the local address server to signal SNMP traps when certain conditions exist These thresholds include high utilization threshold and abated utilization threshold If a pool s outstanding addresses exce...

Страница 97: ..._LAS_Pool_A DHCP_Pool_1 Delete a shared local address pool host1 config no ip local shared pool Shared_LAS_Pool_C Set SNMP variables by specifying an existing pool name and values host1 config ip loca...

Страница 98: ...ls The backup pool name is a character string up to 16 characters long Example host1 config aaa domain map westford com host1 config domain map backup address pool name backup_poolB Use the no version...

Страница 99: ...all ranges or the specified range See ip local pool ip local pool snmpTrap Use to enable SNMP pool utilization traps Example host 1 config ip local pool addr_test snmpTrap Use the no version to disabl...

Страница 100: ...ss Accept message takes priority over the local prefix pool name configured for the domain map If the pool name or prefix is not present in the RADIUS Access Accept message the IPv6 local address pool...

Страница 101: ...s per ATM Subinterface Configure an ATM interface by entering Configuration mode and performing the following tasks For more information about configuring ATM interfaces see JUNOSe Link Layer Configur...

Страница 102: ...nfiguring ATM interfaces see JUNOSe Link Layer Configuration Guide 1 Configure a physical interface host1 config interface atm 0 1 2 Configure the subinterface host1 config if interface atm 0 1 20 3 C...

Страница 103: ...Once you create an AAA profile you can map it between a PPP client s domain name and certain AAA services on given interfaces Using AAA profiles you can Allow or deny a domain name access to AAA authe...

Страница 104: ...e administrator wants to restrict access of a PPP interface to the specific domain abc com 1 Create an AAA profile host1 config aaa profile restrictToABC 2 Specify the domain name you want to allow ho...

Страница 105: ...is example an administrator wants to associate all subscribers of a PPP interface with a specific domain name 1 Create an AAA profile host1 config aaa profile forwardToXyz 2 Map the original domain na...

Страница 106: ...specific domain name and not allow other domain names 1 Create an AAA profile host1 config aaa profile toAbc 2 Map the original domain name to the mapped domain name for domain map lookup host1 confi...

Страница 107: ...ontinues processing as if there were no AAA profile aaa profile Use to configure a new AAA profile Example host1 config aaa profile boston123 Use the no version to delete the AAA profile See aaa profi...

Страница 108: ...gned NOTE Although an AAA profile and an interface profile have similar functionality they are not related and should be treated differently Example host1 config if ppp aaa profile westford24 Use the...

Страница 109: ...faces host1 config aaa profile nas port type ethernet wireless cable aaa profile Use to create and configure a AAA profile Example host1 config aaa profile nasPortType Use the no version to delete the...

Страница 110: ...1 wireless cdma Wireless CDMA wireless other wireless umts Wireless UMTS Example host1 config aaa profile nas port type ethernet wireless 80211 Use the no version to remove the NAS Port Type setting f...

Страница 111: ...access routes before they are assigned to clients Using the route download server helps eliminate routing protocol storms and other delays in client service activation that can be caused by protocol c...

Страница 112: ...route download server is enabled as soon as IP is established in the virtual router in which the download is performed After the initial route download process is established the router repeats the ro...

Страница 113: ...ry interval 25 password dl1456atl synchronization 03 45 00 4 Optional Verify your route download configuration host1 config exit host1 show aaa route download AAA Route Downloader configured in virtua...

Страница 114: ...sed in RADIUS Access Request messages for route download requests You can specify from 1 through 32 alphanumeric characters The default password is juniper synchronization The time that the server sta...

Страница 115: ...outes that you want cleared in the routing table of the current virtual router or in the specified VRF Use the wildcard character to clear all downloaded routes in the routing table of the current vir...

Страница 116: ...eature enables service providers to track subscribers on the basis of a virtual port known as the logical line ID LLID The LLID is an alphanumeric string that logically identifies a subscriber line Th...

Страница 117: ...he LLID to the router in the Calling Station Id RADIUS attribute 31 of an Access Accept message The router ignores any RADIUS attributes other than the Calling Station Id that are returned in the prea...

Страница 118: ...r for example atm 4 1 104 2 104 NAS Port Id 87 The use of radius commands such as radius calling station format or radius override calling station id to control or change the inclusion of these attrib...

Страница 119: ...the Router to Obtain the LLID for a Subscriber To configure the router to obtain the LLID for a subscriber 1 Create an AAA profile that supports subscriber preauthentication host1 config aaa profile p...

Страница 120: ...istics command For information see Setting Baselines for Remote Access on page 110 aaa profile Use to configure a new AAA profile Example host1 config aaa profile boston123 Use the no version to delet...

Страница 121: ...authenticate radius pre authentication server Use to specify the IP address of a RADIUS preauthentication server This command accesses RADIUS Configuration mode from which you can configure additiona...

Страница 122: ...collected on input Ingress Statistics integer 0 disable 1 enable 6 13 12 26 Indicates whether statistics are collected on output Egress Statistics string qos profile name sublen 26 len 26 Specifies t...

Страница 123: ...RADIUS appear in RADIUS Acct Start messages RADIUS attributes specified by a profile for dynamic interfaces do not appear in RADIUS Acct Start messages because the profile is not active when the Acct...

Страница 124: ...e Cause attribute these mappings enable you to provide different information about the cause of a termination When a subscriber s L2TP or PPP session is terminated the router logs a message for the in...

Страница 125: ...low threshold for example the bandwidth on demand algorithm determined that the port was no longer needed Port Unneeded 12 NAS ended the session to allocate the port to a higher priority use Port Pree...

Страница 126: ...eer 17 ppp authenticate inactivity ti authenticate inactivity ti 4 meout meout More 3 Optional Display all PPP terminate reasons host1 config terminate code ppp authenticate authenticator timeout Conf...

Страница 127: ...ude acct terminate cause acct off disable Use the no version to restore the default enable See radius include terminate code Use to configure a customized mapping relationship between an application s...

Страница 128: ...timeout is useful for networks in which the PPP keepalive timer is disabled for wireless subscribers Without the keepalive timer the router cannot detect whether a wireless subscriber has been discon...

Страница 129: ...timeout is reached the router terminates the user session Example 1 Sets the idle timeout to 1200 seconds and enables the router to monitor only ingress traffic for this idle timeout period to determi...

Страница 130: ...ls AAA aaa accounting acct stop on aaa failure Use to cause the router to send an Acct Stop message if a user fails AAA but RADIUS grants access Example host1 vr17 config aaa accounting acct stop on a...

Страница 131: ...Access Accept message was used for DHCPv6 Prefix Delegation In this release you can control the RADIUS IETF attribute or VSA to be used for IPv6 Neighbor Discovery router advertisements and DHCPv6 Pre...

Страница 132: ...ix Propagation of LAG Subscriber Information to AAA and RADIUS The RADIUS application sends the link aggregation group LAG interface ID to the RADIUS server when the subscriber is connected over LAG i...

Страница 133: ...ribute The radius nas port format radius vlan nas port format stacked and radius pppoe nas port format commands do not affect the value of the Nas Port attribute 87 Nas Port Id The radius override nas...

Страница 134: ...are functions as the COPS server or policy decision point PDP Table 10 on page 94 provides common terms used in the COPS environment Table 10 SRC Client and COPS Terminology Description Term Common Op...

Страница 135: ...ed in bulk for example an entire QoS configuration or in smaller segments for example updating a marking filter The following list shows the interaction between the PEP and the PDP during the COPS PR...

Страница 136: ...ware and the SRC client use Previously you disabled the SRC client and reenabled it to start synchronization The disabling of the SRC client s COPS support was undesirable for the applications that re...

Страница 137: ...and QoS configuration support for L2TP interfaces on an L2TP access concentrator LAC host1 config sscc protocol lac 5 Optional Specify on which router the TCP COPS connection is to be established host...

Страница 138: ...QoS configuration on IPv6 interfaces The IPv6 support is in addition to the default IPv4 support Example host1 config sscc protocol ipv6 Use the no version to disable IPv6 support on the SRC client S...

Страница 139: ...he SRC client See sscc protocol lac sscc restart Use to force the router to restart a COPS connection to and resynchronize with the SRC software without removing the SRC client The no sscc enable cops...

Страница 140: ...ddress If you do not specify a source address the TCP COPS connection is not bound to a specific source that is local address Example host1 config sscc sourceAddress 10 9 123 8 Use the no version to r...

Страница 141: ...s in networks that use DHCPv6 These pools can be used to assign prefixes from a delegating router which is an E Series router configured as a DHCPv6 local server to the requesting router which is the...

Страница 142: ...local pool The DNS server addresses are returned to the client in DHCPv6 responses as part of the DNS Recursive Name Server option You can configure a list of up to four domain names in an IPv6 local...

Страница 143: ...er After the IPv6 link is formed between CPE1 and PE1 and the IPv6 link local address is created CPE1 requests and obtains prefixes that are shorter than 64 usually of length 48 from PE1 CPE1 is conne...

Страница 144: ...IETF attribute 97 Delegated IPv6 Prefix RADIUS IETF attribute 123 Framed IPv6 Pool RADIUS IETF attribute 100 If any of the first three attributes are returned then the prefix contained in those attrib...

Страница 145: ...2 32 48 In this case the starting and ending prefixes of the range are implicitly specified In this example the start of the range is 2002 2002 48 and the end of the range is 2002 2002 ffff 48 All pre...

Страница 146: ...pool and on the DHCPv6 local server the values configured in the IPv6 local pool take precedence 6 Specify the name of a DNS domain in the IPv6 local pool to be returned to clients in the DHCPv6 respo...

Страница 147: ...ld of the output of the following show ipv6 local pool largePrefixRange and show ipv6 local pool commands indicates the number of prefixes that can be allocated to DHCPv6 clients 1048756 host1 show ip...

Страница 148: ...e IPv6 Local Pool Configuration mode host1 config ipv6 local pool example host1 config v6 local prefix 4004 4004 32 48 host1 config v6 local exclude prefix 4004 4004 48 host1 config v6 local exit Crea...

Страница 149: ...g Routing Table Address Lookup on page 118 Monitoring the AAA Model on page 118 Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers on page 118 Monitoring AAA Profile Configurat...

Страница 150: ...nitoring RADIUS Server IP Addresses on page 147 Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements on page 148 Monitoring the RADIUS Attribute Used for DHCPv6 Prefi...

Страница 151: ...baseline aaa command host1 baseline aaa There is no no version Setting a Baseline for AAA Route Downloads Purpose Set a baseline for route downloads Action Issue the baseline aaa route download comman...

Страница 152: ...se the following commands show ppp interface summary show ppp interface selective control For details on the show ppp commands see JUNOSe Link Layer Configuration Guide You can use the output filterin...

Страница 153: ...ounting records are sent to the accounting server Broadcast accounting Enabled disabled send acct stop on AAA access deny Enabled disabled send acct stop on authentication server access deny Number of...

Страница 154: ...splay the names of a specific virtual router group or of all virtual router groups configured on the router Display the virtual routers making up the groups host1 show aaa accounting vr group vr group...

Страница 155: ...se direction configured on the router Action To display the domain and realm name delimiters parse order and parse direction configured on the router host1 show aaa delimiters domain delimiters realm...

Страница 156: ...mapped router name Name of the tunnel group assigned to the domain map tunnel group IPv6 virtual router to which user domain name is mapped ipv6 router name Interface information to use on the local E...

Страница 157: ...r which is indicated by system chooses Tunnel RWS Name of the virtual router to map to the user domain name Tunnel Virtual Router L2TP peer resynchronization method Tunnel Failover Resync Name of the...

Страница 158: ...a duplicate address check Monitoring the AAA Model Purpose Display the AAA model Action To display the AAA model host1 show aaa model aaa model old model Related Topics show aaa model Monitoring IP Ad...

Страница 159: ...command output fields Table 14 show aaa profile Output Fields Field Description Field Name Configuration of NAS Port Type attribute for ATM interfaces atm nas port type Configuration of NAS Port Type...

Страница 160: ...d Success TUE DEC 19 22 46 47 2006 Last Regular Download complete Next Download Scheduled WED DEC 20 10 46 47 2006 Next Regular Download WED DEC 20 10 46 47 2006 To display information about the RADIU...

Страница 161: ...ER or the day date and time of attempt Last Download Attempt Either NEVER or the day date and time of success Last Download Success Status of last regular download either complete or not complete Last...

Страница 162: ...255 255 254 2 null0 0 192 168 1 9 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 13 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 17 32 Access P 255 255 255 255 254 2 null0 0 192 168 1 21...

Страница 163: ...fy the first router context that you want to display in the output For example aaa a2 specifies that the display shows a list of router contexts starting with VRF a2 in virtual router aaa Action To di...

Страница 164: ...192 168 40 7 32 Access P 255 255 255 255 0 2 null0 0 default d1 n 192 168 40 8 32 Access P 255 255 255 255 0 2 null0 0 default d1 n 192 168 40 9 32 Access P 255 255 255 255 0 2 null0 0 To specify the...

Страница 165: ...equests 109 incoming disconnect requests 7 outgoing grant tunnel responses 3 outgoing grant responses 6 outgoing deny responses 0 outgoing error responses 0 outgoing Authentication requests 9 incoming...

Страница 166: ...ing Re Authentication responses Number of preauthentication requests from AAA to the preauthentication task outgoing Pre Authentication requests Number of preauthentication responses from the preauthe...

Страница 167: ...ubscriber Port Limits Port Limit 0 2 5 0 3 2 3 2 2 Related Topics show aaa subscriber per port limit Monitoring the Maximum Number of Active Subscribers Per Virtual Router Purpose Display the maximum...

Страница 168: ...guration Guide Action To display the virtual router groups that are configured for AAA broadcast accounting host1 show configuration category aaa global attributes Configuration script being generated...

Страница 169: ...for local authentication For additional information about the show configuration command see JUNOSe System Basics Configuration Guide Action To display the configuration information for AAA local aut...

Страница 170: ...router virtual router Related Topics show configuration category aaa local authentication Monitoring AAA Server Attributes Purpose Display status of the attributes on the AAA server including AAA acc...

Страница 171: ...tual router isp no aaa accounting duplication no aaa accounting broadcast aaa duplicate address check enable aaa accounting acct stop on aaa failure enable aaa accounting acct stop on access deny disa...

Страница 172: ...n Purpose Display information about the COPS layer over which the SRC connection is made Action To display information about the COPS layer over which the SRC connection is made host1 show cops info G...

Страница 173: ...ess of the remote pee Remote IP Address TCP port number of the remote peer Remote TCP Port Type of client for the session For this release the client type must be 16640 SRC client Client Type Number o...

Страница 174: ...COPS layer over which the SRC connection is made Action To display statistics about the COPS layer host1 show cops statistics General Cops Information Sessions Created 0 Sessions Deleted 0 Current Se...

Страница 175: ...umber of bytes received for this COPS session Bytes Received Number of packets received for this COPS session Packets Received Number of bytes sent on this COPS session Bytes Sent Number of packets se...

Страница 176: ...al alias Alias Pool alias1 poolA alias2 poolB alias3 poolC poolA poolD poolB poolD poolC poolD Meaning Table 24 on page 136 lists the show ip local alias command output fields Table 24 show ip local a...

Страница 177: ...0 10 2 2 1 10 2 2 10 10 0 High Abated Pool Thresh Thresh Trap Group poolC 85 75 N Aliases alias3 In Begin End Free Use 10 3 1 1 10 3 1 10 10 0 High Abated Pool Thresh Thresh Trap Group poolD 85 75 N...

Страница 178: ...tistics Purpose Display local address pool statistics Use the optional delta keyword to specify that baselined statistics are to be shown Action To display local address pool statistics host1 show ip...

Страница 179: ...Protocol Route type codes I1 ISIS level 1 I2 ISIS level2 I route type intra IA route type inter E route type external i metric type internal e metric type external P periodic download O OSPF E1 extern...

Страница 180: ...radius algorithm Monitoring RADIUS Override Settings Purpose Display the current RADIUS override settings Action To display the RADIUS override settings host1 vrXyz7 show radius override nas ip addr...

Страница 181: ...Related Topics show radius rollover on reject Monitoring RADIUS Server Information Purpose Display RADIUS server information Use with the optional accounting authentication dynamic request route down...

