Student Guide
The information in this document has been carefully verified and is believed to be accurate for software Release 7.3.0. Juniper Networks assumes no
responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary,
incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.
Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice.
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The JUNOS software has no
known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand
and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the
Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You
should consult the software license for further details.
Contents
Module 0: Course Introduction ..................................................................................... 0-1
Module 7: Policy Management Overview ........................................................................ 7-1
Policy Management Overview .......................................................................... 7-3
Configuring Classifier Lists and Policy Lists.................................................. 7-11
Configuring Rate-Limit Profiles ..................................................................... 7-29
Configuring Policy Lists with Multiple Rules ................................................ 7-41
Troubleshooting Policies on the E-series Router .......................................... 7-58
Lab 7: Configuring Policy ............................................................................. 7-63
Course Overview
The E-series B-RAS Configuration Basics course is designed to provide technical network professionals with
the skills needed to successfully install, configure, and troubleshoot the E-series platform to act as a broadband
remote access server (B-RAS). The course covers the fundamentals of B-RAS, ATM, IP over ATM, bridged
Ethernet, PPP over ATM, PPP over Ethernet, VLANs, dynamic interfaces, L2TP, policy management as well as
E-series router systems administration.
Objectives
After successfully completing this course, you should be able to:
• Configure IP-over-ATM interfaces;
• Configure bridged Ethernet interfaces;
• Configure PPP-over-ATM interfaces;
• Configure PPP-over-Ethernet interfaces;
• Configure dynamic interfaces;
• Configure L2TP;
• Troubleshoot connectivity issues;
• Configure fundamental policy management; and
• Describe E-series router system administration tasks.
Intended Audience
This course is intended for technical network professionals responsible for the integration, configuration,
and management of E-series router networks.
Course Level
This is an intermediate-level course designed to provide a strong foundation for configuring the
B-RAS application on an E-series router.
Prerequisites
The prerequisites for the E-series B-RAS Configuration Basics course are knowledge of IP in an ISP
environment and the Introduction to Juniper Networks Routers-E-series course.
Course Agenda
Day 1
Module 0: Course Introduction
Module 1: DSL Overview and IP over ATM
Module 2: Bridged Ethernet and DHCP
Day 2
Module 3: PPP over ATM
Module 4: PPP over Ethernet
Day 3
Module 5: Dynamic Interfaces
Module 6: L2TP
Day 4
Module 7: Policy Management Overview
Module 8: System Administration
Additional Information
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
• Go to http://www.juniper.net/techpubs/ .
• Locate the specific software or hardware release and title you need, and choose the format in
which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or account
representative.
Module Objectives
After successfully completing this module, you will be able
to:
– Get to know one another
– Identify the objectives, prerequisites, facilities, and materials used
during this course
– Identify additional Juniper Networks courses
– Describe the Juniper Networks Technical Certification Program
(JNTCP)
Introductions
What is your name?
Where do you work?
What is your primary role in your organization?
What kind of network experience do you have?
What is the most important thing for you to learn in this
training session?
Introductions
This slide serves to break the ice by having you introduce yourself and state your reasons for attending
the class.
Course Contents
DSL Overview and IP over ATM
Bridged Ethernet and DHCP
PPP over ATM
PPP over Ethernet
Dynamic Interfaces
L2TP
Policy Management Overview
System Administration
Course Contents
This slide lists the topics we discuss in this course.
Prerequisites
Introduction to Juniper
Networks Routers—E-series
Prerequisites
This slide lists the prerequisites for this course.
Course Administration
Course objectives
Sign-in sheet
Schedule
– Class times
– Breaks
– Lunch
Break and restroom facilities
Communications
– Telephones
– Cellular phones and pagers
– Internet access
Education Materials
Available in class:
– Lecture material
– Lab guide
– Lab equipment
Available outside of class:
– Online documentation at www.juniper.net
– Juniper Networks Technical Assistance Center (JTAC)
Available through your account representative:
– Documentation CD
– Printed documentation
Satisfaction Feedback
Class Feedback
Satisfaction Feedback
Juniper Networks uses an electronic survey system to collect and analyze your comments and
feedback. Depending on the class you are taking, please complete the survey at the end of the class,
or be sure to look for an e-mail about two weeks from class completion that directs you to complete an
online survey form (be sure to provide us with your current e-mail address).
Submitting your feedback entitles you to a certificate of class completion. We thank you in advance for
taking the time to help us improve our educational offerings.
[Figure: Juniper Networks curriculum map. Courses shown: Introduction to Juniper Networks Routers—E-series (IJNR-E); Broadband Remote Access Server Configuration; Configuring Juniper Networks Routers (CJNR); Advanced Juniper Networks Routing (AJNR); Advanced Policy; Juniper Networks Security Solutions (JNSS). Prerequisites shown for the CJNR/AJNR/JNSS track: familiarity with JUNOS software CLI, general knowledge of TCP/IP, and routing. Prerequisites shown for the B-RAS course: detailed knowledge of E-series products from attendance of the IJNR-E class or similar.]
JNCIA
– Computer-based, written exam
– Delivered at Prometric testing centers worldwide
– 60 questions, 60 minutes
– Passing Score: 70%
– $125 USD
– Prerequisite certification: none
– Benefits provided to JNCIAs:
Certificate
Logo usage
Industry recognition
– Validates candidate’s general knowledge of IP technologies,
platform operating system, and hardware
JNCIS
– Computer-based, written exam
– Delivered at Prometric testing centers worldwide
– Prerequisite for the JNCIP lab exam
– 75 questions, 90 minutes
– Passing Score: 70%
– $125 USD
– Prerequisite certification: none
– Benefits provided to JNCISs:
Certificate
Logo usage
Provides ability to take JNCIP exam
Industry recognition as an IP and routing platform specialist
– Validates candidate’s advanced knowledge of platform operating
system, hardware, and IP technologies
JNCIP
– One-day, lab-based exam
– Tests candidate’s configuration and design skills for essential
technologies
– Testing centers: Sunnyvale, Amsterdam, Herndon, Westford, Remote
– Prerequisite for the JNCIE lab exam
– $1,250 USD
– Prerequisite certification: JNCIS
– Benefits provided to JNCIPs:
Certificate
Logo usage
Provides ability to take JNCIE exam
Industry recognition as an IP and routing platform professional
– Validates candidate’s practical platform configuration skills
Certification Preparation
Questions
Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice
them now so that your instructor can best address your needs during class.
Copyright © 2006 Juniper Networks, Inc. Copyright © 2007, Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 18
Module Objectives
After successfully completing this module, you will be able
to:
– Compare and contrast narrowband remote access services and
broadband remote access services
– Describe the different types of DSL connections
– List and describe the equipment used in a DSL network
– List and describe four different DSL connection types
– Describe the life of a packet in an IP-over-ATM environment
– Describe basic ATM concepts and terminology
– Compare and contrast IP addressing options in an IP-over-ATM
environment
– Configure an IP-over-ATM interface on the E-series router
[Figure: broadband remote access overview. Subscribers (laptop PC, PDA, Wi-Fi hotspot users) reach the access network over dial-up modem, DSL, cable, GSM/GPRS, LMDS/UMTS, fiber/FTTx, Sonet/SDH and Gigabit Ethernet. The E-series router, SDX-300, RADIUS and DHCP sit between the access network and the IP core; services such as IP over ATM and VPN are delivered to the network provider's ISP customers, e.g. paul@isp2.com at ISP2.]
DSL Overview
[Figure: DSL network. Customer side: PC with Ethernet NIC and a standalone DSL modem, PC with integrated DSL modem, DSL bridge serving a network of PCs, PC with ATM NIC. Provider side: the DSL modems terminate on a DSLAM, which connects through an ATM switch to the DSL concentrator (E-series router) and on to the Internet; RADIUS and DHCP servers are attached to the concentrator.]
DSL connection types:
– Asymmetric
– Symmetric
– Rate adaptive
– High bit rate
– Very high bit rate
How customers connect:
– Business customers connect LANs to DSL routers or bridges
– Residential customers:
Workstation with integrated DSL modem
Workstation with an Ethernet NIC connected to a standalone DSL bridge or
modem
Local POP
– One or more DSLAM
Central office
– ATM switch
– DSL concentrator
– RADIUS, DHCP servers
– PVC established from the DSL concentrator to the CPE Device
Local POP
In a DSL environment, thousands of subscriber lines connect to digital subscriber line access
multiplexers (DSLAMs), which are typically located in the provider's local point of presence (POP). The
DSLAM contains DSL modems, which it aggregates onto high-speed ATM, Gigabit Ethernet, or 10
Gigabit Ethernet connections.
Central Office
At the central office, an ATM or Ethernet switch potentially aggregates the connections from the
DSLAM and ultimately terminates them on a DSL concentrator. RADIUS and the Dynamic Host
Configuration Protocol (DHCP) servers might also be located at the central office. They might be used
for user authentication and IP address assignment.
For ATM-based DSLAMs, the DSL concentrator establishes a permanent virtual circuit (PVC) to the
customer premises equipment (CPE) device. One or more users can use this PVC, depending on the
configuration. For Ethernet-based DSLAMs, the DSL concentrator might establish a VLAN to each
CPE device.
To Authenticate or Not... (1 of 2)
[Figure: bridged Ethernet. Customer side: PC with Ethernet NIC and a DSL modem, PC with integrated DSL modem, DSL bridge serving a network of PCs, PC with ATM NIC.]
To Authenticate or Not... (2 of 2)
[Figure: PPP over ATM and PPP over Ethernet. The same customer devices connect through DSL modems and the DSLAM to the DSL concentrator (E-series router), ATM switch, RADIUS and the Internet; the PPP session is terminated on the E-series router.]
[Figure: encapsulation at each hop of the IP-over-ATM packet walk. Layer 3 is unchanged end to end: DA IP=2.2.2.2, SA IP=1.1.1.2.]
  PC to DSL router (Ethernet):             DA MAC=B, SA MAC=A, EtherType=0x0800
  DSL router to E-series (ATM VPI/VCI=0/33, RFC 2684 routed): LLC=0xAA-AA-03, OUI=0x00-00-00, EtherType=0x0800
  E-series to next-hop router (Ethernet):  DA MAC=D, SA MAC=C, EtherType=0x0800
  Next-hop router onward (Ethernet):       DA MAC=F, SA MAC=E, EtherType=0x0800
Life of a Packet
In the IP-over-ATM environment, a DSL-capable router or a router and a DSL modem are installed at
the customer's location. This router provides connectivity to the Internet for one or more networks at
the customer's location. The router or modem is connected over a phone line to a DSLAM, which is in
turn connected via ATM to the E-series router. A single ATM PVC is provisioned from the router to the
customer's CPE device.
If a user at the customer's location wants access to the Internet, the basic packet flow is as follows (for
this example, the customer uses Ethernet for the Layer 2 transport mechanism):
• The user's PC generates an IP packet, encapsulates it in an Ethernet frame, and addresses
it to a DSL router.
• The DSL router receives the Ethernet frame, sees that it is addressed to the router, and
strips off the Ethernet frame.
• The DSL router looks at the destination IP address, consults its routing table, and
determines that the next hop is the DSL interface.
• The DSL router adds an RFC 2684-defined ATM Layer 2 header (previously known as RFC
1483), indicating that the frame contains an IP datagram, and then segments the IP
datagram into 53-byte cells.
• The DSL router sends the cells across the PVC to the E-series router.
• The E-series router receives and reassembles the cells, strips off the RFC 2684 header,
looks at the destination IP address, and determines the next-hop interface.
• The E-series router encapsulates the IP datagram in the appropriate Layer 2 frame and
transmits the data into the Internet, repeating this process each step along the way to the
destination IP address.
Note that if a router receives a Layer 2 frame addressed to itself, it strips off the Layer 2 encapsulation,
determines the next-hop address based on the destination IP address, and encapsulates the IP
datagram in a new Layer 2 frame for the next leg of its journey. We will see that this behavior is very
different in a bridged Ethernet environment.
ATM Basics
[Figure: one ATM major interface on the E-series router carrying VPI 0 with VCIs 33, 34 and 35; each VCI is a PVC through the DSLAM to a different customer (a DSL bridge and two DSL routers, each with a customer network behind it).]
[Figure: the ATM interface column, bottom up]
  Network layer:   IP interface: IP address, subnet mask, IP description
  Data link layer: ATM PVC: VCD, VPI/VCI, encapsulation type, F5 OAM
                   ATM subinterface: service category
                   ATM major interface: number of VCs per virtual path, F4 OAM, slot/port or slot/adapter/port
ATM interfaces support the operations, administration, and management (OAM) standards. The E-
series router supports F4 and F5 OAM fault management, loopback, and continuity check cells. These
cells perform fault detection and notification, loopback testing, and link integrity. F4 cell flows, used to
monitor VPs, are configured at the ATM major interface level. You can configure F4 flows for a specific
VP or for all possible VPs on an interface.
For each logical connection, you configure an ATM subinterface and build the PVC at the subinterface
level. You can configure and manage ATM major interfaces, subinterfaces, and PVCs from any virtual
router context. You can configure F5 OAM flows on ATM PVCs. You can also configure a description
for the ATM subinterface.
Finally, you create an IP interface on top of the ATM subinterface. The IP interface must be created in
the appropriate virtual router. This IP interface can be a numbered or unnumbered IP interface. For
numbered interfaces, you must also configure a subnet mask. For unnumbered IP interfaces, a mask
is not specified. Instead, the unnumbered IP interface must reference some IP interface on the router,
typically a loopback interface. You can also configure an IP description.
Outbound Traffic
[Figure: outbound traffic from the E-series router to three customer networks (a DSL bridge and two DSL routers) over VPI 0, VCIs 33, 34 and 35, through the DSLAM.]
ATM VC Classes
ATM VC classes:
– Group or classify ATM circuits based on common attributes
  Easier to create or modify large numbers of ATM PVCs
– Template containing common ATM configuration parameters
  Encapsulation method, service category, F5 OAM options, and Inverse ARP
erx1(config)#vc-class atm biz-user
erx1(config-vc-class)#encapsulation aal5snap
erx1(config-vc-class)#cbr 1000
erx1(config-vc-class)#exit
erx1(config)#vc-class atm res-user
erx1(config-vc-class)#encapsulation aal5snap
erx1(config-vc-class)#ubr 512
ATM VC Classes
What if you configured 1000 CBR ATM PVCs with a rate of 1 Mbps and now you want to change the
PCR to 1.5 Mbps. How would you do that? You would have to modify all 1000 PVCs individually,
changing the rate to 1.5 Mbps.
ATM VC classes provide a way to group or classify ATM circuits based on common attributes, such as
service category. An ATM VC class is a template that contains common ATM attributes, such as
encapsulation method, service category, F5 OAM options, and Inverse ARP.
For example, a service provider might have two types of customers. Its business users require 1-Mbps
CBR connections, and its residential users require UBR connections with a peak cell rate of 512 Kbps.
The slide shows the configuration of two ATM VC classes, one for the business users and one for
residential users. The ATM VC class contains the common ATM PVC attributes for each type of user.
The ATM VC class is then applied to each type of connection. If the service provider decides to
upgrade the business user's rate from 1 Mbps to 1.5 Mbps, a single change is made to the ATM VC
class. All PVCs using this ATM VC class are automatically changed.
Numbered IP Interfaces
[Figure: numbered addressing. Two DSL routers (customer networks 40.40.0.0, 20.20.0.0 and 30.30.0.0 behind them) each connect to the E-series router over their own PVC with a /30 subnet: 172.10.1.0/30 (DSL router .2, E-series .1) and 172.10.1.4/30 (DSL router .6, E-series .5). The E-series router connects to the Internet.]
IP Addressing: Option 1
In an IP-over-ATM environment, you can approach IP addressing two ways. The first way is to view
each ATM PVC as a unique, point-to-point network. With this approach, you assign each PVC a
unique subnet and assign a specific numbered IP address to each end of the ATM PVC. This approach
is very straightforward and easy to manage as there are no static routes to configure. It does, however,
use up IP addresses quickly. Many business DSL environments implement this addressing approach.
Unnumbered IP Interfaces
[Figure: unnumbered addressing. The E-series router has loopback 0 = 172.10.2.1/32, and its PVCs are unnumbered IP interfaces referencing loopback 0. The DSL routers are hosts 172.10.2.2/32 and 172.10.2.3/32, performing NAT for the customer networks 50.50.0.0 and 10.0.0.0 behind them. The E-series router connects to the Internet.]
IP Addressing: Option 2
With the second approach to IP address assignment in an IP-over-ATM environment, you view each
DSL router as an individual host instead of viewing the ATM PVC as a point-to-point link. Each CPE
DSL router is assigned a numbered IP address. On the E-series router, a loopback interface is created
and assigned an IP address. The ATM PVCs on the E-series router are not assigned numbered IP
addresses. Instead, the PVCs are configured as unnumbered IP interfaces referencing the loopback
interface. While this approach conserves valuable IP address space, it is a bit more difficult to
configure and manage.
[Figure: configuration example. int atm 6/2.33: numbered, E-series 172.10.1.1/30 to DSL router 172.10.1.2/30 (default route 0.0.0.0, customer network 40.40.0.0). int atm 6/2.34: unnumbered IP referencing loopback 0, to DSL router 172.10.2.2/32 (default route 0.0.0.0, customer network 50.50.0.0). The E-series router connects to the Internet.]
IP-over-ATM Configuration
This slide shows the configuration for the two routers on the previous page. To configure IP-over-ATM
interfaces, first configure the clocking for the SONET controller, which was shown on a previous page.
If you use unnumbered interfaces, configure a loopback interface, which will be used as a reference.
Next, create an ATM major interface specifying the number of VCs per VP if necessary. For each CPE,
configure an ATM subinterface and an ATM PVC. Configure a numbered or unnumbered IP interface
and an IP description to aid in troubleshooting. Finally, create the appropriate static routes. Notice that
the numbered IP interface does not require a host route.
Think in Layers!
When you troubleshoot any new configuration on the router, you must think in layers. First try to ping
the newly configured interface. If that does not work, start examining the configuration at the physical
layer and work your way up the interface column. Ask yourself the following questions when initially
troubleshooting an IP-over-ATM configuration:
• What is the state of the SONET controller?
• Am I transmitting and receiving frames on the entire ATM interface?
• Am I receiving errors on the ATM interface?
• Am I transmitting and receiving frames on the specific ATM PVC?
• Am I receiving errors on the ATM PVC? Verify the encapsulation method being used. Is it
the same at each end of the PVC?
• Am I transmitting and receiving frames at the IP layer?
• Am I dropping packets?
• Do I have a route to the CPE DSL router?
• Do I have a route to the networks beyond the CPE router?
• Does the CPE router have a default route to the E-series?
Review Questions
1. What are two types of DSL connections that maintain the
traditional dial-up remote access method?
2. What are four types of DSL connections, and how are they
different from one another?
3. On an E-series router, what identifies a PVC?
4. What is VP traffic shaping?
5. How can you use statistics baselines to aid in
troubleshooting a new configuration?
Lab Objectives:
Configure and troubleshoot IP-over-ATM interfaces.
Module Objectives
After successfully completing this module, you will be able
to:
– Describe the life of a packet in a bridged Ethernet environment
– Describe IP addressing options in a bridged Ethernet
environment
– Compare and contrast E-series routing configuration options in a
bridged Ethernet environment
– Configure the DHCP relay agent and DHCP relay proxy
– Configure a bridged Ethernet ATM PVC
[Figure: bridged Ethernet network. Customer DSL routers and bridges connect over xDSL to the DSLAM, then through an ATM switch to the DSL concentrator (E-series router), which reaches the Internet and a DHCP server; the concentrator side of the PVC is IP over ATM.]
[Figure: encapsulation at each hop of the bridged Ethernet packet walk. Layer 3 is unchanged end to end: DA IP=2.2.2.2, SA IP=1.1.1.2.]
  PC to DSL bridge (Ethernet):             DA MAC=B, SA MAC=A, EtherType=0x0800
  DSL bridge to E-series (ATM VPI/VCI=0/33, RFC 2684 bridged): LLC=0xAA-AA-03, OUI=0x00-80-C2, PID=0x00-07, followed by the original Ethernet frame (DA MAC=B, SA MAC=A, EtherType=0x0800)
  E-series to next-hop router (Ethernet):  DA MAC=D, SA MAC=C, EtherType=0x0800
  Next-hop router onward (Ethernet):       DA MAC=F, SA MAC=E, EtherType=0x0800
Life of a Packet
In the bridged Ethernet environment, a DSL-capable bridge or modem is installed at the customer's
location. This bridge provides connectivity to the Internet for the customer's networks. The bridge is
connected over a phone line to a digital subscriber line access multiplexer (DSLAM), which is in turn
connected via ATM to the E-series router. An ATM PVC is provisioned from the E-series router to the
customer's CPE device.
If a user at the customer's location wants access to the Internet, the basic packet flow is as follows. For
this example, the customer uses Ethernet for its Layer 2 transport mechanism.
• The user's PC generates an IP packet, encapsulates it in an Ethernet frame, and addresses
it to the E-series router.
• The DSL bridge receives the Ethernet frame and adds an RFC 2684 header, indicating that
the cell contains a bridged Ethernet frame.
• The DSL bridge then separates the entire frame into ATM cells and transmits them across
the PVC to the E-series router.
• The E-series router receives the cell, strips off the bridged RFC 2684 header, strips off the
Ethernet frame, looks at the destination IP address, and determines the next-hop interface.
• The router encapsulates the IP datagram in the appropriate Layer 2 frame and transmits the
data onto the Internet.
Notice that in a bridged Ethernet environment, the router examines the IP header, makes a routing
decision, and forwards the packet to the next router.
[Figure: a DSL bridge customer. The E-series interface toward the bridge is 182.10.2.33/27; the client workstations behind the bridge are 182.10.2.34 and 182.10.2.35; the E-series router connects to the Internet.]
Client workstation IP addressing options:
– Statically assigned
  1 static address per customer
  Small number of addresses per customer
– Dynamically obtained using DHCP
Router IP addressing options:
– Unnumbered interfaces
– Numbered interfaces
[Figure: router addressing. loopback 0 = 182.10.1.1/32 on the E-series router. DSL bridge client 182.10.1.2 (default route 0.0.0.0) on int atm 6/2.36, an unnumbered IP interface. Second DSL bridge on int atm 6/2.37 with E-series address 182.10.2.33/27 and clients 182.10.2.34 and 182.10.2.35 (default route 0.0.0.0). The E-series router connects to the Internet.]
Router Configuration
[Figure: static addressing. loopback 0 = 182.10.1.1/32; DSL bridge client 182.10.1.2 (default route 0.0.0.0) on int atm 6/2.36, unnumbered IP; second DSL bridge on int atm 6/2.37 with clients 182.10.1.33/27, 182.10.1.34 and 182.10.1.35 (default route 0.0.0.0). Networks 182.10.1.0/24 and 182.10.2.0/24 are advertised using network statements or route redistribution.]
Prefix/Length    Type     Next Hop         Dst/Met  Intf
0.0.0.0          Static   182.10.100.1     1/0      GE5/0
182.10.1.0/24    Static   255.255.255.255  1/0      null0
182.10.2.32/27   Connect  182.10.2.33      0/0      ATM6/2.37
182.10.1.1/32    Connect  182.10.1.1       0/0      loopback0
182.10.1.2/32    Static   0.0.0.0          1/0      ATM6/2.36
Router configuration using static addressing:
– Create static routes to each client workstation or group of
workstations
– Next-hop interface must be the appropriate ATM subinterface
– For localized IP address ranges, consider creating a static route
for the range using null0 as the next-hop address
– Advertise appropriate networks using route maps and network
statements or route redistribution
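The static routes each addressing model requires, as an added example that is not part of the course or of Juniper's software. It generates the routes for a numbered IP-over-ATM PVC (IP Addressing: Option 1), for an unnumbered PVC referencing a loopback (Option 2, the int atm 6/2.34 case in the IP-over-ATM configuration), and for a bridged Ethernet subinterface with static client addresses and a null0 summary as in the bullets above, then checks that every next hop is resolvable. The function names, the Route fields and the /16 masks assumed for the 40.40.0.0 and 50.50.0.0 customer networks are this example's own; the addresses and interface names are taken from the slides.

```python
"""Static routes the E-series router needs under each subscriber addressing
model covered in the course: numbered IP-over-ATM PVCs, unnumbered IP-over-ATM
PVCs referencing a loopback, and bridged Ethernet with statically addressed
workstations. Added example, not from the course or Juniper; the topology
values are constructed from the slides and the /16 customer masks are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix, e.g. "50.50.0.0/16"
    next_hop: str  # next-hop address; "0.0.0.0" for a route pointing at an interface
    intf: str      # outgoing interface, e.g. "ATM6/2.34" or "null0"


def routes_numbered_pvc(customer_net, pvc_subnet, cpe_addr, intf):
    """Option 1: each PVC is its own point-to-point subnet. The PVC subnet is a
    connected route, so only the customer's network behind the CPE needs a static
    route; no host route to the CPE is required."""
    net = ipaddress.ip_network(pvc_subnet)
    cpe = ipaddress.ip_address(cpe_addr)
    if cpe not in net:
        raise ValueError(f"CPE address {cpe} is not inside PVC subnet {net}")
    return [Route(str(ipaddress.ip_network(customer_net)), str(cpe), intf)]


def routes_unnumbered_pvc(customer_net, cpe_addr, intf):
    """Option 2: the PVC is unnumbered (it borrows the loopback address), so the
    CPE's /32 must first be pointed at the ATM subinterface; only then can a route
    whose next hop is the CPE address be resolved."""
    cpe = ipaddress.ip_address(cpe_addr)
    return [
        Route(f"{cpe}/32", "0.0.0.0", intf),
        Route(str(ipaddress.ip_network(customer_net)), str(cpe), intf),
    ]


def routes_bridged_static(workstations, intf, summary=None):
    """Bridged Ethernet with static client addresses: one host route per
    workstation out of its ATM subinterface. An optional summary route to null0
    covers the whole assigned range so it can be advertised as one prefix;
    packets for addresses in the range that have no host route are discarded by
    null0 instead of following the default route."""
    routes = [Route(f"{ipaddress.ip_address(w)}/32", "0.0.0.0", intf) for w in workstations]
    if summary:
        routes.append(Route(str(ipaddress.ip_network(summary)), "255.255.255.255", "null0"))
    return routes


def unresolved_next_hops(routes, connected_subnets):
    """Return next hops that neither a connected subnet nor an interface route
    covers; such routes cannot be installed. 255.255.255.255 marks the null0 route."""
    covering = [ipaddress.ip_network(c) for c in connected_subnets]
    covering += [ipaddress.ip_network(r.prefix) for r in routes if r.next_hop == "0.0.0.0"]
    unresolved = []
    for r in routes:
        if r.next_hop in ("0.0.0.0", "255.255.255.255"):
            continue
        nh = ipaddress.ip_address(r.next_hop)
        if not any(nh in n for n in covering):
            unresolved.append(r.next_hop)
    return unresolved


if __name__ == "__main__":
    # Constructed from the slides: numbered PVC on atm 6/2.33, unnumbered on 6/2.34,
    # bridged Ethernet clients on 6/2.37.
    numbered = routes_numbered_pvc("40.40.0.0/16", "172.10.1.0/30", "172.10.1.2", "ATM6/2.33")
    unnumbered = routes_unnumbered_pvc("50.50.0.0/16", "172.10.2.2", "ATM6/2.34")
    bridged = routes_bridged_static(["182.10.2.34", "182.10.2.35"], "ATM6/2.37", "182.10.2.0/24")
    for r in numbered + unnumbered + bridged:
        print(f"{r.prefix:<18} {r.next_hop:<16} {r.intf}")
    # Without the /32 host route, the unnumbered customer route has no reachable next hop.
    print("unresolved:", unresolved_next_hops(unnumbered[1:], ["172.10.2.1/32"]))
```

Running the script prints the combined table and then the next hop left unresolved when the /32 host route is dropped, which is the reason the unnumbered case needs a host route while the numbered case, whose PVC subnet is a connected route, does not.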
[Figure: DHCP-addressed clients 182.10.3.4 and 182.10.3.5 behind a DSL bridge on an unnumbered IP interface referencing loopback 1; the DHCP server is reached through the Internet.]
Routing Configuration—DHCP
[Figure: DHCP addressing. loopback 1 = 182.10.3.1/32 on the E-series router. DSL bridge client 182.10.3.2 on int atm 6/2.38 and clients 182.10.3.3 and 182.10.3.4 on int atm 6/2.39, each on an unnumbered IP interface with default route 0.0.0.0. Networks 182.10.1.0/24 and 182.10.2.0/24 are advertised using network statements or route redistribution; the DHCP server is reached through the Internet.]
Prefix/Length    Type       Next Hop     Dst/Met  Intf
182.10.3.1/32    Connect    182.10.3.1   0/0      loopback0
182.10.3.2/32    AccIntern  0.0.0.0      2/0      ATM6/2.38
182.10.3.3/32    AccIntern  0.0.0.0      2/0      ATM6/2.39
182.10.3.4/32    AccIntern  0.0.0.0      2/0      ATM6/2.39
[Figure: bridged Ethernet with static client addresses 182.10.2.34 and 182.10.2.35 behind a DSL bridge; the E-series interface toward the bridge is 182.10.2.33/27.]
[Figure: the bridged Ethernet interface column, bottom up]
  Network layer:   IP interface: numbered or unnumbered IP interface
  Data link layer: bridged Ethernet: encapsulation method
                   ATM PVC: VCD, VPI/VCI
                   ATM subinterface: traffic management
Think in Layers
When you configure the E-series router, remember to think in layers! Configure interface columns on
the E-series router from the bottom up:
• Configure physical layer parameters first. In an ATM environment, physical parameters
include slot/port or slot/adapter/port, clock source, and framing (SONET or SDH).
• Data link layer parameters include ATM PVC information, encapsulation method, and ATM
framing. Note that you must configure the E-series router to expect a different type of
encapsulation on a PVC connected to a bridge. By default, the E-series router expects to
see an ATM header followed by an IP-over-ATM header, followed by an IP datagram. In a
bridged Ethernet environment, you must configure the E-series router to expect an ATM
header, a bridged Ethernet header, an Ethernet frame, and then the IP datagram. This
encapsulation method is known as bridged Ethernet, although the actual CLI configuration
command is encapsulation bridge1483, referring to the first RFC describing this
environment.
• Network layer parameters include IP addresses, subnet masks, and routing protocols or
static routes.
Note that each layer is dependent on the others.
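The three AAL5 payload formats met in this course, as an added example that is not part of the course or of Juniper's software: the routed IP-over-ATM encapsulation from the first Life of a Packet, the bridged Ethernet encapsulation from the Life of a Packet above, and the LLC-encapsulated PPP of PPP over ATM, which the next module describes. It builds each from the header fields shown on the slides (LLC 0xAA-AA-03 with OUI 0x00-00-00 and an EtherType for routed IP; OUI 0x00-80-C2 with PID 0x00-07 for bridged Ethernet; LLC 0xFE-FE-03 and NLPID 0xCF for PPP), classifies a reassembled payload, and models a PVC configured for one encapsulation refusing the other, which is the mismatch the data link bullet warns about when a bridge is attached to a PVC left at the default routed encapsulation. The function names, the sample IPv4 header and the MAC addresses are constructed here.

```python
"""AAL5 payload encapsulations used by the three access models in this course:
RFC 2684 LLC/SNAP routed IPv4 (IP over ATM), RFC 2684 LLC/SNAP bridged Ethernet,
and RFC 2364 LLC-encapsulated PPP (PPP over ATM). Added example, not from the
course or Juniper; addresses are constructed from the slides."""
import struct

LLC_SNAP = b"\xaa\xaa\x03"     # LLC DSAP/SSAP/control for SNAP (RFC 2684)
OUI_ROUTED = b"\x00\x00\x00"   # OUI 0x00-00-00: the PID field carries an EtherType
OUI_8021 = b"\x00\x80\xc2"     # OUI 0x00-80-C2: bridged PDU
PID_ETH_NOFCS = 0x0007         # bridged Ethernet/802.3, FCS not present
PID_ETH_FCS = 0x0001           # bridged Ethernet/802.3, FCS present
LLC_PPP = b"\xfe\xfe\x03\xcf"  # RFC 2364: LLC 0xFE-FE-03 followed by NLPID 0xCF
ETHERTYPE_IPV4 = 0x0800
PPP_PROTO_IPV4 = 0x0021


def encap_routed(ip_datagram):
    """IP over ATM (routed PDU): LLC/SNAP header with an EtherType, then the datagram."""
    return LLC_SNAP + OUI_ROUTED + struct.pack("!H", ETHERTYPE_IPV4) + ip_datagram


def encap_bridged(dst_mac, src_mac, ethertype, payload, fcs=b""):
    """Bridged Ethernet: LLC/SNAP, 802.1 OUI, PID, two pad bytes, then the whole frame."""
    pid = PID_ETH_FCS if fcs else PID_ETH_NOFCS
    frame = dst_mac + src_mac + struct.pack("!H", ethertype) + payload + fcs
    return LLC_SNAP + OUI_8021 + struct.pack("!H", pid) + b"\x00\x00" + frame


def encap_ppp(protocol, payload):
    """PPP over ATM (LLC encapsulation): LLC/NLPID header, PPP protocol field, payload."""
    return LLC_PPP + struct.pack("!H", protocol) + payload


def classify(aal5_payload):
    """Return (kind, ip_datagram) for a reassembled AAL5 payload. ip_datagram is
    None when the PDU is recognised but does not carry IPv4."""
    p = aal5_payload
    if p.startswith(LLC_PPP) and len(p) >= 6:
        (proto,) = struct.unpack("!H", p[4:6])
        return "ppp", (p[6:] if proto == PPP_PROTO_IPV4 else None)
    if p.startswith(LLC_SNAP + OUI_ROUTED) and len(p) >= 8:
        (etype,) = struct.unpack("!H", p[6:8])
        return "routed", (p[8:] if etype == ETHERTYPE_IPV4 else None)
    if p.startswith(LLC_SNAP + OUI_8021) and len(p) >= 8:
        (pid,) = struct.unpack("!H", p[6:8])
        if pid not in (PID_ETH_NOFCS, PID_ETH_FCS):
            return "bridged", None
        frame = p[10:]                  # skip the PID and the two pad bytes
        if pid == PID_ETH_FCS:
            frame = frame[:-4]          # drop the trailing FCS
        if len(frame) < 14:
            return "bridged", None      # too short to hold an Ethernet header
        (etype,) = struct.unpack("!H", frame[12:14])
        return "bridged", (frame[14:] if etype == ETHERTYPE_IPV4 else None)
    return "unknown", None


def receive(aal5_payload, expected):
    """Model a PVC configured for one encapsulation (the course's
    'encapsulation aal5snap' versus 'encapsulation bridge1483'): return
    (accepted, ip_datagram). A PDU of another kind is not decoded, which on the
    router shows up as errors on the PVC rather than forwarded traffic."""
    kind, ip = classify(aal5_payload)
    return (kind == expected), (ip if kind == expected else None)


# Constructed sample: a minimal IPv4 header, 1.1.1.2 -> 2.2.2.2 as on the slides
# (header checksum left at zero); MACs A and B are locally administered placeholders.
SAMPLE_IP = bytes.fromhex("4500001400010000400100000101010202020202")
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")

if __name__ == "__main__":
    routed = encap_routed(SAMPLE_IP)
    bridged = encap_bridged(MAC_B, MAC_A, ETHERTYPE_IPV4, SAMPLE_IP)
    print("routed PDU :", routed.hex())
    print("bridged PDU:", bridged.hex())
    print("ppp PDU    :", encap_ppp(PPP_PROTO_IPV4, SAMPLE_IP).hex())
    # A bridge attached to a PVC still configured for routed encapsulation:
    print("bridged frame on aal5snap PVC  :", receive(bridged, "routed"))
    print("bridged frame on bridge1483 PVC:", receive(bridged, "bridged")[0])
```

The first bytes printed for each PDU are the discriminators the router keys on; a PVC whose configured encapsulation does not match what arrives decodes nothing, which is why the Think in Layers checklist asks for the encapsulation at each end of the PVC whenever the PVC error counters are climbing.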
DHCP relay agent configuration:
– Relay agent configured per virtual router
– Up to 5 DHCP servers
– Relay agent and DHCP local server are mutually exclusive
– Router does not manage or monitor DHCP leases
– DHCP-installed host routes are preserved after reboot
erx7(config)#set dhcp relay 1.1.1.1
erx7(config)#set dhcp relay 2.2.2.2
erx7(config)#set dhcp relay agent
[Figure: DHCP relay agent and DHCP relay proxy. A DSL bridge client at 182.10.1.14 has its DHCP messages relayed by the E-series router to the DHCP server at 2.2.2.2.]
Review Questions
1. How does a bridged Ethernet environment differ from an IP-
over-ATM environment?
2. How would you describe the basic packet flow from PC to
Internet in a bridged Ethernet environment?
3. Compare and contrast static IP address assignment and
dynamic IP address assignment using DHCP?
4. What are some of the E-series routing configuration options
in a bridged Ethernet environment?
5. What is the difference between DHCP relay agent and DHCP
relay proxy?
Lab Objectives:
Configure a bridged Ethernet interface
and static routes.
Module Objectives
[Figure: narrowband remote access. Dial-up users tyler@isp1.com and paul@isp2.com connect by modem to a remote access server (RAS); each PPP session is authenticated against the user's ISP RADIUS server (ISP1, ISP2).]
[Figure: IP over ATM versus PPP over ATM. Customer DSL routers connect through the DSLAM and ATM switch to the DSL concentrator (E-series router), RADIUS and DHCP, and on to the Internet; on the PPP-over-ATM PVC the PPP session is terminated on the E-series router.]
[Figure: PPP-over-ATM connection types. A private network behind a DSL router (home1@isp1.com), a router with PPPoA support, and a single PC with a DSL modem, each authenticated against the ISP's RADIUS server (ISP2 shown).]
The second connection type is a small business or residence using a DSL router with an integrated
DSL/ATM interface and an Ethernet interface. In this setup, the PPP login information is configured on
the router. This router might provide NAT services to devices within the customer's network. The router
receives frames from the customer's PCs, performs any necessary address translation, and
encapsulates the IP datagrams in a PPP frame. This is the most common PPP-over-ATM connection
method.
The third type is a single user or PC connecting to a DSL modem supporting PPP over ATM. This
user's workstation typically connects to the modem using either a USB or PCI interface, and the
workstation runs PPP client software. The user's IP traffic is encapsulated in a PPP frame and sent to
the DSL modem, which forwards it along to the DSLAM.
With all three methods, the user's IP datagrams are first encapsulated into a PPP frame. Next, the PPP
frame is fragmented into 53-byte ATM cells and sent over the appropriate ATM interface. These cells
are then transmitted across the POTS connection, to the DSLAM, across the ATM switch (if
necessary), and are received by the E-series router.
From the router's perspective, all approaches are equivalent in that the ATM cells received have an
RFC 2364 header indicating PPP, then the PPP frame, and finally the IP datagram. The router
reassembles the PPP frame and routes the packet out the appropriate interface.
From this point on, we focus our attention on the PPP side of the connection, remembering that this
PPP session is carried in an ATM PVC.
[Figure: encapsulation at each hop of the PPP-over-ATM packet walk. The destination is DA IP=2.2.2.2 throughout; the source is SA IP=192.168.1.10 on the customer LAN and SA IP=1.1.1.2 after NAT on the DSL router.]
  PC to DSL router (Ethernet):             DA MAC=B, SA MAC=A, EtherType=0x0800; SA IP=192.168.1.10
  DSL router to E-series (ATM VPI/VCI=0/33, RFC 2364): NLPID=0xCF, PPP header; SA IP=1.1.1.2
  E-series to next-hop router (Ethernet):  DA MAC=D, SA MAC=C, EtherType=0x0800; SA IP=1.1.1.2
  Next-hop router onward (Ethernet):       DA MAC=F, SA MAC=E, EtherType=0x0800; SA IP=1.1.1.2
Life of a Packet
In this PPP-over-ATM environment, a PPP-over-ATM-capable DSL router is installed at the customer's
location. This router is providing NAT services to the workstations on the LAN. The router is connected
over a phone line to a DSLAM, which is in turn connected using ATM to the router. An ATM PVC is
provisioned from the router to the customer's DSL router. The user's PCs in this network do not have
any extra software installed. If a user at the customer's location wants access to the Internet, the basic
packet flow is as follows:
• The user's PC generates an IP packet that is forwarded to the DSL router.
• The DSL router NATs the packet and encapsulates the IP packet in a PPP frame. It then
segments the frame into ATM cells and adds an ATM RFC 2364 header indicating that the
cell contains a PPP frame.
• The cells are then transmitted across the PVC to the E-series router.
• The router receives the cells and reassembles the PPP frame. Then the router strips the
PPP frame, looks at the destination IP address, and determines the next-hop interface.
• The router encapsulates the IP datagram in the appropriate Layer 2 frame and transmits the
data onto the Internet.
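The segmentation and reassembly described in the packet walk above, as an added example in Python that is not part of the course material or JUNOSe code: the DSL-router side prepends the RFC 2364 LLC/NLPID header (0xFE-FE-03, NLPID 0xCF) to the PPP frame and cuts the AAL5 PDU into 53-byte cells on VPI/VCI 0/33, and the E-series side reassembles the cells, checks the AAL5 trailer, confirms the header says PPP and returns the PPP frame. The sample PPP frame is constructed, and using zlib's plain CRC-32 for the AAL5 trailer is an assumption for illustration (the on-the-wire bit ordering of the AAL5 CRC is not modelled).

```python
import struct
import zlib
from typing import List, Optional

# PVC identifiers from the slide; everything else here is constructed for illustration.
VPI, VCI = 0, 33
CELL_PAYLOAD = 48            # 53-byte cell = 5-byte header + 48-byte payload

# RFC 2364 LLC-encapsulated PPP: LLC 0xFE-FE-03 followed by NLPID 0xCF (the "RFC 2364 header").
RFC2364_LLC_HEADER = b"\xfe\xfe\x03\xcf"


def _hec(header4: bytes) -> int:
    """ATM HEC: CRC-8 (x^8 + x^2 + x + 1) over the first four header bytes, XOR 0x55."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def atm_header(vpi: int, vci: int, last: bool) -> bytes:
    """UNI cell header GFC(4) VPI(8) VCI(16) PTI(3) CLP(1) HEC(8); PTI bit 0 marks the
    last cell of an AAL5 PDU, which is how the receiver knows where to reassemble."""
    word = (vpi << 20) | (vci << 4) | ((1 if last else 0) << 1)
    first4 = struct.pack("!I", word)
    return first4 + bytes([_hec(first4)])


def aal5_segment(payload: bytes) -> List[bytes]:
    """AAL5 CPCS-PDU = payload + pad + 8-byte trailer (CPCS-UU, CPI, length, CRC-32),
    padded so the PDU is a whole number of 48-byte cell payloads, then cut into cells."""
    pad = (-(len(payload) + 8)) % CELL_PAYLOAD
    body = payload + b"\x00" * pad + struct.pack("!BBH", 0, 0, len(payload))
    crc = zlib.crc32(body) & 0xFFFFFFFF      # assumption: plain CRC-32, wire bit order not modelled
    pdu = body + struct.pack("!I", crc)
    chunks = [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]
    return [atm_header(VPI, VCI, i == len(chunks) - 1) + c for i, c in enumerate(chunks)]


def aal5_reassemble(cells: List[bytes]) -> Optional[bytes]:
    """Collect cell payloads up to the end-of-PDU cell, then check the trailer. Returns the
    original payload, or None when the PDU is incomplete or fails the CRC (receiver discards it)."""
    pdu = b""
    for cell in cells:
        if len(cell) != 53 or _hec(cell[:4]) != cell[4]:
            return None
        pdu += cell[5:]
        if (struct.unpack("!I", cell[:4])[0] >> 1) & 1:    # PTI bit 0 set: last cell
            break
    else:
        return None                                         # ran out of cells before the end
    if len(pdu) < 8:
        return None
    length = struct.unpack("!H", pdu[-6:-4])[0]
    crc = struct.unpack("!I", pdu[-4:])[0]
    if length > len(pdu) - 8 or (zlib.crc32(pdu[:-4]) & 0xFFFFFFFF) != crc:
        return None
    return pdu[:length]


def pppoa_send(ppp_frame: bytes) -> List[bytes]:
    """DSL router side: prepend the RFC 2364 header and segment the PPP frame into cells."""
    return aal5_segment(RFC2364_LLC_HEADER + ppp_frame)


def pppoa_receive(cells: List[bytes]) -> Optional[bytes]:
    """E-series side: reassemble, confirm the header says PPP, and return the PPP frame."""
    pdu = aal5_reassemble(cells)
    if pdu is None or not pdu.startswith(RFC2364_LLC_HEADER):
        return None
    return pdu[len(RFC2364_LLC_HEADER):]


# Constructed sample: PPP protocol 0x0021 (IPv4) followed by a stand-in 60-byte datagram.
SAMPLE_PPP_FRAME = b"\x00\x21" + bytes(range(60))
```

A 62-byte PPP frame plus the 4-byte RFC 2364 header and the 8-byte trailer needs 96 bytes of cell payload, so it travels as two cells; a single lost cell or one flipped payload byte makes the receiver drop the whole PDU rather than deliver a damaged PPP frame.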
[Figure: two customers (gary@isp1.com and rich@isp1.com) behind DSL modems connect to the E-series router over unnumbered IP interfaces that reference loopback 0 (192.168.100.1/32); host routes 182.16.3.3 and 182.16.3.4 lead on to the Internet.]
Typical IP configuration:
– Workstation obtains IP address dynamically
– Router uses unnumbered IP interfaces
– Router dynamically installs workstation's host routes into routing table
– Router advertises appropriate networks using network statements or route redistribution techniques
[Figure: E-series router with ISP1 in the default virtual router and ISP2 in VR2, each with its own RADIUS server, and an AAA process in between; Tyler@isp1.com and Paul@isp2.com connect through DSL modems. Step 2: PPP LCP request, CHAP.]
Session initiation:
– User initiates PPP connection using LCP
– PPP client and E-series router agree on PPP authentication protocol (CHAP or PAP)
Session Initiation
Let's take a look at the details of the configuration as well as how a user's session is established using
this configuration.
The E-series router shown on the slide is configured for two virtual routers. ISP1 is using the default
virtual router, and ISP2 is using the virtual router VR2.
Tyler@isp1.com (the PPP client) initiates a network connection using PPP Link Control Protocol (LCP)
to the E-series router. LCP negotiation occurs. Some of the LCP options that the router can negotiate
include the MRU, magic number (for loopback detection), and authentication protocol—Password
Authentication Protocol (PAP) or the Challenge-Handshake Authentication Protocol (CHAP).
[Figure: same topology; Tyler@isp1.com's login is parsed for its domain, which selects the virtual router (default for isp1.com, VR2 for isp2.com) whose RADIUS server receives the request.]
Determine authentication server:
– User sends login: Tyler@isp1.com
– Router examines login for domain name "@isp1.com"
– Router searches the domain map for user's domain name
– Domain/realm, delimiter, and parsing order are configurable
Copyright © 2007, Juniper Networks, Inc.
If no domain is in Tyler's login, the router first searches the domain map for an entry mapping the
domain called none to a specific virtual router. If the router finds a match, it sends the request to the
RADIUS server in the specified virtual router. If it finds no match, the router next searches for the
domain called default. If it finds no match, the request is sent to the RADIUS server configured in the
default virtual router.
The router is able to use a delimiter other than the at (@) sign. The router is also able to use the realm
name as the domain name, use delimiters other than the forward slash (/) to designate the realm name,
and use either the domain or the realm as the domain name when the username contains both. You
can also change the direction in which the router searches for the domain name or the realm name.
[Figure: RADIUS authentication. The router sends an Access Request for Tyler@isp1.com to the RADIUS server of the default virtual router (RADIUS=1.1.1.1, UDP=1645, key=training) and receives an Access Accept with IP=192.168.1.10. VR2 uses RADIUS=2.2.2.1, UDP=1645, key=training for Paul@isp2.com.]
RADIUS Timers
[Figure: the same exchange, used to illustrate the RADIUS request timers.]
[Figure: source address of the RADIUS exchange. Default virtual router: Router ID=172.10.1.1, loopback 0=192.168.100.1; the Access Request carries DA=1.1.1.1, SA=192.168.100.1, and the Access Accept DA=192.168.100.1, SA=1.1.1.1. VR2: Router ID=10.1.1.1, loopback 0=172.16.100.1, RADIUS=2.2.2.1.]
[Figure: multiple RADIUS servers per virtual router. Default virtual router: RADIUS=1.1.1.1, 1.1.1.2, 1.1.1.3. VR2: RADIUS=2.2.2.1, 2.2.2.2.]
Two algorithms:
– Direct mode
– Round robin
IP Address Assignment
AAA Domain Map:
Domain    Router Name   Local Interface
isp1.com  default       loopback0
isp2.com  VR2
[Figure: the RADIUS server of the default virtual router (RADIUS=1.1.1.1, UDP=1645, key=training) returns an Access Accept for Tyler@isp1.com carrying 192.168.1.10; a DHCP server at 1.1.2.1 is shown as an alternative address source. VR2: RADIUS=2.2.2.1, UDP=1645, key=training.]
IP Address Assignment
The user can obtain an IP address in three different ways. The RADIUS server can provide an IP
address, the router can provide an address from an address pool configured on the router, or the router
can obtain an address via a DHCP server.
On the slide, the RADIUS server returned an IP address from a pool configured on the RADIUS server.
This IP address will be assigned to Tyler's PC during the IP NCP negotiation process.
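The Access Request/Access Accept exchange on the slide, as an added example in Python that is not course material or JUNOSe code: the router hides the PAP password with the shared key (RFC 2865 section 5.2), the server answers with a Framed-IP-Address, and the router accepts the answer only if the Response Authenticator verifies under the same key, which is what stops an unauthenticated host from injecting an Accept. The key training, the server 1.1.1.1:1645, the router loopback 192.168.100.1 and the assigned address 192.168.1.10 are from the slide; the subscriber password and the in-process server are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Dict, List, Optional, Tuple

# Values from the slide: shared key "training", server 1.1.1.1 port 1645.
RADIUS_SECRET = b"training"
RADIUS_SERVER = ("1.1.1.1", 1645)

# RFC 2865 packet codes and attribute types.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8

# Constructed subscriber database for the simulated server (the password is invented).
USERS = {"Tyler@isp1.com": ("tyler-secret", "192.168.1.10")}


def _xor_chain(data: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(RADIUS_SECRET + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password: bytes, request_auth: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, request_auth, decrypt=False)


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, username: str, password: str,
                         nas_ip: str, request_auth: bytes) -> bytes:
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), request_auth)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + RADIUS_SECRET).digest()
    return header + resp_auth + attrs


def verify_response(pkt: bytes, request_auth: bytes) -> bool:
    """Router-side check: only a holder of the shared key can produce a valid Response Authenticator."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + RADIUS_SECRET).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def server_handle(req: bytes) -> bytes:
    """Simulated RADIUS server: unhide the password, look the user up, answer Accept or Reject."""
    code, ident, _ = struct.unpack("!BBH", req[:4])
    request_auth, attrs = req[4:20], decode_attrs(req[20:])
    user = attrs.get(USER_NAME, b"").decode()
    pw = _xor_chain(attrs.get(USER_PASSWORD, b""), request_auth, decrypt=True).rstrip(b"\x00")
    if code == ACCESS_REQUEST and user in USERS and hmac.compare_digest(pw, USERS[user][0].encode()):
        body = encode_attrs([(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(USERS[user][1]).packed)])
        return build_response(ACCESS_ACCEPT, ident, request_auth, body)
    return build_response(ACCESS_REJECT, ident, request_auth, b"")


def router_login(username: str, password: str, nas_ip: str = "192.168.100.1") -> Optional[str]:
    """B-RAS side of the exchange: returns the Framed-IP-Address on Accept, None on Reject."""
    request_auth = os.urandom(16)
    resp = server_handle(build_access_request(7, username, password, nas_ip, request_auth))
    if not verify_response(resp, request_auth):
        raise ValueError("Response Authenticator mismatch: reply was not produced with the shared key")
    if resp[0] != ACCESS_ACCEPT:
        return None
    return str(ipaddress.IPv4Address(decode_attrs(resp[20:])[FRAMED_IP_ADDRESS]))
```

The Request Authenticator must be fresh and unpredictable for every request: it is both the IV for password hiding and the value the Response Authenticator is bound to, so a reused value lets a captured Accept be replayed against a later request with the same identifier.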
[Figure: the Access Accept for Tyler@isp1.com returns 255.255.255.254, which tells the router to assign the address from a pool configured on the router; alternatively the router obtains the address from the DHCP server at 1.1.2.1. Default virtual router: RADIUS=1.1.1.1, UDP=1645, key=training. VR2: RADIUS=2.2.2.1, UDP=1645, key=training, loopback 0 = 172.16.100.1/32.]
Determining the virtual router:
– Statically configured unnumbered interfaces reference a loopback
– Loopback interfaces configured per virtual router
– Dynamically created IP interfaces built when the user logs in
– Which virtual router and loopback interface should be used?
  Domain map
  RADIUS vendor-specific attribute
  Profile
AAA Domain Map:
Domain    Router Name   Local Interface
isp1.com  default       loopback0
isp2.com  VR2
[Figure: IP NCP (IPCP) exchange between Tyler@isp1.com and the default virtual router (loopback 0 = 192.168.100.1/32) after the Access Accept returns IP=192.168.1.10. Router: IPConf Req 192.168.100.1. Client: IPConf Req 0.0.0.0. Router: IPConf Nak 192.168.1.10. Client: IPConf Ack 192.168.100.1, then IPConf Req 192.168.1.10. Router: IPConf Ack 192.168.1.10. VR2: loopback 0 = 172.16.100.1/32, RADIUS=2.2.2.1.]
IP NCP Negotiation
Now the router knows the IP address of the user (either from RADIUS, a local address pool, or DHCP),
the virtual router this IP interface will use, and the appropriate IP address to use during IP NCP
negotiation. The router and the user now perform standard IP NCP negotiations.
On the slide, isp1.com is listed in the domain map. Therefore, all dynamic IP interfaces for isp1.com
are created in the router specified in the domain map. In this example, Tyler's IP interface is created in
the default virtual router. In addition, the router uses 192.168.100.1, which is the loopback interface
specified in the domain map, during IP NCP negotiations.
If no entry exists in the domain map for isp1.com, the router determines if the RADIUS server returned
the Juniper-Virtual-Router VSA and the Local-Interface VSA, configuration information needed for IP
interface creation and negotiation. If RADIUS did not return this information, the router determines if
this information is listed in the profile specified for this interface. If the virtual router and/or loopback
interface information is not specified in one of these three places, the IP interface is not created.
If the ip access-routes configuration command is included with the IP interface definition, either
statically defined or in a profile, the router installs the user's IP host route into the appropriate virtual
router's routing table. In this case, Tyler's IP address, which is 192.168.1.10, is installed in the default
router's IP routing table as a 32-bit host route.
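Both lookups described in this section, the domain-map search for the login's domain and the three-place resolution of the virtual router and loopback for the dynamic IP interface, as an added example in Python that is not JUNOSe code: the login is split according to the configurable delimiters and parsing direction, the RADIUS request is steered to the matching virtual router with the none/default fallbacks from the text, and the IP interface is placed using the domain map, then the Juniper-Virtual-Router and Local-Interface VSAs, then the profile. The none entry, the VSA names used as dictionary keys, and the per-value fallback between the three sources are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Domain map from the slide: domain -> (virtual router, local interface).
# The "none" entry is constructed to show the lookup for logins without a domain.
DOMAIN_MAP: Dict[str, Tuple[str, Optional[str]]] = {
    "isp1.com": ("default", "loopback0"),
    "isp2.com": ("VR2", None),
    "none": ("default", None),
}


@dataclass(frozen=True)
class LoginParser:
    """The knobs the text describes: domain and realm delimiters, which one wins when a
    login carries both, and whether the domain delimiter is searched from the end or start."""
    domain_delimiter: str = "@"
    realm_delimiter: str = "/"
    prefer: str = "domain"          # "domain" or "realm"
    search_from_end: bool = True

    def parse(self, login: str) -> Tuple[str, Optional[str]]:
        """Return (user, name to look up in the domain map). Form handled: [realm/]user[@domain]."""
        user, domain, realm = login, None, None
        if self.domain_delimiter in user:
            if self.search_from_end:
                user, domain = user.rsplit(self.domain_delimiter, 1)
            else:
                user, domain = user.split(self.domain_delimiter, 1)
        if self.realm_delimiter in user:
            realm, user = user.split(self.realm_delimiter, 1)
        if domain and realm:
            return user, (domain if self.prefer == "domain" else realm)
        return user, (domain or realm)


def select_virtual_router(domain: Optional[str], domain_map=DOMAIN_MAP) -> str:
    """Which virtual router's RADIUS server receives the Access Request. Search order from
    the text: the login's domain (or "none" when it has none), then "default", then the
    default virtual router itself."""
    key = domain.lower() if domain else "none"
    for candidate in (key, "default"):
        if candidate in domain_map:
            return domain_map[candidate][0]
    return "default"


def resolve_ip_interface(domain: Optional[str], radius_vsas: Dict[str, str],
                         profile: Dict[str, str], domain_map=DOMAIN_MAP) -> Optional[Tuple[str, str]]:
    """Where the dynamic IP interface lives and which loopback it borrows: domain map first,
    then the Juniper-Virtual-Router / Local-Interface VSAs, then the profile. Assumption: each
    value falls back independently. None means the IP interface is not created."""
    vr = loopback = None
    if domain and domain.lower() in domain_map:
        vr, loopback = domain_map[domain.lower()]
    vr = vr or radius_vsas.get("Juniper-Virtual-Router") or profile.get("ip virtual-router")
    loopback = loopback or radius_vsas.get("Local-Interface") or profile.get("ip unnumbered")
    if not vr or not loopback:
        return None
    return vr, loopback


def build_session(login: str, radius_vsas: Dict[str, str], profile: Dict[str, str],
                  parser: LoginParser = LoginParser()) -> Optional[dict]:
    """Tie the steps together: parse the login, pick the VR for RADIUS, place the interface,
    and record the /32 host route that "ip access-routes" installs in that VR's table."""
    user, domain = parser.parse(login)
    radius_vr = select_virtual_router(domain)
    placement = resolve_ip_interface(domain, radius_vsas, profile)
    if placement is None:
        return None
    vr, loopback = placement
    ip = radius_vsas.get("Framed-IP-Address")
    host_route = (vr, f"{ip}/32") if ip and profile.get("ip access-routes") else None
    return {"user": user, "radius_vr": radius_vr, "vr": vr, "loopback": loopback,
            "host_route": host_route}
```

Note that the domain string is the only input a subscriber controls that influences which virtual router (and therefore which RADIUS server and routing table) handles the session, so the parser's delimiter and direction settings deserve the same review as the domain map itself.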
[Figure: DNS/WINS server 1.1.1.11 reachable from the default virtual router; VR2 uses RADIUS=2.2.2.1.]
RADIUS Accounting
[Figure: accounting records for Tyler@isp1.com go to RADIUS=1.1.1.1 in the default virtual router on UDP=1646 with key=training; VR2 has its own accounting server.]
B-RAS Licensing
Each E-series router requires:
– JUNOSe software version
– Subscriber access license to use
– B-RAS subscriber license for each IP-over-ATM session
4k, 8k, 16k, 32k, or 48k simultaneous active IP, LAC, and bridged interfaces
License configuration:
erx7(config)#license b-ras DeMo
NOTICE: The Subscriber Management Feature Pack
software installed on this system is licensed to
support a specific number of simultaneous DSL users.
Configuration or operational support for more
concurrent users than what has been purchased is in
direct violation of the product license agreement.
Proceed with 'license b-ras' command? [confirm]
license for 100 subscribers configured.
erx7(config)#
B-RAS Licensing
In a B-RAS configuration, each E-series router requires a JUNOSe software license as well as a
Subscriber Access software license-to-use (LTU). Each router must also have a B-RAS subscriber
license for each active IP, LAC, and bridged interface. Subscriber licenses come in chunks of 4 k, 8 k,
16 k, 32 k, 48 k (ERX-1440 or E32 platforms), 64 k (E320 platform), or 96k (E320 platform) active
subscribers. The license activation key is shipped with the router. The router provides a grace of 100
subscribers for 4 k, 8 k, and 16 k subscribers. The router does not provide a 100 subscriber grace
license for the 32 k, 48 k, 64 k, or the 96 k licenses. If a 4 k license is configured, the router generates
a warning log message, and the next 100 users are permitted to log in. In this example, the router
denies the 4101st user.
If no license is configured, the router generates a log message when the 100th subscriber logs in. The
101st active subscriber will be denied access.
In this example, a demo license is configured. The demo license allows 100 active subscribers. This
license allows 100 active subscribers plus a 100-subscriber grace. A log message is generated with
the 100th active subscriber and the 201st active subscriber will be denied.
Using the current JUNOSe software, a few cases might exist where the licensing enforcement and log
messages are not in line with the licensing scheme. Future software releases will fix these
inconsistencies.
Remember that all Layer 1 and Layer 2 information (OCx/STMx, ATM major interfaces and subinterfaces,
and PPP interfaces) is global in nature, or independent of the virtual router configuration. The only
part of the protocol stack or interface column that is specific to a virtual router is the IP interface.
A profile defines properties or common configuration parameters of an IP interface, such as the
assignment of the IP interface to a specific virtual router, the loopback interface to reference for
unnumbered interfaces, or the option to cache the host route in the routing table. You create a profile
once globally on the router and then apply it to as many interfaces as you want.
All examples in this module use dynamically created IP interfaces.
[Figure: troubleshooting summary. Tyler@isp1.com in the default virtual router (RADIUS=1.1.1.1, UDP=1645, key=training) and ISP2 in VR2 (RADIUS=2.2.2.1, UDP=1645, key=training) are checked layer by layer, starting with the physical link.]
Think in Layers!
The slide shows a summary of the show commands used at each layer to troubleshoot a PPP-over-
ATM configuration.
Logging Overview
Logging system events:
– System events are classified into categories: pppPacket, aaaUserAccess, cliCommand, l2tp, radiusAttributes, radiusSendAttributes, snmp
– System events have an assigned severity level: Emergency 0, Alert 1, Critical 2, Error 3, Warning 4, Notice 5, Info 6, Debug 7
– System events have different verbosity levels: low, medium, and high
– Use filters to limit and control the amount of logging
[Figure: log destinations: console, Telnet session, syslog.]
Configuring Syslog
Configuring syslog:
– Send only cliCommand log messages to syslog facility ID 2 on syslog server 10.13.7.56:
erx7(config)#log dest syslog 10.13.7.56 facility 2
erx7(config)#log dest syslog 10.13.7.56 include cliCommand
– Send all log messages with a severity of warning or higher to syslog facility 6 on 10.13.7.60:
erx7(config)#log dest syslog 10.13.7.60 facili 6 sev warning
– Send all log messages with a severity of warning or higher to syslog facility 5 on 10.13.7.70 except ipRoutePolicy, cliGeneral, ipInterface:
erx7(config)#log dest syslog 10.13.7.70 facil 5 sev warning
erx7(config)#log dest syslog 10.13.7.70 exclude ipRoutePolicy cliGeneral ipInterface
Configuring Syslog
This slide shows several syslog configuration examples. The first example shows a way to steer only
cliCommand log messages to a specific syslog server. You might use this log file as an audit trail of
any CLI command executed on the router. The keyword include provides a way to limit the amount and
type of log messages sent to syslog servers.
The second example shows a way to send all WARNING, ERROR, CRITICAL, ALERT, and
EMERGENCY log messages to a specific facility on the syslog server, 10.13.7.60. This example sends
all log messages regardless of category and limits the amount based on severity level.
The last example sends all log messages with a severity of WARNING or higher to a syslog server
except for the categories ipRoutePolicy, cliGeneral, and ipInterface. This example might send many
more log messages to this server than actually required, so it is wise to review the type and
amount of log messages sent to the syslog server. To tighten it, you would configure a new exclude list
containing all categories to exclude, including the ones that were previously excluded, because the
new list replaces the earlier one.
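The three destinations from the slide applied to constructed log events, as an added example in Python that is not JUNOSe code: each destination carries its severity threshold, optional include list and exclude list, events are routed to every destination whose filter accepts them, and a replacement exclude list shows why the text says to restate every category you still want suppressed. Assumptions: a destination configured without a severity keyword forwards everything down to info, the sample events are invented, and the PRI value is the standard syslog facility*8+severity.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# JUNOSe severity levels from the slide (lower number = more severe).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass
class SyslogDest:
    """One 'log dest syslog' target. Assumption: with no severity keyword the
    destination forwards everything down to info."""
    server: str
    facility: int
    severity: str = "info"
    include: Optional[Set[str]] = None          # only these categories; None means all
    exclude: Set[str] = field(default_factory=set)

    def accepts(self, category: str, severity: str) -> bool:
        if SEVERITY[severity] > SEVERITY[self.severity]:
            return False                        # less severe than the threshold
        if self.include is not None and category not in self.include:
            return False
        return category not in self.exclude

    def set_exclude(self, categories: Set[str]) -> None:
        """A new exclude list replaces the old one entirely, as the text warns, so the
        caller must pass every category it still wants suppressed."""
        self.exclude = set(categories)


def priority(facility: int, severity: str) -> int:
    """Syslog PRI value as sent on the wire: facility * 8 + severity."""
    return facility * 8 + SEVERITY[severity]


# The three destinations configured on the slide.
DESTINATIONS: Dict[str, SyslogDest] = {
    "10.13.7.56": SyslogDest("10.13.7.56", facility=2, include={"cliCommand"}),
    "10.13.7.60": SyslogDest("10.13.7.60", facility=6, severity="warning"),
    "10.13.7.70": SyslogDest("10.13.7.70", facility=5, severity="warning",
                             exclude={"ipRoutePolicy", "cliGeneral", "ipInterface"}),
}

# Constructed sample events (category, severity, message); not router output.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("cliCommand", "info", "user tyler: configure terminal"),
    ("cliCommand", "info", "user tyler: no log dest syslog 10.13.7.56"),
    ("ipInterface", "warning", "interface atm 6/1.45 state change to down"),
    ("aaaUserAccess", "error", "Tyler@isp1.com: authentication failed"),
    ("ipRoutePolicy", "warning", "route-map changed"),
    ("pppPacket", "debug", "LCP ConfReq sent"),
]


def route_events(events, destinations=DESTINATIONS) -> Dict[str, List[str]]:
    """Return, per server, the formatted lines that would be forwarded to it."""
    out: Dict[str, List[str]] = {name: [] for name in destinations}
    for category, severity, msg in events:
        for name, dest in destinations.items():
            if dest.accepts(category, severity):
                out[name].append(f"<{priority(dest.facility, severity)}> {category} {severity.upper()}: {msg}")
    return out
```

The second cliCommand event is the reason the audit-trail destination is worth keeping separate: a command that removes the audit destination is itself logged there before it takes effect, which is the record an investigator needs.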
Module Review
1. What are the benefits of using PPP over ATM?
2. What are the differences between the IP addressing options
in a PPP-over-ATM environment?
3. How would you describe the basic life of a packet in a
PPP-over-ATM environment?
4. What are the three different ways a PC can obtain its IP
address dynamically in a PPP-over-ATM environment?
5. What is the purpose of the domain map?
6. How would you describe the function and use of profiles?
7. How do you configure the E-series router for PPP over
ATM?
8. How do you verify PPP-over-ATM operation using show
commands and logging?
9. What are the E-series router’s logging capabilities?
Lab Objectives:
Configure and troubleshoot
PPP-over-ATM interfaces on the E-series router.
E-series B-RAS Configuration
Module Objectives
After successfully completing this module, you will be able
to:
– List the benefits of using PPP over Ethernet
– Describe the two stages of PPP over Ethernet
– Describe the basic life of a packet for PPP over Ethernet
– Configure the E-series router for PPP over Ethernet
– Verify PPP-over-Ethernet operation using show commands and
logging
[Figure: PPPoE (RFC 2516) topology. Subscribers tyler@isp1.com, diane@isp1.com, tim@isp1.com, paul@isp2.com, ralph@isp2.com and ken@isp2.com sit behind DSL modems; the DSLAM and ATM switch carry the PPP sessions to the RAS, which hands them to ISP1 or ISP2, each with its own RADIUS server. The client (MAC=A) sends frames with DA MAC=X, SA MAC=A, EtherType=0x8864 carrying DA IP=2.2.2.2, SA IP=1.1.1.2.]
RFC 2516:
– General frame format
– PC requirements
– Two stages of PPPoE:
  Discovery stage
  PPP session stage
RFC 2516
When the user PC transmits IP data, the PC creates an IP datagram, encapsulates the IP datagram in
PPP and PPPoE, and finally inserts this data into an Ethernet frame addressed to the E-series router—
hence, the name PPP over Ethernet.
To transmit data using PPPoE, the user's PC requires special PPPoE software that installs a shim
between the existing dial-up networking PPP stack and the Ethernet driver, which enables PPP
sessions to be carried directly in standard Ethernet frames. Although the PC uses PPPoE, the actual
user experience mirrors dial-up networking—a familiar experience to most current remote access
users.
Because the PPP frames are encapsulated in Ethernet frames, multiple users can share the same
DSL line.
PPPoE has two distinct stages:
• Discovery stage: When a PC initiates a PPPoE session, it performs the discovery stage to
determine which B-RAS to use, the Ethernet MAC address of the B-RAS, and a unique
session ID. This discovery stage is a client-server relationship, where the PC is the client
and the E-series router is the PPPoE server.
• PPP session stage: Once the PC determines which B-RAS to use, the B-RAS MAC address, and the
session ID, the connection transitions into a peer-to-peer relationship and initiates a standard PPP
session using LCP.
[Figure: PPPoE discovery and session stages between the client (MAC=A, diane@isp1.com and tim@isp1.com at ISP1) and the B-RAS (MAC=X). Client to B-RAS: DA=X, SA=A, Type=PPP, PPPoE SessionID=1234, PPP LCP. B-RAS to client: DA=A, SA=X, Type=PPP, PPPoE SessionID=1234, PPP LCP.]
[Figure: header stack at each hop. PC to DSL bridge: EtherType=0x8864, DA MAC=B, SA MAC=A, PPPoE header with SessionID=0x123, PPP header, DA IP=2.2.2.2, SA IP=1.1.1.2. DSL bridge to E-series router: ATM VPI/VCI=0/33, RFC 2684 bridged Ethernet header (LLC=0xAA-AA-03, OUI=0x00-80-C2, PID=0x00-07), then the same Ethernet frame. E-series router onward: EtherType=0x0800, DA MAC=D/SA MAC=C, then DA MAC=F/SA MAC=E.]
Life of a Packet
In the PPP-over-Ethernet environment using ATM as the Layer 2 connection method, a DSL-capable
bridge or modem is installed at the customer's location. The bridge is connected over a phone line to a
DSLAM, which is in turn connected using ATM to the E-series router. An ATM PVC is provisioned from
the E-series router to the customer's CPE device. Each PC has PPP-over-Ethernet client software
installed. If a user at the customer's location wants access to the Internet, the basic packet flow is as
follows:
• The user's PC generates an IP packet that is encapsulated in a PPP frame. A PPPoE
header is added to this frame, which is then encapsulated in an Ethernet frame addressed to
the E-series router. The Ethernet type field indicates that the upper-layer protocol is PPPoE.
• The DSL bridge receives the Ethernet frame and encapsulates the entire frame into an ATM
cell. An RFC 2684 header is added at the beginning of the cell, indicating that the cell
contains a bridged Ethernet frame.
• The cell(s) are then transmitted across the PVC to the E-series router.
• The E-series router receives the cell, strips off the bridged Ethernet header, strips off the
Ethernet frame, and verifies that the type field is PPP over Ethernet. If the type field is not
PPP over Ethernet, the E-series router discards the frame. If it is PPP over Ethernet, the
router strips the PPP frame and looks at the destination IP address, and determines the
next-hop interface.
• The router encapsulates the IP datagram in the appropriate Layer 2 frame and transmits the
data onto the Internet.
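The two PPPoE stages and the type-field check from the packet walk above, as an added example in Python that is not the course's or JUNOSe's code: the discovery exchange (PADI broadcast, PADO, PADR, PADS) is built and parsed, only the PADS carries the session ID, and the B-RAS-side parser returns None, meaning discard, for any frame whose EtherType is not PPPoE or whose PPPoE header is inconsistent with its stage. The MAC addresses, session ID, tag contents and the AC-Name erx7 are constructed; codes and tag types are those of RFC 2516.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
PPPOE_VER_TYPE = 0x11            # version 1, type 1: the only values RFC 2516 defines

# Discovery-stage codes from RFC 2516; 0x00 is the session-stage code.
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103


class PppoeFrame(NamedTuple):
    dst_mac: str
    src_mac: str
    stage: str                   # "discovery" or "session"
    code: str
    session_id: int
    payload: bytes               # tags (discovery) or a PPP frame (session)
    ppp_protocol: Optional[int]  # e.g. 0xC021 LCP, 0x8021 IPCP, 0x0021 IPv4


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, code: int, session_id: int, payload: bytes) -> bytes:
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + struct.pack("!HBBHH", ethertype, PPPOE_VER_TYPE, code, session_id, len(payload)) + payload


def encode_tags(tags: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def decode_tags(data: bytes) -> List[Tuple[int, bytes]]:
    tags, i = [], 0
    while i + 4 <= len(data):
        t, n = struct.unpack("!HH", data[i:i + 4])
        if i + 4 + n > len(data):
            raise ValueError("tag runs past end of payload")
        tags.append((t, data[i + 4:i + 4 + n]))
        i += 4 + n
    return tags


def parse_frame(frame: bytes) -> Optional[PppoeFrame]:
    """What the B-RAS does with a frame from the access side: anything whose type field is
    not PPPoE, or whose PPPoE header is inconsistent, returns None (discarded)."""
    if len(frame) < 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if ver_type != PPPOE_VER_TYPE or len(payload) != length:
        return None
    stage = "discovery" if ethertype == ETH_PPPOE_DISCOVERY else "session"
    if (stage == "discovery") == (code == 0x00):   # session code only in session frames, and vice versa
        return None
    ppp_protocol = None
    if stage == "session":
        if length < 2:
            return None
        ppp_protocol = struct.unpack("!H", payload[:2])[0]
    return PppoeFrame(_mac(frame[:6]), _mac(frame[6:12]), stage,
                      CODES.get(code, f"0x{code:02x}"), session_id, payload, ppp_protocol)


def discovery_exchange(client_mac: str, bras_mac: str, session_id: int) -> List[bytes]:
    """The four discovery frames in order: PADI (broadcast), PADO, PADR, PADS.
    Only the PADS carries the session ID the PPP session stage will use."""
    ask = encode_tags([(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"\x00\x2a")])
    offer = encode_tags([(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, b"erx7"), (TAG_HOST_UNIQ, b"\x00\x2a")])
    return [
        build_frame("ff:ff:ff:ff:ff:ff", client_mac, ETH_PPPOE_DISCOVERY, 0x09, 0, ask),
        build_frame(client_mac, bras_mac, ETH_PPPOE_DISCOVERY, 0x07, 0, offer),
        build_frame(bras_mac, client_mac, ETH_PPPOE_DISCOVERY, 0x19, 0, offer),
        build_frame(client_mac, bras_mac, ETH_PPPOE_DISCOVERY, 0x65, session_id, offer),
    ]
```

Because the PADI is a broadcast answered by any access concentrator on the segment, a client that accepts the first PADO it hears can be steered to the wrong B-RAS; checking the AC-Name tag and echoing the Host-Uniq tag is how the client ties the answer to its own request.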
[Figure: interface columns for PPPoE over ATM (PPPoE major interface, one per modem, over an ATM PVC and ATM subinterface, one per modem, over the ATM major interface and OCxc/STMx) and for PPPoE over VLANs (VLAN 100 with VLAN encapsulation or S-VLAN encapsulation).]
VLAN options:
– Single-tagged VLANs
– Double-tagged VLANs or stacked VLANs
S-VLANs
– Service provider VLANs (S-VLAN) and customer VLANs (C-VLAN)
– Similar to ATM VPI/VCI
– Improve VLAN scaling
– CPE or access node adds inner tag (C-Tag)
– Access node or aggregation device adds outer tag (S-Tag)
VLAN Options
In these Ethernet-based networks, the E-series router is terminating thousands of users on some type
of Ethernet interface. Virtual local area networks (VLANs) are implemented to manage large numbers
of users coming in over a single physical interface. A VLAN enables multiplexing multiple IP and
PPPoE interfaces over a single physical port using subinterfaces. VLANs are similar to ATM PVCs
with a VLAN ID acting like the ATM PVC's VPI. The IEEE 802.1Q-tagged frames provide a 12-bit
VLAN identifier. Therefore, one physical interface can support up to 4096 unique VLANs. Each VLAN
has a single, unique VLAN ID or tag assigned to it. On the slide, the diagram on the left uses this single
tagged approach. Notice that VLAN IDs must be unique within the access network.
In some Ethernet B-RAS environments where multiple access nodes are aggregated onto a single
Gigabit Ethernet or 10-Gigabit Ethernet connection, this VLAN limit is inadequate. A stacked VLAN (S-
VLAN) or double-tagged VLAN provides a two-level VLAN tag structure, extending the VLAN ID space
to more than 16 million VLANs.
S-VLANs
Stacked VLANs were developed by the IEEE as a way to segregate the customer VLAN ID space (C-
VLAN) from the service provider VLAN space (S-VLAN) and improve scaling. It is unfortunate that the
IEEE 802.1ad standard uses the term S-VLAN to mean service provider VLAN space because the E-
series router uses the term S-VLAN to mean any doubly tagged VLAN. Stacked VLANs require two
different tags or IDs. The outer tag is called the service provider tag (S-Tag) and the inner tag is called
the customer tag (C-Tag). These two tags are similar to the ATM VPI/VCI. Depending on the
installation, the CPE device or access node adds the C-Tag and the access node or aggregation
device adds the S-Tag. The E-series router performs decapsulation twice—once to get the S-Tag and
once to get the C-Tag.
On the slide, the diagram on the right uses the double-tagged approach. In this environment, each
access node is assigned a unique S-Tag, allowing the C-Tags to be reused.
[Figure: two DSLAM deployments, 1:1 VLAN on the left and N:1 VLAN on the right.]
1:1 VLAN:
– VLAN or S-VLAN per CPE
– S-Tag or S-Tag/C-Tag must be unique across access network
N:1 VLAN:
– VLAN per type of traffic or per access node
– S-Tag shared by many users
– Video or multicast services
1:1 VLAN
Service providers might use different VLAN deployment options or models. Some providers make use
of both options in the same network. In the first approach, 1:1 VLAN, a single VLAN or S-VLAN is
assigned to a single CPE device. The S-Tag or S-Tag/C-Tag must be unique across the access
network. This approach closely mimics the ATM VPI/VCI model. On the slide, the diagram on the left
implements the 1:1 VLAN approach. Notice that each CPE device is assigned a unique S-Tag/C-Tag
within the access network.
N:1 VLAN
With the N:1 VLAN approach, traffic is single-tagged with an S-Tag throughout the access network.
There might be an S-Tag for a specific type of traffic or for each access node. With this approach,
multiple users share the same S-Tag. A video or multicast service might take advantage of this
scheme. On the slide, the diagram on the right implements the N:1 VLAN approach as well as the 1:1
VLAN deployment model. Each CPE device is a member of the 300 VLAN. This VLAN is used for a
video multicast service. In addition, each CPE device is assigned a unique VLAN ID for user data
traffic.
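The tag handling and the deployment rules from the VLAN, S-VLAN, 1:1 and N:1 sections above, as an added example in Python that is not JUNOSe code: the parser pops a single 802.1Q tag or an 802.1ad S-Tag/C-Tag pair (masking the 12-bit VLAN ID out of the TCI), a provisioning table maps the tag pair to the subinterface and to the model it belongs to, and a check verifies the 1:1 rule that each CPE's S-Tag/C-Tag pair is unique across the access network. The subinterface names, the provisioning table and the sample frames are constructed; VLAN 100, 200, 300 and the S-VLAN 1/100 are the values the slides use.

```python
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

TPID_C = 0x8100    # IEEE 802.1Q tag: the C-Tag, or the only tag of a single-tagged VLAN
TPID_S = 0x88A8    # IEEE 802.1ad service tag (S-Tag)
VID_MASK = 0x0FFF  # 12-bit VLAN ID: 4096 values per tag level
ETH_IPV4, ETH_PPPOE_SESSION = 0x0800, 0x8864


class TaggedFrame(NamedTuple):
    s_tag: Optional[int]     # outer tag; None when single-tagged or untagged
    c_tag: Optional[int]     # inner (or only) tag; None when untagged
    ethertype: int           # protocol after the tag stack
    payload: bytes


def build_tagged_frame(dst: bytes, src: bytes, tags: List[Tuple[int, int]],
                       ethertype: int, payload: bytes) -> bytes:
    """tags is an outer-to-inner list of (TPID, VLAN ID); PCP/DEI bits are left at zero."""
    stack = b"".join(struct.pack("!HH", tpid, vid & VID_MASK) for tpid, vid in tags)
    return dst + src + stack + struct.pack("!H", ethertype) + payload


def parse_tagged_frame(frame: bytes) -> Optional[TaggedFrame]:
    """Pop up to two tags. Returns None for truncated frames or more than two tags,
    which the S-Tag/C-Tag model on the slide does not cover."""
    if len(frame) < 14:
        return None
    off, vids = 12, []
    while len(vids) < 3 and off + 4 <= len(frame):
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in (TPID_C, TPID_S):
            break
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & VID_MASK)
        off += 4
    if len(vids) > 2 or off + 2 > len(frame):
        return None
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    s_tag, c_tag = (vids[0], vids[1]) if len(vids) == 2 else (None, vids[0] if vids else None)
    return TaggedFrame(s_tag, c_tag, ethertype, frame[off + 2:])


# Constructed provisioning table modelled on the slides: (S-Tag, C-Tag) -> (subinterface, model).
# Single-tagged VLANs have S-Tag None; subinterface names are invented.
SUBINTERFACES: Dict[Tuple[Optional[int], Optional[int]], Tuple[str, str]] = {
    (None, 100): ("fastEthernet 3/1.100", "1:1"),      # PPPoE users on VLAN 100
    (None, 200): ("fastEthernet 3/1.200", "1:1"),
    (None, 300): ("gigabitEthernet 5/0.300", "N:1"),   # video multicast VLAN shared by every CPE
    (1, 100): ("gigabitEthernet 5/0.1.100", "1:1"),    # S-VLAN: access node 1, CPE C-Tag 100
    (2, 100): ("gigabitEthernet 5/0.2.100", "1:1"),    # same C-Tag reused behind access node 2
}


def demux(frame: bytes, table=SUBINTERFACES) -> Optional[Tuple[str, str]]:
    """Find the subinterface a frame belongs to; None when unprovisioned or malformed."""
    parsed = parse_tagged_frame(frame)
    if parsed is None:
        return None
    return table.get((parsed.s_tag, parsed.c_tag))


def check_1to1(assignments: Dict[str, Tuple[Optional[int], int]]) -> List[str]:
    """1:1 rule from the slide: each CPE's S-Tag or S-Tag/C-Tag pair must be unique across the
    access network. Returns a description of each clash; an empty list means the plan is valid."""
    seen: Dict[Tuple[Optional[int], int], str] = {}
    clashes: List[str] = []
    for cpe, pair in assignments.items():
        if pair in seen:
            clashes.append(f"{cpe} and {seen[pair]} both use S-Tag/C-Tag {pair}")
        seen.setdefault(pair, cpe)
    return clashes
```

Masking the TCI to 12 bits matters in practice: the upper four bits are priority and drop-eligibility, so two frames with different PCP values but the same VLAN ID must land on the same subinterface, and a tag pair that is not in the provisioning table is dropped rather than guessed.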
[Figure: interface columns on GE and 10 GE ports: IP over PPPoE subinterfaces on VLAN subinterfaces for VLAN 100 and VLAN 200, IP over VLAN for the shared VLAN 300, and an S-VLAN with S-Tag 1 and C-Tag 100.]
IP Configuration
Dynamic IP interface configuration using RADIUS VSAs:
– Virtual-Router-Name
– Local-Interface-Name
– Local-Address-Pool-Name
erx7(config)#profile generic-ip
erx7(config-profile)#ip sa-validate
erx7(config-profile)#exit
Local address pool configuration:
– Both address pools are localized to these virtual routers
erx7(config)#ip local pool isp1pool 172.16.3.2 172.16.3.254
erx7(config)#ip route 172.16.3.0 255.255.255.0 null 0
erx7(config)#vir VR2
erx7:VR2(config)#ip local pool isp2pool 182.16.3.2 182.16.3.254
erx7:VR2(config)#ip route 182.16.3.0 255.255.255.0 null0
[Figure: interface column for PPP over ATM: ATM PVC on an ATM subinterface over the ATM major interface, on T3A/E3A, OCxc/STM1 or OCx/STMx.]
erx7(config-if)#encapsulation ppp
erx7(config-if)#ppp authentication chap
erx7(config-if)#profile ip generic-ip
[Figure: interface column for PPPoE over a VLAN: IP and PPP interfaces on PPPoE subinterfaces over the PPPoE major interface, on VLAN subinterface VLAN 100 over the VLAN major interface, on a GE or 10 GE port.]
erx7(config)#interface fastEthernet 3/1
erx7(config-if)#encapsulation vlan
erx7(config)#interface fast 3/1.100
erx7(config-if)#vlan id 100
erx7(config-if)#pppoe
erx7(config-if)#pppoe subint fast 3/1.100.1
erx7(config-if)#encapsulation ppp
erx7(config-if)#ppp auth chap
erx7(config-if)#profile ip generic-ip
erx7(config-if)#pppoe subint fast 3/1.100.2
erx7(config-if)#encapsulation ppp
erx7(config-if)#ppp auth chap
erx7(config-if)#profile ip generic-ip
[Figure: interface column for IP over VLAN plus PPPoE over the same VLAN 200: an IP interface directly on the VLAN subinterface alongside PPP interfaces on PPPoE subinterfaces over the PPPoE major interface, on the VLAN major interface, on a GE or 10 GE port.]
erx7(config-if)#encapsulation vlan
erx7(config)#interface fast 3/1.200
erx7(config-if)#vlan id 200
erx7(config-if)#ip address 172.16.100.1/24
erx7(config-if)#pppoe
erx7(config-if)#pppoe sub fast 3/1.200.1
erx7(config-if)#encapsulation ppp
erx7(config-if)#ppp auth chap
erx7(config-if)#profile ip generic-ip
erx7(config-if)#pppoe sub fast 3/1.200.2
erx7(config-if)#encapsulation ppp
Is the physical link between the user and the router working?
erx7#show controller sonet slot/port
erx7#show interface gigabitEthernet slot/port brief
erx7#show atm vc atm slot/port vcd
erx7#show interface gigabitEthernet slot/port.subinterface
Is the user successfully completing both stages of PPPoE?
erx7#show pppoe interface
erx7#show pppoe interface interface
erx7#show pppoe subinterface
erx7#show pppoe subinterface interface
Layer             Command                                  Shows
ATM Subinterface  show atm subinterface atm 6/2/0/112      Subinterface configuration and statistics
                  show atm subinterface atm 6/2.12
ATM Major         show atm interface atm 6/2               ATM major interface status and statistics
Review Questions
1. How is PPP over Ethernet different from PPP over ATM?
2. What are the two different stages of PPP over Ethernet?
3. What is the basic life of a packet for PPP over Ethernet?
4. How do you configure the E-series router for PPP over
Ethernet?
5. What steps would you take to troubleshoot a
PPP-over-Ethernet interface?
Lab Objectives:
Configure and troubleshoot static PPP-over-Ethernet
interfaces on the E-series router.
E-series B-RAS Configuration
Module Objectives
After successfully completing this module, you will be able
to:
− Explain how dynamic interfaces are built
− Configure the E-series router to support dynamic interface
detection and creation using PPP
− Compare and contrast dynamic interface creation in a bridged
Ethernet and IP-over-ATM environment versus a PPP
environment
− Configure the router to dynamically create ATM subinterfaces
− Configure the router to create dynamic subscriber interfaces
Dynamic IP Interfaces
How are dynamic IP interfaces created?
− External event triggers creation
− Router receives packets
− User is authenticated
− IP interface is created using information from RADIUS or profile
− PPP-over-ATM and PPP-over-Ethernet interfaces
[Figure: four interface columns, each an IP interface over a PPP interface over a PPPoE subinterface; the PPPoE subinterfaces share a PPPoE major interface over either a VLAN subinterface or an ATM PVC and ATM subinterface.]
Creating Profiles
Profiles contain common configuration parameters:
− IP: address, virtual router, source address validation, policy
− PPP: authentication method, MRU, keepalive, CHAP challenge length
− PPPoE: maximum number of sessions, MTU, duplicate protection
− Flexible configuration: profile per protocol type
[Figure: the same four columns for Ryan@isp1.com, Mark@isp2.com, Ralph@isp2.com and Pam@isp1.com, over a VLAN subinterface on GE/10 GE or an ATM subinterface on OCx/STMx.]
the profile
Assigning Profiles
Once the profile is created, you assign it to static subinterfaces. When the profile is assigned, it
specifies the protocol or protocols to be supported directly above the static portion of the interface
column. In this example, the profile is assigned to the static ATM subinterface, which is the highest
static layer of the interface column. When you assign a profile, you indicate the encapsulation type to
which the profile applies using the keyword ppp, pppoe, bridgedEthernet, or ip.
Generic Profile
You can configure one profile and support any interface above the static subinterface by using the
keyword any when assigning the profile. This keyword indicates that one profile will be used for all
encapsulation types supported above the static subinterface. The profile must contain all the
configuration parameters (IP, PPP, PPPoE), and if a PPP interface is detected, the E-series router only
uses the appropriate configuration parameters when building the interface and ignores the rest, such
as the PPPoE parameters.
Protocol Specific Profile
Within an interface definition, you can specify multiple profile commands each referencing a different
upper-layer protocol. With this method, you can configure a different profile for each type of protocol.
The profile would only include parameters specific to the protocol being configured.
erx7(config-if)#auto-configure [ip | ppp | pppoe | bridgedEthernet]
− On receipt of the first packet, automatically detects and builds the specified layer and above
− Works hand in hand with the applied profile
− To limit traffic to a single protocol, use a single auto-configure command
− To dynamically detect the upper-layer protocol and configure the appropriate stack (either PPPoE or PPPoA), use multiple auto-configure commands referencing the different protocols
[Figure: interface columns built by auto-configure: IP over PPP over a PPPoE subinterface and PPPoE major interface, or IP over PPP directly, over an ATM PVC and ATM subinterface on the ATM major interface and OCx/STMx.]
over static VLAN and static PPPoE major interface:
erx7(config)#int gigabitEthernet 5/0
erx7(config-if)#encap vlan
erx7(config-if)#int gigabitEthernet 5/0.100
erx7(config-if)#vlan id 100
erx7(config-if)#pppoe
erx7(config-if)#pppoe profile pppoe-info
erx7(config-if)#pppoe auto-configure
[Figure: resulting column: IP over PPP over a PPPoE subinterface, on the static PPPoE major interface and VLAN subinterface over the VLAN major interface, on GE/10GE.]
Debug Profiles
It is fairly straightforward to troubleshoot statically defined PPP and PPPoE interfaces using logging
when necessary. When you enable logging on a PPP-over-ATM or PPP-over-Ethernet interface, you
must reference a static subinterface. Unfortunately, when you start using dynamically created
interfaces, you no longer have a subinterface to reference. The subinterface is dynamically created
upon the receipt of traffic. You can, however, create a special profile that can be used solely for
debugging dynamic interfaces. In this debug profile you include all the IP, PPP, and PPPoE commands
found in the production profile as well as any logging categories you might want to enable.
Using Debug Profiles
To use this special debug profile, first set the console logging filter level to debug. If you are using
Telnet, remember to direct log messages to your session using the log here command. Next, navigate
to the static portion of the interface on which you want to enable logging. Shut the interface down,
remove the production profile, add the debug profile, and enable the interface. Log messages should
appear on your console session. Once the problem is solved, remember to restore the original
production profile.
You can only perform PPP packet logging on a total of 32 static and dynamic PPP interfaces per
chassis. The first 32 PPP interfaces that come up perform PPP packet logging. The remaining PPP
interfaces will not log PPP packets.
Dynamic Interfaces
How are dynamic interfaces created?
− Router receives a packet
− ATM encapsulation detected
− Upper-layer protocols detected
− PPPoE and/or PPP interfaces built
− IP interface built using information from a profile and RADIUS
Can we do the same with IP-over-ATM and bridged Ethernet interfaces?
− No direct user authentication
− Statically configure user authentication information on the router
− RADIUS authenticates user
[Figure: interface columns for PPP (IP over PPP over a PPPoE subinterface and PPPoE major interface, over an ATM PVC and ATM subinterface) and for IP over ATM (IP interface directly over an ATM PVC and ATM subinterface), both on the ATM major interface; a customer router at 30.30.30.30 with remote network 40.40.40.0/24 reaching the Internet.]
Router configuration:
erx7(config)#profile small-business-IPoA
erx7(config-profile)#ip unnumbered loopback 0
erx7(config-profile)#ip virtual-router default
erx7(config-profile)#interface atm 6/1.45
erx7(config-subif)#atm pvc 45 0 45 aal5autoconfig
erx7(config-subif)#profile ip small-business-IPoA
erx7(config-subif)#subscriber ip user CompanyX domain isp1.com password companyx
erx7(config-subif)#auto-configure ip
Copyright © 2007, Juniper Networks, Inc.
RADIUS Configuration
Routing table on erx7:
Prefix/Length    Type            Next Hop    Dist/Met  Interface
30.30.30.1/32    Connect         30.30.30.1  0/0       loopback0
30.30.30.30/32   AccessInternal  0.0.0.0     2/1       atm 6/1.45
40.40.40.0/24    Access          0.0.0.0     2/1       atm 6/1.45
[Figure: Company X DSL router (WAN address 30.30.30.30, remote network 40.40.40.0/24) connected through the E-series router (loopback 0 = 30.30.30.1/32) to the Internet; the RADIUS entry User=CompanyX@isp1.com, Password=companyx returns the attributes Framed IP = 30.30.30.30 and Framed Route = 40.40.40.0/24]
RADIUS configuration:
− Same user name and password
− Framed IP address for customer's router interface
− Framed IP route for customer's remote network
RADIUS Configuration
Keep in mind that in an IP-over-ATM environment, the customer's router's WAN interface has a static
IP address assigned and configured. An IP-over-ATM environment does not run PPP or DHCP, where
the IP address is negotiated or handed out dynamically.
You just configured the user information on the customer's interface on the router using the subscriber
command. The router will use this information to obtain the routing configuration information for this
customer from the RADIUS server and cache it in the routing table. In the example on the slide, once
RADIUS authenticates the user, the RADIUS server passes back an access grant, which might include
additional RADIUS return attributes to further configure the user's interface on the router. In this IP-
over-ATM example, the RADIUS server returns a framed IP address corresponding to the customer's
WAN interface (that is, 30.30.30.30) and a framed IP route corresponding to the customer's remote
network (that is, 40.40.40.0/24). Based on the router's configuration, these entries are inserted into the
routing table bound to the customer's ATM subinterface. The RADIUS server could pass back policy
configuration as well.
Router configuration:
erx7(config)#profile static-ip
erx7(config-profile)#ip unnumbered loopback 0
erx7(config-profile)#ip virtual-router default
erx7(config-profile)#interface atm 6/1.46
erx7(config-subif)#atm pvc 46 0 46 aal5autoconfig
erx7(config-subif)#profile bridgedEthernet static-ip
erx7(config-subif)#subscriber ip user user1 domain isp1.com
erx7(config-subif)#auto-configure bridgedEthernet
Sample Log
Note that traffic must be received on the interface to trigger dynamic interface creation and cause
packets to be sent to RADIUS.
How are dynamic interfaces created?
− Router receives a packet
− Upper-layer protocols detected
− Interface columns built using information from RADIUS and a profile
Can we do the same with ATM and VLAN subinterfaces?
[Figure: four dynamically built interface columns (IP interface over PPP interface over PPPoE subinterface), two on each of two PPPoE major interfaces, over the ATM major interface on an OCx/STMx port]
Agent-circuit-identifier VLANs
Bulk configuration of S-VLAN subinterfaces using agent-circuit-identifier:
− Double-tagged S-VLANs uniquely identify each subscriber
− Direct Ethernet connectivity or N:1 single-tagged VLANs might not uniquely identify each subscriber
− Identify the user using the agent-circuit-identifier in PPPoE or DHCP control messages instead of the double-tagged S-VLAN ID
− Identifies the subscriber's DSLAM and the DSL line on the DSLAM
− Agent-circuit-identifier dynamic S-VLANs can coexist with double-tagged S-VLANs
− For DHCP subscribers, the DHCP local or external server must be properly configured
The ability to dynamically create S-VLANs using agent-circuit-identifier information only affects
untagged or single-tagged packets containing the identifier. All double-tagged or untagged and single-
tagged packets that do not contain the identifier are unaffected. Therefore, double-tagged S-VLANs
and S-VLANs based on agent-circuit-identifier can coexist on the same interface.
In the case of DHCP, the E-series router must be configured as a DHCP local server or a DHCP external server so that it can monitor the DHCP discover and address request messages. The DHCP local or external server must be configured to dynamically create subscriber interfaces based on the agent-circuit-identifier contained in the option 82 field of DHCP discover packets. We discuss dynamic subscriber interfaces later in the chapter.
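The identifier the text relies on travels in two places: DHCP option 82 (Relay Agent Information, sub-option 1) and the PPPoE discovery vendor-specific tag carrying the ADSL Forum vendor ID. The following Python example, added here and not taken from the course material or from the JUNOSe software, extracts the agent-circuit-identifier from both, stopping cleanly on truncated or malformed TLVs. The TR-101 encoding (vendor ID 0x00000DE9, sub-option 1 = Agent-Circuit-ID, 2 = Agent-Remote-ID) is assumed; the DSLAM name and port strings in the sample messages are constructed placeholders.

```python
"""Extract the agent-circuit-identifier (and agent-remote-id) a DSLAM inserts
into subscriber control messages, from DHCP option 82 and from the PPPoE
vendor-specific tag. Sample messages are constructed; "dslam01" and the port
string are placeholders, not values from the course material."""
import struct

# DHCP option 82 (Relay Agent Information) and its sub-options
DHCP_OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
DHCP_OPT_PAD, DHCP_OPT_END = 0, 255

# PPPoE vendor-specific tag (RFC 2516) with the ADSL Forum vendor id; the
# sub-options inside it use the same numbering as option 82 (TR-101 style)
PPPOE_TAG_END_OF_LIST = 0x0000
PPPOE_TAG_VENDOR_SPECIFIC = 0x0105
ADSL_FORUM_VENDOR_ID = 0x00000DE9


def _parse_sub_options(blob: bytes) -> dict:
    """Parse 1-byte type / 1-byte length TLVs; a truncated TLV ends parsing."""
    out, i = {}, 0
    while i + 2 <= len(blob):
        t, n = blob[i], blob[i + 1]
        if i + 2 + n > len(blob):
            break
        out[t] = blob[i + 2:i + 2 + n]
        i += 2 + n
    return out


def circuit_id_from_dhcp_options(options: bytes) -> dict:
    """Walk DHCP options (after the magic cookie) and return the option 82
    sub-options as {'circuit_id': ..., 'remote_id': ...} (bytes or None)."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_END:
            break
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        n = options[i + 1]
        value = options[i + 2:i + 2 + n]
        if code == DHCP_OPT_RELAY_AGENT:
            subs = _parse_sub_options(value)
            return {"circuit_id": subs.get(SUBOPT_CIRCUIT_ID),
                    "remote_id": subs.get(SUBOPT_REMOTE_ID)}
        i += 2 + n
    return {"circuit_id": None, "remote_id": None}


def circuit_id_from_pppoe_tags(tags: bytes) -> dict:
    """Walk PPPoE discovery tags (2-byte type, 2-byte length) and return the
    ADSL Forum sub-options from the vendor-specific tag, if present."""
    i = 0
    while i + 4 <= len(tags):
        t, n = struct.unpack_from("!HH", tags, i)
        value = tags[i + 4:i + 4 + n]
        if t == PPPOE_TAG_END_OF_LIST:
            break
        if t == PPPOE_TAG_VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack_from("!I", value)[0]
            if vendor == ADSL_FORUM_VENDOR_ID:
                subs = _parse_sub_options(value[4:])
                return {"circuit_id": subs.get(SUBOPT_CIRCUIT_ID),
                        "remote_id": subs.get(SUBOPT_REMOTE_ID)}
        i += 4 + n
    return {"circuit_id": None, "remote_id": None}


def _tlv1(t: int, v: bytes) -> bytes:
    return bytes([t, len(v)]) + v


# Constructed samples: DSLAM "dslam01", subscriber line on slot 1 port 2
CIRCUIT = b"dslam01 atm 1/2:0.35"
REMOTE = b"sub-0001"
SAMPLE_DHCP_OPTIONS = (
    _tlv1(53, b"\x01")                                    # DHCP Discover
    + _tlv1(DHCP_OPT_RELAY_AGENT,
            _tlv1(SUBOPT_CIRCUIT_ID, CIRCUIT) + _tlv1(SUBOPT_REMOTE_ID, REMOTE))
    + bytes([DHCP_OPT_END])
)
SAMPLE_PPPOE_TAGS = (
    struct.pack("!HH", 0x0101, 0)                         # Service-Name (any)
    + struct.pack("!HH", PPPOE_TAG_VENDOR_SPECIFIC, 4 + 2 + len(CIRCUIT))
    + struct.pack("!I", ADSL_FORUM_VENDOR_ID) + _tlv1(SUBOPT_CIRCUIT_ID, CIRCUIT)
    + struct.pack("!HH", PPPOE_TAG_END_OF_LIST, 0)
)

if __name__ == "__main__":
    print(circuit_id_from_dhcp_options(SAMPLE_DHCP_OPTIONS))
    print(circuit_id_from_pppoe_tags(SAMPLE_PPPOE_TAGS))
```

The identifier is inserted by the access node, not by the subscriber, so it is only as trustworthy as the path between the DSLAM and the router; the parser treats it as opaque bytes and leaves the decision of what to do with a missing or truncated identifier to the caller.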
Review Questions
1. How is a dynamic interface created?
2. What is the purpose of a profile?
3. When would you specify multiple auto-configure commands?
4. What command facilitates dynamic interface creation in an IP-over-ATM or bridged Ethernet environment?
5. How do you configure the router to create dynamic ATM subinterfaces?
6. What triggers the creation of a dynamic subscriber interface?
Lab Objectives:
Configure and troubleshoot dynamic interfaces.
Questions
Copyright © 2006 Juniper Networks, Inc. Copyright © 2007, Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 38
Module 6: L2TP
Module Objectives
After successfully completing this module, you will be able to:
– Describe the two common L2TP applications
– Explain the basic life of a packet in an L2TP environment
– Configure the E-series router as a LAC and an LNS
– Compare and contrast different tunnel failover and tunnel selection methods
– Verify L2TP operation using show commands and logging
Agenda: L2TP
L2TP Overview
L2TP Operation
E-series Router L2TP Configuration
L2TP Tunnel Failover and Tunnel Selection
E-series Router Requirements
Troubleshooting L2TP
L2TP Overview
The slide lists the topics we discuss in this chapter. We discuss the highlighted topic first.
[Figure: tyler@isp1.com (modem) and home1@isp2.com (DSL router) run PPP to the B-RAS; the B-RAS holds their IP interfaces in the virtual routers default (ISP1) and isp2 (ISP2, with a RADIUS server) and routes into the IP core]
Termination points:
– Layer 2 connection between user and B-RAS
– PPP session terminated on the B-RAS
– Local or remote RADIUS server provides authentication
– User's IP interface created on the B-RAS
– User's IP packets routed into the core
Termination Points
With a traditional remote access connection, a user establishes a connection to a network access
server, such as the E-series router, using some type of Layer 2 access method such as ATM or
Ethernet. Over this Layer 2 connection, the user runs PPP, is authenticated using either a local or
remote RADIUS server, and establishes IP connectivity into the network. In this environment, the Layer
2 connection and the PPP session terminate on the same device, the E-series router. This edge router
manages the user's associated IP interface and routes the user's traffic into the core network.
[Figure: with L2TP, tyler@isp1.com (modem or DSL router) runs PPP through the edge device and across the IP core to ISP1, where the PPP session terminates and RADIUS authenticates the user]
Using L2TP
L2TP extends the traditional PPP model by allowing the physical or Layer 2 termination point and the
PPP termination point to occur on different devices. L2TP is a client/server protocol that allows PPP to
be tunneled across a network. RFC 2661 describes and defines L2TP. With L2TP, a user still has a
Layer 2 connection to the access concentrator. The PPP connection, however, is now terminated at a
remote location. A local or remote RADIUS server provides authentication and accounting services. In
this environment, the remote device manages the user's associated IP interface and routes the user's
IP traffic to the appropriate network. The edge device or access concentrator only processes PPP
frames from the user; it has no visibility into the IP portion of the user's packets. From a user's
perspective, there is no functional difference between having the PPP session terminate on the edge
device or at a remote location using L2TP.
L2TP Components
[Figure: the LAC terminates tyler@isp1.com (modem) and home1@isp2.com (DSL router) at Layer 2 and carries their PPP sessions through L2TP tunnels to the ISP1 LNS and the ISP2 LNS, each with its own RADIUS server]
LAC:
– Physical or Layer 2 link termination
– Located at the ISP's point of presence
– Initiates L2TP tunnel and session
LNS:
– Located at the tunnel termination point
– Same provider, different provider, or customer site
– Terminates the PPP session
– Manages the user's IP interface
[Figure: L2TP for corporate access: jen@CompanyA.com and dave@CompanyA.com at remote offices enter through a LAC, which tunnels across the IP core to an LNS at Company A headquarters and an LNS at Company B headquarters, each with RADIUS]
L2TP Operation
The slide highlights the topic we discuss next.
Life of a Packet
On this slide, the user is using PPP over ATM to establish the connection. The user's IP datagrams are
first encapsulated into a PPP frame. Next, the PPP frame is fragmented into 53-byte ATM cells and
sent over the appropriate ATM interface using RFC 2364 encapsulation. These cells are then
transmitted across the POTS connection, to the DSLAM, across the ATM switch (if necessary), and
are received by the LAC. In this case, the LAC is an E-series router.
During the authentication process, the LAC determines that the PPP session will be tunneled using L2TP. The LAC establishes a new tunnel (if necessary) and a new session to the appropriate LNS. The LAC encapsulates the user's IP-over-PPP frames using L2TP and adds a new IP header to the packet. In this new header, the destination IP address is the LNS and the source IP address is the LAC. Based on the new destination IP address, the LAC routes the packet into the core using the appropriate data link layer encapsulation. Note that the LAC never examined the user's IP datagram.
When the LNS receives the packet, it strips off the new IP header and the L2TP header, and
terminates the PPP session. It then examines the destination IP address of the user's datagram and
routes it to the appropriate location. In this example, only the LNS examined the user's IP datagram,
not the LAC.
[Figure: session initiation: dave@isp2.com starts PPP to LAC erx3 (lo0=3.3.3.1); LCP ConfReq and ConfAck are exchanged between the user and the LAC as the initial authentication; the LAC then tunnels to LNS erx1 (lo0=33.33.33.1, ISP2, with RADIUS)]
Session Initiation
The user initiates a PPP connection to the LAC. In the example on the slide, dave@isp2.com initiates
a PPP session to the LAC, which is an E-series router. The router performs the initial authentication
and determines whether to terminate the PPP session or tunnel the PPP session using L2TP. If the
session is to be tunneled, the router must determine several L2TP tunnel attributes, such as the IP
address of the LNS and the tunnel password, to initiate and build the L2TP tunnel and session.
The E-series router parses the user's login for the realm or domain name. In this example, the domain
name is isp2.com. The router looks for an entry of isp2.com in the configured domain map, which can
also include L2TP tunnel attributes. If the domain map includes L2TP tunnel attributes, the router
knows that all PPP sessions for this domain, that is, isp2.com, must be tunneled using L2TP.
If the domain map contains an entry for the domain in question but does not contain L2TP tunnel
attributes, the E-series router sends the authentication request to the appropriate virtual router's
RADIUS server. If the domain map does not contain an entry for the domain, the router sends the
authentication request to the RADIUS server configured in the default virtual router. You can also
configure the RADIUS server to return L2TP tunnel attributes for a particular realm or domain name.
[Figure: Hello messages exchanged between LAC and LNS over the established control connection]
Session Establishment
Once the tunnel is established, the data session for the remote user is created. The LAC accomplishes
this by sending an incoming call request (ICRQ) message to the LNS. The ICRQ message contains
the assigned session ID and call serial number for the proposed session. The LNS responds with an
incoming call reply (ICRP) containing its assigned session ID, which indicates success with the ICRQ
sent.
The LAC responds with an incoming call connected (ICCN) message to indicate acceptance of the
ICRP message sent by the LNS. Additionally, the LAC uses ICCN messages to convey authentication
information if proxy authentication is implemented. For example, this message might contain the CHAP
challenge, response, and success information. The user's authentication process completes, and the
user obtains an IP address using PPP's Network Control Protocol (NCP).
When a session terminates, the LAC sends a call disconnect notify (CDN) message. Either the LAC or
the LNS can use this message type to terminate a session.
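The control messages named above (SCCRQ/SCCRP/SCCCN for the tunnel, ICRQ/ICRP/ICCN/CDN for the session) share one header and AVP layout, and the tunnel password mentioned later in the chapter is used in a CHAP-like exchange inside SCCRP and SCCCN. The Python below, added as an example and not code from the course or from the E-series software, builds a constructed SCCRP, parses its RFC 2661 header and AVPs, and verifies the Challenge Response AVP the way an LNS or LAC would (MD5 over the message type, the shared secret and the peer's challenge, RFC 2661 section 5.1.1). The tunnel password "training" is the one on the domain-map slide; the host name, tunnel ID and challenge bytes are constructed.

```python
"""Decode an L2TP (RFC 2661) control message into header fields and AVPs and
verify the tunnel-authentication Challenge Response. Messages here are
constructed for the example."""
import hashlib
import hmac
import struct

# Message Type AVP values (RFC 2661 section 6)
SCCRQ, SCCRP, SCCCN, STOPCCN, HELLO = 1, 2, 3, 4, 6
ICRQ, ICRP, ICCN, CDN = 10, 11, 12, 14

# AVP attribute types used here (RFC 2661 section 4.4)
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 9, 11, 13
AVP_ASSIGNED_SESSION_ID, AVP_CALL_SERIAL_NUMBER = 14, 15


def build_avp(attr: int, value: bytes, mandatory: bool = True) -> bytes:
    """M bit, H bit (never set here: no AVP hiding), 10-bit length, vendor 0."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags, 0, attr) + value


def build_control_message(tunnel_id: int, session_id: int, ns: int, nr: int,
                          avps: list) -> bytes:
    """Control messages always carry T=1, L=1, S=1 and version 2."""
    body = b"".join(avps)
    flags = 0xC802  # T, L, S set; Ver = 2
    header = struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id,
                         session_id, ns, nr)
    return header + body


def parse_control_message(pkt: bytes) -> dict:
    """Return header fields and {attr: value} for the AVPs; rejects packets
    whose flags do not describe a well-formed control message."""
    flags, = struct.unpack_from("!H", pkt, 0)
    if flags & 0x000F != 2:
        raise ValueError("unsupported L2TP version")
    if not (flags & 0x8000 and flags & 0x4000 and flags & 0x0800):
        raise ValueError("control messages must set the T, L and S bits")
    length, tid, sid, ns, nr = struct.unpack_from("!HHHHH", pkt, 2)
    if length > len(pkt):
        raise ValueError("length field exceeds packet")
    avps, pos = {}, 12
    while pos < length:
        aflags, vendor, attr = struct.unpack_from("!HHH", pkt, pos)
        alen = aflags & 0x03FF
        if alen < 6 or pos + alen > length:
            raise ValueError("malformed AVP")
        if aflags & 0x4000:
            raise ValueError("hidden AVP: unhiding is not implemented here")
        if vendor == 0:
            avps[attr] = pkt[pos + 6:pos + alen]
        elif aflags & 0x8000:
            raise ValueError("unknown mandatory vendor-specific AVP")
        pos += alen
    if AVP_MESSAGE_TYPE not in avps:
        raise ValueError("missing Message Type AVP")
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr,
            "message_type": struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0],
            "avps": avps}


def challenge_response(message_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 section 5.1.1: CHAP-like, with the message type (SCCRP=2 or
    SCCCN=3) as the CHAP identifier."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def verify_challenge_response(msg: dict, secret: bytes, challenge: bytes) -> bool:
    """What the receiver checks before accepting the peer's tunnel."""
    got = msg["avps"].get(AVP_CHALLENGE_RESPONSE)
    if got is None:
        return False
    expected = challenge_response(msg["message_type"], secret, challenge)
    return hmac.compare_digest(got, expected)


# Constructed exchange: LAC erx3 sent an SCCRQ carrying LAC_CHALLENGE; LNS erx1
# answers with an SCCRP whose response is computed over the tunnel password.
SECRET = b"training"
LAC_CHALLENGE = bytes(range(16))  # constructed; a real peer uses random bytes
SCCRP_FROM_LNS = build_control_message(
    tunnel_id=0, session_id=0, ns=0, nr=1,
    avps=[build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP)),
          build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
          build_avp(AVP_HOST_NAME, b"erx1"),
          build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 7)),
          build_avp(AVP_CHALLENGE_RESPONSE,
                    challenge_response(SCCRP, SECRET, LAC_CHALLENGE))])

if __name__ == "__main__":
    msg = parse_control_message(SCCRP_FROM_LNS)
    print(msg["message_type"], msg["avps"][AVP_HOST_NAME],
          verify_challenge_response(msg, SECRET, LAC_CHALLENGE))
```

Because the response is a plain MD5 over the shared secret, the tunnel password only protects the control connection against a peer that does not know it; it does not encrypt the tunnel, which is why the text calls it an optional authentication mechanism rather than a confidentiality feature.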
[Figure: session establishment: after initial authentication (LCP ConfReq/ConfAck) of dave@isp2.com (1.1.1.2) and jen@isp2.com at LAC erx3 (lo0=3.3.3.1), erx3 has a control connection and L2TP tunnel to LNS erx1 (lo0=33.33.33.1, ISP2 RADIUS) and sends an Incoming Call Request (ICRQ) to create the session for jen@isp2.com]
[Figure: LAC erx3 (lo0=3.3.3.1) tunneling dave@isp2.com (1.1.1.2) to LNS erx1 (lo0=33.33.33.1) in ISP2, which has a RADIUS server]
Domain map:
erx3(config)#aaa domain-map isp2.com
erx3(config-domain-map)#tunnel 1
erx3(config-domain-map-tunnel)#address 33.33.33.1
erx3(config-domain-map-tunnel)#source-address 3.3.3.1
erx3(config-domain-map-tunnel)#client-name erx3
erx3(config-domain-map-tunnel)#server-name erx1
erx3(config-domain-map-tunnel)#identif erx3-primary-tunnel
erx3(config-domain-map-tunnel)#password training
RADIUS:
dave@isp2.com Password = “dave”
Framed-Protocol = PPP,
Service-Type = Framed-User,
Tunnel-Type=1:L2TP,
Tunnel-Medium-Type=1:IP,
Tunnel-Client-Endpoint=1:3.3.3.1,
Tunnel-Server-Endpoint=1:33.33.33.1,
Tunnel-Client-Auth-ID=1:erx3,
Tunnel-Assignment-ID=1:erx3-primary-tunnel
Tunnel-Password=1:training
RADIUS Configuration
The second and more common way the E-series router determines it should tunnel a PPP session is by obtaining
L2TP tunnel attributes from a centralized RADIUS server. The LAC uses the following L2TP configuration
parameters and standard RADIUS attributes to establish the tunnel and control connection. The "1:" notation on
the slide indicates a tagged RADIUS attribute.
• Framed Protocol: The framed protocol indicates that the user is using PPP as the Layer 2 protocol.
• Service type: This attribute indicates the service the B-RAS should provide to the user. In this case,
the B-RAS will provide a framed-user service, such as PPP.
• Tunnel type: Currently, the E-series router only supports L2TP as the tunnel type.
• Tunnel medium type: Currently, the E-series router only supports IPv4 as the tunnel medium.
• Tunnel client endpoint: In the example on the slide, the IP address of the LAC is 3.3.3.1. We also refer
to this attribute as the tunnel endpoint or tunnel source address. Typically, this IP address is a
loopback address that is also configured as the LAC's router ID.
• Tunnel server endpoint: In the example on the slide, the IP address of the LNS is 33.33.33.1. We also
refer to this attribute as the tunnel endpoint or tunnel destination address. Typically, this IP address is
a loopback address that is also configured as the LNS's router ID.
• Tunnel client auth ID: This optional L2TP attribute identifies the client name configured on the LAC. To establish a tunnel, the attribute value and the client name configured on the LAC must match. Some vendors' LNSs use the LAC's hostname to distinguish multiple tunnels from different LACs on a single LNS.
• Tunnel assignment ID: On the LAC, the tunnel identification or tunnel assignment ID uniquely identifies an L2TP tunnel between the LAC and the LNS. You can have multiple tunnels between a LAC and an LNS; the tunnel ID distinguishes between these tunnels. You can also have different domains share a tunnel, if you want. To have multiple domains use the same tunnel, configure the same tunnel ID for both domains. The tunnel identification is locally significant to the LAC.
• Tunnel password: This password is a shared secret used for optional tunnel authentication and AVP hiding. AVPs encode operational parameters, such as the tunnel ID, over the L2TP control channel. The authentication mechanism is CHAP-like and uses the MD5 algorithm.
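The "1:" tag notation on the slide and the attribute list above come straight from RFC 2868, where tagged integer attributes carry a tag byte and a 3-byte value and Tunnel-Password is hidden with a salted MD5 stream keyed by the RADIUS shared secret and the Access-Request authenticator. The Python below, added here as an example and not code from the course or from any RADIUS server, encodes the slide's Access-Accept attributes for dave@isp2.com, hides and reveals the tunnel password per RFC 2868 section 3.5, and decodes the whole set. The attribute and enumeration numbers are RFC 2868's; the RADIUS shared secret, request authenticator and salt are constructed.

```python
"""Encode and decode the tagged RADIUS tunnel attributes (RFC 2868) the LAC
receives for dave@isp2.com, including Tunnel-Password hiding (section 3.5).
Attribute values are the slide's; the RADIUS shared secret, request
authenticator and salt are constructed."""
import hashlib
import os
import struct

# Attribute types (RFC 2868) and the enumerated values the slide uses
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT = 66, 67
TUNNEL_PASSWORD, TUNNEL_ASSIGNMENT_ID, TUNNEL_CLIENT_AUTH_ID = 69, 82, 90
TUNNEL_TYPE_L2TP = 3
TUNNEL_MEDIUM_IPV4 = 1
TAGGED_INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def tagged_int(attr: int, tag: int, value: int) -> bytes:
    """Type, Length, Tag, 3-byte integer value (RFC 2868 section 3.1)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr: int, tag: int, value: bytes) -> bytes:
    """Type, Length, Tag, String (endpoints, auth ID, assignment ID)."""
    return struct.pack("!BBB", attr, 3 + len(value), tag) + value


def hide_tunnel_password(secret, authenticator, tag, password, salt=None):
    """RFC 2868 section 3.5: 2-byte salt with the high bit set, then an MD5
    chain over the length-prefixed, zero-padded plaintext."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    p = bytes([len(password)]) + password
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", None
    for i in range(0, len(p), 16):
        b = (hashlib.md5(secret + authenticator + salt).digest() if prev is None
             else hashlib.md5(secret + prev).digest())
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += prev
    return struct.pack("!BBB", TUNNEL_PASSWORD, 5 + len(out), tag) + salt + out


def reveal_tunnel_password(secret, authenticator, attr_value: bytes) -> bytes:
    """Inverse of hide_tunnel_password on an attribute value (tag+salt+data)."""
    salt, c = attr_value[1:3], attr_value[3:]
    if len(c) % 16 or not salt[0] & 0x80:
        raise ValueError("malformed Tunnel-Password")
    plain, prev = b"", None
    for i in range(0, len(c), 16):
        b = (hashlib.md5(secret + authenticator + salt).digest() if prev is None
             else hashlib.md5(secret + prev).digest())
        plain += bytes(x ^ y for x, y in zip(c[i:i + 16], b))
        prev = c[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad length byte: wrong shared secret or corrupt data")
    return plain[1:1 + n]


def decode_tunnel_attributes(blob: bytes, secret=None, authenticator=None):
    """Return [(attr, tag, value)]: integers decoded, the password revealed
    when a secret is supplied, other strings returned as bytes."""
    out, i = [], 0
    while i + 2 <= len(blob):
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute")
        value = blob[i + 2:i + length]
        tag = value[0]
        if attr in TAGGED_INTEGER_ATTRS:
            out.append((attr, tag, int.from_bytes(value[1:], "big")))
        elif attr == TUNNEL_PASSWORD and secret is not None:
            out.append((attr, tag,
                        reveal_tunnel_password(secret, authenticator, value)))
        else:
            out.append((attr, tag, value[1:]))
        i += length
    return out


# Constructed RADIUS request context (not values from the course material)
RADIUS_SECRET = b"example-radius-secret"
REQUEST_AUTHENTICATOR = bytes(range(16, 32))


def slide_access_accept_attributes() -> bytes:
    """The tunnel attributes of the slide as one tagged set (tag 1)."""
    tag = 1
    return b"".join([
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_L2TP),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4),
        tagged_str(TUNNEL_CLIENT_ENDPOINT, tag, b"3.3.3.1"),
        tagged_str(TUNNEL_SERVER_ENDPOINT, tag, b"33.33.33.1"),
        tagged_str(TUNNEL_CLIENT_AUTH_ID, tag, b"erx3"),
        tagged_str(TUNNEL_ASSIGNMENT_ID, tag, b"erx3-primary-tunnel"),
        hide_tunnel_password(RADIUS_SECRET, REQUEST_AUTHENTICATOR, tag,
                             b"training", salt=b"\x85\x42"),
    ])
```

The hiding only ties the password to the RADIUS shared secret and the request it answers; it is not encryption in any modern sense, which is one reason the RADIUS path between LAC and server needs its own transport protection.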
[Figure: one L2TP tunnel and control connection between LAC erx3 (lo0=3.3.3.1, vr2) and LNS erx1 (lo0=33.33.33.1, ISP2 RADIUS); users dave@isp2.com (1.1.1.2), eural@isp2.com (4.4.4.4) and john@isp2.com (5.5.5.5) attached through LACs]
User Authentication
[Figure: user authentication: jen@CompanyA.com and dave@CompanyA.com enter through LAC erx3 (1.1.1.2, lo0=3.3.3.1) and are tunneled to the Company A headquarters LNS erx1 (lo0=33.33.33.1) with RADIUS; home1@isp2.com enters through a DSL router and is tunneled to the ISP2 LNS]
LAC Processing
The LAC initiates user authentication. Once the LAC determines to tunnel the user's session, it hands the PPP session off to the LNS. The LAC on the E-series router always sends the user authentication response to the LNS; you cannot disable this functionality on the E-series router. This response, or proxy authentication data, includes the username and password, or the username, CHAP challenge, CHAP challenge ID, and CHAP response.
LNS Processing
Once the LNS receives the proxy authentication response, the LNS can either accept the response and authenticate the user, or discard the response and restart the authentication process. By default, the LNS on the E-series router always discards the proxy authentication response and restarts the authentication process with the user. You can configure the LNS to accept and use the proxy authentication data per L2TP destination remote host using the command enable proxy authenticate.
[Figure: LAC erx3 (lo0=3.3.3.1), serving dave@isp2.com (1.1.1.2), with two LNS destinations: erx1 (lo0=33.33.33.1, ISP2 RADIUS) and erx2 (lo0=33.33.33.2)]
[Figure: tunnel failover: from LAC erx3 (lo0=3.3.3.1), serving dave@isp2.com (1.1.1.2), which LNS is primary, erx1 (lo0=33.33.33.1, ISP2 RADIUS), and which is backup, erx2 (lo0=33.33.33.2)?]
Tunnel Switching
[Figure: tunnel switching: ricardo@isp1.com (7.7.1.2), peter@isp1.com (7.7.2.2) and phil@isp1.com (7.7.3.2) each enter through their own LAC; their tunnels terminate on a router acting as LNS toward those LACs and as LAC toward the isp1.com LNS, with RADIUS at both ends]
Tunnel switching:
erx3(config)#l2tp tunnel-switching
– Terminates tunnels from multiple LACs and forwards the sessions through new L2TP tunnels
– Aids in L2TP tunnel scaling
Tunnel Switching
L2TP tunnel switching allows you to switch packets between one session terminating at an L2TP LNS and another session originating at an L2TP LAC. What distinguishes a tunnel-switched LAC from a conventional one is that there are two interface columns: one for the incoming session (LNS) and one for the outgoing session (LAC). The router forwards traffic from the incoming session to the outgoing session and vice versa. You can select tunnel switching on a per-chassis basis. By default, tunnel switching is disabled. This preserves current behavior and prevents inadvertent attempts to switch tunnels.
LAC processing:
– Layer 2 encapsulation stripped, leaving the user's IP/PPP packet
– Client's PPP interface identifies session and tunnel ID, which is mapped to the tunnel destination IP address
– IP route lookup using tunnel destination IP address
– IP/PPP packet tagged with session ID and outgoing interface and sent across switch fabric to egress line module
– Egress line module encapsulates packet with the tunnel's IP/PPP/L2TP headers and the Layer 2 encapsulation
LAC Processing
L2TP-encapsulated packets require a bit more processing due to the extra encapsulation. The next
few slides discuss the life of a packet traveling from a user through the LAC and arriving at the LNS.
When a user's IP/PPP packet arrives on the LAC's interface, the ingress processor strips the Layer 2
encapsulation, leaving the user's IP/PPP encapsulated frame. Remember that the user's interface
column on the LAC only includes PPP, not IP. The user's PPP interface on the LAC identifies the L2TP
session and tunnel ID, which is then mapped to the tunnel destination IP address. The ingress
processor does a route lookup on this destination IP address, which, in this case, is the tunnel
endpoint—not the user's destination IP address—to determine the egress line module and outgoing
interface. The ingress line module tags the user's IP/PPP packet with the session ID and outgoing
interface and sends the packet across the switch fabric to the egress line module. The egress
processor then adds the IP/UDP/L2TP headers to the user's IP/PPP packet and encapsulates this with
the appropriate Layer 2 framing.
[Figure: packet flow through the LAC, shown once per stage: traffic from the user enters the ingress line module (ingress FC), crosses the switch fabric, and leaves the egress line module (egress FC) toward the user's destination; the encapsulation at each stage is the user's IP/PPP packet, then the packet tagged with the session ID and loopback, then the L2TP/IP/UDP headers added and the Layer 2 frame built with the next hop and next interface]
L2TP Fragmentation
While traversing several hops in an IP network, packets can become fragmented for several reasons; for example, the maximum transmission unit (MTU) of a link between two hops (routers) is smaller than that of the previous hops. Recall that in an L2TP environment, the PPP session is negotiated between the user and the LAC or between the user and the LNS. Unfortunately, this PPP session rides within a tunnel that might traverse several network links with different MTU sizes. If the user and LAC negotiate the PPP maximum receive unit (MRU) size, that negotiation does not encompass the entire path the packets will traverse. Likewise, if the user and LNS negotiate the PPP MRU size, the LNS is blind to the MTU sizes of the intervening links. Either way, the negotiation does not account for the different MTU sizes of the links along the path. When user data is sent across the tunnel, the user's IP/PPP packet is encapsulated and tunneled, potentially making the packet quite large. If this tunneled packet becomes too large for a specific Layer 2 link, it is fragmented, and the fragments are routed and forwarded like all other IP packets. The terminating end station (destination) must perform the IP reassembly of the fragmented packets. Where already fragmented packets are tunneled and the tunnel packets themselves become fragmented, the fragmented tunnel packets must be reassembled first, before the actual packet can be reassembled and processed. IP reassembly requires buffering and potential reordering of all fragments, because the original IP packet cannot be reassembled until the last fragment is received. Fragments can arrive on any physical port of potentially different line cards, so the reassembly of packets must be centralized on a tunnel-server port.
Tunnel-Server Port Performs IP Reassembly
IP reassembly in the E-series router uses a dedicated or shared tunnel-server port. Remember that the LNS requires a tunnel-server port and can therefore handle packet reassembly naturally. The LAC, however, does not require a tunnel-server port and, by default, does not perform any reassembly of IP packets. If the LAC must perform IP reassembly, it requires a dedicated or shared tunnel-server port. Unfortunately, the dedicated tunnel-server port can be quite expensive, only specific line modules support shared tunnel-server ports, and reassembly can negatively impact performance. IP reassembly is enabled or disabled per virtual router. It is disabled on all virtual routers by default and must be enabled explicitly.
LAC processing:
– Layer 2 encapsulation stripped, leaving the L2TP-encapsulated IP/PPP packet
– IP route lookup using IP address in L2TP encapsulation
– Destination IP address local to LAC and UDP port = 1701
– Terminate tunnel, remove L2TP IP/UDP and L2TP headers and obtain session ID
– Using session ID, obtain outgoing user's interface
– User's IP/PPP packet tagged and sent across switch fabric to egress line module
– Egress line module encapsulates IP/PPP packet in Layer 2 encapsulation
LAC Processing
When the LAC receives packets from the tunnel, the ingress processor strips the Layer 2 encapsulation, leaving the user's IP/UDP/L2TP-encapsulated PPP packet. Then the ingress processor performs one lookup. It examines the destination IP address, which in this case is the tunnel endpoint, not the user's destination IP address. The ingress processor determines that the destination IP address is a local IP address associated with the LAC. Because the IP address is local, the ingress line module examines the IP packet and determines it is a UDP packet encapsulating an L2TP frame (UDP port 1701).
Once the LAC's ingress processor determines it is an L2TP-encapsulated packet, it terminates the
tunnel, removes the L2TP IP/UDP headers, obtains the L2TP session ID, and removes the L2TP
header. Using the session ID, it determines the outgoing client interface. It then tags the user's IP/PPP
packet with the outgoing client interface and sends the packet across the switch fabric to the egress
line module. The egress FC receives the user's IP/PPP packets and encapsulates them in the
appropriate Layer 2 framing.
Note that the user's interface on the egress FC acts as the centralized anchor point. This interface
expects to receive complete IP/PPP-encapsulated packets. On the LAC, however, any number of
ingress FCs can receive tunneled packets destined for a single user. If tunneled packets were
fragmented along the way, different fragments could arrive on different line modules at the LAC. If this
is the case, the LAC has no way of reassembling fragmented packets before they are sent to the user's
outgoing interface. If tunneled packets are fragmented, the LAC requires additional hardware to act as
a single aggregation point for all incoming tunneled packets.
Avoiding Fragmentation
L2TP fragmentation avoidance:
– Configure an MRU lower than the minimum MTU between LAC/LNS
– MRU = (Min MTU between LAC/LNS) – (L2TP UDP/IP) – (Max L2TP header)
– Ethernet example:
  Minimum link MTU       1500
  L2TP IP header          -20
  L2TP UDP header          -8
  L2TP header              -6
  PPP header               -4
  MRU size to specify    1462
E-series router acting as a LAC:
– Configure the MTU on the access link
E-series router acting as an LNS:
– Configure PPP MRU within the profile referenced in the L2TP remote host definition
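The slide's subtraction, carried out in Python as an added example (not course material), generalised to the optional fields of the L2TP data header (sequence numbers, length and offset, RFC 2661 section 3.1) and wrapped in a check a practitioner can run against a configured MRU. The header sizes are the slide's own; the option handling and the check function are additions made here.

```python
"""L2TP fragmentation-avoidance arithmetic: the largest PPP MRU that keeps
tunnelled packets within the smallest MTU between LAC and LNS. Header sizes
are the slide's; the L2TP data-header options are an addition."""

IP_HDR, UDP_HDR, PPP_HDR = 20, 8, 4   # slide's values
L2TP_DATA_HDR_MIN = 6                 # flags/version, tunnel ID, session ID
L2TP_SEQ_FIELDS = 4                   # Ns and Nr when the S bit is set
L2TP_LEN_FIELD = 2                    # Length when the L bit is set
L2TP_OFFSET_FIELD = 2                 # Offset Size when the O bit is set


def l2tp_data_overhead(seq=False, length=False, offset_pad=None):
    """Bytes added around the PPP frame by IP/UDP and the L2TP data header."""
    hdr = L2TP_DATA_HDR_MIN
    if seq:
        hdr += L2TP_SEQ_FIELDS
    if length:
        hdr += L2TP_LEN_FIELD
    if offset_pad is not None:
        hdr += L2TP_OFFSET_FIELD + offset_pad
    return IP_HDR + UDP_HDR + hdr


def safe_ppp_mru(min_path_mtu, **l2tp_opts):
    """MRU = (min MTU between LAC/LNS) - IP/UDP - L2TP header - PPP header."""
    return min_path_mtu - l2tp_data_overhead(**l2tp_opts) - PPP_HDR


def tunnelled_packet_size(user_ip_len, **l2tp_opts):
    """Size of the outer IP packet carrying one user IP datagram."""
    return user_ip_len + PPP_HDR + l2tp_data_overhead(**l2tp_opts)


def fragments_on_path(user_ip_len, min_path_mtu, **l2tp_opts):
    """True when a user datagram of this size would be fragmented in the tunnel."""
    return tunnelled_packet_size(user_ip_len, **l2tp_opts) > min_path_mtu


def check_mru_setting(configured_mru, min_path_mtu, **l2tp_opts):
    """Report whether a configured PPP MRU avoids fragmentation and, if not,
    by how many bytes it must be lowered."""
    limit = safe_ppp_mru(min_path_mtu, **l2tp_opts)
    return {"safe": configured_mru <= limit, "limit": limit,
            "excess": max(0, configured_mru - limit)}


if __name__ == "__main__":
    print(safe_ppp_mru(1500))              # the slide's Ethernet example
    print(check_mru_setting(1492, 1500))   # a typical PPPoE MRU over a 1500 path
```

The check is worth running whenever sequence numbers are enabled on the data channel, because the four extra bytes of Ns/Nr move the limit from the slide's 1462 to 1458 and a configuration copied from the slide would then fragment.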
L2TP Licensing
What licenses are required for L2TP?
– LAC requires a B-RAS subscriber license for each PPP session
– LNS requires a B-RAS subscriber license for each IP interface
– LNS requires an L2TP session license for each tunneled session
– Tunnel switching: 2 L2TP session licenses, 1 for the inbound session and 1 for the outbound session
L2TP Licensing
In an L2TP environment, additional software licenses are required. If an E-series router acts as a LAC, it requires a B-RAS subscriber license for each tunneled PPP session or PPP interface. If an E-series router acts as an LNS, it requires a B-RAS subscriber license for each terminated IP session or IP interface. The LNS also requires an LNS session license for each L2TP session it manages. If an E-series router performs L2TP tunnel switching, each switched session counts as two session licenses.
Troubleshooting L2TP
The slide highlights the topic we discuss next.
[Figure: troubleshooting topology: LAC erx3 (1.1.1.2 toward users, lo0=3.3.3.1, router ID 3.3.3.1) serves pete@erx3.com and holly@erx3.com through LNS erx3-lns (erx3.com, lo0=33.33.33.1, router ID 33.33.33.1), and home1@isp2.com (DSL router) through LNS vr2 (ISP2, lo0=33.33.33.2, router ID 33.33.33.2, with RADIUS)]
L2TP destinations:
erx3#show l2tp destination
L2TP destination 1 is Up with 1 active tunnel and 2 active sessions
L2TP destination 2 is Up with no active tunnels
2 L2TP destinations found
erx3#show l2tp destination detail
L2TP tunnels:
erx3#show l2tp tunnel
L2TP tunnel 1/lac-erx3-to-erx1 is Up with no active sessions
1 L2TP tunnel found
L2TP sessions:
erx3#show l2tp session
L2TP session 1/lac-erx3-to-erx1/1 is Up
L2TP session 1/lac-erx3-to-erx1/2 is Up
2 L2TP sessions found
L2TP Destinations
An L2TP destination corresponds to a LAC/LNS pair and is identified by the router's router ID. Keep in mind that the E-series router supports virtual routers, and destinations are identified using the router ID, so one LAC could have several destinations to the same physical router. In the example on the slide, erx3 has two destinations: destination 1 is between 3.3.3.1 and 33.33.33.1, and destination 2 is between 3.3.3.1 and 33.33.33.2. On E-series routers, destination identifiers are assigned sequentially by the system; you cannot configure a destination identifier.
L2TP Tunnels
A single L2TP destination can support multiple tunnels. On the LAC, tunnels are identified by destination identifier and tunnel identification. You can configure the tunnel identification on the LAC to aid in troubleshooting. On the LNS, tunnels are identified by destination identifier and tunnel ID. Tunnel IDs are assigned sequentially by the LNS and are not configurable. The example on the slide shows the active tunnel on the LAC.
L2TP Sessions
A single L2TP tunnel can support multiple sessions. On the LAC, sessions are identified by destination identifier, tunnel identification, and session ID. Session IDs are assigned sequentially by the LNS and are not configurable. The example on the slide shows the active sessions on the LAC.
Module Review
1. What are two common applications for L2TP?
2. What are the steps for tunnel establishment?
3. How does the E-series router determine if a PPP session is to be tunneled or terminated?
4. What L2TP parameters must you configure on the LNS?
5. What are the different L2TP tunnel failover methods, and how do they differ?
6. What special hardware is required for the LAC? What special hardware is required for the LNS?
Lab Objectives:
Configure and troubleshoot an E-series router as both a LAC and an LNS.
Questions
Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice them
now so that your instructor can best address your needs during class.
Module Objectives
After successfully completing this module, you will be able to:
– Define the policy management function
– Follow the packet flow through the E-series router
– Identify the line module components that implement policy management
– Configure classifier access control lists
– Configure policy lists
– Configure rate-limit profiles
– Use show commands and logging to troubleshoot policy configuration
What Is a Policy?
Figure: sample network with the Captive Portal at 192.168.254.1, the FTP server at 10.10.10.10, www.disney.com at 172.16.199.250, and video.server.com at 192.168.200.16.
What Is a Policy?
A policy is a condition and an action that is attached to an interface. The condition and action cause
the router to handle the packets passing through the interface in a certain way.
Policy Attachment Points
A policy can be attached to IP interfaces and certain Layer 2 interfaces such as Frame Relay, L2TP,
MPLS, and VLAN interfaces. This chapter focuses on attaching policies to IPv4 interfaces. An interface
can have one policy attached that evaluates inbound traffic and a different policy attached that
evaluates outbound traffic. The policies do not need to be the same in both directions.
Policy Examples
Policy examples:
– Filter specific types of traffic
  Drop any Telnet traffic going to the user
  Drop any NetBIOS traffic coming from the user
– Rate-limit traffic
  Rate-limit inbound and outbound traffic to 512 Kbps
– Provide higher bandwidth to specific types of traffic
  FTP traffic rate-limited to 1 Mbps, all other traffic 512 Kbps
– Steer traffic to a specific interface or IP address
  Forward traffic destined for a content network to a captive portal
Policy Examples
In this chapter we discuss how to create several types of simple policy rules. Our first example shows
how to filter specific types of traffic. Our second example shows how to rate-limit all traffic going to and
coming from a user to a rate lower than the physical link speed. In our network, this rate limiting occurs
at the IP interface. Next, we discuss how to differentiate different traffic flows and provide higher
bandwidth to certain types of traffic. In our simple network, we show how to give more bandwidth to
FTP traffic. Finally, we discuss the concept of policy routing. We use this concept to steer traffic
destined for a specific IP address range to a captive portal for additional processing. With policy
routing, the router does not perform a route table lookup using the packet's destination IP address.
Instead, the policy identifies which IP address to use as the next-hop address, or across which
interface to forward the packet, bypassing the normal routing function.
Packet flow through the E-series router, ingress processing:
– Input Classification: If an input policy is attached, do a classifier lookup.
– Input Policy: If the classification matches, take the policy action: policy route, rate limit, mark, filter, log, traffic class, or forward.
– Input Rate Limiting: If a rate-limit policy matches, do a dual token bucket lookup, updating the packet color. Take the color-specific action: mark, discard, or forward.
– Route Lookup: Do a route lookup. If source address validation is enabled and the check fails, discard. If there is no route, forward to the SRP.
– Local Classification: For locally destined packets, if a secondary input policy is attached, do a classifier lookup.
– Local Policy: If the classification matches, take the policy action.
– Encapsulation: Add a route tag containing the outgoing interface.
– Forwarding: Transmit the packet across the switch fabric.
– Statistics: Update statistics.
Egress processing:
– Multicast: If multicast, elaborate the frame onto multiple interfaces.
– Output Policy: If the classification matches, take the policy action: rate limit, mark, filter, log, or traffic class.
– Output Rate Limiting: If a rate-limit policy matches, do a dual token bucket lookup, updating the packet color. Take the color-specific action: mark, discard, or forward.
– Fragmentation: If the packet exceeds the MTU and the do-not-fragment bit is set, discard; otherwise, fragment the packet.
– Encapsulation: Add data-link headers.
– Forwarding: Transmit the packet across the physical interface.
– Statistics: Update statistics.
Figure: IP header fields (Source IP Address, Destination IP Address, Options, Padding, Data) over the sample network: FTP server 10.10.10.10, a Telnet session to the user at 10.1.1.2, and www.disney.com at 172.16.199.250.
Outbound policy:
– Drop Telnet traffic going to the user
Quiz:
– What happens to FTP traffic?
– What happens to traffic coming from www.disney.com?
Outbound Policy
In the next few slides we discuss how to build a very simple policy that filters Telnet traffic going to the
user. From the router's perspective, this is an outbound policy as we are trying to prevent traffic from
going out an interface to a specific user.
Quiz
If this were the only policy rule configured on the router's outbound interface, what would the router do
with FTP traffic going to the user? What would the router do with HTTP traffic going to the user? Would
it be dropped? Would it be forwarded? On the E-series router, there is no implicit deny any any (any
source IP address or port, any destination IP address or port) policy rule, so both types of traffic would
be forwarded to the user at line rate.
Referenced by interface(s):
FastEthernet3/2.71 output policy, statistics enabled, virtual-router default
Referenced by profile(s):
No profile references
Inbound policy:
– Drop NetBIOS traffic coming from the user
– Example only shows NetBIOS name and datagram service
Quiz:
– What happens to FTP traffic?
– What happens to traffic going to www.disney.com?
Inbound Policy
Now we discuss how to build a very simple policy that filters NetBIOS traffic coming from the user.
From the router's perspective, this is an inbound policy because we are trying to prevent traffic from
entering the router.
Quiz
If this were the only policy rule configured on the router's inbound interface, what would the router do
with FTP traffic coming from the user? What would the router do with HTTP traffic coming from the
user? Would it be dropped? Would it be forwarded? On the E-series router, there is no implicit deny
any any policy rule so both types of traffic would enter the router.
erx7(config)#policy-list from-user
erx7(config-policy-list)#classifier-group drop-traffic-from-user
erx7(config-policy-list-classifier-group)#filter
erx7(config-policy-list-classifier-group)#exit
erx7(config-policy-list)#exit
erx7(config)#interface fastEthernet 3/2.71
erx7(config-if)#ip policy input from-user
Rate-Limiting Overview
The slide shows the topic we discuss next.
Policy examples:
– Filter specific types of traffic
  Drop any Telnet traffic going to the user
  Drop any NetBIOS traffic coming from the user
– Rate-limit traffic
  Rate-limit inbound and outbound IP traffic to 512 Kbps
– Provide higher bandwidth to specific types of IP traffic
  FTP traffic rate-limited to 1 Mbps, all other IP traffic 512 Kbps
– Steer certain IP traffic to a specific interface or IP address
  Forward IP traffic destined for a content network to a captive portal
Policy Examples
In the previous section, we discussed how to filter specific types of traffic. The next few examples show
how to rate-limit traffic going to and coming from a user to a rate lower than the physical link speed.
Rate limiting enforces data rates below the physical line rate of a port for either an IP interface, a
classified packet flow, or a Layer 2 interface. You implement rate limiting by configuring a rate-limit
profile that specifies bandwidth attributes and actions.
You can configure rate-limit profiles to provide a variety of services, including tiered bandwidth service
where traffic conforming to configured bandwidth levels is treated differently than traffic that exceeds
the configured values, and a hard-limit service where a fixed bandwidth limit is applied to a traffic flow.
Finally, you can configure rate-limit profiles to provide a TCP-friendly rate-limiting service that works in
conjunction with TCP's native flow-control functionality.
On the E-series router, you configure rate-limit profiles using one of two mechanisms: a Two Rate/Three
Color Marker (trTCM), as described in RFC 2698, or a Single Rate/Three Color Marker (srTCM), as
described in RFC 2697.
The LM-10 uplink line module does not support rate limiting. See the Policy Management Configuration
Guide for more information.
Rate limiting:
– Count number of bytes in each packet over time
– Categorize packets
– Assign action
– Internal color coding
Figure: dual token bucket. Bucket 1 holds the committed burst and Bucket 2 the peak burst; tokens (bytes) are replenished in between packets. Decision branches shown for an arriving packet: if it does not fit in either bucket, do not decrement the token count from either bucket, color the packet red, and take the exceeded action; if it fits only in the peak burst bucket, decrement the token count from the peak burst bucket, color the packet yellow (conformed), and take the conformed action.
Congestion Management
Figure: an egress queue with a queue limit and two color-based drop thresholds, the yellow drop threshold at 50% and the red drop threshold at 25% of the queue limit.
Congestion Management
When you configure the rate-limit profile, a side effect is the internal tagging of packets with a drop
preference. The color-coded tag is added automatically when the committed and peak burst values for
an interface's rate-limit profile are exceeded. The egress forwarding controller uses this drop
preference when there is contention for outbound queuing resources within the E-series router, and it
uses it to decide which packets are dropped.
The queuing system uses drop eligibility to select packets for dropping when congestion exists on an
egress interface. This method is called dynamic color-based threshold dropping. Each packet
classified by a rate-limit profile has a 2-bit tag associated with it internally in the E-series router. The
2-bit code assigns a color code to the packet: red, yellow, or green. Each packet queue in the system
has two color-based thresholds as well as a queue limit. When an egress queue exceeds the red drop
threshold due to congestion, packets that were marked red by the rate-limit profile are not queued.
When the yellow drop threshold is reached, packets marked yellow are not allowed into the egress
queue. Green packets are not dropped until the queue limit is reached.
Remember that this internal tagging is done automatically when a rate-limit profile is applied to an
interface and does not necessarily reflect the operation of the policy on an interface.
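The admission rule described above, as an added example (not code from the student guide or from JUNOSe): a queue with a queue limit and two color thresholds, where a packet is refused once the queue depth has reached the threshold for its color. The 50% and 25% thresholds are the ones in the figure; the queue limit of 8 packets and the offered packet sequence are constructed for the example.

```python
"""Dynamic color-based threshold dropping on an egress queue.

Added example, not code from the guide or from JUNOSe: a model of the queue
admission rule described above. Each queue has a queue limit and two color
thresholds. A red packet is refused once the queue depth has reached the
red drop threshold, a yellow packet once it has reached the yellow drop
threshold, and a green packet only when the queue limit is reached. The
threshold percentages (yellow 50 %, red 25 %) are the ones in the guide's
figure; the queue limit of 8 packets and the offered packet sequence are
constructed.
"""
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class ColorAwareQueue:
    def __init__(self, limit: int, yellow_pct: int = 50, red_pct: int = 25) -> None:
        self.limit = limit
        self.thresholds = {
            "green": limit,                      # dropped only when the queue is full
            "yellow": limit * yellow_pct // 100,
            "red": limit * red_pct // 100,
        }
        self.packets: Deque[Tuple[str, int]] = deque()
        self.dropped: Dict[str, int] = {"green": 0, "yellow": 0, "red": 0}

    def depth(self) -> int:
        return len(self.packets)

    def enqueue(self, color: str, seq: int) -> bool:
        """Admit the packet unless the depth has reached its color's threshold."""
        if self.depth() >= self.thresholds[color]:
            self.dropped[color] += 1
            return False
        self.packets.append((color, seq))
        return True

    def dequeue(self) -> Optional[Tuple[str, int]]:
        return self.packets.popleft() if self.packets else None


def burst_demo(limit: int = 8, offered: int = 30):
    """Offer a repeating green/yellow/red pattern to a queue that is not draining
    (a congested egress interface); return (admitted per color, dropped per color,
    final depth). Red packets are refused first, then yellow, and green packets
    are dropped only once the queue limit is reached."""
    q = ColorAwareQueue(limit)
    admitted = {"green": 0, "yellow": 0, "red": 0}
    pattern = ("green", "yellow", "red")
    for seq in range(offered):
        color = pattern[seq % 3]
        if q.enqueue(color, seq):
            admitted[color] += 1
    return admitted, q.dropped, q.depth()
```

With the constructed burst, the queue fills to its limit with green and the first two yellow packets, every red packet is refused from a depth of 2 onward, and only the last four green packets are lost; once a packet is dequeued and the depth falls below a threshold, that color is admitted again.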
Figure: 1 Mb hard limit. Bucket 1, committed burst 125000 bytes, fill rate = committed rate x sample period (12800 bytes per sample period); a packet that fits in the bucket is transmitted, a packet that does not is dropped. Bucket 2, peak burst 8192 bytes (default), fill rate = peak rate x sample period = 0 x sample period; the bucket is empty and takes no action.
erx7(config)#rate-limit-profile 1Mbps-hard-2
erx7(config-rate-limit-profile)#committed-rate 1000000
erx7(config-rate-limit-profile)#committed-burst 125000
erx7(config-rate-limit-profile)#run show rate 1Mbps-hard-2
Figure: TCP behavior under rate limiting. With a hard limit, the TCP window (number of packets) grows 2, 4, 8, 16; due to the loss of so many packets, TCP cuts back to its original window size. With a TCP-friendly profile, the window grows 16, 17, 19, 23; due to the loss of one packet, TCP cuts back to the previous window size, and the transfer alternates between two optimized window sizes, achieving something closer to the committed rate. Buckets shown: Bucket 1, committed burst 1500000 bytes, fill rate = committed rate x sample period, committed action transmit; Bucket 2, excess burst 3000000 bytes, fill rate = peak rate x sample period, conformed action transmit; exceeded action drop.
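The two marker mechanisms named above (srTCM per RFC 2697 and trTCM per RFC 2698), the 1Mbps-hard-2 profile configured earlier, and the TCP-friendly profile in the figure, as one added example that is not code from the student guide or from JUNOSe. Time advances in fixed sample periods the way the figures describe; the 100 ms period, the 2.4 Mbps offered load and the smaller burst sizes used for the srTCM and trTCM demonstrations are assumptions made for the example.

```python
"""Three-color rate limiting with a dual token bucket (srTCM and trTCM).

Added example, not code from the student guide or from JUNOSe: a discrete
model of the dual token bucket the guide describes. Time advances in fixed
sample periods (assumed here to be 100 ms); at the start of each period the
buckets receive rate x sample period bytes, then the packets arriving in
that period are colored one by one. Fills are computed in bytes, so a
1 Mbps committed rate adds 12500 bytes per period. Colors map to the
JUNOSe action names: green = committed action, yellow = conformed action,
red = exceeded action.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

PERIOD_MS = 100  # assumed sample period


def fill_per_period(rate_bps: int) -> int:
    """Bytes added to a bucket per sample period for a rate in bits per second."""
    return rate_bps * PERIOD_MS // 8000


@dataclass
class Bucket:
    size: int            # burst size in bytes
    fill: int            # bytes added per sample period
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.size          # buckets start full

    def add(self, n: int) -> int:
        """Add n tokens up to the burst size; return the overflow that did not fit."""
        used = min(self.size - self.tokens, n)
        self.tokens += used
        return n - used


class SingleRateProfile:
    """RFC 2697 srTCM: one rate with a committed burst and an excess burst.

    The excess bucket only receives tokens that overflow the committed bucket,
    so it absorbs a burst but cannot sustain a higher rate. With excess_burst=0
    it is the guide's hard-limit profile: within the committed rate or dropped.
    """

    def __init__(self, committed_rate_bps: int, committed_burst: int, excess_burst: int = 0) -> None:
        self.c = Bucket(committed_burst, fill_per_period(committed_rate_bps))
        self.e = Bucket(excess_burst, 0)

    def replenish(self) -> None:
        self.e.add(self.c.add(self.c.fill))

    def color(self, size: int) -> str:
        if self.c.tokens >= size:
            self.c.tokens -= size
            return "green"               # committed action
        if self.e.tokens >= size:
            self.e.tokens -= size
            return "yellow"              # conformed action
        return "red"                     # exceeded action, nothing charged


class TwoRateProfile:
    """RFC 2698 trTCM: committed and peak buckets filled independently."""

    def __init__(self, committed_rate_bps: int, committed_burst: int,
                 peak_rate_bps: int, peak_burst: int) -> None:
        self.c = Bucket(committed_burst, fill_per_period(committed_rate_bps))
        self.p = Bucket(peak_burst, fill_per_period(peak_rate_bps))

    def replenish(self) -> None:
        self.c.add(self.c.fill)
        self.p.add(self.p.fill)

    def color(self, size: int) -> str:
        if self.p.tokens < size:
            return "red"                 # exceeded: neither bucket is charged
        self.p.tokens -= size
        if self.c.tokens < size:
            return "yellow"              # conformed: only the peak bucket charged
        self.c.tokens -= size
        return "green"                   # committed: both buckets charged


def run_period(profile, packet_sizes: List[int]) -> Tuple[int, int, int]:
    """Replenish once, color each packet, return (green, yellow, red) counts."""
    profile.replenish()
    counts = {"green": 0, "yellow": 0, "red": 0}
    for size in packet_sizes:
        counts[profile.color(size)] += 1
    return counts["green"], counts["yellow"], counts["red"]


def hard_limit_demo(periods: int = 20, packets_per_period: int = 20, size: int = 1500):
    """The guide's 1Mbps-hard profile (committed-rate 1000000, committed-burst 125000)
    offered 2.4 Mbps of 1500-byte packets (constructed load); returns the per-period
    (green, yellow, red) counts. The committed burst lets every packet through for the
    first six periods, after which the profile settles at the committed rate."""
    profile = SingleRateProfile(1_000_000, 125_000)
    return [run_period(profile, [size] * packets_per_period) for _ in range(periods)]
```

The hard-limit run shows why the figure's TCP window collapses: once the 125000-byte committed burst is spent, more than half of each period's packets are colored red and dropped. Giving the single-rate profile an excess burst lets the same overflow come through as yellow (conformed action, transmit) until that bucket is also empty, which is the TCP-friendly behavior the figure describes; the two-rate profile instead bounds the yellow traffic by the peak rate.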
Policy Table
------ -----
IP Policy to-user
Administrative state: enable
Reference count: 1
Classifier control list: drop-traffic-to-user, precedence 100
filter
Classifier control list: ftp, precedence 110
rate-limit-profile 1Mbps-hard
Classifier control list: *, precedence 120
rate-limit-profile 512Kbps
Referenced by interface(s):
FastEthernet3/2.71 output policy, statistics enabled, virtual-router default
Referenced by profile(s):
No profile references
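How the policy table above is evaluated, as an added example (not code from the student guide or from JUNOSe): classifier groups are tried from the lowest precedence number upwards, the first matching classifier list decides the action, and a packet that matches nothing is forwarded, which is the "no implicit deny any any" point behind the two quizzes. The port-based definitions of the telnet, ftp and NetBIOS classifier lists and the host addresses are taken from the figures or constructed for the example.

```python
"""Policy-list evaluation: classifier groups by precedence, no implicit deny.

Added example, not code from the student guide or from JUNOSe: a model of
how a policy list such as the "to-user" policy above selects an action. The
classifier groups are tried from the lowest precedence number upwards and
the first classifier list that matches decides the action. A packet that
matches no classifier group is forwarded at line rate, because the E-series
router has no implicit "deny any any" rule. Classifier lists are modelled
as predicates over a packet; the port-based definitions of the telnet, ftp
and NetBIOS classifiers are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class ClassifierGroup:
    classifier: str                     # name of the classifier control list
    precedence: int                     # lower number is evaluated first
    match: Callable[[Packet], bool]
    action: str                         # "filter", "forward" or "rate-limit-profile <name>"


def evaluate(policy_list: List[ClassifierGroup], pkt: Packet) -> str:
    """Return the action taken on pkt by the first matching classifier group."""
    for group in sorted(policy_list, key=lambda g: g.precedence):
        if group.match(pkt):
            return group.action
    return "forward"    # no match: no implicit deny, the packet is forwarded


# Constructed classifier lists (port numbers are the usual IANA assignments).
def is_telnet(p: Packet) -> bool:
    return p.proto == "tcp" and 23 in (p.sport, p.dport)


def is_ftp(p: Packet) -> bool:
    return p.proto == "tcp" and (p.sport in (20, 21) or p.dport in (20, 21))


def is_netbios(p: Packet) -> bool:
    # NetBIOS name service (137) and datagram service (138), as in the guide's example
    return p.proto == "udp" and p.dport in (137, 138)


def match_any(p: Packet) -> bool:
    return True


# The "to-user" output policy shown in the policy table above.
TO_USER = [
    ClassifierGroup("drop-traffic-to-user", 100, is_telnet, "filter"),
    ClassifierGroup("ftp", 110, is_ftp, "rate-limit-profile 1Mbps-hard"),
    ClassifierGroup("*", 120, match_any, "rate-limit-profile 512Kbps"),
]

# The "from-user" input policy with only the NetBIOS filter attached.
FROM_USER = [
    ClassifierGroup("drop-traffic-from-user", 100, is_netbios, "filter"),
]


def quiz_answers() -> Dict[str, str]:
    """Apply the guide's quiz traffic to both policies (hosts taken from the figures)."""
    user, ftp_server, web = "10.1.1.2", "10.10.10.10", "172.16.199.250"
    return {
        "telnet to user": evaluate(TO_USER, Packet(ftp_server, user, "tcp", 23, 40000)),
        "ftp to user": evaluate(TO_USER, Packet(ftp_server, user, "tcp", 20, 40001)),
        "http to user": evaluate(TO_USER, Packet(web, user, "tcp", 80, 40002)),
        "netbios from user": evaluate(FROM_USER, Packet(user, "10.1.1.255", "udp", 137, 137)),
        "http from user": evaluate(FROM_USER, Packet(user, web, "tcp", 40003, 80)),
    }
```

With the full to-user policy, HTTP to the user is not dropped but falls through to the "*" group and is rate-limited to 512 Kbps; with only the Telnet filter attached (the first quiz), the same packet matches nothing and is forwarded at line rate. Anything a policy is meant to block therefore needs its own classifier group, because nothing is denied by default.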
Policy Examples
This final policy example shows the concept of policy routing. We want to steer traffic destined for a
restricted content network to a captive portal for additional processing. This is a common configuration
in an SDX-300 environment. In this environment, content networks are restricted unless you have
agreed to activate a service and pay for the use of the service. The captive portal allows you to
activate this service, and the SDX-300 then sends down a dynamic policy to the router that allows you
access to the service.
erx7(config)#policy-list from-user
erx7(config-policy-list)#classifier-group content precedence 90
erx7(config-policy-list-classifier-group)#forward next-hop 192.168.254.1
erx7(config-policy-list-classifier-group)#forward next-hop 2.2.2.2 order 110
erx7(config-policy-list-classifier-group)#forward interface atm 6/0.34 order 120
Module Review
1. How would you define the policy management function in the E-series router?
2. What is the flow of packets through the E-series router?
3. What type of information is configured in a classifier list?
4. A policy is a condition and an action. Where are the actions configured?
5. How can you obtain policy statistics?
6. What is the difference between a one-rate and a two-rate rate-limit profile?
7. How do you control the order of classifier groups in a policy list?
8. How do you attach a policy list to a dynamic interface?
Lab Objectives:
Configure and test classifier lists, rate-limit profiles, and policy lists to control Telnet, FTP, and ICMP traffic.
Module Objectives
After successfully completing this module, you will be able to:
– List and describe the different reload options for the router
– Perform the process to upgrade software on the router
– List the different options to downgrade software on the router
– Perform the process to recover from a corrupted flash
– Explain the password removal process
– List and explain the methods for accessing the CLI
Rebooting Review
The router needs two things to boot or reload:
– Configuration file and operating system
Stored on the flash
To view current boot configuration:
erx7#show boot
erx7#
Options
You can reboot the router several different ways:
• Until now, we have used the simple reload command, which immediately reboots the router.
You can also include a text line indicating why the router is being reloaded. This text is
included in the router's reboot history file. In this example on the slide, the router will reboot
immediately with the reason, "Upgrade software to newer version."
• You can perform a scheduled reboot, specifying a specific time and date. This feature might
be useful during a software upgrade. With the first example on the slide, the router will
reboot on November 29 at 13:00 (or 1:00 in the afternoon). You can also include a reason in
the command. If the router reloads before the scheduled reload time, the scheduled reload
configuration is not affected. You can also perform a reload in a specified amount of time. In
the second example on the slide, the router will reboot in 30 minutes with the reason,
"Reloading ERX in 30 minutes". The reason is then stored in the reboot.hty file; you can
view it using the show last command.
• To verify any type of scheduled reload configuration, use the show reload command. You
can cancel scheduled reloads using the reload cancel command.
• Finally, you can also reboot a single slot in the router.
Figure: the Juniper Networks FTP server reached across the Internet and the local FTP server at 10.13.7.101.
Initial setup:
– Copy new release software to local FTP server
– Configure host entry on router for local FTP server and verify connectivity
erx7(config)#host ftpServer 10.13.7.101 ftp erx7 mypassword
erx7(config)#run ping ftpServer
Resolving "ftpServer" ...
Sending 5 ICMP echos to 10.13.7.101, timeout = 2 sec.
!!!!!
Success rate = 100% (5/5), round-trip min/avg/max = 0/0/1 ms
erx7(config)#
Initial Setup
The next few slides describe the general upgrade process on the E-series router. This example
describes the process to upgrade an ERX-7xx router or an ERX-1410 router from software release
erx_7-0-0.rel to erx_7-3-0.rel.
If you upgrade an ERX-1440 router, the name of the software release is erx40_x.y.z.rel, where x.y.z is
the release number. If you upgrade an ERX-310 router, the name of the software release is
erx310_x.y.z.rel, and if you upgrade an ERX-320 router, the name of the software release is
erx320_x.y.z.rel. Before upgrading any router, review the release notes carefully. Some software
releases have different hardware or memory requirements.
To upgrade the router, first copy the new software release to your local FTP server. Next, on the
router, configure your FTP server as an FTP host. Verify that you can ping your FTP server from the
router. If you cannot, verify that you have a route to the FTP server.
WARNING 09/09/2006 13:36:39 ha: High Availability is disabled. View the srp redundancy status to determine the cause.
WARNING 09/09/2006 13:36:39 ha: High Availability is disabled due to the standby SRP being unavailable
At this point in time, the system is still operational and routing packets using the primary SRP. High-availability
mode is automatically disabled because the standby SRP is in the process of rebooting.
Wait for the redundant SRP to boot, initialize, and return to the standby state before continuing. You can use the
show version command to monitor the state of the standby SRP. You will notice that the standby SRP now boots
with the new version of software. The state field for the redundant SRP should be standby when the redundant
SRP comes back online. You will also receive the following message:
High Availability is disabled due to an incompatible release running on the standby SRP.
At this point, the standby SRP is running the new erx_7-3-0.rel software.
After any reboot, the file systems on the primary and redundant SRPs are no longer synchronized, so it is
necessary to synchronize the file systems again.
WARNING: This command will reboot the system and boot from the other SRP. Proceed with SRP
switch? [confirm]
WARNING: High-availability state is not active. Switching at this time will cause the system to cold
restart.
Proceed with SRP switch? [confirm]
The former standby SRP now assumes the primary role and the line modules reboot. Because the line
modules are currently booting, the system is no longer able to route traffic. Once the line modules
come online, the system is operational and can route traffic using the new primary SRP.
High-availability mode is still disabled because the new standby SRP is still booting with the new
version of software.
When the standby SRP comes back online, the system reinitializes high-availability mode. This
process takes several minutes to complete. You can monitor high-availability mode status using the
show redundancy command. This command identifies the criteria preventing high-availability mode
from being active. Once both SRPs are initialized, you can turn on the automatic file synchronization
process.
At this point, the system is fully operational. Both SRPs are running the new version of software. Notice
that the reload command was never used during this process.
Downgrading Software
Option 1:
– Configure the router to use the old configuration file only once:
erx7(config)#boot config erx_7-0-0.cnf once
– Configure the router to use the old software release:
erx7(config)#boot system erx_7-0-0.rel
– Verify the boot settings:
erx7#show boot
System Release: erx_7-0-0.rel
System Configuration: erx_7-0-0.cnf once
Note: This system is not configured with backup settings.
erx7#
– Reload the router:
erx7#reload
JUNOSe Hotfix
A JUNOSe hotfix is a subset of a full release used to provide time-critical updates to an operational
router. A hotfix is used to address specific, critical issues without having to load an entire software
release. You can also use a hotfix to add debugging code to collect data used for troubleshooting
software issues. Depending on the extent of the change, a hotfix might be dynamically activated or
deactivated, or it might require a reload of the router.
Obtaining a JUNOSe Hotfix
A hotfix is a special version of software that can only be created to address specific scenarios. Only
Juniper Networks determines when a hotfix is possible or necessary. Hotfixes are only created to
resolve truly critical, time-sensitive issues as determined by Juniper Networks.
Solution 3
If the router still does not boot properly, configure the management Fast Ethernet port's IP address and
the FTP host address. If the FTP server is not on the local segment, you also must configure the IP
gateway. Because these commands are being written into the boot prom on the SRP, you must run the
reload CLI command to actually program the interface.
Verify that the management Fast Ethernet port is operational by pinging it from the FTP server. Copy a
valid software release from your FTP server and a backup configuration file, if available, to the flash
card. Next, configure the software release and configuration file boot settings and reload.
Solution 4
If the boot process still halts at the boot ## prompt, you should replace the current flash card with a
backup flash card and reboot the router.
Solution 5
If you do not have a backup flash, you should contact the Juniper Networks Technical Assistance
Center (JTAC) as the flash might be corrupted. If it is corrupted, JTAC might walk you through
formatting the flash and rebuilding the environment. To do this, you perform the following steps from
the boot CLI:
:boot##flash-disk initialize Please wait
Now use the steps from Option 3 to load the software onto the flash card and reload the router.
Synchronize:
– Manually forces the redundant SRP to synchronize its flash card with the primary SRP's flash card
flash-disk compare:
– Detects differences between the redundant and primary flash cards
erx7#flash-disk compare all
erx7#flash-disk compare configuration
synchronize low-level-check:
– Validates files that failed the flash-disk compare
erx7#synchronize low-level-check all
erx7#synchronize low-level-check configuration
Figure: locally stored usernames and passwords
Username  Password
gary      miata
diane     piano
RADIUS/TACACS+
Configuring RADIUS/TACACS+
Authentication for CLI Access
Steps:
– Add the users into the RADIUS or TACACS+ database
– Configure the router for RADIUS or TACACS+ authentication:
erx7(config)# aaa new-model
– Configure the RADIUS or TACACS+ authentication server on the router:
erx7(config)# radius authentication server 10.1.7.55
erx7(config-radius)# udp-port 1645
erx7(config-radius)# key training
or
erx7(config)#tacacs-server host 10.1.7.55 port 10 key training
– Configure the source IP address of RADIUS or TACACS+ packets originated on the router:
erx7(config)# radius update-source-addr 10.1.7.6
or
erx7(config)#tacacs-server source-address 10.1.7.6
Username: user0
Password: *****
Logged in on console.
Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
erx7>
Continuing on with this example, if the RADIUS server is unavailable, the authentication request is sent to the TACACS+
server. If this server is also unavailable, the user is prompted for a console password, which is stored locally on the router. If
the user knows the console password, the user gains access to User Exec mode. The following capture illustrates this
scenario:
Username: user0
Password: *****
Console password: ***********
Logged in on console.
Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
erx7>
If the user does not know the password, access is denied. However, if no console password is defined, the user simply gains
access to User Exec mode due to the last authentication method of none. If the RADIUS server is available but the username
or password is incorrect, the user is denied access, and no further processing will occur.
Username: user0
Password: *****
Logged in via telnet.
Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
erx7>
Continuing on with this example, if the RADIUS server is unavailable, the user is prompted for a Telnet password. If the user
knows the Telnet password, the user gains access to User Exec mode. No other options are permitted using this scheme:
Username: user0
Password: *****
Telnet password: **********
Logged in via telnet.
Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
erx7>
If no Telnet password is defined, the user is denied access. If the RADIUS server is available but the username or password
was incorrect, the user is denied access, and no further processing will occur.
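The two login sequences walked through above, as an added example that is not code from the student guide or from JUNOSe: a method list is tried in order, an unavailable method (unreachable server, or no line password configured) hands off to the next one, an explicit reject ends processing, and the method none accepts anyone. The console list is radius, tacacs+, line, none and the Telnet list is radius, line; user accounts, server reachability and line passwords are constructed values.

```python
"""Login authentication method lists with fall-through.

Added example, not code from the guide or from JUNOSe: a model of the
authentication sequence the guide walks through. Methods are tried in
order. A method that is unavailable (RADIUS or TACACS+ server unreachable,
or no line password configured) hands off to the next one; an explicit
reject ends processing with access denied; the method "none" accepts
anyone. The console list is radius, tacacs+, line, none and the Telnet list
is radius, line, as described above. User accounts, server reachability and
line passwords are constructed values.
"""
from typing import Dict, List, Optional, Tuple

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"


class AuthServer:
    """A RADIUS or TACACS+ server holding a username/password database."""

    def __init__(self, users: Dict[str, str], reachable: bool = True) -> None:
        self.users, self.reachable = users, reachable

    def authenticate(self, user: str, password: Optional[str]) -> str:
        if not self.reachable:
            return UNAVAILABLE
        return ACCEPT if self.users.get(user) == password else REJECT


class LinePassword:
    """Console or Telnet password stored locally; unavailable when none is set."""

    def __init__(self, password: Optional[str]) -> None:
        self.password = password

    def authenticate(self, user: str, line_password: Optional[str]) -> str:
        if self.password is None:
            return UNAVAILABLE
        return ACCEPT if line_password == self.password else REJECT


class NoAuth:
    """The 'none' method: access without any credential check."""

    def authenticate(self, user: str, password: Optional[str]) -> str:
        return ACCEPT


Method = Tuple[str, object]


def login(methods: List[Method], user: str, password: str,
          line_password: Optional[str] = None) -> Tuple[bool, str]:
    """Run the method list; return (access granted?, method that decided)."""
    for name, method in methods:
        secret = line_password if name == "line" else password
        result = method.authenticate(user, secret)
        if result == ACCEPT:
            return True, name
        if result == REJECT:
            return False, name          # no further processing after a reject
    return False, "exhausted"           # list ran out without a decision: denied


USERS = {"user0": "secret0", "gary": "miata", "diane": "piano"}   # constructed


def console_methods(radius_up: bool, tacacs_up: bool, console_pw: Optional[str]) -> List[Method]:
    """Console list from the guide: radius, tacacs+, line (console password), none."""
    return [("radius", AuthServer(USERS, radius_up)),
            ("tacacs+", AuthServer(USERS, tacacs_up)),
            ("line", LinePassword(console_pw)),
            ("none", NoAuth())]


def telnet_methods(radius_up: bool, telnet_pw: Optional[str]) -> List[Method]:
    """Telnet list from the guide: radius, line (Telnet password); no none method."""
    return [("radius", AuthServer(USERS, radius_up)),
            ("line", LinePassword(telnet_pw))]
```

The model makes the difference between the two lists visible: with both servers down and no console password set, the console list ends in none and grants User Exec to anyone, whereas the Telnet list with no Telnet password set runs out of methods and denies access. A wrong password against a reachable server is rejected on the spot and never reaches the line password.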
Figure: from User Exec, enable 10 prompts for the enable password (checked against RADIUS or the locally stored enable password) and on success enters Privileged Exec.
Enable passwords:
– Can be configured per level
– Stored locally on the E-series router
erx7>enable 10
Password:***
erx7#
The E-series router assumes the default level of 10 if no level is specified in the enable command.
Remember that support mode is available only through Level 15.
erx5#
WARNING: This operation will force the system to reboot and should be performed ONLY as a last resort. If
possible, either wait for the current command to complete or telnet into the system and use the 'reload' command
instead. Force reboot (yes/no)?
If you choose the reboot option, the router reboots without running hardware diagnostics.
Useful Commands
Several useful CLI commands exist that relate to FTP server functionality. One command is the dir
command, as seen in the example on the slide. You can see the subdirectories that are automatically
created (incoming and outgoing) with the ftp-server enable command.
To view files in either the incoming or outgoing directories, use the dir /outgoing or dir /incoming
commands.
To delete a file in one of these subdirectories, use the delete /incoming or del /outgoing commands, as
shown on the slide.
You can also manage files in the user space from an FTP client on the network using FTP protocol
commands. A few of these commands include PWD, LIST, and CWD.
Review Questions
Questions
Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice them
now so that your instructor can best address your needs during class.