Junos Security Swconfig Interfaces

Junos ® OS Interfaces Configuration Guide for Security Devices Release 11.4 Published: 2011-10-31 Copyright © 2011, Juniper Networks, Inc.


Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Interfaces Configuration Guide for Security Devices
Release 11.4
Copyright 2011, Juniper Networks, Inc.
All rights reserved.

Revision History
November 2011 R1 Junos OS 11.4

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Abbreviated Table of Contents

About This Guide

Part 1 Interfaces Overview
Chapter 1 Interfaces Overview

Part 2 Ethernet Interfaces
Chapter 2 Ethernet Interfaces
Chapter 3 Aggregated Ethernet Interfaces
Chapter 4 1-Port Gigabit Ethernet SFP Mini-PIM
Chapter 5 2-Port 10-Gigabit Ethernet XPIM
Chapter 6 Power over Ethernet

Part 3 DS1 and DS3 Interfaces
Chapter 7 DS1 and DS3 Interfaces
Chapter 8 1-Port Clear Channel DS3/E3 GPIM
Chapter 9 Channelized Interfaces

Part 4 ISDN and VoIP Interfaces
Chapter 10 ISDN
Chapter 11 Voice over Internet Protocol with Avaya

Part 5 DSL and Modem Interfaces
Chapter 12 DSL Interfaces
Chapter 13 G.SHDSL Interfaces
Chapter 14 VDSL2 Interfaces
Chapter 15 3G Wireless Modems for WAN Connections
Chapter 16 USB Modems for Dial Backup
Chapter 17 DOCSIS Mini-PIM Interfaces
Chapter 18 Serial Interfaces

Part 6 Link Services and Special Interfaces
Chapter 19 Link Services Interfaces
Chapter 20 Special Interfaces

Part 7 Encapsulation
Chapter 21 Interface Encapsulation Overview
Chapter 22 Point-to-Point Protocol over Ethernet

Part 8 Index
Index

Table of Contents

About This Guide
  J Series and SRX Series Documentation and Release Notes
  Objectives
  Audience
  Supported Routing Platforms
  Document Conventions
  Documentation Feedback
  Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC

Part 1 Interfaces Overview

Chapter 1 Interfaces Overview
  Interfaces Overview
  Understanding Interfaces
  Network Interfaces
  Services Interfaces
  Special Interfaces
  Interface Naming Conventions
  Interface Logical Properties
  Understanding Interface Logical Properties
  Understanding Protocol Families
  Common Protocol Suites
  Other Protocol Suites
  Understanding IPv4 Addressing
  IPv4 Classful Addressing
  IPv4 Dotted Decimal Notation
  IPv4 Subnetting
  IPv4 Variable-Length Subnet Masks
  IPv6 Addressing
  Understanding IPv6 Addressing
  Configuring the inet6 IPv6 Protocol Family
  Enabling Flow-Based Processing for IPv6 Traffic
  Configuring Flow Aggregation to Use Version 9 Flow Templates
  Understanding Virtual LANs
  Interface Physical Properties
  Understanding Interface Physical Properties
  Understanding Bit Error Rate Testing
  Understanding Interface Clocking
  Data Stream Clocking
  Explicit Clocking Signal Transmission
  Understanding Frame Check Sequences
  Cyclic Redundancy Checks and Checksums
  Two-Dimensional Parity
  MTU Default and Maximum Values
  VLAN IDs and Ethernet Interface Types Supported on the SRX Series Devices
  Understanding the Data Link Layer
  Physical Addressing
  Network Topology
  Error Notification
  Frame Sequencing
  Flow Control
  Data Link Sublayers
  MAC Addressing
  Configuring IOC to NPC Mapping

Part 2 Ethernet Interfaces

Chapter 2 Ethernet Interfaces
  Understanding Ethernet Interfaces
  Ethernet Access Control and Transmission
  Collisions and Detection
  Collision Detection
  Backoff Algorithm
  Collision Domains and LAN Segments
  Repeaters
  Bridges and Switches
  Broadcast Domains
  Ethernet Frames
  Example: Creating an Ethernet Interface
  Example: Deleting an Ethernet Interface
  Static ARP Entries on Ethernet Interfaces
  Understanding Static ARP Entries on Ethernet Interfaces
  Example: Configuring Static ARP Entries on Ethernet Interfaces
  Promiscuous Mode on Ethernet Interfaces
  Understanding Promiscuous Mode on Ethernet Interfaces
  Enabling and Disabling Promiscuous Mode on Ethernet Interfaces (CLI Procedure)

Chapter 3 Aggregated Ethernet Interfaces
  Aggregated Ethernet Interfaces
  Understanding Aggregated Ethernet Interfaces
  LAGs
  LACP
  Aggregated Ethernet Interfaces Configuration Overview
  Device Count for Aggregated Ethernet Interfaces
  Understanding the Aggregated Ethernet Interfaces Device Count
  Example: Configuring the Number of Aggregated Ethernet Interfaces on a Device
  Example: Deleting Aggregated Ethernet Interfaces
  Physical Interfaces for Aggregated Ethernet Interfaces
  Understanding Physical Interfaces for Aggregated Ethernet Interfaces
  Example: Associating Physical Interfaces with Aggregated Ethernet Interfaces
  Link Speed for Aggregated Ethernet Interfaces
  Understanding Aggregated Ethernet Interface Link Speed
  Example: Configuring Aggregated Ethernet Link Speed
  Minimum Links for Aggregated Ethernet Interfaces
  Understanding Minimum Links for Aggregated Ethernet Interfaces
  Example: Configuring Aggregated Ethernet Minimum Links
  Removal of Aggregated Ethernet Interfaces
  Understanding Aggregated Ethernet Interface Removal
  Example: Deleting Aggregated Ethernet Interface Contents
  Understanding VLAN Tagging for Aggregated Ethernet Interfaces
  Understanding Promiscuous Mode for Aggregated Ethernet Interfaces
  Verifying Aggregated Ethernet Interfaces
  Verifying Aggregated Ethernet Interfaces (terse)
  Verifying Aggregated Ethernet Interfaces (extensive)
  LACP for Standalone Devices
  Understanding LACP on Standalone Devices
  Example: Configuring LACP on Standalone Devices
  Verifying LACP on Standalone Devices
  Verifying LACP Statistics
  Verifying LACP Aggregated Ethernet Interfaces
  LACP on Chassis Clusters
  Understanding LACP on Chassis Clusters
  Minimum Links
  Sub-LAGs
  Hitless Failover
  PDUs
  Example: Configuring LACP on Chassis Clusters
  Verifying LACP on Redundant Ethernet Interfaces

Chapter 4 1-Port Gigabit Ethernet SFP Mini-PIM
  Understanding the 1-Port Gigabit Ethernet SFP Mini-PIM
  Supported Features
  Interface Names and Settings
  Available Link Speeds and Modes
  Link Settings
  Example: Configuring the 1-Port Gigabit Ethernet SFP Mini-PIM Interface

Chapter 5 2-Port 10-Gigabit Ethernet XPIM
  Understanding the 2-Port 10-Gigabit Ethernet XPIM
  Supported Features
  Interface Names and Settings
  Copper and Fiber Operating Modes
  Link Speeds
  Link Settings
  Example: Configuring the 2-Port 10-Gigabit Ethernet XPIM Interface

Chapter 6 Power over Ethernet
  Understanding Power over Ethernet
  SRX Series Services Gateway PoE Specifications
  PoE Classes and Power Ratings
  PoE Options
  Example: Configuring PoE on All Interfaces
  Example: Configuring PoE on an Individual Interface
  Example: Disabling a PoE Interface

Part 3 DS1 and DS3 Interfaces

Chapter 7 DS1 and DS3 Interfaces
  DS1 Interfaces
  Understanding T1 and E1 Interfaces
  T1 Overview
  E1 Overview
  T1 and E1 Signals
  Encoding
  T1 and E1 Framing
  T1 and E1 Loopback Signals
  Example: Configuring a T1 Interface
  Example: Deleting a T1 Interface
  DS3 Interfaces
  Understanding T3 and E3 Interfaces
  Multiplexing DS1 Signals
  DS2 Bit Stuffing
  DS3 Framing
  Example: Configuring a T3 Interface
  Example: Deleting a T3 Interface

Chapter 8 1-Port Clear Channel DS3/E3 GPIM
  Understanding the 1-Port Clear Channel DS3/E3 GPIM Configuration
  Supported Features
  Interface Naming
  Physical Interface Settings
  Logical Interface Settings
  Example: Configuring the 1-Port Clear-Channel DS3/E3 GPIM for DS3 Port Mode
  Example: Configuring the 1-Port Clear-Channel DS3/E3 GPIM for M23 Mapping Mode
  Example: Configuring the 1-Port Clear Channel DS3/E3 GPIM for E3 Port Mode

Chapter 9 Channelized Interfaces
  Understanding Channelized Interfaces
  Clear Channels
  Understanding Channelized Interface Clear Channels
  Example: Configuring a Channelized T1 Interface as a Clear Channel
  Example: Configuring a Channelized E1 Interface as a Clear Channel
  Verifying Clear-Channel Interfaces
  Drop-and-Insert
  Understanding Channelized Interface Drop-and-Insert
  Example: Configuring a Channelized Interface to Drop and Insert Time Slots
  Example: Configuring Complementary Clock Sources on Channelized Interfaces
  Verifying Channelized Interfaces
  ISDN PRI Operation
  Understanding ISDN PRI Operation for Channelized Interfaces
  Example: Configuring a Channelized Interface for an ISDN PRI Network Service
  Verifying ISDN PRI Configuration on Channelized Interfaces

Part 4 ISDN and VoIP Interfaces

Chapter 10 ISDN
  Understanding ISDN
  ISDN Channels
  Typical ISDN Network
  NT Devices and S and T Interfaces
  U Interface
  ISDN Call Setup
  Layer 2 ISDN Connection Initialization
  Layer 3 ISDN Session Establishment
  ISDN Configuration Overview
  ISDN Interfaces
  Understanding ISDN Interfaces
  ISDN BRI Interface Types
  ISDN PRI Interface Types
  ISDN Interface Configuration
  Example: Adding an ISDN BRI Interface
  Dialer Interfaces
  Understanding Dialer Interfaces
  Example: Configuring Dialer Interfaces
  Dial Backup
  Understanding Dial Backup
  Example: Configuring Dial Backup
  Dial-on-Demand Routing Backup
  Understanding Dial-on-Demand Routing Backup
  Example: Configuring Dialer Filters for Dial-on-Demand Routing Backup
  Example: Configuring Dial-on-Demand Routing Backup with OSPF Support
  Dialer Watch
  Understanding Dialer Watch
  Example: Configuring Dialer Watch
  Dial-In and Callback
  Understanding Dial-In and Callback
  Example: Configuring Dial-In and Callback
  Bandwidth on Demand
  Understanding Bandwidth on Demand
  Example: Configuring Bandwidth on Demand
  Disabling ISDN Processes (CLI Procedure)
  Verifying the ISDN Configuration
  Displaying the ISDN Status
  Verifying an ISDN BRI Interface
  Verifying an ISDN PRI Interface and Checking B-Channel Interface Statistics
  Checking D-Channel Interface Statistics
  Displaying the Status of ISDN Calls
  Verifying Dialer Interface Configuration

Chapter 11 Voice over Internet Protocol with Avaya
  Avaya VoIP Modules Overview
  Avaya VoIP Modules Configuration Overview
  Supported Avaya VoIP Modules and Interfaces
  Avaya VoIP Modules Summary
  J2320 and J2350 Avaya VoIP Module Summary
  J4350 and J6350 Avaya VoIP Module Summary
  TGM550 Telephony Gateway Module Overview
  Understanding the TGM550 Telephony Gateway Module
  TGM550 Guidelines and Features
  TGM550 Access Requirements
  TGM550 Console Port Pinouts
  TGM550 RJ-11 Connector Pinout for Analog Ports
  TGM550 Maximum Media Gateway Capacities
  TGM550 LEDs
  TIM508 Analog Telephony Interface Module Overview
  Understanding the TIM508 Analog Telephony Interface Module
  TIM508 Connector Pinout
  TIM508 Possible Port Configurations
  TIM508 LEDs
  TIM510 E1/T1 Telephony Interface Module Overview
  Understanding the TIM510 E1/T1 Telephony Interface Module
  TIM510 RJ-45 Connector Pinout
  TIM510 LEDs
  TIM514 Analog Telephony Interface Module Overview
  Understanding the TIM514 Analog Telephony Interface Module
  TIM514 Connector Pinout
  TIM514 Possible Port Configurations
  TIM514 LEDs
  TIM516 Analog Telephony Interface Module Overview
  Understanding the TIM516 Analog Telephony Interface Module
  TIM516 Connector Pinout
  TIM516 Possible Port Configurations
  TIM516 LEDs
  TIM518 Analog Telephony Interface Module Overview
. . . . . . . . . . . . . . . . . . . . 231Understanding the TIM518 Analog Telephony Interface Module . . . . . . . . . . 231TIM518 Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232TIM518 Possible Port Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234TIM518LEDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235TIM521 BRI Telephony Interface Module Overview . . . . . . . . . . . . . . . . . . . . . . . . 235Understanding the TIM521 BRI Telephony Interface Module . . . . . . . . . . . . 235TIM521LEDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Avaya IG550 Integrated Gateway Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237Media Gateway Controller Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239Avaya Communication Manager Software Overview. . . . . . . . . . . . . . . . . . . . . . 240Dynamic Call Admission Control Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241Dynamic CAC Interface Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241SupportedInterfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241Bearer Bandwidth Limit and Activation Priority . . . . . . . . . . . . . . . . . . . 241Rules for Determining Reported BBL . . . . . . . . . . . . . . . . . . . . . . . . . . . 242Configuring VoIP Interfaces with EPW and Disk-on-Key . . . . . . . . . . . . . . . . . . . 242Example: Configuring VoIP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245TGM550 Module Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253Connecting Through the TGM550 Module Console Port . . . . . . . . . . . . . . . 253Connecting to the TGM550 with SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . 254TGM550 Module with Telnet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254Enabling Telnet Service on the TGM550 Module . . . . . . . . . . . . . . . . . . 254Connecting to the TGM550 Module with Telnet . . . . . . . . . . . . . . . . . . 255Disabling Telnet Service on the TGM550 Module . . . . . . . . . . . . . . . . . 255Accessing the Services Router from the TGM550 Module . . . . . . . . . . . . . . 255Resetting the TGM550 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256Saving the TGM550 Module Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 256TGM550 Module and VoIP Interface Troubleshooting . . . . . . . . . . . . . . . . . . . . . 257xiii Copyright 2011, Juniper Networks, Inc.Table of ContentsPart 5 DSL and ModemInterfacesChapter 12 DSLInterfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261ADSL Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261ADSL Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262ADSL2 and ADSL2+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263ATM CoS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263ADSL and SHDSL Interfaces Configuration Overview . . . . . . . . . . . . . . . . . . . . . 264Example: Configuring ATM-over-ADSL Network Interfaces . . . . . . . . . . . . . . . . . 270Example: Configuring ATM-over-SHDSL Network Interfaces . . . . . . . . . . . . . . . . 276Example: Configuring CHAP on DSL Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 282Example: Configuring MLPPP-over-ADSL Interfaces . . . . . . . . . . . . . . . . . . . . . . 290Example: Configuring the DHCP Client on ADSL Interface . . . . . . . . . . . . . . . . . 292Chapter 13 G.SHDSLInterfaces. . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297SHDSL Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297G.SHDSL Mini-PIM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297Operating Modes and Line Rates of the G.SHDSL Mini-PIM. . . . . . . . . . . . . 298ATM CoS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298G.SHDSL Mini-PIM Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299Example: Configuring the G.SHDSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301Example: Configuring the G.SHDSL Interface on SRX Series Devices . . . . . . . . . 309Chapter 14 VDSL2Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321VDSL2 Interface Technology Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321VDSL2 Network Deployment Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322VDSL2 Interface Support on SRX Series Devices . . . . . . . . . . . . . . . . . . . . . . . . . 323VDSL2 Interface Compatibility with ADSL Interfaces . . . . . . . . . . . . . . . . . . 324VDSL2 Interfaces Supported Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325VDSL2 Interfaces Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326Example: Configuring VDSL2 Interfaces (Basic) . . . . . . . . . . . . . . . . . . . . . . . . . . 327Example: Configuring VDSL2 Interfaces (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . 332Example: Configuring VDSL2 Interfaces in ADSL Mode (Basic) . . . . . . . . . . . . . . 357Example: Configuring VDSL2 Interfaces in ADSL Mode (Detail) . . . . . . . . . . . . . 363Chapter 15 3GWirelessModemsforWANConnections. . . . . . . . . . . . . . . . . . . . . . . . . 
3913G Wireless Modem Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3913G Wireless Modem Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392Dialer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394Understanding the Dialer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394Dialer Interface Configuration Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394Dialer Interface Authentication Support for GSMHSDPA 3G WirelessModems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395Dialer Interface Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395Dialer Interface Operating Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 395Example: Configuring the Dialer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 3963G Wireless Modem Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401Understanding the 3G Wireless Modem Physical Interface . . . . . . . . . . . . . 402Example: Configuring the 3G Wireless Modem Interface . . . . . . . . . . . . . . . 402Copyright 2011, Juniper Networks, Inc. xivJunos OS Interfaces Configuration Guide for Security DevicesGSMProfile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403Understanding the GSM Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403Example: Configuring the GSM Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404Account Activation for CDMA EV-DO Modem Cards . . . . . . . . . . . . . . . . . . . . . . 405Understanding Account Activation for CDMA EV-DO Modem Cards . . . . . 405Obtaining Electronic Serial Number (ESN) . . . . . . . . . . . . . . . . . . . . . . 406AccountActivationModes. . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . 407Activating the CDMA EV-DO Modem Card with OTASP Provisioning . . . . . 407Activating the CDMA EV-DO Modem Card Manually . . . . . . . . . . . . . . . . . . 408Activating the CDMA EV-DOModemCard with IOTA Provisioning . . . . . . . . 410Unlocking the GSM 3G Wireless Modem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Chapter 16 USB Modems for Dial Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413USB Modem Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413USB Modem Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414DialerInterfaceRules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414How the Device Initializes USB Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415USB Modem Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416Example: Configuring a USB Modem Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 418Example: Configuring Dialer Interfaces and Backup Methods for USB ModemDial Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420Example: Configuring a Dialer Interface for USB ModemDial-In . . . . . . . . . . . . . 426Example: Configuring PAP on Dialer Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 428Example: Configuring CHAP on Dialer Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 429Chapter 17 DOCSISMini-PIMInterfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431DOCSIS Mini-PIM Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431Software Features Supported on DOCSIS Mini-PIMs . . . . . . . . . . . . . . . . . . . . . 433Example: Configuring the DOCSIS Mini-PIM Interfaces . . . . . . . . . . . 
. . . . . . . . . 434Chapter 18 Serial Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439Serial Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439Serial Transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439SignalPolarity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441Serial Clocking Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441Serial Interface Transmit Clock Inversion . . . . . . . . . . . . . . . . . . . . . . . . 441DTE Clock Rate Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442Serial Line Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442EIA-530. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442RS-232. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443RS-422/449 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443V.35 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444X.21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444Example: Configuring a Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445Example: Deleting a Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447xv Copyright 2011, Juniper Networks, Inc.Table of ContentsPart 6 Link Services and Special InterfacesChapter 19 LinkServicesInterfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451Link Services Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 451Services Available on a J Series Link Services Interface . . . . . . . . . . . . . . . . 452Link Services Exceptions on J Series Services Routers . . . . . . . . . . . . . . . . . 453Configuring Multiclass MLPPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453Queuing with LFI on J Series Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454Queuing on Q2s of Constituent Links . . . . . . . . . . . . . . . . . . . . . . . . . . . 455Compressed Real-Time Transport Protocol Overview . . . . . . . . . . . . . . . . . 455Configuring Fragmentation by Forwarding Class . . . . . . . . . . . . . . . . . . . . . 455Configuring Link-Layer Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457Link Services Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458Configuring Link Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459Understanding MLPPP Bundles and Link Fragmentation and Interleaving(LFI) on Serial Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459Example: Configuring an MLPPP Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . 460Understanding Link Fragmentation and Interleaving Configuration . . . . . . . 463Example: Configuring Link Fragmentation and Interleaving . . . . . . . . . . . . . 464Understanding How to Define Classifiers and Forwarding Classes . . . . . . . 465Example: Defining Classifiers and Forwarding Classes . . . . . . . . . . . . . . . . . 466Understanding How to Define and Apply Scheduler Maps . . . . . . . . . . . . . 469Example: Configuring Scheduler Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471Understanding Interface Shaping Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474Example: Configuring Interface Shaping Rates . . . . . . . . . . . . . . . . . . . . . . . 
474Verifying the Link Services Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475Verifying Link Services Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 476Verifying Link Services CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 478MultilinkFrameRelay. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480Understanding Multilink Frame Relay FRF.15 . . . . . . . . . . . . . . . . . . . . . . . . 480Example: Configuring Multilink Frame Relay FRF.15 . . . . . . . . . . . . . . . . . . . 480Understanding Multilink Frame Relay FRF.16 . . . . . . . . . . . . . . . . . . . . . . . . 483Example: Configuring Multilink Frame Relay FRF.16 . . . . . . . . . . . . . . . . . . . 484Compressed Real-Time Transport Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487Understanding Compressed Real-Time Transport Protocol . . . . . . . . . . . . 487Example: Configuring the Compressed Real-Time Transport Protocol . . . . 488Internal Interface ls-0/0/0 Upgrade and Configuration Rollback . . . . . . . . . . . . 490Understanding the Internal Interface LSQ-0/0/0 Configuration . . . . . . . . . 490Example: Upgrading from ls-0/0/0 to lsq-0/0/0 for Multilink Services . . . 490Troubleshooting the Link Services Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493Determine Which CoS Components Are Applied to the ConstituentLinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494Determine What Causes Jitter and Latency on the Multilink Bundle . . . . . . 495Determine If LFI and Load Balancing Are Working Correctly . . . . . . . . . . . . 495Determine Why Packets Are Dropped on a PVC Between a J Series DeviceandAnotherVendor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502Chapter 20 Special Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . 503Understanding Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503Understanding the Discard Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504Copyright 2011, Juniper Networks, Inc. xviJunos OS Interfaces Configuration Guide for Security DevicesUnderstanding the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504Part 7 EncapsulationChapter 21 InterfaceEncapsulationOverview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509Understanding Physical Encapsulation on an Interface . . . . . . . . . . . . . . . . . . . 509Understanding Frame Relay Encapsulation on an Interface . . . . . . . . . . . . . . . . 509Virtual Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510Switched and Permanent Virtual Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . 510Data-Link Connection Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511Congestion Control and Discard Eligibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511Understanding Point-to-Point Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511Link Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512NetworkControlProtocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513MagicNumbers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513CSU/DSUDevices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514Understanding High-Level Data Link Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514HDLC Stations . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514HDLC Operational Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515Chapter 22 Point-to-Point Protocol over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517Understanding Point-to-Point Protocol over Ethernet . . . . . . . . . . . . . . . . . . . . . 517PPPoE Discovery Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518PPPoE Session Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519PPPoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520Understanding PPPoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520Example: Configuring PPPoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521PPPoE Encapsulation on an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 525Understanding PPPoE Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 525Example: Configuring PPPoE Encapsulation on an Ethernet Interface . . . . 526PPPoE Encapsulation on an ATM-over-ADSL or ATM-over-SHDSL Interface . . 526Understanding PPPoE ATM-over-ADSL and ATM-over-SHDSLInterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527Example: Configuring PPPoE Encapsulation on an ATM-over-ADSLInterface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527CHAP Authentication on a PPPoE Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529Understanding CHAP Authentication on a PPPoE Interface . . . . . . . . . . . . 529Example: Configuring CHAP Authentication on a PPPoE Interface . . . . . . . 530PPPoE-BasedRadio-to-RouterProtocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
532PPPoE-Based Radio-to-Router Protocols Overview . . . . . . . . . . . . . . . . . . . 532Understanding the PPPoE-Based Radio-to-Router Protocol . . . . . . . . . . . . 533Configuring PPPoE-Based Radio-to-Router Protocols . . . . . . . . . . . . . . . . . 535Example: Configuring the PPPoE-Based Radio-to-Router Protocol . . . . . . 535Verifying PPPoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538Displaying Statistics for PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538Credit Flow Control for PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539Example: PPPoE Credit-Based Flow Control Configuration . . . . . . . . . . . . . 539Verifying Credit-Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539Setting Tracing Options for PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540xvii Copyright 2011, Juniper Networks, Inc.Table of ContentsR2CP Radio-to-Router Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541R2CP Radio-to-Router Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 541Configuring the R2CP Radio-to-Router Protocol . . . . . . . . . . . . . . . . . . . . . . 542Verifying R2CP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545Part 8 IndexIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549Copyright 2011, Juniper Networks, Inc. 

About This Guide

This preface provides the following guidelines for using the Junos OS Interfaces Configuration Guide for Security Devices:

- J Series and SRX Series Documentation and Release Notes on page xix
- Objectives on page xx
- Audience on page xx
- Supported Routing Platforms on page xx
- Document Conventions on page xx
- Documentation Feedback on page xxii
- Requesting Technical Support on page xxii

J Series and SRX Series Documentation and Release Notes

For a list of related J Series documentation, see http://www.juniper.net/techpubs/software/junos-jseries/index-main.html .

For a list of related SRX Series documentation, see http://www.juniper.net/techpubs/hardware/srx-series-main.html .

If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes.

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books .

Objectives

This guide describes how to use and configure key security features on J Series Services Routers and SRX Series Services Gateways running Junos OS.
It provides conceptual information, suggested workflows, and examples where applicable.

Audience

This manual is designed for anyone who installs, sets up, configures, monitors, or administers a J Series Services Router or an SRX Series Services Gateway running Junos OS. The manual is intended for the following audiences:

- Customers with technical knowledge of and experience with networks and network security, the Internet, and Internet routing protocols
- Network administrators who install, configure, and manage Internet routers

Supported Routing Platforms

This manual describes features supported on J Series Services Routers and SRX Series Services Gateways running Junos OS.

Document Conventions

Table 1 on page xx defines the notice icons used in this guide.

Table 1: Notice Icons

Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.

Table 2 on page xxi defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
  Description: Represents text that you type.
  Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
  Description: Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions. Junos OS System Basics Configuration Guide. RFC 1997, BGP Communities Attribute.

Convention: Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
  Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.

Convention: < > (angle brackets)
  Description: Enclose optional keywords or variables.
  Examples: stub ;

Convention: | (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
  Description: Enclose a variable for which you can substitute one or more values.
  Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
  Description: Identify a level in the configuration hierarchy.
Convention: ; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Examples (for both conventions):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

J-Web GUI Conventions

Convention: Bold text like this
  Description: Represents J-Web graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
  Description: Separates levels in a hierarchy of J-Web selections.
  Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include the following information with your comments:

- Document or topic name
- URL or page number
- Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

- JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
- Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/ .
- JTAC Hours of Operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

- Find CSC offerings: http://www.juniper.net/customers/support/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
- Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
- Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
- Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
- Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

- Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
- Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html

PART 1 Interfaces Overview

- Interfaces Overview on page 3

CHAPTER 1 Interfaces Overview

- Interfaces Overview on page 3
- Interface Naming Conventions on page 9
- Interface Logical Properties on page 11
- Interface Physical Properties on page 30
- Understanding the Data Link Layer on page 37
- Configuring IOC to NPC Mapping on page 39

Interfaces Overview

- Understanding Interfaces on page 3
- Network Interfaces on page 4
- Services Interfaces on page 5
- Special Interfaces on page 8

Understanding Interfaces

Interfaces act as a doorway through which traffic enters and exits a device.
Juniper Networks devices support a variety of interface types:

- Network interfaces: Networking interfaces primarily provide traffic connectivity.
- Services interfaces: Services interfaces manipulate traffic before it is delivered to its destination.
- Special interfaces: Special interfaces include management interfaces, the loopback interface, and the discard interface.

Each type of interface uses a particular medium to transmit data. The physical wires and Data Link Layer protocols used by a medium determine how traffic is sent. To configure and monitor interfaces, you need to understand their media characteristics, as well as physical and logical properties such as IP addressing, link-layer protocols, and link encapsulation.

NOTE: Most interfaces are configurable, but some internally generated interfaces are not configurable.

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Junos OS Network Interfaces Configuration Guide
- Interface Naming Conventions on page 9
- Understanding Interface Logical Properties on page 12
- Understanding Interface Physical Properties on page 30
- Understanding the Data Link Layer on page 37

Network Interfaces

All Juniper Networks devices use network interfaces to make physical connections to other devices. A connection takes place along media-specific physical wires through an I/O card (IOC) in the SRX Series Services Gateway or a port on a Physical Interface Module (PIM) installed in the J Series Services Router. Networking interfaces primarily provide traffic connectivity.

You must configure each network interface before it can operate on the device. Configuring an interface can define both the physical properties of the link and the logical properties of a logical interface on the link.

Table 3 on page 4 describes network interfaces that are available on SRX Series and J Series devices.

Table 3: Network Interfaces

| Interface Name | Description |
| --- | --- |
| ae | Aggregated Ethernet interface. See Understanding Aggregated Ethernet Interfaces on page 55. |
| at | ATM-over-ADSL or ATM-over-SHDSL WAN interface. See ADSL and SHDSL Interfaces Configuration Overview on page 264. |
| bc | Bearer channel on an ISDN interface. See Understanding ISDN on page 161. |
| br | Basic Rate Interface for establishing ISDN connections. See Understanding ISDN Interfaces on page 165. |
| ce1 | Channelized E1 interface. See Understanding Channelized Interfaces on page 133. |
| ct1 | Channelized T1 interface. See Understanding Channelized Interfaces on page 133. |
| dc | Delta channel on an ISDN interface. See Understanding ISDN Interfaces on page 165. |
| dl | Dialer interface for initiating ISDN and USB modem connections. See Understanding ISDN Interfaces on page 165 and USB Modem Interface Overview on page 413. |
| e1 | E1 (also called DS1) WAN interface. See Understanding T1 and E1 Interfaces on page 109. |
| e3 | E3 (also called DS3) WAN interface. See Understanding T3 and E3 Interfaces on page 116. |
| fe | Fast Ethernet interface. See Understanding Ethernet Interfaces on page 43. |
| ge | Gigabit Ethernet interface. See Understanding Ethernet Interfaces on page 43. |
| pt | VDSL2 interface. See Example: Configuring VDSL2 Interfaces (Detail) on page 332. |
| reth | For chassis cluster configurations only, redundant Ethernet interface. See Understanding Ethernet Interfaces on page 43. |
| se | Serial interface (either RS-232, RS-422/499, RS-530, V.35, or X.21). See Serial Interfaces Overview on page 439. |
| t1 | T1 (also called DS1) WAN interface. See Understanding T1 and E1 Interfaces on page 109. |
| t3 | T3 (also called DS3) WAN interface. See Understanding T3 and E3 Interfaces on page 116. |
| wx | WXC Integrated Services Module (ISM200) interface for WAN acceleration. See the WXC Integrated Services Module Installation and Configuration Guide. |
| xe | 10-Gigabit Ethernet interface. See Understanding the 2-Port 10-Gigabit Ethernet XPIM on page 89. |

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding Interfaces on page 3
- Services Interfaces on page 5
- Special Interfaces on page 8

Services Interfaces

Services interfaces provide specific capabilities for manipulating traffic before it is delivered to its destination. On Juniper Networks M Series and T Series routing platforms, individual services such as IP-over-IP encapsulation, link services such as multilink protocols, adaptive services such as stateful firewall filters and NAT, and sampling and logging capabilities are implemented by services Physical Interface Cards (PICs). On J Series devices, these same features are implemented by the general-purpose CPU on the main circuit board. On SRX Series devices, services processing is handled by the Services Processing Card (SPC).

Although the same Junos OS image supports the services features across all routing platforms, on SRX Series and J Series devices, services interfaces are not associated with a physical interface. To configure services on these devices, you configure one or more internal interfaces by specifying slot 0, interface carrier 0, and port 0 (for example, gr-0/0/0 for GRE).

Table 4 on page 6 describes services interfaces that you can configure on SRX Series Services Gateways and J Series Services Routers.

Table 4: Configurable Services Interfaces

| Interface Name | Description |
| --- | --- |
| gr-0/0/0 | Configurable generic routing encapsulation (GRE) interface. GRE allows the encapsulation of one routing protocol inside another routing protocol. Packets are routed to this internal interface, where they are first encapsulated with a GRE packet and then sent. You can create multiple instances of this interface for forwarding encapsulated data to multiple destination addresses by using the default interface as the parent and creating extensions, for example, gr-0/0/0.1, gr-0/0/0.2, and so on. The GRE interface is an internal interface only and is not associated with a physical interface. It is used only for processing GRE traffic. See the Junos OS Services Interfaces Configuration Guide for information about tunnel services. |
| ip-0/0/0 | Configurable IP-over-IP encapsulation (IP-IP tunnel) interface. IP tunneling allows the encapsulation of one IP packet inside another IP packet. With IP routing, you can route IP packets directly to a particular address or route the IP packets to an internal interface where they are encapsulated inside an IP-IP tunnel and forwarded to the encapsulating packet's destination address. You can create multiple instances of this interface for forwarding IP-IP tunnel data to multiple destination addresses by using the default interface as the parent and creating extensions, for example, ip-0/0/0.1, ip-0/0/0.2, and so on. The IP-IP interface is an internal interface only and is not associated with a physical interface. It is used only for processing IP-IP tunnel traffic. See the Junos OS Services Interfaces Configuration Guide for information about tunnel services. |
| lsq-0/0/0 | Configurable link services queuing interface. Link services include the multilink services MLPPP, MLFR, and Compressed Real-Time Transport Protocol (CRTP). Packets are routed to this internal interface for link bundling or compression. The link services interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform multilink services. NOTE: The ls-0/0/0 interface has been deprecated. All multiclass multilink features supported by ls-0/0/0 are now supported by lsq-0/0/0. J Series devices and SRX100, SRX210, SRX220, SRX240, and SRX650 Series devices support this interface. See Link Services Interfaces Overview on page 451. |
| lt-0/0/0 | Configurable logical tunnel interface that interconnects logical systems on SRX Series devices. See the Junos OS Logical Systems Configuration Guide for Security Devices. On J Series devices, the lt- interface does not support logical systems. It is used to provide class-of-service (CoS) support for real-time performance monitoring (RPM) probe packets. Packets are routed to this interface for services. It is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform CoS for RPM services. See the Junos OS Class of Service Configuration Guide for Security Devices. |
| pp0 | Configurable PPPoE encapsulation interface. PPP packets being routed in an Ethernet network use PPPoE encapsulation. Packets are routed to this internal interface for PPPoE encapsulation. The PPPoE encapsulation interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to forward PPPoE traffic. See Understanding Point-to-Point Protocol over Ethernet on page 517. |
| ppd0 | Protocol Independent Multicast (PIM) de-encapsulation interface. In PIM sparse mode, the first-hop routing platform encapsulates packets destined for the rendezvous point device. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the rendezvous point. The rendezvous point then de-encapsulates the packets and transmits them through its multicast tree. Within a device, packets are routed to this internal interface for de-encapsulation. The PIM de-encapsulation interface is an internal interface only and is not associated with a physical interface. You must configure PIM with the [edit protocols pim] hierarchy to perform PIM de-encapsulation. NOTE: On J Series devices, this interface type is pd-0/0/0. |
| ppe0 | Protocol Independent Multicast (PIM) encapsulation interface. In PIM sparse mode, the first-hop routing platform encapsulates packets destined for the rendezvous point device. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the rendezvous point. The rendezvous point then de-encapsulates the packets and transmits them through its multicast tree. Within a device, packets are routed to this internal interface for encapsulation. The PIM encapsulation interface is an internal interface only and is not associated with a physical interface. You must configure PIM with the [edit protocols pim] hierarchy to perform PIM encapsulation. NOTE: On J Series devices, this interface type is pe-0/0/0. |
| st0 | Secure tunnel interface used for IPSec VPNs. See Implementing Policy Based IPsec VPN Using SRX Series Services Gateways at http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf . |
| umd0 | Configurable USB modem physical interface. This interface is detected when a USB modem is connected to the USB port on the device. NOTE: The J4350 and J6350 devices have two USB ports. However, you can connect only one USB modem to the USB ports on these devices. If you connect USB modems to both the USB ports, only the first USB modem connected to the device is recognized. See USB Modem Configuration Overview on page 416. |

Table 5 on page 8 describes non-configurable services interfaces for J Series Services Routers and SRX Series Services Gateways.

Table 5: Non-Configurable Services Interfaces

| Interface Name | Description |
| --- | --- |
| gre | Internally generated Generic Routing Encapsulation (GRE) interface created by the Junos OS to handle GRE traffic. It is not a configurable interface. |
| ipip | Internally generated IP-over-IP interface created by the Junos OS to handle IP tunnel traffic. It is not a configurable interface. |
| lsi | Internally generated link services interface created by the Junos OS to handle multilink services like MLPPP, MLFR, and CRTP. It is not a configurable interface. |
| pc-pim/0/0 | Internally configured interface used by the system as a control path between the WXC Integrated Services Module and the Routing Engine. It is not a configurable interface. See the WXC Integrated Services Module Installation and Configuration Guide. |
| pimd | Internally generated Protocol Independent Multicast (PIM) de-encapsulation interface created by the Junos OS to handle PIM de-encapsulation. It is not a configurable interface. |
| pime | Internally generated Protocol Independent Multicast (PIM) encapsulation interface created by the Junos OS to handle PIM encapsulation. It is not a configurable interface. |
| tap | Internally generated interface created by the Junos OS to monitor and record traffic during passive monitoring. Packets discarded by the Packet Forwarding Engine are placed on this interface. It is not a configurable interface. |

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Junos OS Services Interfaces Configuration Guide
- Understanding Interfaces on page 3
- Network Interfaces on page 4
- Special Interfaces on page 8

Special Interfaces

Special interfaces include management interfaces, which are primarily intended for accessing the device remotely, the loopback interface, which has several uses depending on the particular Junos OS feature being configured, and the discard interface.

Table 6 on page 8 describes special interfaces for SRX Series Services Gateways and J Series Services Routers.

Table 6: Special Interfaces

| Interface Name | Description |
| --- | --- |
| fxp0, fxp1 | On J Series devices, the fxp0 interface is the management port, and fxp1 is used as the control link interface in a chassis cluster. On SRX Series devices, the fxp0 management interface is a dedicated port located on the Routing Engine. |
| lo0 | Loopback address. The loopback address has several uses, depending on the particular Junos feature being configured. |
| dsc | Discard interface. |

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding Interfaces on page 3
- Network Interfaces on page 4
- Services Interfaces on page 5

Interface Naming Conventions

Each device interface has a unique name that follows a naming convention. If you are familiar with Juniper Networks M Series and T Series routing platforms, be aware that device interface names are similar to but not identical with the interface names on those routing platforms.

The unique name of each network interface identifies its type and location and indicates whether it is a physical interface or an optional logical unit created on a physical interface:

- The name of each network interface has the following format to identify the physical device that corresponds to a single physical network connector:
  type-slot/pim-or-ioc/port
- Network interfaces that are fractionalized into time slots include a channel number in the name, preceded by a colon (:):
  type-slot/pim-or-ioc/port:channel
- Each logical interface has an additional logical unit identifier, preceded by a period (.):
  type-slot/pim-or-ioc/port:<channel>.unit

The parts of an interface name are summarized in Table 7 on page 9.

Table 7: Network Interface Names

| Name Part | Meaning | Possible Values |
| --- | --- | --- |
| type | Type of network medium that can connect to this interface. | See Network Interfaces on page 4, Special Interfaces on page 8, and Services Interfaces on page 5. |
| slot | Number of the chassis slot in which a PIM or IOC is installed. | J Series Services Router: The slot number begins at 1 and increases as follows from top to bottom, left to right: J2320 router, slots 1 to 3; J2350 router, slots 1 to 5; J4350 or J6350 router, PIM slots 1 to 6. The slot number 0 is reserved for the out-of-band management ports. SRX5600 and SRX5800 devices: The slot number begins at 0 and increases as follows from left to right, bottom to top: SRX5600 device, slots 0 to 5; SRX5800 device, slots 0 to 5, 7 to 11. SRX3400 and SRX3600 devices: The Switch Fabric Board (SFB) is always 0. Slot numbers increase as follows from top to bottom, left to right: SRX3400 device, slots 0 to 4; SRX3600 device, slots 0 to 6. |
| pim-or-ioc | Number of the PIM or IOC on which the physical interface is located. | J Series devices: This number is always 0. Only one PIM can be installed in a slot. SRX5600 and SRX5800 devices: For 40-port Gigabit Ethernet IOCs or 4-port 10-Gigabit Ethernet IOCs, this number can be 0, 1, 2, or 3. SRX3400 and SRX3600 devices: This number is always 0. Only one IOC can be installed in a slot. |
| port | Number of the port on a PIM or IOC on which the physical interface is located. | J Series Services Routers: On a single-port PIM, the number is always 0. On a multiple-port PIM, this number begins at 0 and increases from left to right, bottom to top, to a maximum of 3. On SRX5600 and SRX5800 devices: For 40-port Gigabit Ethernet IOCs, this number begins at 0 and increases from left to right to a maximum of 9. For 4-port 10-Gigabit Ethernet IOCs, this number is always 0. On SRX3400 and SRX3600 devices: For the SFB built-in copper Gigabit Ethernet ports, this number begins at 0 and increases from top to bottom, left to right, to a maximum of 7. For the SFB built-in fiber Gigabit Ethernet ports, this number begins at 8 and increases from left to right to a maximum of 11. For 16-port Gigabit Ethernet IOCs, this number begins at 0 to a maximum of 15. For 2-port 10-Gigabit Ethernet IOCs, this number is 0 or 1. Port numbers appear on the PIM or IOC faceplate. |
| channel | Number of the channel (time slot) on a fractional or channelized T1 or E1 interface. | On an E1 interface, a value from 1 through 31. The 1 time slot is reserved. On a T1 interface, a value from 1 through 24. |
| unit | Number of the logical interface created on a physical interface. | A value from 0 through 16384. If no logical interface number is specified, unit 0 is the default, but must be explicitly configured. NOTE: A VoIP interface must have the logical interface number 0. |

For example, the interface name e1-5/0/0:15.0 on a J Series Services Router represents the following information:

- E1 WAN interface
- PIM slot 5
- PIM number 0 (always 0)
- Port 0
- Channel 15
- Logical interface, or unit, 0

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Junos OS Network Interfaces Configuration Guide
- Junos OS Services Interfaces Configuration Guide
- Understanding Interfaces on page 3

Interface Logical Properties

- Understanding Interface Logical Properties
- Understanding Protocol Families
- Understanding IPv4 Addressing
- IPv6 Addressing
- Understanding Virtual LANs

Understanding Interface Logical Properties

The logical properties of an interface are the characteristics that do not apply to the physical interface or the wires connected to it. Logical properties include:

- Protocol families running on the interface (including any protocol-specific MTUs)
- IP address or addresses associated with the interface. A logical interface can be configured with an IPv6 address, IPv4 address, or both. The IP specification requires a unique address on every interface of each system attached to an IP network, so that traffic can be correctly routed. Individual hosts such as home computers must have a single IP address assigned. Devices must have a unique IP address for every interface.
- Virtual LAN (VLAN) tagging
- Any firewall filters or routing policies that are operating on the interface

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Junos OS Network Interfaces Configuration Guide
- Understanding Interfaces on page 3
- Understanding Protocol Families on page 12
- Understanding IPv4 Addressing on page 13
- Understanding IPv6 Addressing on page 16
- Understanding Virtual LANs on page 28

Understanding Protocol Families

A protocol family is a group of logical properties within an interface configuration. Protocol families include all the protocols that make up a protocol suite. To use a protocol within a particular suite, you must configure the entire protocol family as a logical property for an interface. The protocol families include common and not-so-common protocol suites.

This topic contains the following sections:

- Common Protocol Suites
- Other Protocol Suites

Common Protocol Suites

Junos OS protocol families include the following common protocol suites:

- Inet: Supports IP protocol traffic, including OSPF, BGP, and Internet Control Message Protocol (ICMP).
- Inet6: Supports IPv6 protocol traffic, including RIP for IPv6 (RIPng), IS-IS, and BGP.
- ISO: Supports IS-IS traffic.
- MPLS: Supports MPLS.

NOTE: Junos OS security features are flow-based, meaning the device sets up a flow to examine the traffic. Flow-based processing is not supported for ISO or MPLS protocol families.

Other Protocol Suites

In addition to the common protocol suites, Junos protocol families sometimes use the following protocol suites:

- ccc: Circuit cross-connect (CCC).
- mlfr-uni-nni: Multilink Frame Relay (MLFR) FRF.16 user-to-network network-to-network (UNI NNI).
- mlfr-end-to-end: Multilink Frame Relay end-to-end.
- mlppp: Multilink Point-to-Point Protocol.
- tcc: Translational cross-connect (TCC).
- tnp: Trivial Network Protocol. This Juniper Networks proprietary protocol provides communication between the Routing Engine and the device's packet forwarding components. Junos OS automatically configures this protocol family on the device's internal interfaces only.

Related Documentation

- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Junos OS Network Interfaces Configuration Guide
- Understanding Interface Logical Properties on page 12

Understanding IPv4 Addressing

IPv4 addresses are 32-bit numbers that are typically displayed in dotted decimal notation. A 32-bit address contains two primary parts: the network prefix and the host number.

All hosts within a single network share the same network address. Each host also has an address that uniquely identifies it. Depending on the scope of the network and the type of device, the address is either globally or locally unique. Devices that are visible to users outside the network (web servers, for example) must have a globally unique IP address. Devices that are visible only within the network (J Series devices, for example) must have locally unique IP addresses.

IP addresses are assigned by a central numbering authority called the Internet Assigned Numbers Authority (IANA).
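Added example (not from the Juniper guide): the naming format in Table 7, the flow-based processing note for the ISO and MPLS families, and the network prefix/host number split described above, checked against Junos set-format configuration lines. The function names, the constructed sample lines, and the reuse of the E1/T1 channel limits for ce1/ct1 are assumptions of this example.

```python
import ipaddress
import re

# Table 7 layout: type-slot/pim-or-ioc/port[:channel][.unit]
NAME_RE = re.compile(
    r"^(?P<type>[a-z]+\d?)-(?P<slot>\d+)/(?P<pim_or_ioc>\d+)/(?P<port>\d+)"
    r"(?::(?P<channel>\d+))?(?:\.(?P<unit>\d+))?$"
)
# Channel (time slot) limits from Table 7. Reusing the E1/T1 limits for the
# channelized ce1/ct1 types is an assumption of this example.
MAX_CHANNEL = {"e1": 31, "ce1": 31, "t1": 24, "ct1": 24}
MAX_UNIT = 16384  # Table 7: unit is a value from 0 through 16384
# NOTE under Common Protocol Suites: no flow-based processing for these.
NO_FLOW_FAMILIES = {"iso", "mpls"}
# Junos set-format line that puts a protocol family on a logical unit.
SET_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family (?P<family>\S+)"
    r"(?: address (?P<address>\S+))?"
)


def parse_interface_name(name):
    """Split a network interface name into the parts listed in Table 7."""
    m = NAME_RE.match(name)
    if m is None:  # special names such as lo0 or st0 do not use this form
        raise ValueError(f"not in type-slot/pim-or-ioc/port form: {name!r}")
    parts = {k: v if k == "type" or v is None else int(v)
             for k, v in m.groupdict().items()}
    channel, unit = parts["channel"], parts["unit"]
    if channel is not None:
        limit = MAX_CHANNEL.get(parts["type"])
        if limit is None:
            raise ValueError(f"no channel range known for this type: {name!r}")
        if not 1 <= channel <= limit:
            raise ValueError(f"channel {channel} outside 1-{limit}: {name!r}")
    if unit is not None and unit > MAX_UNIT:
        raise ValueError(f"unit {unit} outside 0-{MAX_UNIT}: {name!r}")
    return parts


def audit(config_lines):
    """Return (logical_name, finding) tuples for set-format family lines."""
    findings = []
    for line in config_lines:
        m = SET_RE.match(line.strip())
        if m is None:
            continue  # not a family statement
        logical = f"{m['ifd']}.{m['unit']}"
        family, address = m["family"], m["address"]
        try:
            parse_interface_name(logical)
            if family in NO_FLOW_FAMILIES:
                finding = f"family {family}: no flow-based processing"
            elif family == "inet" and address:
                iface = ipaddress.ip_interface(address)
                host = int(iface.ip) & int(iface.network.hostmask)
                finding = f"prefix {iface.network}, host number {host}"
            else:
                continue
        except ValueError as exc:
            finding = f"invalid: {exc}"
        findings.append((logical, finding))
    return findings


# Constructed sample configuration (documentation address ranges only).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces e1-5/0/0:15 unit 0 family inet address 198.51.100.9/30
set interfaces t1-2/0/0:25 unit 0 family inet address 203.0.113.5/30
set interfaces ge-0/0/2 unit 0 family iso
""".splitlines()

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Logical units flagged with "no flow-based processing" carry a family that the flow-based security features do not examine, so they are the ones to review first.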
IANA ensures that addresses are globally unique where needed and has a large address space reserved for use by devices not visible outside their own networks.

This topic contains the following sections:

- IPv4 Classful Addressing
- IPv4 Dotted Decimal Notation
- IPv4 Subnetting
- IPv4 Variable-Length Subnet Masks

IPv4 Classful Addressing

To provide flexibility in the number of addresses distributed to networks of different sizes, 4-octet (32-bit) IP addresses were originally divided into three different categories or classes: class A, class B, and class C. Each address class specifies a different number of bits for its network prefix and host number:

- Class A addresses use only the first byte (octet) to specify the network prefix, leaving 3 bytes to define individual host numbers.
- Class B addresses use the first 2 bytes to specify the network prefix, leaving 2 bytes to define host addresses.
- Class C addresses use the first 3 bytes to specify the network prefix,