Страница 182: ...radius alive Meaning Table 28 on page 142 lists the show radius servers command output fields Table 28 show radius servers Output Fields Field Description Field Name IP address of RADIUS server IP Ad...

Страница 183: ...rver is accessed using the round robin algorithm Status Related Topics show radius servers Monitoring RADIUS Services Statistics Purpose Use to display statistics for RADIUS services Use with the opti...

Страница 184: ...show radius pre authentication statistics RADIUS Pre Authentication Statistics Statistic 172 28 30 117 UDP Port 1812 Round Trip Time 0 Access Requests 2809 Rollover Requests 0 Retransmissions 56 Acces...

Страница 185: ...mber of retransmissions Retransmissions Number of Access Accepts received from the server Access Accepts Number of Access Rejects received from the server Access Rejects Number of access challenges re...

Страница 186: ...accounting requests Interim Requests Number of accounting stop requests sent includes Acct Off Acct Stop Acct Link Stop and Acct Tunnel Stop requests Stop Requests Number of accounting reject requests...

Страница 187: ...tatus for RADIUS accounting for L2TP tunnels Action To display RADIUS accounting for L2TP tunnels host1 show radius tunnel accounting disabled Meaning RADIUS accounting is either enabled or disabled R...

Страница 188: ...used for DHCPv6 Prefix Delegation Action To display the RADIUS attribute used for DHCPv6 Prefix Delegation host1 show aaa dhcpv6 delegated prefix DHCPv6 Delegated Prefix Framed IPv6 Prefix Related To...

Страница 189: ...s 0 Create Addresses Sent 0 Delete Addresses Sent 0 Authentication Successes 0 Authentication Failures 0 Meaning Table 30 on page 149 lists the show sscc info command output fields Table 30 show sscc...

Страница 190: ...ly Number of connections that were closed by the remote SAE Create Interfaces sent Number of create interface indications sent to the SAE Delete Interfaces sent Number of delete interface indications...

Страница 191: ...ddresses 3274 Address Transitions 3280 Create Addresses Sent 3277 Delete Addresses Sent 3 Meaning Table 31 on page 151 lists the show sscc statistics command output fields Table 31 show sscc statistic...

Страница 192: ...from the SAE Synchronizes received Number of synchronization complete indications sent Synchronize Complete sent Number of internal errors Internal Errors Number of errors with lower layer communicati...

Страница 193: ...en the aaa intf desc format include sub intf enable command has been issued the subinterface is included in the subscriber s interface field at login and is displayed in the output When the aaa intf d...

Страница 194: ...host1 show subscribers interface ethernet 5 2 Subscriber List Virtual User Name Type Addr Endpt Router bert tst 192 168 10 3 user default User Name Interface bert FastEthernet 5 2 4 User Name Login Ti...

Страница 195: ...scribers summary Virtual Router Subscribers Ppp Ip Tnl Total default 1 1 0 0 1 Total Subscribers 10 chassis wide total Peak Subscribers 15 chassis wide total To display the number of subscribers on ea...

Страница 196: ...ds Table 32 show subscribers Output Fields Field Description Field Name Name of the subscriber User Name Type of subscriber atm ip ipsec ppp tnl tunnel tst test Type IP or IPv6 address and source of t...

Страница 197: ...nName command ICR Partition location id Number of subscribers Count Number of slot in the chassis Slot Related Topics show subscribers Monitoring Application Terminate Reason Mappings Purpose Display...

Страница 198: ...reasons This example uses aaa as the application host1 config run show terminate code aaa Radius Apps Terminate Reason Description Code aaa deny server not available deny server not available 17 aaa d...

Страница 199: ...number of prefixes that can be allocated to clients and the number of prefixes that are in use by clients Action To display information about all the IPv6 local address pools configured on a virtual r...

Страница 200: ...ation for a specific IPv6 local address pool host1 show ipv6 local pool example Pool example Utilization 24 Start End Total In Use Exclude Util Preferred Valid Lifetime Lifetime 4004 4004 48 4004 4004...

Страница 201: ...time Prefix length or prefix range excluded from allocation to the requesting router Exclude Percentage of prefixes currently allocated to clients from a particular prefix range in the pool Util List...

Страница 202: ...ents from the local address pool Allocations Number of errors encountered during the allocation of prefixes Allocation Errors Number of prefixes released back to the pool Releases Number of errors enc...

Страница 203: ...DIUS Dynamic Request Server on page 235 Configuring RADIUS Relay Server on page 245 RADIUS Attribute Descriptions on page 253 Application Terminate Reasons on page 273 Monitoring RADIUS on page 297 Co...

Страница 204: ...164 Managing RADIUS and TACACS JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 205: ...s running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server You can access the RADIUS server through either a subscriber line or the CLI...

Страница 206: ...ing Tracks service use by subscribers RADIUS Attributes JUNOSe software supports the RADIUS attributes and vendor specific attributes VSAs listed in this chapter These attributes define specific authe...

Страница 207: ...es When an application requests user authentication the request must have certain authenticating attributes such as a user s name password and the particular type of service the user is requesting Thi...

Страница 208: ...eout used for EAP request packets Table 37 on page 168 lists the RADIUS IETF attributes supported for Access Request Access Accept Access Reject CoA Request and Disconnect Request messages Table 37 AA...

Страница 209: ...ifier 32 Proxy State 33 Acct Session Id 44 Acct Multi Session Id 50 CHAP Challenge 60 NAS Port Type 61 Port Limit 62 Tunnel Type See Note 1 64 Tunnel Medium Type See Note 1 65 Tunnel Client Endpoint S...

Страница 210: ...nd Primary Dns 135 Ascend Secondary Dns 136 Ascend Num In Multilink 188 Ascend Data Filter 242 Supported Juniper Networks VSAs Table 38 on page 170 lists the Juniper Networks Vendor ID 4874 VSAs suppo...

Страница 211: ...10 Egress Policy Name 26 11 Ingress Statistics 26 12 Egress Statistics 26 13 Service Category 26 14 PCR 26 15 SCR 26 16 Mbs 26 17 Sa Validate 26 22 IGMP Enable 26 23 Pppoe Description 26 24 Redirect V...

Страница 212: ...56 DHCP GI Address 26 57 LI Action 26 58 Med Dev Handle 26 59 Med Ip Address 26 60 Med Port Number 26 61 MLPPP Bundle Name 26 62 Interface Desc 26 63 Tunnel Group 26 64 Activate Service 26 65 Deactiv...

Страница 213: ...e IP SPI 26 85 Mobile IP Key 26 86 Mobile IP Replay 26 87 Mobile IP Access Control List 26 88 Mobile IP Lifetime 26 89 L2TP Resynch Method 26 90 Tunnel Switch Profile 26 91 L2C Up Stream Data 26 92 L2...

Страница 214: ...26 120 Min LP Data Rate Up 26 121 Min LP Data Rate Dn 26 122 Max Interlv Delay Up 26 123 Act Interlv Delay Up 26 124 Max Interlv Delay Dn 26 125 Act Interlv Delay Dn 26 126 DSL Line State 26 127 DSL T...

Страница 215: ...S IETF Attributes Table 39 on page 176 lists the RADIUS IETF attributes supported for Acct Start Acct Stop Interim Acct Acct On and Acct Off messages The following notes are referred to in Table 39 on...

Страница 216: ...User Name 1 NAS IP Address 4 NAS Port 5 Service Type 6 Framed Protocol See Note 3 7 Framed IP Address See Note 2 8 Framed IP Netmask 9 Framed Compression See Note 3 13 Class 25 Called Station Id 30 Ca...

Страница 217: ...ee Note 1 64 Tunnel Medium Type See Note 1 65 Tunnel Client Endpoint See Note 1 66 Tunnel Server Endpoint See Note 1 67 Acct Tunnel Connection See Note 1 68 Connect Info 77 Tunnel Assignment Id LAC on...

Страница 218: ...ication server 2 ERX routers send IPv6 accounting attributes in the Acct Stop and Interim Acct messages stop interim when they are configured to return these attributes and when the subscriber is eith...

Страница 219: ...ons see the Managing Interchassis Redundancy chapter in the JUNOSe Services Availability Configuration Guide Table 40 AAA Accounting Message Juniper Network Vendor ID 4874 VSAs Supported Partition Acc...

Страница 220: ...Data Rate Up 26 113 Act Data Rate Dn 26 114 Min Data Rate Up 26 115 Min Data Rate Dn 26 116 Att Data Rate Up 26 117 Att Data Rate Dn 26 118 Max Data Rate Up 26 119 Max Data Rate Dn 26 120 Min LP Data...

Страница 221: ...on page 181 lists RADIUS attributes supported by the following tunnel related accounting messages Acct Tunnel Start Acct Tunnel Stop Acct Tunnel Reject Acct Tunnel Link Start Acct Tunnel Link Stop Ac...

Страница 222: ...the inclusion of a set of DSL Forum vendor specific attributes VSAs in the following AAA access and accounting messages Access Request Acct Start Acct Stop Interim Acct if Acct Stop messages are speci...

Страница 223: ...DSL Forum Vendor ID 3561 VSAs Supported in AAA Access and Accounting Messages Interim Acct Acct Stop Acct Start Access Request Attribute Name Attribute Number Agent Circuit Id 26 1 Agent Remote Id 26...

Страница 224: ...tribute Name Attribute Number User Name 1 User Password 2 NAS IP Address 4 Service Type 6 Reply Message 18 State Access Request is only in response to an Access Challenge 24 Class 25 Virtual Router 26...

Страница 225: ...ge and display information for the NAS IP Address RADIUS attribute radius override nas ip addr tunnel client endpoint radius override nas info radius override nas ip addr tunnel client endpoint Use to...

Страница 226: ...ses the value for the Nas Port attribute The radius nas port format radius vlan nas port format stacked and radius pppoe nas port format commands do not affect the value of the Nas Port attribute For...

Страница 227: ...outers only The format attribute set using the radius nas port format command does not accommodate the number of bits required by the ATM interface specifier slot adapter port vpi vci or the Gigabit E...

Страница 228: ...tended ethernet field widths slot 4 adapter 1 port 3 vlan 12 Use the no version to restore the default behavior of the radius nas port format command radius pppoe nas port format unique Use to set the...

Страница 229: ...an IP address must be assigned to the subscriber See radius include Example host1 config radius include framed ip addr acct start enable Use the no version to restore the default enable 9 Framed Ip Ne...

Страница 230: ...able 13 Framed Compression Use the following command to manage the Framed Compression RADIUS attribute radius include framed compression radius include framed compression Use to include the Framed Com...

Страница 231: ...the Calling Station Id RADIUS attribute radius calling station format radius calling station delimiter radius include calling station id radius override calling station id remote circuit id NOTE For...

Страница 232: ...nterface description command to enable sending of VC interface descriptors to AAA To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields use the fix...

Страница 233: ...lation ASCII Character Slot Number ASCII Character Slot Number 9 9 0 0 A 10 1 1 B 11 2 2 C 12 3 3 D 13 4 4 E 14 5 5 F 15 6 6 G 16 7 7 8 8 For example slot 16 is shown as the ASCII character uppercase...

Страница 234: ...yword is not supported for VLAN subinterfaces based on agent circuit identifier information otherwise known as ACI VLANs When you issue the radius calling station format fixed format stacked radius ca...

Страница 235: ...14 adapter 1 port 2 VCI 3 and VPI 4 the virtual router displays the format in ASCII as E 1 2 003 00004 Example 3 host1 config radius calling station format fixed format adapter new field For example w...

Страница 236: ...it ID transmitted from a DSLAM device See radius override calling station id remote circuit id Example host1 config radius override calling station id remote circuit id Use the no version to restore t...

Страница 237: ...cast accounting specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting inf...

Страница 238: ...version to restore the default format agent circuit id radius remote circuit id delimiter Use to configure the delimiter character that the router uses to set off multiple components in the format of...

Страница 239: ...ization CoA message to start the mirroring session when the user is already logged in As a trigger in user initiated mirroring to identify the user whose traffic is to be mirrored This VSA can be opti...

Страница 240: ...dius acct session id format decimal Use the no version to negate the Acct Session Id format 45 Acct Authentic Use the following command to manage the Acct Authentic RADIUS attribute radius include acc...

Страница 241: ...sabling this command See radius include Example host1 config radius include acct multi session id acct stop disable Use the no version to restore the default enable for accounting messages and disable...

Страница 242: ...ds RADIUS attribute radius include output gigawords radius include output gigawords Use to include the Acct Output Gigawords attribute in Acct Stop messages You can control inclusion of the Acct Outpu...

Страница 243: ...AG interface in DHCP standalone authenticate mode see Propagation of LAG Subscriber Information to AAA and RADIUS on page 92 radius dsl port type Use to configure the NAS Port Type attribute for the D...

Страница 244: ...d See radius include Example host1 config radius include nas port type acct start enable Use the no version to restore the default enable Related Topics Monitoring the DSL Port Type RADIUS Attribute o...

Страница 245: ...Use the following command to manage the Tunnel Client Endpoint RADIUS attribute radius include tunnel client endpoint radius include tunnel client endpoint Use to include the Tunnel Client Endpoint a...

Страница 246: ...s command See radius include Example host1 config radius include acct tunnel connection acct stop enable Use the no version to restore the default enable 77 Connect Info Use the following commands to...

Страница 247: ...t is the same as the TX speed See radius connect info format radius include connect info Use to include the Connect Info attribute in Access Request Acct Start or Acct Stop messages You can control in...

Страница 248: ...ude Example host1 config radius include tunnel preference acct start enable Use the no version to restore the default enable 87 NAS Port Id Use the following commands to manage and show information fo...

Страница 249: ...onfig radius include nas port id access request enable Use the no version to restore the default enable radius override nas port id remote circuit id Use to configure RADIUS to override the standard u...

Страница 250: ...include the Tunnel Server Auth Id attribute in Access Request Acct Start or Acct Stop messages You can control inclusion of the Tunnel Server Auth Id attribute by enabling or disabling this command Se...

Страница 251: ...d For RADIUS to include this attribute at least one IPv6 prefix must be assigned to the subscriber See radius include Example host1 config radius include framed ipv6 prefix acct start enable Use the n...

Страница 252: ...d in the accounting messages If the IPv6 pool name is configured in the AAA domain map using the CLI and is not returned from RADIUS server the Acct Start Acct Stop or Interim Acct messages report the...

Страница 253: ...ned by the RADIUS server the immediate accounting Acct Stop or Interim Acct messages contain the prefix returned from the RADIUS server If this attribute is not returned from the RADIUS server the imm...

Страница 254: ...u can configure using CLI commands The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute 26 1 Virtual Router Use the follow...

Страница 255: ...dius ignore Example host1 config radius ignore ingress policy name enable Use the no version to restore the default enable 26 11 Egress Policy Name Use the following commands to manage the Egress Poli...

Страница 256: ...ored in Access Accept messages You can control this behavior by enabling or disabling this command See radius ignore Example host1 config radius ignore atm service category enable Use the no version t...

Страница 257: ...attribute to be ignored in Access Accept messages You can control this behavior by enabling or disabling this command See radius ignore Example host1 config radius ignore atm mbs enable Use the no ve...

Страница 258: ...efault enable 26 36 Acct Output Gigapackets Use the following command to manage the Acct Output Gigapackets RADIUS attribute radius include output gigapkts radius include output gigapkts Use to includ...

Страница 259: ...ccounting messages If the IPv6 virtual router is configured in the AAA domain map and is not returned from the RADIUS server the Acct Start Acct Stop or Interim Acct messages report the value configur...

Страница 260: ...primary dns radius include ipv6 primary dns Use to include the IPv6 Primary DNS attribute in Acct Start or Acct Stop messages You can control inclusion of the attribute by enabling or disabling this...

Страница 261: ...nnect Cause RADIUS attribute radius include l2tp ppp disconnect cause radius include l2tp ppp disconnect cause Use to include the Disconnect Cause attribute in Acct Stop and Acct Tunnel Link Stop mess...

Страница 262: ...nable Use the no version to restore the default disable 26 56 DHCP MAC Address Use the following command to manage the DHCP MAC Address RADIUS attribute radius include dhcp mac address radius include...

Страница 263: ...ute in Access Request Acct Start Interim Acct or Acct Stop messages You can control inclusion of the MLPPP Bundle Name attribute by enabling or disabling this command There is no explicit command to i...

Страница 264: ...radius include access loop parameters radius include access loop parameters Use to include the L2C Information attribute in Access Request messages You can control inclusion of the L2C Information at...

Страница 265: ...9 Ipv6 NdRa Prefix Use the following command to manage the Ipv6 NdRa Prefix RADIUS attribute radius include ipv6 nd ra prefix radius include ipv6 nd ra prefix Use to include the IPv6 NdRa Prefix attri...

Страница 266: ...te access request enable Use the no version to restore the default disable See radius include 26 142 Upstream Calculated Qos Rate The Upstream Calculated Qos Rate RADIUS attribute enables RADIUS to re...

Страница 267: ...er You can control this behavior by enabling or disabling this command Ignoring the Max Clients Per Interface attribute is enabled by default Example 1 Ignores the Max Clients Per Interface attribute...

Страница 268: ...nfigure ICR partition accounting per virtual router Example host1 config radius icr partition accounting enable Use the no version to restore the default disable All IPv6 Accounting Attributes Use the...

Страница 269: ...t and Acct Stop messages that the router sends to RADIUS If you enable inclusion of the ANCP related VSAs in Acct Stop messages the router also includes the VSAs in Interim Acct messages Inclusion is...

Страница 270: ...min lp data rate dn 139 4 Max Interlv Delay Up 26 123 l2cd max interlv delay up 140 4 Act Interlv Delay Up 26 124 l2cd act interlv delay up 141 4 Max Interlv Delay Dn 26 125 l2cd max interlv delay dn...

Страница 271: ...ing one or more of the DSL Forum VSAs from a DSLAM connected to the router via a PPPoE interface When you enable the inclusion of the DSL Forum VSAs in these RADIUS messages the router includes all of...

Страница 272: ...ed by default When you enable inclusion of the DSL Forum VSAs for a specified message type the router includes in that message all of the DSL Forum attributes that it receives from the DSLAM Example h...

Страница 273: ...pted from Access Accept messages Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute Examples host1 config...

Страница 274: ...234 CLI Commands Used to Modify RADIUS Attributes JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 275: ...namic Request Server Overview The E Series router s RADIUS dynamic request server feature provides an efficient way for you to use RADIUS servers to centrally manage user sessions The RADIUS dynamic r...

Страница 276: ...rization and accounting information Having a common database allows any server to view who is currently valid and connected and allows service providers to manage the disconnection of users Figure 5 S...

Страница 277: ...es from RADIUS servers The RADIUS initiated disconnect feature uses the existing format of RADIUS disconnect request and response messages The RADIUS initiated disconnect feature uses the following co...

Страница 278: ...the disconnect request is owned by a component that does not support RADIUS initiated disconnect for example IP LAC subscribers cannot be disconnected Session context not removable 504 A request coul...

Страница 279: ...config radius subscriber disconnect 3 Define the secret used in the RADIUS Authenticator field during exchanges between the RADIUS dynamic request server and the RADIUS server host1 config radius key...

Страница 280: ...uter sends the CoA NAK without an error cause attribute Table 46 on page 240 lists the supported error cause codes Table 46 Error Cause Codes RADIUS Attribute 101 Description Value Code The request co...

Страница 281: ...ccounting Request message in RFC 2866 The RADIUS dynamic request server verifies the request using authenticator calculation as specified for an Accounting Request in RFC 2866 A key secret as specifie...

Страница 282: ...ured operations will continue See authorization change key Use to define the key secret that is used to calculate the RADIUS Authenticator field during exchanges between the RADIUS dynamic request ser...

Страница 283: ...uest server subscriber disconnect Use to enable the RADIUS dynamic request server to receive RADIUS disconnect messages from a RADIUS server Example host1 config radius subscriber disconnect Use the n...

Страница 284: ...seline for RADIUS Dynamic Request Server Statistics on page 304 Monitoring RADIUS Dynamic Request Server Statistics on page 305 Monitoring the Configuration of the RADIUS Dynamic Request Server on pag...

Страница 285: ...ubscriber to be authenticated by a central authority The standard uses the Extensible Authentication Protocol EAP for message exchange during the authentication process The E Series router s RADIUS re...

Страница 286: ...IUS Extensions June 2000 RFC 2284 PPP Extensible Authentication Protocol EAP March 1998 RFC 3539 Authentication Authorization and Accounting AAA Transport Profile June 2003 How RADIUS Relay Server Wor...

Страница 287: ...outer s RADIUS relay server creates a RADIUS Access Accept message and sends the message back to the subscriber The router s DHCP server either the router s DHCP local server or an external DHCP serve...

Страница 288: ...are received for this subscriber for more than 24 hours RADIUS Relay Server and the SRC Software The SRC software is an advanced subscriber configuration and management service The RADIUS relay server...

Страница 289: ...E Series router supports one instance of the RADIUS relay server per virtual router The instance can provide authentication authorization and accounting support 1 Enable RADIUS relay server support on...

Страница 290: ...ret3Clientkey Use the no version to delete the secret See key radius relay server Use to configure a RADIUS relay authentication or accounting server and enter RADIUS Relay Configuration mode Example...

Страница 291: ...ort Monitoring RADIUS Relay Server To monitor RADIUS relay server see Setting the Baseline for RADIUS Dynamic Request Server Statistics on page 304 Monitoring RADIUS Dynamic Request Server Statistics...

Страница 292: ...252 Monitoring RADIUS Relay Server JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 293: ...erences on page 272 RADIUS IETF Attributes Table 49 on page 253 describes the RADIUS IETF attributes supported by JUNOSe software The attributes are sorted by standard number Table 49 RADIUS IETF Attr...

Страница 294: ...55 255 255 Framed IP Netmask 9 Name of the filter list for the user Interpreted as input policy name Filter Id 11 The maximum transmission unit to be configured for the user when it is not negotiated...

Страница 295: ...2 E Series router s port ID and IP address Proxy State 33 Indicates whether this Accounting Request marks the beginning of the user service Start the end Stop or the interim Interim Update Acct Status...

Страница 296: ...or 8 PVC failed no hardware or no interface NAS Error 9 Negotiation failures connection failures or address lease expiration NAS Request 10 PPP challenge timeout PPP request timeout tunnel establishme...

Страница 297: ...o use in the case of a tunnel initiator or the tunneling protocol in use in the case of a tunnel terminator Only L2TP tunnels supported at this time Tunnel Type 64 Transport medium to use when creatin...

Страница 298: ...1 1 98 172 81 1 99 18d cb8 ce6 9f4 6 In this case the local information refers to the LNS and the peer information refers to the LAC NAS Port Id usually contains one of the following atm slot port sub...

Страница 299: ...Num In Multilink 188 RADIUS policy definitions used to configure a policy to classify packet flows and perform filter forward packet marking rate limit profile and traffic class actions Ascend Data Fi...

Страница 300: ...te primary wins address 6 12 B RAS user s WINS NBNS address negotiated during IPCP 4 octet IP address Primary WINS NBNS 26 6 integer 4 byte secondary wins address 6 12 B RAS user s WINS NBNS address n...

Страница 301: ...See the enable command in the Passwords and Security chapter in JUNOSe System Basics Configuration Guide Allow All VR Access 26 19 single attribute enter 0 1 5 10 or 15 sublen len Specifies other leve...

Страница 302: ...Sessions 26 33 integer 4 octet 6 12 Route tag to apply to returned framed ip address Framed Ip Route Tag 26 34 string dial out number sublen len Dial number in L2TP dial out Tunnel Dialout Number 26...

Страница 303: ...y DNS 26 48 string l2tp ppp disconnect cause sublen len L2TP PPP disconnect cause information received by the LAC Disconnect Cause 26 51 integer 4 octet 6 12 RADIUS relay server s IP address Radius Cl...

Страница 304: ...volume is exceeded Service Volume tagX 26 67 integer time in seconds 0 no timeout 6 12 Number of seconds that the service can be active service is deactivated when the timeout expires Service Timeout...

Страница 305: ...e ASCII representation of 0 21474836470 multiple instances of this VSA can be returned from RADIUS using this format sublen len Name of the QoS parameter instance to create on the user s interface fol...

Страница 306: ...Data 26 92 string actual downstream rate access loop parameter ASCII encoded sublen len Actual downstream rate access loop parameter ASCII encoded as defined in GSMP extensions for layer2 control L2C...

Страница 307: ...tion atm slot port vpi vci Acc Aggr Cir Id Asc 26 112 integer 4 octet 6 12 Actual upstream data rate of the subscriber s synchronized DSL link Act Data Rate Up 26 113 integer 4 octet 6 12 Actual downs...

Страница 308: ...le 3 Silent 6 12 State of the DSL line DSL Line State 26 127 string 3 byte 5 11 Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated DSL Type 26 1...

Страница 309: ...hat can be used to assign addresses to users being authenticated by a RADIUS server when the existing addresses in the primary local address pool are fully exhausted The authentication server override...

Страница 310: ...for RADIUS JUNOSe software uses the vendor ID assigned to the DSL Forum 3561 or DE9 in hexadecimal format by the Internet Assigned Numbers Authority IANA Table 51 JUNOSe Software DSL Forum Vendor ID...

Страница 311: ...y upstream interleaving delay configured for the subscriber Maximum Interleaving Delay Upstream 26 139 integer 4 octet 6 12 Subscriber s actual one way upstream interleaving delay Actual Interleaving...

Страница 312: ...RADIUS Accounting June 2000 RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support June 2000 RFC 2868 RADIUS Attributes for Tunnel Protocol Support June 2000 RFC 2869 RADIUS Extensions...

Страница 313: ...Cause attributes AAA Terminate Reasons on page 273 L2TP Terminate Reasons on page 274 PPP Terminate Reasons on page 289 RADIUS Client Terminate Reasons on page 295 AAA Terminate Reasons Table 53 on p...

Страница 314: ...ror 17 deny unknown subscriber user error 17 deny user termination nas request 10 shutdown address lease expiration admin reset 6 shutdown administrative reset L2TP Terminate Reasons Table 54 on page...

Страница 315: ...assigned session id nas request 10 session rx cdn avp malformed bad length nas request 10 session rx cdn avp malformed truncated nas request 10 session rx cdn avp missing mandatory assigned session i...

Страница 316: ...session rx iccn no resources nas request 10 session rx iccn unexpected nas request 10 session rx icrp avp bad hidden nas request 10 session rx icrp avp bad value assigned session id nas request 10 se...

Страница 317: ...p missing secret nas request 10 session rx icrq avp unknown nas request 10 session rx icrq no resources nas request 10 session rx icrq unexpected nas request 10 session rx occn avp bad hidden nas requ...

Страница 318: ...0 session rx ocrq avp bad value assigned session id nas request 10 session rx ocrq avp bad value bearer type nas request 10 session rx ocrq avp bad value framing type nas request 10 session rx ocrq av...

Страница 319: ...r nas request 10 session rx sli avp missing secret nas request 10 session rx sli avp unknown nas request 10 session rx sli no resources nas request 10 session rx unexpected packet lac incoming nas req...

Страница 320: ...vice unavailable 15 session upper removed service unavailable 15 session warmstart not operational service unavailable 15 session warmstart recovery error nas request 10 session warmstart upper not re...

Страница 321: ...bad length service unavailable 15 tunnel rx scccn avp malformed truncated user error 17 tunnel rx scccn avp missing challenge response service unavailable 15 tunnel rx scccn avp missing random vector...

Страница 322: ...avp missing mandatory framing capabilities service unavailable 15 tunnel rx sccrp avp missing mandatory host name service unavailable 15 tunnel rx sccrp avp missing mandatory protocol version service...

Страница 323: ...ilable 15 tunnel rx sccrq avp missing mandatory host name service unavailable 15 tunnel rx sccrq avp missing mandatory protocol version service unavailable 15 tunnel rx sccrq avp missing random vector...

Страница 324: ...able 15 tunnel rx frs avp missing random vector service unavailable 15 tunnel rx frs avp missing secret service unavailable 15 tunnel rx frs avp unknown service unavailable 15 tunnel rx frs no resourc...

Страница 325: ...ing secret service unavailable 15 tunnel rx recovery scccn avp unexpected challenge response service unavailable 15 tunnel rx recovery scccn avp unknown service unavailable 15 tunnel rx recovery scccn...

Страница 326: ...version service unavailable 15 tunnel rx recovery sccrp avp missing random vector service unavailable 15 tunnel rx recovery sccrp avp missing secret service unavailable 15 tunnel rx recovery sccrp avp...

Страница 327: ...vp missing mandatory framing capabilities service unavailable 15 tunnel rx recovery sccrq avp missing mandatory host name service unavailable 15 tunnel rx recovery sccrq avp missing mandatory protocol...

Страница 328: ...ry stopccn avp unknown service unavailable 15 tunnel rx recovery stopccn no resources service unavailable 15 tunnel rx recovery stopccn session id not null service unavailable 15 tunnel rx recovery un...

Страница 329: ...uest 10 authenticate max requests nas request 10 authenticate no authenticator user error 17 authenticate pap peer authenticator timeout nas request 10 authenticate pap request timeout session timeout...

Страница 330: ...n disable lost carrier 2 interface down port error 8 interface no hardware nas request 10 ip admin disable nas request 10 ip inhibited by authentication nas request 10 ip link down nas request 10 ip m...

Страница 331: ...request 10 ip service disable nas request 10 ip stale stacking nas request 10 ipv6 admin disable nas request 10 ipv6 inhibited by authentication nas request 10 ipv6 link down nas request 10 ipv6 local...

Страница 332: ...k rx conf req nas request 10 lcp loopback rx echo reply nas request 10 lcp loopback rx echo req nas request 10 lcp max configure exceeded nas request 10 lcp mru changed nas request 10 lcp negotiation...

Страница 333: ...t 1 lcp peer renegotiate rx conf rej user request 1 lcp peer renegotiate rx conf req nas request 10 lcp tunnel disconnected nas request 10 lcp tunnel failed port error 8 link interface no hardware los...

Страница 334: ...terface nas request 10 osi admin disable nas request 10 osi link down nas request 10 osi max configure exceeded nas request 10 osi no local align npdu nas request 10 osi no peer align npdu nas request...

Страница 335: ...s and the RADIUS Acct Terminate Cause attributes they are mapped to by default Table 56 Default RADIUS Client Mappings RADIUS Acct Terminate Cause RADIUS Client Terminate Reason Description Code nas r...

Страница 336: ...296 RADIUS Client Terminate Reasons JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 337: ...toring the NAS Port ID RADIUS Attribute on page 301 Monitoring Included RADIUS Attributes on page 302 Monitoring Ignored RADIUS Attributes on page 304 Setting the Baseline for RADIUS Dynamic Request S...

Страница 338: ...ide nas port id remote circuit id command to override the standard NAS Port Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM nas port id Displays the current setting for the Ca...

Страница 339: ...radius vlan nas port format Monitoring the Calling Station Id RADIUS Attribute Purpose Display the format and delimiter used for the Calling Station Id 31 attribute Action To display the format config...

Страница 340: ...fect Action To display the format configured for the PPPoE remote circuit ID value captured from a DSLAM host1 show radius remote circuit id format nas identifier agent circuit id agent remote id Rela...

Страница 341: ...ow radius dsl port type show radius ethernet port type Monitoring the Connect Info RADIUS Attribute Purpose Display the format for the Connect Info attribute Action To display the format for the Conne...

Страница 342: ...c n c disabled disabled dhcp options n c n c disabled disabled disabled dhcp mac address n c n c disabled disabled disabled dhcp gi address n c n c disabled disabled disabled dsl forum attributes n c...

Страница 343: ...l2cd act interlv delay dn vsa n c n c disabled disabled disabled l2cd dsl line state vsa n c n c disabled disabled disabled l2cd dsl type vsa n c n c disabled disabled disabled l2tp ppp disconnect ca...

Страница 344: ...m service category vsa accepted from RADIUS server attribute atm mbs vsa accepted from RADIUS server attribute atm pcr vsa accepted from RADIUS server attribute atm scr vsa accepted from RADIUS server...

Страница 345: ...Bad Authenticators 0 CoA Packets Dropped 0 No Secret 0 Unknown Request 0 Invalid Addresses Received 0 Meaning Table 59 on page 305 lists the show radius dynamic request statistics command output field...

Страница 346: ...tics on page 304 show radius statistics Monitoring the Configuration of the RADIUS Dynamic Request Server Purpose Display the configuration of the RADIUS dynamic request server Action To display the c...

Страница 347: ...adius relay command host1 baseline radius relay There is no no version Related Topics Monitoring RADIUS Relay Server Statistics on page 307 baseline radius relay Monitoring RADIUS Relay Server Statist...

Страница 348: ...Accepts Number of access challenges received Access Challenges Number of access rejects received Access Rejects Number of access requests waiting for a response Pending Requests Number of duplicate re...

Страница 349: ...Address IP Mask Secret 10 10 8 15 255 255 255 255 newsecret 192 168 102 5 255 255 255 255 999Y2K Udp Port 1812 RADIUS Relay Accounting Server Configuration IP Address IP Mask Secret 10 10 1 0 255 255...

Страница 350: ...Output Fields Field Description Field Name Status of UDP checksums enabled or disabled udp checksums Related Topics show radius relay udp checksum Monitoring the Status of ICR Partition Accounting Pu...

Страница 351: ...o are attempting to gain access to a router or NAS TACACS a more recent version of the original TACACS protocol provides separate authentication authorization and accounting AAA services NOTE TACACS i...

Страница 352: ...d passwords Authorization Determines what an authenticated user is allowed to do Authorization gives the network manager the ability to limit network services to different users Also the network manag...

Страница 353: ...To allow login authorization through the TACACS server you can use the following commands aaa authorization aaa authorization config commands and authorization For information about using these comma...

Страница 354: ...mode Specifies the type of accounting records that are recorded on the TACACS server Accounting records track user actions and resource usage You can analyze and use the records for network managemen...

Страница 355: ...AVP timezone TACACS Platform Considerations TACACS is supported on all E Series routers For information about the modules supported on E Series routers See the ERX Module Guide for modules supported...

Страница 356: ...imary 2 Optional Set the authentication and encryption key value shared by all TACACS servers that do not have a server specific key set up by the tacacs server host command host1 config tacacs server...

Страница 357: ...cs host1 config aaa accounting commands 1 listX stop only tacacs host1 config aaa accounting commands 13 listY stop only tacacs host1 config aaa accounting commands 14 default stop only tacacs host1 c...

Страница 358: ...on the router and to create accounting method lists Specify default to configure the default method list or configure a named method list The default method list is used by lines and consoles unless...

Страница 359: ...r vty lines an authentication list called default is automatically assigned to the vty lines To allow users to access the vty lines you must create an authentication list and either Name the list defa...

Страница 360: ...commands to capture accounting information for User Exec mode commands at the indicated JUNOSe privilege level 0 through 15 Specify the name of the method list to be applied to the line or console To...

Страница 361: ...nated primary host is always the first in the search order the remaining hosts are contacted in the order in which they were created If the primary host is deleted or if you modify the primary host wi...

Страница 362: ...version to remove the address See tacacs server source address tacacs server timeout Use to set the interval in seconds that the server waits for the server host to reply The specified interval is sha...

Страница 363: ...CACS Statistics You can set a baseline for TACACS statistics To set the baseline Issue the baseline tacacs command host1 baseline tacacs There is no no version Related Topics baseline tacacs Monitorin...

Страница 364: ...m the host Auth Replies Number of expected but not received authentication replies from the host Auth Pending Number of authentication timeouts for the host Auth Timeouts Number of authorization reque...

Страница 365: ...ted for the pending statistics host1 show tacacs delta Meaning Table 67 on page 325 lists the show tacacs command output fields Table 67 show tacacs Output Fields Field Description Field Name Authenti...

Страница 366: ...ntinued Field Description Field Name The order in which requests are sent to hosts until a response is received Search Order Related Topics show tacacs 326 Monitoring TACACS Information JUNOSe 11 0 x...

Страница 367: ...view on page 329 Configuring an L2TP LAC on page 337 Configuring an L2TP LNS on page 369 Configuring L2TP Dial Out on page 405 L2TP Disconnect Cause Codes on page 417 Monitoring L2TP and L2TP Dial Out...

Страница 368: ...328 Managing L2TP JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 369: ...s PPP for transmission across a network An L2TP access concentrator LAC configured on an access device such as an E Series router receives packets from a remote client and forwards them to an L2TP net...

Страница 370: ...rm Combination of a unique attribute represented by an integer and a value containing the actual value identified by the attribute Attribute value pair AVP L2TP access concentrator LAC a node that act...

Страница 371: ...t of a call Remote system A logical connection created between the LAC and the LNS when an end to end PPP connection is established between a remote system and the LNS NOTE There is a one to one relat...

Страница 372: ...too large The router always supports packets that have an offset pad field of up to 16 bytes and may support larger offset pad fields depending on other information in the header This restriction is a...

Страница 373: ...ore even if PPP in the LNS chooses to renegotiate the MRU it has no way to determine the proper MRU since it does not know the minimum MRU on all of the intervening links between it and the LAC To ove...

Страница 374: ...talled in the ERX router For information about installing modules in the ERX router see the ERX Hardware Guide SMs provide dedicated tunnel server ports that are always configured on the module Unlike...

Страница 375: ...the ERX1440 router supports 32 000 L2TP sessions and all other E Series routers support a maximum of 16 000 L2TP sessions The following guidelines apply On all E Series routers The SM and the ES2 S1...

Страница 376: ...formation July 2001 Fail Over extensions for L2TP failover draft ietf l2tpext failover 06 txt April 2006 expiration RFC 4951 Fail Over Extensions for Layer 2 Tunneling Protocol L2TP failover August 20...

Страница 377: ...nnels and Sessions on page 340 Shutting Down Destinations Tunnels and Sessions on page 342 Specifying the Number of Retransmission Attempts on page 343 Configuring Calling Number AVP Formats on page 3...

Страница 378: ...using shared tunnel server ports you must configure the shared tunnel server ports before you configure Layer 2 Tunneling Protocol L2TP network server LNS support You use the tunnel server command in...

Страница 379: ...40 Shutting Down Destinations Tunnels and Sessions on page 342 Specifying the Number of Retransmission Attempts on page 343 Generating UDP Checksums in Packets to L2TP Peers You can configure the rout...

Страница 380: ...meout 1200 Related Topics l2tp destruct timeout Preventing Creation of New Destinations Tunnels and Sessions You can configure several L2TP drain operations which determine how the router creates new...

Страница 381: ...n tunnel command both affect the administrative state of L2TP for the tunnel Although each command has a different effect the no version of each command is equivalent Each command s no version leaves...

Страница 382: ...each command is equivalent Each command s no version leaves L2TP in the enabled state To close all destinations tunnels and sessions on the router host1 config l2tp shutdown Closing Existing and Preve...

Страница 383: ...router uses a retry count of 5 Use the established keyword to apply the retry count only to established tunnels Use the not established keyword to apply the retry count only to tunnels that are not es...

Страница 384: ...lar to the fixed format of RADIUS attribute 31 Calling Station Id If you set up the router to generate the Calling Number AVP in fixed format the router formats the AVP to use a fixed format of up to...

Страница 385: ...outer For ERX7xx models ERX14xx models and ERX310 Broadband Services Routers which do not use IOAs adapter is always shown as 0 Slot numbers 0 through 16 are shown as ASCII characters in the 1 byte sl...

Страница 386: ...ter new field format host1 config aaa tunnel calling number format fixed adapter new field For example when you configure this L2TP Calling Number AVP format on an E320 router for an ATM interface on...

Страница 387: ...specify the optional stacked keyword but the Ethernet interface does not have an S VLAN ID Example The following command configures the L2TP Calling Number AVP in fixed adapter new field format for an...

Страница 388: ...ured calling number format includes either or both of the agent circuit id and agent remote id suboptions The calling number format determines what element triggers use of the fallback format as shown...

Страница 389: ...P to use a fixed format of up to 15 characters consisting of all ASCII fields with a 1 byte slot field 1 byte adapter field and 1 byte port field Fallback format for ATM interfaces systemName up to 4...

Страница 390: ...new field format the router formats the AVP to use a fixed format of up to 17 characters consisting of all ASCII fields with a 2 byte slot field 1 byte adapter field and 2 byte port field Fallback for...

Страница 391: ...bytes VLAN 4 bytes Fallback format for Ethernet interfaces that use fixed adapter embedded systemName up to 4 bytes slot 1 byte adapter 1 byte port 1 byte S VLAN 4 bytes VLAN 4 bytes Fallback format...

Страница 392: ...that the fixed format is used when both PPPoE agent circuit id and agent remote id are unavailable issue the following commands host1 config radius calling station format fixed format host1 config ra...

Страница 393: ...el locally on the router from Domain Map Tunnel mode perform the following steps 1 Specify a domain name and enter Domain Map Configuration mode host1 config aaa domain map westford com host1 config d...

Страница 394: ...onfig domain map tunnel server name boston 10 Optional Specify a source IP address for the LAC tunnel endpoint All L2TP packets sent to the peer use this source address host1 config domain map tunnel...

Страница 395: ...D If you do not set a tunnel assignment ID the software sets it to the default assignmentID This parameter is only generated and used by the L2TP LAC device 17 Optional Specify whether or not to use t...

Страница 396: ...Sessions Tunnel RWS Router 3 boston 5 0 system chooses vr2 host1 show aaa tunnel parameters Tunnel password is 3 92k b q4 Tunnel client name is NULL Tunnel nas port method is none Tunnel nas port igno...

Страница 397: ...tunnel group tunnel router name default 4 Specify the LNS endpoint address of a tunnel host1 config tunnel group tunnel address 192 0 2 13 5 Specify a preference for the tunnel You can specify up to e...

Страница 398: ...table IP interface for example a loopback interface Make sure that the address is configured in the virtual router for this domain map and that the address is reachable by the peer host1 config tunnel...

Страница 399: ...and preference command router name server name source address tunnel type Configuring the RX Speed on the LAC You can configure the E Series LAC to always generate L2TP Receive RX Speed AVP 38 If you...

Страница 400: ...a Locked Out Destination Is Available on page 362 3 Configuring a Lockout Timeout on page 362 4 Unlocking a Destination that is Currently Locked Out on page 362 5 Starting an Immediate Lockout Test on...

Страница 401: ...the following commands to manage L2TP destination lockout and configure a lockout process that meets the needs of your network environment Use the l2tp destination lockout timeout command to modify t...

Страница 402: ...out expires all information about the locked out destination is deleted including the time remaining on the destination s lockout timeout and the requirement to run a lockout test prior to returning t...

Страница 403: ...nels with separate receive and transmit addresses and to avoid problems due to a misconfiguration Three possible configurations are available Default configuration The E Series LAC accepts the change...

Страница 404: ...l from a set of tunnels associated with either the PPP user or the PPP user s domain The router provides the following methods for selecting tunnels Tunnel selection failover between preference levels...

Страница 405: ...ect to every destination available for the domain Support for multiple destinations affects the procedure for mapping a user domain name to an L2TP tunnel To learn how to complete this mapping see Map...

Страница 406: ...vel the router drops to the next lower preference level to make the next selection This process is consistent regardless of which fail over scheme is currently running on the router A tunnel without a...

Страница 407: ...host1 config l2tp weighted load balancing Configuring the Weighted Load Balancing Method 367 Chapter 12 Configuring an L2TP LAC...

Страница 408: ...368 Configuring the Weighted Load Balancing Method JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 409: ...RADIUS Connect Info Attribute on the LNS on page 374 Overriding LNS Out of Resource Result Codes 4 and 5 on page 375 Selecting Tunnel Service Modules for LNS Sessions Using MLPPP on page 376 Enabling...

Страница 410: ...configure an LNS you can configure it to accept calls from any LAC NOTE If there is no explicit LNS configuration on the router the UDP port used for L2TP traffic is closed and no tunnels or sessions...

Страница 411: ...ame to be used in any hostname AVP sends to the LAC By default the router name is used as the local hostname host1 config l2tp dest profile host local host andy 7 Optional Specify the local IP address...

Страница 412: ...Attribute on the LNS on page 374 Overriding LNS Out of Resource Result Codes 4 and 5 on page 375 Selecting Tunnel Service Modules for LNS Sessions Using MLPPP on page 376 bundled group id bundled grou...

Страница 413: ...t profile and access L2TP Destination Profile Host Configuration mode Each L2TP destination profile can have multiple L2TP host profiles For an LAC to connect to an LNS the appropriate L2TP destinatio...

Страница 414: ...rofile or host profile maximum session limit is not exceeded For information about the maximum number of L2TP sessions supported per chassis see JUNOSe Release Notes Appendix A System Maximums To set...

Страница 415: ...CDN Call Disconnect Notify message to the LAC This signals the LAC to fail over to another LNS that has the resources for more sessions Some third party LAC implementations fail over only when they r...

Страница 416: ...of resource result code override show l2tp destination profile Selecting Tunnel Service Modules for LNS Sessions Using MLPPP You can install multiple tunnel service modules in an E Series router deplo...

Страница 417: ...include a endpoint discriminator option in the LCP proxy AVPs The router places all bundled sessions without endpoint discriminators on the same SM However if there are many such bundled sessions the...

Страница 418: ...opics bundled group id bundled group id overrides mlppp ed Enabling Tunnel Switching L2TP tunnel switching allows you to switch packets between one session terminating at an L2TP LNS and another sessi...

Страница 419: ...ou to verify both the tunnel configuration and connectivity This command supports tunnel initiation incoming calls on the LAC outgoing calls on the LNS The command does not support tunnel respondent o...

Страница 420: ...nt all PPP signaling for the tunnel session takes place between the LNS and the client without active participation of the LAC As a result the LAC is not aware of the reason that a session has disconn...

Страница 421: ...st profile host disconnect cause Enabling RADIUS Accounting for Disconnect Cause You use the radius include l2tp ppp disconnect cause acct stop enable command to specify that the Disconnect Cause RADI...

Страница 422: ...ndow command in L2TP Destination Profile Host Configuration mode 1 Configuring the Default Receive Window Size on page 382 2 Configuring the Receive Window Size on the LAC on page 383 3 Configuring th...

Страница 423: ...ndow command TIP The RWS setting must be the same for all users of the same tunnel If you modify the RWS setting for an existing tunnel subsequent tunnel users might be not be able to log in if their...

Страница 424: ...he LNS 1 Access L2TP Destination Profile Host Configuration mode For example host1 config virtual router fms02 host1 fms02 config l2tp destination profile fms02 ip address 192 168 5 61 host1 fms02 con...

Страница 425: ...ocol method as the primary peer resynchronization method but then fall back to the silent failover method if the peer does not support the failover protocol method The following list highlights differ...

Страница 426: ...ailover forces disconnection of the tunnel and all of its sessions failover protocol fallback to silent failover The tunnel uses the L2TP failover protocol method however if the peer non failed endpoi...

Страница 427: ...e the specified method unless it is overridden by an L2TP host profile configuration or an AAA domain map configuration failover protocol Tunnels use the L2TP failover protocol method If the peer non...

Страница 428: ...r protocol 2 silent failover 3 failover protocol with silent failover as backup 6 12 L2TP peer resynchronization method L2TP Resynch Method 26 90 Configuring L2TP Tunnel Switch Profiles You can use th...

Страница 429: ...l switch profile the router also disconnects all associated L2TP switched sessions using that profile In some cases attributes configured in a tunnel switch profile take precedence over similar attrib...

Страница 430: ...ing AAA Tunnel Groups on page 392 To apply a named tunnel switch profile through RADIUS include the Tunnel Switch Profile RADIUS attribute VSA 26 91 in RADIUS Access Accept messages For details see Ap...

Страница 431: ...to relay the Bearer Type Calling Number and Cisco NAS Port Info AVP types across the LNS LAC boundary host1 config l2tp tunnel switch profile avp bearer type relay host1 config l2tp tunnel switch pro...

Страница 432: ...nel RWS Router Profile 3 null 2000 0 system chooses null concord Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups To apply an L2TP tunnel switch profile to sessions associated with an A...

Страница 433: ...pply a different default tunnel switch profile to each virtual router configured To apply a default L2TP tunnel switch profile to a virtual router 1 Create the virtual router to which you want to appl...

Страница 434: ...the establishment of an L2TP tunnel session the LAC sends AVP 24 to the LNS to convey the transmit speed of the subscriber s access interface You can configure the calculation method for the transmit...

Страница 435: ...alculation methods NOTE Configuring the transmit connect speed calculation method has no effect on the operation of the L2TP Receive RX Speed AVP 38 or the Connect Info RADIUS attribute 77 at the LAC...

Страница 436: ...f any logical interface in the interface column For those logical interfaces with a rate controlled by QoS QoS reports this configured rate as the transmit connect speed for that interface For those l...

Страница 437: ...speed 5 Mbps 5 Mbps Actual Example 2 L2TP Session over Ethernet VLAN Interface In this example an L2TP session is established over a PPPoE subinterface over an Ethernet VLAN subinterface The configur...

Страница 438: ...e information about supported L2TP terminate reasons see AAA Terminate Reasons on page 273 Advisory Speed Precedence for VLANs over Bridged Ethernet For interface columns that consist of an L2TP sessi...

Страница 439: ...ystem chooses null Tunnel Tunnel Tunnel Tunnel Failover Switch Tx Tag Resync Profile Speed Method 5 null null dynamic layer2 Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation...

Страница 440: ...Configuring the calculation method as a default AAA tunnel parameter for a virtual router has lower precedence than using AAA domain maps AAA tunnel groups or RADIUS to configure the transmit connect...

Страница 441: ...rmat is assignmentId Tunnel calling number format is fixed Using RADIUS to Configure the Transmit Connect Speed Calculation Method On the LAC the router can receive tunnel configuration attributes thr...

Страница 442: ...lation Method on page 399 Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method on page 400 Using RADIUS to Configure the Transmit Connect Speed Calculation Me...

Страница 443: ...en proxy LCP is disabled or required to renegotiate at the LNS All PPP LCP echo requests and their responses PPP LCP terminate request or terminate acknowledgement packets from the client or LNS when...

Страница 444: ...404 PPP Accounting Statistics JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 445: ...work server LNS function is deployed in networks that have a combination of broadband and narrowband access A remote site can communicate on demand with the home site with a normal L2TP access concent...

Страница 446: ...Protocol PPP stack for the dial out session Dial out route Network Model for Dial Out In Figure 10 on page 406 the home site connects to the Internet over a permanent leased line to the Internet serv...

Страница 447: ...5 Once the LNS successfully completes a control connection and session with the LAC the LAC performs the actual narrowband dial out operation to the remote site using the information passed by the LN...

Страница 448: ...e not functional down Targets Table 76 on page 408 describes the operational states of the targets Table 76 Target Operational States Description State Dial out route is up and operational inService D...

Страница 449: ...was unsuccessful This state prevents the router from thrashing on an outgoing call that cannot be completed When in this state the router discards all trigger packets received for the session The inhi...

Страница 450: ...cannot be routed successfully by the new access route the router detects this discrepancy as a configuration error because trigger packets that arrive are not forwarded into the outgoing call rather...

Страница 451: ...sed in PPP L2TP dial out sessions at the LNS PPP Username Juniper VSA 26 36 Password used in PPP L2TP dial out sessions at the LNS PPP Password Juniper VSA 26 37 Authentication protocol used for L2TP...

Страница 452: ...e The route does not need to be identical to the one specified in the dial out route but it must be able to forward packets that have the same destination address as the trigger packet However if the...

Страница 453: ...Dial Out To configure L2TP dial out 1 Enable the creation of a dial out session host1 config l2tp dial out target 10 10 0 0 255 255 0 0 L2TP dial out de dt profile dialOut 2 Optional Set the maximum...

Страница 454: ...P outgoing call ends If no trigger is received before the dormant timer expires the dial out session is deleted The range is 0 3600 seconds Example host1 config l2tp dial out dormant timer value 300 U...

Страница 455: ...dial out target Use to define an L2TP dial out target When the router receives packets destined for the target it creates a dial out session When you create a target you must specify the following ip...

Страница 456: ...nitoring Status of Dial out Sessions on page 447 Monitoring Dial out Targets within the Current VR Context on page 448 Monitoring Operational Status within the Current VR Context on page 450 416 Monit...

Страница 457: ...e cause of the disconnection The following list shows current disconnection causes on an E Series LNS that do not have a specific disconnect cause codes The peer initiated termination of LCP after the...

Страница 458: ...beyond the completion of LCP negotiation and Prior to receiving the terminate request from the peer the local LCP has sent a Protocol Reject in response to any packet for Encryption Control Protocol E...

Страница 459: ...PPP L2TP uses the authenticated name as part of the key for bundle selection Therefore there will never be an unexpected authenticated name for an existing MLPPP bundle authenticate mlppp name mismatc...

Страница 460: ...within the time allowed for upper layer negotiation Code 19 with direction 1 is generated if the peer denies address parameters requested by the local NCP Code 19 with direction 2 is generated if the...

Страница 461: ...cked Out Destinations on page 431 Monitoring Configured Destination Profiles or Host Profiles on page 431 Monitoring Configured and Operational Status of all Destinations on page 434 Monitoring Statis...

Страница 462: ...page 422 lists the show aaa domain map command output fields Table 80 show aaa domain map Output Fields Field Description Field Name Name of the domain Domain Virtual router to which user domain name...

Страница 463: ...expected from the peer the LNS when during tunnel startup Tunnel Server Name Preference level for the tunnel Tunnel Preference Maximum number of sessions allowed on a tunnel Tunnel Max Sessions L2TP r...

Страница 464: ...e 81 on page 424 lists the show aaa tunnel group command output fields Table 81 show aaa tunnel group Output Fields Field Description Field Name Name of the domain Domain Virtual router to which user...

Страница 465: ...l Tunnel Client Name Host name expected from the peer the LNS when during tunnel startup Tunnel Server Name Preference level for the tunnel Tunnel Preference Maximum number of sessions allowed on a tu...

Страница 466: ...the show aaa tunnel parameters command output fields Table 82 show aaa tunnel parameters Output Fields Field Description Field Name Default tunnel password Tunnel password Hostname that the LAC sends...

Страница 467: ...ission retries for established tunnels is 5 Retransmission retries for not established tunnels is 5 Tunnel idle timeout is 60 seconds Failover within a preference level is disabled Weighted load balan...

Страница 468: ...timeout Enabled or disabled Failover within a preference level Enabled or disabled Weighted load balancing Enabled or disabled Tunnel authentication challenge Whether the E Series LAC sends Calling S...

Страница 469: ...nformation about specified destinations To display information about a specific destination host1 show l2tp destination ip 172 31 1 98 L2TP destination 1 is Up with 5 active tunnels and 64 active sess...

Страница 470: ...uter on which the tunnel is configured Virtual Addresses of the local and remote interfaces Local and peer addresses Effective administrative state The more restrictive of the router and destination a...

Страница 471: ...destination is waiting for the lockout timeout to expire and how much time is left or waiting for the lockout test to start or finish L2TP destination waiting Number of destinations that are currentl...

Страница 472: ...ssword is 222 Interface profile is ascints Default upper binding type mlppp Maximum sessions is 250 Failover resync is failover protocol Statistics Current session count is 2 Remote host is mexico Con...

Страница 473: ...t Local IP address Identifier for bundled sessions Bundled group id Password for the tunnel Tunnel password Name of the host profile Interface profile Status of proxy LCP for the remote host Proxy lcp...

Страница 474: ...strative status of the L2TP destination enabled No restrictions on creation and operation of sessions and tunnels for this destination drain Router will not create new sessions or tunnels for this des...

Страница 475: ...lppp endpoint discriminator mismatch 9 0 0 0 lcp mlppp peer mrru not valid 10 0 0 0 lcp mlppp peer ssn invalid 11 0 0 0 lcp callback refused 12 0 0 0 authenticate timed out 13 0 0 0 authenticate mlppp...

Страница 476: ...session id is 2 Statistics packets octets discards errors Data rx 7 237 1 0 Data tx 6 160 0 0 Session operational configuration User name is t1 s1 local Tunneling PPP interface atm 0 0 1 Call type is...

Страница 477: ...ify the session locally and remotely Local and peer session id Information about the traffic for this session Statistics Information received from the peer when the session was created Session operati...

Страница 478: ...profiles configured on the router Action To display only the names of the L2TP tunnel switch profiles configured on the router host1 show l2tp switch profile L2TP tunnel switch profile concord L2TP tu...

Страница 479: ...p with 12 active sessions 5 L2TP tunnels found To display detailed configuration information about specified tunnel host1 show l2tp tunnel detail 1 xyz L2TP tunnel 1 xyz is Up with 13 active sessions...

Страница 480: ...ps Tunnel address information Tunnel address Method used to transfer traffic Transport Name of the virtual router on which the tunnel is configured Virtual router IP addresses of the local and remote...

Страница 481: ...n acknowledgment from the router Receive window size Number of acknowledgments that the router has received from the peer Receive ZLB Number of received control packets that were out of order Receive...

Страница 482: ...creation and operation of sessions for this tunnel drain Router will not create new sessions for this tunnel disabled Router disabled existing sessions and will not create new sessions for this tunne...

Страница 483: ...nhibited 0 Maximum targets inhibited 0 Authentication grant for nonexistent session 0 Authentication deny for nonexistent session 0 Dial out Virtual router statistics Virtual routers active 0 Virtual...

Страница 484: ...state 0 Sessions in connecting state 0 Sessions in inService state 0 Sessions in inhibited state 0 Sessions in postInhibited state 0 Sessions in failed state 0 To display information about the operati...

Страница 485: ...al router statistics VRs in use by the state machine Virtual routers active VRs that have been used by the state machine Virtual routers created VRs no longer used by the state machine Virtual routers...

Страница 486: ...tics Currently active sessions Sessions active All sessions created Sessions created Sessions deleted Sessions removed Sessions reset using the l2tp dial out session reset command Sessions reset Trigg...

Страница 487: ...aspects of the dial out state machine and details about the dial out routes themselves This section presents sample output The actual output on your router may differ significantly Action To display...

Страница 488: ...Session Current status of the session Status Current operational status of session Operational status Related Topics For detailed information about operational states see Dial Out Operational States...

Страница 489: ...virtual routers host1 dialout show l2tp dial out target allVirtualRouters NOTE The level of a user s permission determines the use of the allVirtualRouters option For example if you have permission to...

Страница 490: ...fers per session 0 To display aggregate counts for dial out state machines in each of the possible operational and administrative states host1 dialout show l2tp dial out virtual router summary To disp...

Страница 491: ...um number of trigger packets held in buffer while the dial out session is being established Maximum trigger buffers per session Related Topics For detailed information about operational states see Dia...

Страница 492: ...452 Monitoring Operational Status within the Current VR Context JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 493: ...5 DHCP Local Server Overview on page 463 Configuring DHCP Local Server on page 471 Configuring DHCP Relay on page 489 Configuring the DHCP External Server Application on page 517 Monitoring and Troubl...

Страница 494: ...454 Managing DHCP JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 495: ...on parameter carried by DHCP is the IP address A computer must be initially assigned a specific IP address that is appropriate to the network to which the computer is attached and that is not assigned...

Страница 496: ...L line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external server and DHCP local server in equal access mode the router retrieves th...

Страница 497: ...ring RADIUS Attributes on page 165 and RADIUS IETF Attributes on page 253 Configuring the DHCP Access Model The E Series router provides a DHCP access model which enables you to integrate the router i...

Страница 498: ...address to the remote host The new IP address is included when the router next updates its routing table Dynamic IP addresses are leased to the remote host for a specific period of time which can rang...

Страница 499: ...CP packet processing The logged packets are output to the dhcpCapture event logging category You can configure per interface DHCP packet logging on statically configured and dynamically created IP int...

Страница 500: ...mand To delete a connected user s IP address lease and the associated route configuration when the DHCP client binding is no longer needed use the dhcp delete binding command When you delete a DHCP cl...

Страница 501: ...e remote ID string supports matching of both regular expression metacharacters and nonprintable ASCII characters in binary sequences subnetAddress IP address of the subnet on which the DHCP client res...

Страница 502: ...delete DHCP client bindings that match the specified circuit ID string host1 vr3 dhcp delete binding circuit id xe3 To specify nonprintable byte codes in the circuit ID string or remote ID string you...

Страница 503: ...Server on page 483 In equal access mode the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service In standalone mode the...

Страница 504: ...ess Mode Overview In equal access mode the router enables access to non PPP users Non PPP equal access requires the use of the router s DHCP local server and SRC software which communicates with a RAD...

Страница 505: ...rk can be presented to the DHCP local server in the client s DHCP request message The giaddr field in the DHCP request message contains the IP address of a DHCP relay agent The router attempts to matc...

Страница 506: ...configure the DHCP local server to use AAA authentication for the incoming clients The DHCP local server receives DHCP client requests for addresses selects DHCP local pools from which to allocate add...

Страница 507: ...e authentication is successful the local server selects an IP address pool based on the order presented in Table 100 on page 467 When the router finds a match it selects a pool based on the match and...

Страница 508: ...entify clients when it receives subsequent messages and to maintain the state of each client within the DHCP protocol In addition the table contains information that may be transferred to and from the...

Страница 509: ...Authentication for DHCP Local Server Standalone Mode on page 481 for a sample configuration 2 For standalone mode optionally configure the router to use AAA authentication for DHCP requests from subsc...

Страница 510: ...470 DHCP Local Server Configuration Tasks JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 511: ...Addresses from Address Pools on page 473 Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces on page 474 Differentiating Between Clients with the Same Client ID or Hard...

Страница 512: ...fied in the DHCP local pool host1 config ip dhcp local excluded address 10 10 3 4 4 Optional Enable general DHCP local server traps See Using SNMP Traps to Monitor DHCP Local Server Events on page 476...

Страница 513: ...itchover or reload if the action that caused the dynamic interface to be created occurs again a new dynamic interface is created The new dynamic interface then inherits the limit set by the global val...

Страница 514: ...enables the DHCP local server to create unique client IDs to support roaming clients and to manage situations in which two clients in the network have the same hardware address NOTE This feature repl...

Страница 515: ...in the following situations When duplicate client IDs and duplicate hardware addresses do not exist in your network When the DHCP local server application interacts with DHCP relays in your network t...

Страница 516: ...verity level 1 alert 2 critical and 3 error events This trap helps administrators monitor DHCP local server general health error statistics address lease status and protocol events The global SNMP tra...

Страница 517: ...an IP DHCP Local Server Binding on page 476 Configuring DHCP Local Address Pools on page 478 Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 481 Configuring DHCP Local Ser...

Страница 518: ...0 10 1 1 The default router must be on the same subnetwork as the local server pool IP addresses that you configure with the network command You specify the IP address of a primary server and optional...

Страница 519: ...p node Peer to peer m node Mixed h node Hybrid 9 Specify the IP addresses that the DHCP local server can provide from an address pool host1 config dhcp local network 10 10 1 0 255 255 0 0 Use the forc...

Страница 520: ...address pools that are linked are viewed as a group Setting Grace Periods for Address Leases The JUNOSe software enables you to configure a grace period for a particular local address pool the grace p...

Страница 521: ...ptionally apply the grace period to released addresses Configuring AAA Authentication for DHCP Local Server Standalone Mode The DHCP local server enables you to optionally configure AAA based authenti...

Страница 522: ...s host1 config service dhcp local standalone authenticate 3 Specify the password that authenticates a locally configured DHCP standalone mode client In DHCP standalone mode the password is presented t...

Страница 523: ...ID included MAC Address excluded Option 82 excluded Related Topics ip dhcp local auth domain command ip dhcp local auth include command ip dhcp local auth password command ip dhcp local auth user pref...

Страница 524: ...does not expire 3 Specify the name of a DNS domain for DHCPv6 clients in the current virtual router to search You can specify a maximum of four DNS domains for a DHCPv6 local server s search list hos...

Страница 525: ...s you want to delete all All DHCPv6 local server client bindings ipv6Prefix IPv6 prefix address and subnetwork mask of the DHCPv6 clients for example 2002 2 4 1 64 string Local address pool name for e...

Страница 526: ...io for this example Subscribers obtain access to ISP Boston via a router Subscribers log in through the SRC software and a RADIUS server provides authentication Figure 12 Non PPP Equal Access Configur...

Страница 527: ...he DHCP local server cannot assign these addresses host1 config ip dhcp local excluded address 10 10 1 1 host1 config ip dhcp local excluded address 10 10 1 2 6 Configure the DHCP local server to prov...

Страница 528: ...488 Configuring the Router to Work with the SRC Software JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 529: ...P request If you do not configure DHCP relay then BOOTP relay is disabled The router must wait for an acknowledgment from the DHCP server that the assigned address has been accepted The IP client must...

Страница 530: ...0 Strings to Forward Client Traffic to Specific DHCP Servers on page 497 host1 config set dhcp relay Use the no version without specifying an IP address to explicitly delete the DHCP relay from the cu...

Страница 531: ...ional option 82 if one is already present in the DHCP packets Assigning the Giaddr to Source IP Address As a security measure DHCP servers typically use the giaddr included in DHCP packets to ensure t...

Страница 532: ...sing the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets Each DHCP request packet includes a broadcast flag that if set specifies how to transmit DHCP Offer reply packets and DHCP...

Страница 533: ...st first issue the no set dhcp relay layer2 unicast replies command to disable layer 2 unicast replies and then issue the set dhcp relay broadcast flag replies command again to enable broadcast flag r...

Страница 534: ...ault which is required in certain configurations to enable address renewals from the DHCP server to work properly However the default installation of host routes might cause a conflict when you config...

Страница 535: ...10 0 to subscriber interface ip53001 host1 config ip route 10 10 10 0 255 255 255 252 ip ip53001 7 Prevent DHCP relay from installing host routes this avoids a conflict that can cause undesirable ARP...

Страница 536: ...figure DHCP relay to use information in the giaddr in DHCP ACK messages to specify which interface is to be used as the primary interface This capability allows you to build dynamic interfaces on the...

Страница 537: ...re option 60 strings in received DHCP client packets against strings that you configure on the router You can use the DHCP relay option 60 feature when providing converged services in your network env...

Страница 538: ...eywords to configure actions for nonmatching strings drop Discard traffic local server Forward packets to the DHCP local server proxy client Forward traffic to the DHCP proxy client server relay Forwa...

Страница 539: ...onfig set dhcp relay 2 Configure the action DHCP relay takes when the incoming traffic has an exact option 60 string of myword DHCP relay forwards this traffic to the DHCP server with an IP address of...

Страница 540: ...dhcp local equal access host1 config set dhcp vendor option equals docsis relay 192 168 1 1 host1 config set dhcp vendor option equals cablemodem relay 192 168 1 1 Use the show dhcp summary and show d...

Страница 541: ...he client originated DHCP packets that the DHCP relay forwards to a DHCP server When the DHCP relay agent information option is enabled the DHCP relay adds the option 82 information to packets it rece...

Страница 542: ...gent replaces any existing Vendor Specific value in the client packet with the relay agent s value The JUNOSe software provides two commands that you can use to configure DHCP relay agent information...

Страница 543: ...ble Disable set dhcp relay agent remote id only Disable Disable Disable no set dhcp relay agent Format of the JUNOSe Data Field in the Vendor Specific Suboption for Option 82 RFC 4243 describes suppor...

Страница 544: ...4 high order bits are 0 Example 1 The Vendor Specific suboption for a VLAN ID of 2468 0x09a4 and a UPC of 5 is formatted as follows 09 0c 00 00 13 0a 07 01 02 09 a4 02 01 05 UPC val 5 UPC len 1 byte U...

Страница 545: ...Agent Circuit ID suboption identifies the interface on which DHCP packets are received When the packets are received on a LAG interface the router clearly identifies the interface The suboptions inclu...

Страница 546: ...dleA LAG interface with VLAN hostname vrname interface type bundle name sub if vlan id Examples lag bundleA 1 2 relayVr lag bundleA 2 bostonHost lag bundleA 1 2 LAG interface with Stacked VLAN hostnam...

Страница 547: ...signs an IP address that provides the desired service to the DHCP client The DHCP server uses information based on the IEEE 802 1p values which are extracted from the DHCP packets using JUNOSe softwar...

Страница 548: ...0 host1 config policy list classifier group exit host1 config policy list classifier group dot1p1 host1 config policy list classifier group user packet class 1 host1 config policy list classifier grou...

Страница 549: ...use the option 82 suboptions This configuration includes the command that specifies the mapping of the user packet class values from the layer 2 policy to the user packet class type in the option 82 V...

Страница 550: ...command to enable support for DHCP relay agent option which includes the option 82 suboptions Agent Circuit ID suboption 1 and Agent Remote ID suboption 2 This command does not support the Vendor Spe...

Страница 551: ...astEthernet 1 2 3 4 relayVr fastEthernet 1 2 4 bostonHost fastEthernet 1 2 3 4 Ethernet interface with Stacked VLAN hostname vrname interface type slot port sub if svlan id vlan id Examples fastEthern...

Страница 552: ...cuit ID suboption If you do not explicitly specify the circuit id only or remote id only keyword both suboptions are used Related Topics radius remote circuit id format set dhcp relay set dhcp relay a...

Страница 553: ...t a Timeout for DHCP Client Renewal Messages You can set the amount of time in the range 1 168 hours that the DHCP relay proxy waits for a renewal message from DHCP clients after a router reboot or sw...

Страница 554: ...released the host routes that are no longer needed are still unavailable For additional information on managing client bindings see Viewing and Deleting DHCP Client Bindings on page 460 Selecting the...

Страница 555: ...s renewal requests from clients For information about using the set dhcp relay layer2 unicast replies command see Configuring Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients on p...

Страница 556: ...516 Configuring DHCP Relay Proxy JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 557: ...namic Subscriber Interfaces on page 524 Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces on page 526 Configuring Dynamic Subscriber Interfaces for Interoperati...

Страница 558: ...riber requests an address from the DHCP server through the E Series router All communication between the subscriber and the DHCP server is monitored by the E Series router After the subscriber receive...

Страница 559: ...dynamic subscriber interface for the client that exists with the client s primary interface A client normally receives broadcast traffic such as the traffic associated with the DHCP discovery process...

Страница 560: ...OSe releases in which deleting and re creating the dynamic subscriber interface was the default behavior for the DHCP external server Related Topics Configuring DHCP External Server to Control Preserv...

Страница 561: ...uplicate MAC mode by issuing the dhcp external duplicate mac address command and creation of subscriber state information based on lease renewals by issuing the ip dhcp external server sync command si...

Страница 562: ...guration Requirements To configure the E Series router to support an external DHCP server you enable the DHCP external server application on the router If you are using DHCP packet detection you must...

Страница 563: ...the DHCP external server application You can resynchronize and create subscriber state information that is based on lease renewals To synchronize the external DHCP server with the E Series router Issu...

Страница 564: ...external server application to ignore the giaddr when determining the next hop for the subscriber access routes Issue the ip dhcp external disregard giaddr next hop command from Global Configuration...

Страница 565: ...er a dynamically created VLAN the VLAN is dynamically created based on the agent circuit id option suboption 1 that is contained in the DHCP option 82 field For information about configuring agent cir...

Страница 566: ...starts the discovery process on its primary IP interface Issue the ip dhcp external recreate subscriber interface command from Global Configuration mode host1 vr1 config ip dhcp external recreate subs...

Страница 567: ...face profile host1 config profile dsiTest host1 config profile ip unnumbered loopback 5500 host1 config profile exit 2 Define a route map in the VR in which the static primary IP interface resides hos...

Страница 568: ...to configure the primary IP interface to support creation of dynamic subscribers interfaces which is accomplished by issuing the ip auto configure ip subscriber exclude primary command as shown in Ste...

Страница 569: ...lete a specific client host1 dhcp external delete binding binding id 3972819365 Related Topics dhcp delete binding dhcp external delete binding Deleting Clients from a Virtual Router s DHCP Binding Ta...

Страница 570: ...ult in a service interruption To configure the DHCP external server application to use a combination of the MAC address and giaddr to uniquely identify DHCP clients also known as enabling duplicate MA...

Страница 571: ...enable the IP Subscriber Manager application to re authenticate the auto detected subscribers created on static and dynamic primary IP interfaces after a cold boot Issue the ip re authenticate auto d...

Страница 572: ...532 Configuring DHCP External Server to Re Authenticate Auto Detected Dynamic Subscriber Interfaces JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 573: ...ion Information on page 547 Monitoring DHCP External Server Statistics on page 548 Monitoring DHCP External Server Duplicate MAC Address Setting on page 549 Monitoring DHCP Local Address Pools on page...

Страница 574: ...you retrieve baseline relative statistics Use the delta keyword with the show dhcp commands to display baselined statistics Tasks to set a baseline for DHCP statistics are 1 Setting a Baseline for DH...

Страница 575: ...fy the type of interface and interface specifier host1 baseline ip dhcp local interface atm 3 1 To set a baseline for DHCPv6 local server statistics Issue the baseline ipv6 dhcpv6 local command host1...

Страница 576: ...ings Tasks to monitor DHCP bindings are Monitoring DHCP Binding Information on page 537 Monitoring DHCP Binding Count Information on page 540 Monitoring DHCP Binding Host Information on page 542 Monit...

Страница 577: ...00 0013 9365 local 0 0 0 0 81 3 0 11 bound 2409734618 8000 000b 9365 local 0 0 0 0 81 3 0 7 bound 2409734619 8000 0009 9365 local 0 0 0 0 81 3 0 6 bound The output of the show dhcp binding command is...

Страница 578: ...0 0 71 1 0 14 bound 3070230543 7000 000e 9365 relay p 0 0 0 0 71 1 0 16 bound 3070230545 7000 0010 9365 relay p 0 0 0 0 71 1 0 18 bound 3070230547 7000 0012 9365 relay p 0 0 0 0 71 1 0 20 bound 307023...

Страница 579: ...ent 0 0 0 0 for DHCP external server and DHCP relay proxy bindings IpSubnet IP address assigned to client IpAddress State of the DHCP client binding State IP address of the DHCP server that allocated...

Страница 580: ...and interfaces with the specified interface string host1 vr2 show dhcp count interface ip71 4 Assigned Bound Type IpSubnet Interfaces Clients Clients Clients external 0 0 0 0 3 3 3 3 This show dhcp co...

Страница 581: ...remote ID string is not supported for the DHCP external server application DHCP external server does not store information about the agent circuit id suboption or agent remote id suboption of option 8...

Страница 582: ...ts of the show dhcp host command are arranged in ascending order by IP address whereas the results of the show dhcp binding command are arranged in ascending order by binding ID To display binding inf...

Страница 583: ...nding order by IP address To display information about DHCP external server bindings with a specified subnet address host1 vr1 show dhcp host external 0 0 0 0 To display information about DHCP binding...

Страница 584: ...available in seconds Lease Detailed output only Time remaining on the current lease in seconds Remaining Detailed output only IP interface that is associated with the client IpInterface Related Topics...

Страница 585: ...he current lease in seconds Expire Interface that is associated with the subscriber s computer Interface Related Topics show ip dhcp external binding Monitoring DHCP Bindings Displaying DHCP Bindings...

Страница 586: ...ace NOTE This command is deprecated and might be removed completely in a future release The function provided by this command has been replaced by the show dhcp binding command Action To display DHCP...

Страница 587: ...ernal Server Configuration Information Purpose Display information about the router s DHCP external server application Action To display DHCP external server information host1 show ip dhcp external co...

Страница 588: ...urpose Display statistics for all external DHCP servers or for a specific server Action To display statistics for a DHCP external server host1 config show ip dhcp external statistics server address 10...

Страница 589: ...ernal server application Currently this command displays the status of the method that DHCP external server uses to uniquely identify DHCP clients with duplicate MAC addresses Action To display the du...

Страница 590: ...Server Address 10 10 20 8 Linked Pool cable5 High utilization threshold 85 Abated utilization threshold 75 Current utilization 0 Utilization trap disabled Shared pool allocations 25 To display informa...

Страница 591: ...Servers Address of default router used for subscribers Default Routers DHCP server address that is sent to subscribers Server Address Names of any pools that are linked to this pool Linked Pool Thres...

Страница 592: ...ver Authentication Configuration User Prefix ERX4 Boston Domain ISP1 com Password to4TooL8 Virtual Router included Circuit Type included Circuit ID included MAC Address excluded Option 82 excluded To...

Страница 593: ...sts that have been granted auth grants Number of authorization requests that have been denied auth denies Related Topics show ip dhcp local auth Monitoring DHCP Local Server Configuration Purpose Disp...

Страница 594: ...2005 08 01 12 UTC To display information about all DHCP local server leases host1 show ip dhcp local leases Dhcp Local Leases Address Hardware Lease Initiated Renewed 192 168 0 2 10 06 10 00 10 32 120...

Страница 595: ...or clients in the grace period Expiration Infinite or the number of seconds remaining in the lease if any remaining time of grace period for clients in the grace period Remaining Day date and time the...

Страница 596: ...packet 17 in error 0 in discard 0 unknown client packet 3 Transmit Statistics offer 4 ack accept 5 ack renew 1 ack rebind 1 nak 3 nak renew 0 nak rebind 0 total out packet 14 out error 0 out discard 0...

Страница 597: ...acket Statistics for packets that have been transmitted Transmit Statistics Number of DHCP offer messages sent offer Number of DHCP acknowledgments sent in response to accepted requests ack accept Num...

Страница 598: ...d with the vendor option command drop the DHCP application responsible for the action has not been configured yet therefore all packets for this application will be dropped Total 4 entries Vendor opti...

Страница 599: ...entries no match Related Topics show dhcp vendor option Monitoring DHCP Packet Capture Settings Purpose Display the configuration for per interface DHCP packet logging Action To display configuration...

Страница 600: ...Override Option off Trust All Clients off Preserve Option From Trusted Clients off Circuit ID Sub option 1 on select hostname select exclude subinterface id Remote ID Sub option 2 on Vendor Specific S...

Страница 601: ...IP addresses of configured DHCP servers DHCP Server Addresses Related Topics show dhcp relay Monitoring DHCP Relay Proxy Statistics Purpose Display statistics for the DHCP relay proxy NOTE The show dh...

Страница 602: ...e messages sent to a server Decline Number of releases sent to a server Release Number of information messages sent to a server Inform Number of clients being maintained by the relay proxy Active Clie...

Страница 603: ...tion circuit ID suboption On add Relay Agent Option remote ID suboption On packets with giaddr override 0 packets with Relay Agent Option override 2 packets forwarded with Relay Agent Option already p...

Страница 604: ...y reply messages that were discarded because their message type for example offer ack was unknown possibly due to corruption dropped unknown message type reply packets Relay Agent Option statistics st...

Страница 605: ...received from DHCP servers that were discarded because their server address and XID do not match an outstanding DHCP server request dropped unknown xid reply packets Number of DHCP relay requests sent...

Страница 606: ...gments received from the server Naks received Number of IP addresses rejected because they were already in use addresses declined Number of IP addresses released back to the server addresses released...

Страница 607: ...server Address Number of IP address leases granted by the server Leases Number of offers sent by the server Offers Number of requests sent to the server Requests Number of acknowledgments received fr...

Страница 608: ...DHCPv6 Local Server DNS Search Lists Purpose Display the DHCPv6 local servers DNS search list Action To display the DNS search list for DHCPv6 local servers host1 show ipv6 dhcpv6 local dns domain sea...

Страница 609: ...s Field Description Field Name IPv6 address of the DNS server DNS server Related Topics show ipv6 dhcpv6 local dns servers Monitoring DHCPv6 Local Server Prefix Lifetime Purpose Display the DHCPv6 def...

Страница 610: ...pv6 dhcpv6 local statistics command output fields Table 129 show ipv6 dhcpv6 local statistics Output Fields Field Description Field Name Number of bytes of memory used by DHCPv6 local server memUsage...

Страница 611: ...es that are being used by DHCP local server clients Optionally display information for a specific duplicate MAC address Action To display information about a specific MAC address being used by multipl...

Страница 612: ...hcp Local Interface Limits Total Interface Limit Count Denied Denied atm 3 1 300 127 5 29 To display information about the maximum number of leases on all interfaces host1 config show ip dhcp local li...

Страница 613: ...ated Topics show ip dhcp local limits Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server Purpose Display the static IP address MAC address pairs that the DHCP local serve...

Страница 614: ...server and DHCP external server Action To display the status of the configured DHCP applications host1 show dhcp summary DHCP local server configured and inactive DHCP relay configured and active Mean...

Страница 615: ...nvironment Configuring Subscriber Management on page 577 Monitoring Subscriber Management on page 593 Configuring Subscriber Interfaces on page 597 Monitoring Subscriber Interfaces on page 629 Managin...

Страница 616: ...576 Managing the Subscriber Environment JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 617: ...mers to create a unified subscriber management provisioning and service delivery environment The flexibility of the router provides a variety of methods and configurations that enable customers to dyn...

Страница 618: ...k service usage that can be used for volume based billing Dynamic address assignment Uses RADIUS DHCP and profiles to dynamically allocate IP addresses to subscribers Dynamic policy management Uses po...

Страница 619: ...Subscriber Management Procedure Figure 15 on page 579 shows a subscriber management environment that includes an external DHCP server a RADIUS server the SRC software and the DHCP external server appl...

Страница 620: ...to provide authentication authorization accounting and address assignment RADIUS uses the profile to obtain information for the subscriber s IP interface Creates the subscriber s dynamic subscriber in...

Страница 621: ...route map exit 6 Enable autoconfiguration mode host1 config interface gigabitEthernet 12 0 host1 config if ip address 192 168 1 1 255 255 255 0 host1 config if ip auto configure ip subscriber include...

Страница 622: ...created by JUNOSe subscriber management Specify one of the following circuit types atm or vlan Use the optional prepend circuit type keyword to specify that the circuit type is prepended to the circui...

Страница 623: ...nclusion of the IP address in the username See include ip address include mac address Use to include the MAC address identifier in the username that is dynamically created by JUNOSe subscriber managem...

Страница 624: ...keyword to specify that the primary interface is assigned to a subscriber See ip auto configure ip subscriber ip auto detect ip subscriber Use to set the router packet detect feature and specify that...

Страница 625: ...is greater than the configured value and the interface is deleted On static interfaces the subscriber s access route is removed when the inactivity timer is exceeded When the subscriber logs back in t...

Страница 626: ...stateful SRP switchover high availability using an IP service profile to configure subscriber authentication is preferable to using either the subscriber command or the atm atm1483 subscriber command...

Страница 627: ...c subscriber interfaces associated with this primary IP interface See ip use framed routes ip subscriber password Use to specify the password for an IP service profile The password is used as the dyna...

Страница 628: ...he no version to remove the source address range from the route map See set ip source prefix user name Use to specify the username for an IP service profile The username is used as the dynamically cre...

Страница 629: ...ier group filter host1 config policy list classifier group exit host1 config policy list exit host1 config An interface profile that references the restrictAccess policy host1 config profile atlInterf...

Страница 630: ...atlServiceProfile host1 config service profile user prefix xyzcorp atl host1 config service profile domain eastcoast host1 config service profile include hostname host1 config service profile include...

Страница 631: ...ier vlan host1 config service profile include mac address host1 config service profile include dhcp option 82 agent circuit id host1 config service profile exit host1 config The example generates the...

Страница 632: ...592 Subscriber Management Configuration Examples JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 633: ...tion about IP service profiles host1 show ip service profile ip service profile west500 user name finance22 user prefix xyz bos domain xyzcorp net include virtual router name include mac address inclu...

Страница 634: ...file agent circuit id or agent remote id include dhcp option 82 Password used to retrieve information from RADIUS for subscriber interfaces password Related Topics show ip service profile Monitoring A...

Страница 635: ...is configured Virtual Router Name of subscriber interface ip indicates that subscriber manager created this interface Interface Day date and time that the subscriber logged in Login Time MAC address o...

Страница 636: ...596 Monitoring Active IP Subscribers Created by Subscriber Management JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 637: ...page 616 Subscriber Interfaces Overview You can configure E Series routers to create subscriber interfaces statically or dynamically The following list shows the underlying layer 2 interfaces on which...

Страница 638: ...P session An example of a dynamic interface configuration is a PPPoE session running on top of a Gigabit Ethernet VLAN interface Figure 16 on page 598 shows an example of the dynamic interface stack F...

Страница 639: ...u must manually configure the SSI and you cannot use the same dynamic profiles and RADIUS that DSIs use Subscribers can be connected to a single broadcast segment without using dynamic or static subsc...

Страница 640: ...addresses at any given time For example Figure 18 on page 600 illustrates the relationship between subscriber interfaces an associated primary IP interface and an associated Ethernet interface Figure...

Страница 641: ...cally created subscriber interfaces see Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces on page 607 Routing Protocols You configure unicast routing protocols on subscribe...

Страница 642: ...6 or a local gaming service on network 10 12 0 0 16 Rate limits and policies on the subscriber interface customize the service level for the associated service In this application the E Series router...

Страница 643: ...uter can separate the traffic from subnets A and B Because the E Series router is forwarding traffic in this application the shared IP interface should demultiplex the traffic by using a source addres...

Страница 644: ...igabitEthernet 0 1 For E120 and E320 Routers use the slot adapter port format which includes an identifier for the bay in which the I O adapter IOA resides In the software adapter 0 identifies the rig...

Страница 645: ...ubscriber an IP address from one of the local address pools In equal access mode the DHCP local server works with Juniper Networks Session and Resource Control SRC software and the authorization accou...

Страница 646: ...06 shows the interface stacking in an IP over Ethernet dynamic subscriber interface configuration The illustration indicates which layers in the stack are static and dynamic and identifies the CLI com...

Страница 647: ...configurations or the router for packet detection configurations then assigns a subscriber an IP address matching this source prefix the router does not create a dynamic subscriber interface for that...

Страница 648: ...is discarded In addition creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router s Address Resolution Protocol ARP table This occurs regardless of whet...

Страница 649: ...ow arp command The following sample output from the show ip mac validate interface command displays the MAC address validation state strict inherited by the dynamic subscriber interface ip74 39 64 3 f...

Страница 650: ...s on network 10 12 0 0 16 Figure 22 Subscriber Interfaces Using a Destination Address to Demultiplex Traffic E Series router To configure the static subscriber interfaces shown in Figure 22 on page 61...

Страница 651: ...an address or make it unnumbered host1 config if ip unnumbered loopback 0 d Specify the destination addresses for the subscriber interface to use to demultiplex traffic host1 config if ip destination...

Страница 652: ...yer 2 interface host1 config interface fastEthernet 4 1 b Create a primary IP interface host1 config if ip address 10 1 1 1 255 255 255 0 c Exit Interface Configuration mode host1 config if exit 2 Con...

Страница 653: ...subscriber interface IP2 host1 config virtual router vrb Proceed with new virtual router creation confirm yes host1 vrb config interface ip ip2 host1 vrb config if ip share interface fastEthernet 4 1...

Страница 654: ...Broadband Services Router or the E320 router you can configure up to 1024 subnets for static subscriber interfaces per primary IP interface when each subnet has a variable network mask that is less th...

Страница 655: ...stination if the next hop IP address is resolvable over MPLS If you specify a virtual router the command fails if the VR does not already exist If you do not specify a VR the current VR is assumed Aft...

Страница 656: ...ing DHCP events perform the following steps 1 Configure the DHCP server For instructions see Configuring the DHCP Local Server on page 471 2 Specify a Fast Ethernet Gigabit Ethernet or 10 Gigabit Ethe...

Страница 657: ...rface by adding a subinterface number to the interface identification command host1 config if interface gigabitEthernet 1 0 1 5 Assign a unique VLAN ID to the VLAN subinterface host1 config if vlan id...

Страница 658: ...Configure an associated PVC for the ATM 1483 subinterface by specifying the VCD the VPI the VCI and the encapsulation type host1 config subif atm pvc 10 100 22 aal5snap 5 Specify bridged Ethernet as t...

Страница 659: ...GRE tunnel interface For instructions see the Configuration Tasks section in JUNOSe IP Services Configuration Guide 2 Create the primary IP interface by assigning an IP address and mask to the bridge...

Страница 660: ...each physical interface this example assigns an IP address to a loopback interface loopback 0 Each physical interface is then configured as an unnumbered IP interface referencing the same loopback int...

Страница 661: ...0 10 Create an unnumbered primary IP interface associated with the loopback interface configured in Steps 6 and 7 host1 config if ip unnumbered loopback 0 11 Configure the primary IP interface to ena...

Страница 662: ...rver Example host1 config dhcp local default router 10 10 1 1 Use the no version to remove the association between the address pool and the router See default router encapsulation bridge1483 Use to co...

Страница 663: ...move an interface or a subinterface if the one above it still exists See interface fastEthernet interface gigabitEthernet Use to select a Gigabit Ethernet interface NOTE You can configure only the pri...

Страница 664: ...er host IP addresses within that subnet 1 1 1 1 16 if no specific or longer route entry is found or if the SRP module receives too much traffic from subnets other than 1 1 1 1 the CPU utilization on t...

Страница 665: ...figure ip subscriber include primary Use the no version to disable creation of dynamic subscriber interfaces associated with this primary IP interface Use the no version with the include primary keywo...

Страница 666: ...amic creation of subscriber interfaces to demultiplex traffic with the specified source address You can issue this command from either Interface Configuration mode or Subinterface Configuration mode E...

Страница 667: ...er can provide from an address pool Example host1 config dhcp local network 10 10 1 0 255 255 255 0 Use the no version to remove the network address and mask See network service dhcp local Use to enab...

Страница 668: ...vlan id Use to configure a VLAN ID for a VLAN subinterface Specify a VLAN ID number that is in the range 0 4095 and is unique within the Ethernet interface Issue the vlan id command before you config...

Страница 669: ...see the Monitoring IP section in JUNOSe IP Services Configuration Guide Action You can use the show ip demux interface command to monitor the configuration of subscriber interfaces Monitoring Subscri...

Страница 670: ...Display information about active IP subscribers that were created by the JUNOSe software s subscriber management feature Action To display information about subscribers that were created by subscribe...

Страница 671: ...at subscriber manager created this interface Interface Day date and time that the subscriber logged in Login Time MAC address of the subscriber Mac Address AAA profile handle Profile Handle Interface...

Страница 672: ...632 Monitoring Active IP Subscribers Created by Subscriber Management JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 673: ...Part 6 Managing Subscriber Services Configuring Service Manager on page 635 Monitoring Service Manager on page 701 Managing Subscriber Services 633...

Страница 674: ...634 Managing Subscriber Services JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 675: ...on page 661 Combined and Independent IPv4 and IPv6 Services in a Dual Stack Overview on page 663 Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack on page 664 Configuring RADIUS Ac...

Страница 676: ...and Acronyms Table 138 on page 636 defines terms and acronyms that are used in this discussion of the Service Manager application Table 138 Service Manager Terms and Acronyms Definition Term A service...

Страница 677: ...tion about the topics covered in this chapter see the following documents Data Over Cable Service Interface Specifications DOCSIS 2 0 Radio Frequency Interface Specification CM SP RFIv2 0 I10 051209 F...

Страница 678: ...nable statistics collection Activate the service session Deactivate service sessions Optional for RADIUS CoA method Configure the CoA feature for the RADIUS dynamic request server Use the CLI to manag...

Страница 679: ...hen you can associate the service definition with subscribers to create their service sessions Service definitions gives you flexibility by enabling you to use A single service definition to create a...

Страница 680: ...initions independent of the Service Manager commands and operations which are performed on the E Series router For detailed information about the JUNOSe software s macro language see the Command Line...

Страница 681: ...n the service definition that has the error Optional command in error Passes the value env getErrorStatus Service Manager displays the error status for the error Optional command error status Specifie...

Страница 682: ...d hierarchical policy parameters Optional output stat epg Collects input statistics associated with the external group that is attached at the secondary input stage from policy manager Both the extern...

Страница 683: ...continue to use the original definition until you deactivate the service session 4 Modify You can update an existing service definition file at any time To update a service definition file a Use your...

Страница 684: ...eferencing Policies in Service Definitions In Profile Configuration mode policy interface commands for IP and L2TP allow attachments to be merged into any existing merge capable attachment at an attac...

Страница 685: ...oS profile when activating a service but make sure that the QoS profile is attached to the subscriber s interface For more information about configuring QoS profiles see the Configuring and Attaching...

Страница 686: ...pecify that Service Manager create QoS parameter instances when the subscriber logs in during service activation or through RADIUS QoS parameter VSAs You can specify up to eight parameter instance com...

Страница 687: ...ue 15000 In Profile Configuration mode the no version removes the QoS parameter instance command in the profile See qos parameter Specifying QoS Parameter Instances in a Service Definition After you c...

Страница 688: ...rameterName4 for the subscriber s interface If it finds a parameter instance it adds bandwidth2 3 000 000 to the current value If Service Manager does not find a parameter instance it creates one with...

Страница 689: ...g parameter instances in profiles and modifying explicit parameter instances can cause invalid parameter instance values Table 141 on page 649 lists a series of activations and deactivations using par...

Страница 690: ...events Table 142 on page 650 lists the sources that overwrite QoS profiles and parameter instances created by other sources Each row represents new QoS profiles and parameter instances columns represe...

Страница 691: ...ager using other sources without affecting the reference counts For more information see QoS Statistics on page 653 RADIUS QoS profile attachments and parameter instances configured through RADIUS can...

Страница 692: ...and parameter instances After removing the QoS profile and parameter instances Service Manager automatically removes the following QoS configurations in the following order 1 QoS profiles 2 Scheduler...

Страница 693: ...ch time the parameter is modified through service deactivation References of regular parameter instances are also counted using a separate reference count Parameter instances are removed when both ref...

Страница 694: ...s greater flexibility and efficient management for a large number of subscribers and services Enables you to use mutual exclusion mutex groups to create mutex services RADIUS CoA only CLI based suppor...

Страница 695: ...when you have a large number of users already logged in through RADIUS and you want to activate new services for them This method is also used for the guided entrance service described in Guided Entra...

Страница 696: ...VSA you specify values for the input and output bandwidth tiered 1280000 5120000 2 Specify optional VSAs for the service session as needed Service Volume Service Timeout Service Statistics Service Ma...

Страница 697: ...hat the service is to remain active the service is terminated when the time expires a tagged VSA Access Accept and CoA Request Service Timeout 26 68 Statistics configuration a tagged VSA 0 disable 1 t...

Страница 698: ...000 and output bandwidth of 5120000 The subscriber can use the service for 5 hours 18000 seconds and Service Manager captures both timestamp and volume statistics during the session service statistics...

Страница 699: ...ics 600 2 service interim acct interval voice 100000 6 service activation 1440 6 service timeout 1200 6 service interim acct interval Using RADIUS to Deactivate Service Sessions A service session can...

Страница 700: ...ervices NOTE Service Manager terminates a session when the output byte count exceeds the configured service volume threshold The output byte count is captured by the output stat clacl string in the cl...

Страница 701: ...existing service This ensures that the subscriber is never without an active service In the original CoA Request method the order of activation and deactivation is random in some cases the existing se...

Страница 702: ...lighted in bold text parameterizes input and output bandwidth tiered inputBW outputBW uid app servicemanager getUniqueId name SM tiered uid oname SM O tiered uid classifier list matchAll ip any any ra...

Страница 703: ...in which IPv4 and IPv6 protocols share a common transport and framing layer A dual stack implementation supports both IPv4 and IPv6 hosts to help provide a smooth transition to all parts of a enterpr...

Страница 704: ...when IPv6 subscribers or IPv4 and IPv6 subscribers in a dual stack are in a network When you create the service definition include the following service attribute in the service definition if you want...

Страница 705: ...rvice is deleted when the service is deactivated Combined IPv4 and IPv6 Service in a Dual Stack To configure a single service for IPv4 and IPv6 interfaces you can create and install one service defini...

Страница 706: ...s You must enable Service Manager volume statistics for a service session When you terminate a subscriber session Service Manager first sends RADIUS Acct Stop messages for any active services associat...

Страница 707: ...ng interval for services that are created during a user RADIUS based login and services that are activated by a CoA operation The service interim accounting interval is specified by the RADIUS Service...

Страница 708: ...vate attribute VSA 26 65 Table 149 on page 668 describes a sample Acct Start message for a service session In the table the three fields used by Service Manager are shown in bold characters An Acct St...

Страница 709: ...l aaa service accounting interval Use to specify the default interval between service accounting updates Service manager uses the default interval when no value is specified in the Service Interim Ac...

Страница 710: ...reset the accounting interval to 0 which turns off interim user accounting when no value is specified in the RADIUS Acct Interim Interval attribute See aaa user accounting interval Service Interim Acc...

Страница 711: ...ce definitions for example you might use the CLI commands to verify that a newly created service definition is correct When you are satisfied with the service definition you can then use RADIUS to act...

Страница 712: ...ssion keyword tiered 1280000 5120000 service management owner session Use to activate a service for an existing subscriber by identifying the owner used to create the subscriber session and specifying...

Страница 713: ...management owner session service management subscriber session service session Use to activate a service for a subscriber by creating a subscriber session and a service session NOTE Always activate at...

Страница 714: ...ger s performance Typically when you use a service definition to activate a subscriber s service session Service Manager uses resources to build that service However if you later use the same service...

Страница 715: ...service s duration and traffic volume volume Specifies that the service is automatically deactivated when the indicated traffic volume is exceeded time Specifies that the service is automatically deac...

Страница 716: ...ollect statistics about both the volume of traffic and the duration of the service session Example host1 config service management service session profile vodISP1 host1 config service session profile...

Страница 717: ...elete the volume attribute from the service session profile See volume Using the CLI to Deactivate Subscriber Service Sessions The CLI supports several methods that enable you to manually deactivate s...

Страница 718: ...service management owner session command See service management owner session no service management subscriber session service session Use to gracefully deactivate service sessions for a subscriber U...

Страница 719: ...when a threshold is reached you create a service session profile that includes a time threshold or a volume threshold or both Then you attach the service session profile when you activate the service...

Страница 720: ...stics Collection with the CLI on page 682 if you are using the CLI Setting Up the Service Definition File for Statistics Collection Service Manager statistics are based on classifier lists the classif...

Страница 721: ...profile Example 2 This example shows how you can also configure your service definition to collect total statistics from multiple classifier lists The following command specifies that three classifier...

Страница 722: ...ed3 host1 config service session profile statistics volume time host1 config service session profile 2 Apply the service session when you activate the subscriber service session host1 config service m...

Страница 723: ...t string external parent grp name policy parameter name The string variable specifies the type of statistics to track Service Manager supports the following strings input stat epg Track input statisti...

Страница 724: ...ber of JUNOSe commands in a service definition to specify a service Reference objects in service definitions Referencing commonly used objects is more resource efficient than using unique objects for...

Страница 725: ...put stat clacl matchAll endtmpl Sample RADIUS Attributes Value Tag RADIUS Attribute client1 isp1 com none username tiered 1280000 5120000 1 activate service Sample CLI Command host1 config service man...

Страница 726: ...ay MG based service that has upstream and downstream components The IP address and port for both the subscriber and the opposite end of the phone call were originally negotiated with the SBC The VoIP...

Страница 727: ...ubscriber might be shown a Web site that offers services such as Predefined services A group of user selectable services that meets a variety of needs of a single subscriber The subscriber might selec...

Страница 728: ...ng the HTTP Local Server to Support Guided Entrance on page 690 for information about the HTTP local server RADIUS Dynamic Request Server and CoA messages Enables RADIUS to dynamically activate the ne...

Страница 729: ...profile profileName endtmpl Sample RADIUS Attributes Value Tag RADIUS Attribute client5 isp1 com none username http 192 168 25 2 80 1 activate service Sample CLI Command host1 config service manageme...

Страница 730: ...service Tiered Service Selected at Web Site Value Tag RADIUS Attribute client5 isp1 com none username tiered 1280000 5120000 2 activate service http 192 168 25 2 80 deactivate service 720 2 service t...

Страница 731: ...cify the maximum number of connections that can exist between one IP address and the HTTP local server host1 west40 config ip http same host limit 20 6 Specify the maximum time that HTTP local servers...

Страница 732: ...servers maintain connections host1 west40 config ip http max connection time 1000 7 Enable the HTTP local server to listen for and process IPv6 exception packets host1 west40 config ipv6 http server 8...

Страница 733: ...n time ip http port Use to specify the port on which the HTTP local server receives connection attempts for IPv4 exception packets Specify a port number in the range 1 65535 Example host1 config ip ht...

Страница 734: ...local server Specify a number in the range 0 1000 Example host1 config ip http same host limit 20 Use the no version to restore the default number of allowed connections 3 See ip http same host limit...

Страница 735: ...ion for the subscriber HTTP redirect is per interface use the command in Interface Configuration mode or Subinterface Configuration mode for static interfaces and use the command in Profile Configurat...

Страница 736: ...ut must limit the total flow for IPv4 and IPv6 interfaces to 64 Kbps Figure 33 Input Traffic Flow with Rate Limit Profile on an External Parent Group for a Combined IPv4 IPv6 Service VoIP 64 Kbps VoIP...

Страница 737: ...ericName vb in destination host VB6G1 n ipv6 classifier list cl46 6 genericName vb out source host VB6G1 n ip policy list pl v4v6 genericName in classifier group cl46 4 genericName vb in external pare...

Страница 738: ...ansmit unconditional The conformed action which sets the action for packets not conforming to the committed rate and committed burst size but conforming to the peak rate and peak burst size for a rate...

Страница 739: ...ce Manager track statistics associated with the external parent group named vb v4v6 in and the corresponding hierarchical policy named v4v6 and that this external parent group is associated with the p...

Страница 740: ...d traffic denoted as inBw in the macro 10 0 0 1 Host IP address for IPv4 subscribers denoted as VBG1 in the macro 2001 1 Host IP address for IPv6 subscribers denoted as VB6G1 in the macro vlan Interfa...

Страница 741: ...oring IPv4 and IPv6 Interfaces for Service Manager on page 707 Monitoring Service Definitions on page 717 Monitoring Service Session Profiles on page 718 Monitoring Active Owner Sessions with Service...

Страница 742: ...eld Name Maximum time that the HTTP local server maintains an inactive connection in seconds Maximum connection length Number of configured Web servers Current number of http servers Number of Web ser...

Страница 743: ...ection Listening port Maximum number of connections allowed between one IP address and the HTTP local server Same host limit Protocols that the HTTP local server is listening for IPv4 IPv6 or IPv4 and...

Страница 744: ...s No resource failures Total number of HTTP connections established Http connections created Total number of HTTP connections ended Http connections terminated Total number of HTTP connections that ex...

Страница 745: ...g the Default Interval for Interim Accounting of Services Purpose Display the default interval used for interim accounting for services associated with users on the virtual router An entry of 0 indica...

Страница 746: ...ng Profiles for Service Manager Purpose Display information about the policies and QoS configurations referenced in profiles Action To display information about a specific profile host1 show profile n...

Страница 747: ...hernet 1 1 200 GigabitEthernet1 1 line protocol Ethernet is up ip is not present Network Protocols IP Multipath mode hashed Auto Configure disabled Auto Detect disabled Inactivity Timer disabled Use F...

Страница 748: ...tes 0 Unicast Packets 0 Bytes 0 Multicast Packets 0 Bytes 0 In Total Dropped Packets 0 Bytes 0 In Policed Packets 0 In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Fo...

Страница 749: ...put fields Table 159 show ip interface Output Fields Field Description Field Name Interface type and specifier interface Status of the interface interface status Url to which a subscriber s initial we...

Страница 750: ...ts received with destination unreachable dst unreach Packets sent with time to live exceeded time excd Packets sent with parameter errors param probs Source quench packets sent src quench Send packets...

Страница 751: ...d into an output IP interface In Forwarded Packets Bytes Total number of packets and bytes that were dropped on the interface In Total Dropped Packets Bytes Packets discarded on a receive IP interface...

Страница 752: ...kets and bytes dropped by the scheduler because they exceeded the contract Out Scheduler Drops Exceeded Packets Bytes Packets discarded on the egress interface because of rate limiting Out Policed Pac...

Страница 753: ...tion unreachable destination unreach Packets received because the destination was administratively unreachable for example the packet encountered a firewall filter admin unreach Packets sent with para...

Страница 754: ...eived packet redirects redirects Echo request ping packets echo requests Echo replies received echo replies Number of received router solicitations rtr solicits Number of received router advertisement...

Страница 755: ...fixes for neighbor discovery router advertisement ND RA advertising prefixes Total number of packets and bytes received on the IP interface In Received Packets Bytes Unicast packets and bytes received...

Страница 756: ...face because of rate limiting Out Policed Packets Packets discarded on the egress interface because of a configuration problem rather than a problem with the packet itself Out Discarded Packets Type i...

Страница 757: ...True Service tiered inputbw outputbw Reference Count 0 To display summary information for all service definitions host1 show service management service definition brief Service Definitions Reference F...

Страница 758: ...Timestamp Related Topics show service management service definition Monitoring Service Session Profiles Purpose Display information about service session profiles configured on your router Action To d...

Страница 759: ...latile Sessions CLIENT1 ISP COM ip192 168 0 3 1 AAA 4194326 Active False 1 CLIENT2 ISP COM ip192 168 0 7 2 AAA 4194327 Active False 1 CLIENT3 ISP COM ip192 168 0 4 3 AAA 4194328 Active False 1 CLIENT4...

Страница 760: ...163 show service management owner session Output Fields Field Description Field Name Name of the subscriber or name of the service session Name Type and IP address of the subscriber s interface Interf...

Страница 761: ...profile or RADIUS VSA Volume Volume left until the threshold is exceeded this value starts as the volume threshold value and is decremented as the service statistics measure volume Volume Expire Curre...

Страница 762: ...192 168 0 1 User Name CLIENT1 ISP COM Interface ip 192 168 0 1 Id 1 Owner AAA 4194326 Non volatile False State Active ServiceSessions Name mutex Owner Id State Operation tiered 2000000 3000000 AAA 41...

Страница 763: ...ervice session belongs mutex Method used to activate the subscriber session CLI AAA and ID number generated by the owner Acct Session ID for AAA Owner Id Status of the subscriber session active or ina...

Страница 764: ...tistics measure volume Volume Expire Current value of input bytes that the statistics configuration is measuring Input Bytes Current value of output bytes that the statistics configuration is measurin...

Страница 765: ...utput Fields Field Description Field Name Number of active subscriber sessions on the router Total Subscriber Sessions Number of active service sessions on the router Total Service Sessions Related To...

Страница 766: ...726 Monitoring the Number of Active Subscriber and Service Sessions with Service Manager JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 767: ...Part 7 Index Index on page 729 Index 727...

Страница 768: ...728 Index JUNOSe 11 0 x Broadband Access Configuration Guide...

Страница 769: ...aaa ipv6 nd ra prefix framed ipv6 prefix 90 aaa local database 41 aaa local select database 41 aaa local username 41 aaa new model 311 319 aaa parse direction 12 aaa parse order 12 aaa profile 63 68...

Страница 770: ...k Count RADIUS attribute 51 201 Acct Multi Session Id RADIUS attribute 50 201 Acct Off messages 175 Acct On messages 175 Acct Output Gigapackets RADIUS attribute 26 36 218 Acct Session Id RADIUS attri...

Страница 771: ...to domain 57 mapping backup address pool to domain 58 mapping IPv6 local address pool to domain 60 mapping user domain names to a virtual router 8 mapping user requests without a valid domain name 8 w...

Страница 772: ...a dual stack activating 665 backward compatibility 665 deactivating 665 example 696 performance impact 665 rate limiting and example 696 service interim accounting 670 statistics collection and extern...

Страница 773: ...process 464 local pool selection 464 overview 464 SRC Session and Resource Control software 455 local address pool group 480 551 local pool selection equal access 464 using domain name 465 using frame...

Страница 774: ...ls DHCPv6 local server IPv6 483 DHCPv6 Prefix Delegation and IPv6 Neighbor Discovery without configuring Delegated IPv6 Prefix 90 assigned prefix length of 128 in local address pools 103 enabling IPv6...

Страница 775: ...AAA access and accounting messages 182 DSLAMs digital subscriber line access multiplexers 4 DSLs digital subscriber lines 4 dual stack combined IPv4 and IPv6 services example of 696 IPv4 and IPv6 serv...

Страница 776: ...ion from Access Accept messages 90 Framed Ipv6 Route RADIUS attribute 99 211 Framed MTU RADIUS attribute 12 21 G giaddr 465 489 GRE Generic Routing Encapsulation tunnels dynamic subscriber interfaces...

Страница 777: ...s ip dhcp server 458 ip http commands ip http 690 ip http access class 690 ip http max connection time 690 ip http port 690 ip http redirecturl 690 ip http same host limit 690 ip http server 690 IP in...

Страница 778: ...DIUS attribute 26 46 219 Ipv6 NdRa Prefix RADIUS attribute 26 46 225 IPv6 NdRa Prefix attribute used for IPv6 Neighbor Discovery from Access Accept messages 90 IPv6 Primary DNS RADIUS attribute 26 47...

Страница 779: ...25 428 show l2tp destination profile command 431 l2tp rx connect speed when equal command 360 L2TP transmit connect speed and Transmit TX Speed AVP 24 394 calculation methods how to configure 394 moni...

Страница 780: ...enting IP spoofing 607 macros service definitions 636 Service Manager statistics 680 manuals comments on xxxix max sessions command 31 MBS RADIUS attribute 26 17 217 media access control addresses See...

Страница 781: ...lifetime for delegated prefixes configuring 105 default 105 setting without expiration 105 Prefix Delegation See DHCPv6 Prefix Delegation prefixes allocated to clients from interface configuration 10...

Страница 782: ...radius include access loop parameters 203 radius include acct authentic 197 radius include acct delay time 197 radius include acct link count 197 radius include acct multi session id 197 radius inclu...

Страница 783: ...ort format stacked 254 See also show radius commands RADIUS dynamic request server change of authorization messages 239 disconnect messages 237 how it works 237 message exchange 237 239 monitoring 244...

Страница 784: ...ovisioning services 671 674 QoS considerations 652 modifying configurations of 647 referencing configurations of 645 removing references of 647 RADIUS dynamic request server 688 RADIUS support 654 RAD...

Страница 785: ...al 705 show aaa statistics 125 show aaa subscriber per port limit 127 show aaa subscriber per vr limit 127 show aaa timeout 127 show aaa tunnel group 422 424 show aaa tunnel parameters 424 426 show aa...

Страница 786: ...est statistics 305 show radius ethernet port type 301 show radius icr partition accounting 310 show radius nas identifier 299 show radius nas port format 298 show radius override 297 show radius pppoe...

Страница 787: ...pport system log messages 33 T TACACS AAA services 311 accounting 311 authentication login process 311 authorization 311 configuring 316 daemon 311 312 host 312 NAS network access server 311 312 privi...

Страница 788: ...ain mapping to L2TP tunnel 353 User Name RADIUS attribute 1 10 user name command 588 user prefix command 588 usernames and passwords from a domain configuring 16 using shared tunnel server ports 370 V...

Отзывы:

Нет отзывов

Похожие инструкции для JUNOSE 11.0.X MULTICAST ROUTING

Wide Format 6030

Бренд: Xerox Страницы: 8

ANTI-VIRUS FOR MIMESWEEPER -

Бренд: F-SECURE Страницы: 44

Бренд: Juniper Страницы: 772

Бренд: Alcatel Страницы: 4

SNAP DEPLOY 2.0 -

Бренд: ACRONIS Страницы: 68

Бренд: Mitsubishi Страницы: 64

Persona Persona M30e

Бренд: Fargo Страницы: 31

SMART Notebook SE

Бренд: SMART Страницы: 20

Universal Storage Platform VM

Бренд: Hitachi Страницы: 62

Universal Storage Platform V

Бренд: Hitachi Страницы: 102

Бренд: Hitachi Страницы: 205

External OEMR 2800

Бренд: Dell Страницы: 32

Encryption Key Manager

Бренд: Dell Страницы: 66

External OEMR 2950

Бренд: Dell Страницы: 22

Бренд: Dell Страницы: 10

DVS Simplified Appliance

Бренд: Dell Страницы: 73

Бренд: Dell Страницы: 75

External OEMR 850

Бренд: Dell Страницы: 162

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды