Professional Documents
Culture Documents
Acx 2100
Acx 2100
Acx 2100
Modified: 2017-08-31
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
®
Junos OS ACX Series Universal Access Router Configuration Guide
Copyright © 2017 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.
Part 1 Overview
Chapter 1 ACX Series Universal Access Router Overview . . . . . . . . . . . . . . . . . . . . . . . . . 3
ACX Series Universal Access Router Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
ACX Series Router Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Mobile Backhaul . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Junos Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Protocols and Applications Supported by ACX Series Routers . . . . . . . . . . . . . . . . 5
Hardware Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Hardware Overview (ACX Series, M Series, MX Series, T Series, and TX Matrix
Routers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
System Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Storage Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
ACX500 Routers Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . . . . 25
ACX500 Indoor Routers Hardware and CLI Terminology Mapping . . . . . . . . . 25
ACX500 Outdoor Routers Hardware and CLI Terminology Mapping . . . . . . . 27
ACX500 Outdoor Routers with PoE Hardware and CLI Terminology
Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
ACX1000 and ACX1100 Routers Hardware and CLI Terminology Mapping . . . . . . 30
ACX1000 and ACX1100 Routers Hardware and CLI Terminology
Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
ACX1100 Routers Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . 31
ACX2000 and ACX2100 Routers Hardware and CLI Terminology Mapping . . . . . 33
ACX2000 Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . . . . . . 33
ACX2100 Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . . . . . . . 35
ACX2200 Routers Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . . . 36
ACX4000 Routers Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . . . 37
Enabling the Layer 2 Circuit When the Encapsulation Does Not Match . . . . . . . 780
Configuring Local Interface Switching in Layer 2 Circuits . . . . . . . . . . . . . . . . . . . 781
Configuring the Interfaces for the Local Interface Switch . . . . . . . . . . . . . . . 781
Enabling Local Interface Switching When the MTU Does Not Match . . . . . . 782
Example: Configuring Layer 2 Circuit Switching Protection . . . . . . . . . . . . . . . . . 783
Accepting Route Updates with Unique Inner VPN Labels in Layer 3 VPNs . . . . . 785
Accepting Up to One Million Layer 3 VPN Route Updates . . . . . . . . . . . . . . 786
Accepting More Than One Million Layer 3 VPN Route Updates . . . . . . . . . . 787
Enabling Chained Composite Next Hops for IPv6 Labeled Unicast
Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Understanding Per-Packet Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Configuring Per-Packet Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Per-Packet Load Balancing Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configuring Load Balancing Based on MPLS Labels on ACX Series Routers . . . . 793
Configuring Load Balancing for Ethernet Pseudowires . . . . . . . . . . . . . . . . . . . . . 797
Configuring Load Balancing Based on MAC Addresses . . . . . . . . . . . . . . . . . . . . 798
ECMP Flow-Based Forwarding on ACX Series Routers . . . . . . . . . . . . . . . . . . . . 799
Sample Scenario of H-VPLS on ACX Series Routers for IPTV Services . . . . . . . 800
Sample Configuration Scenario of H-VPLS for IPTV Services . . . . . . . . . . . 800
Guidelines for H-VPLS on ACX Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Guidelines for Configuring Unicast RPF on ACX Series Routers . . . . . . . . . . . . . 803
Configuring Unicast RPF on ACX Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . 804
Interworking of Unicast RFF With Different System Conditions . . . . . . . . . . 805
Configuring Unicast RPF Strict Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Configuring Unicast RPF Loose Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Unicast RPF and Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Unicast RPF Behavior with a Default Route . . . . . . . . . . . . . . . . . . . . . . 807
Unicast RPF Behavior Without a Default Route . . . . . . . . . . . . . . . . . . . 807
Configuring Unicast RPF on a VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Example: Configuring Unicast RPF on a VPN . . . . . . . . . . . . . . . . . . . . 808
Configuring Unicast RPF Fail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Verifying Unicast RPF Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Chapter 26 Configuring Layer 3 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Layer 3 VPN Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Understanding Layer 3 VPN Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Understanding VPN-IPv4 Addresses and Route Distinguishers . . . . . . . . . . . . . . 815
Understanding Virtual Routing and Forwarding Tables . . . . . . . . . . . . . . . . . . . . 818
Understanding IPv4 Route Distribution in a Layer 3 VPN . . . . . . . . . . . . . . . . . . . 822
Distribution of Routes from CE to PE Routers . . . . . . . . . . . . . . . . . . . . . . . . 822
Distribution of Routes Between PE Routers . . . . . . . . . . . . . . . . . . . . . . . . . 823
Distribution of Routes from PE to CE Routers . . . . . . . . . . . . . . . . . . . . . . . . 825
Understanding Layer 3 VPN Forwarding Through the Core . . . . . . . . . . . . . . . . . 826
Understanding Routing Instances for Layer 3 VPNs . . . . . . . . . . . . . . . . . . . . . . . 827
Classifiers and Rewrite Rules at the Global, Physical and Logical Interface Levels
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
Configuring Classifiers and Rewrite Rules at the Global and Physical Interface
Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
Understanding Schedulers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
Configuring Shared and Dedicated Buffer Memory Pools . . . . . . . . . . . . . . . . . . 876
CoS for PPP and MLPPP Interfaces on ACX Series Routers . . . . . . . . . . . . . . . . . 877
Limitations That are Common for CoS on PPP and MLPPP Interfaces . . . . 878
Limitations for CoS on PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Guidelines for Configuring CoS on PPP and MLPPP Interfaces . . . . . . . . . . 879
Limitations for CoS on MLPPP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
CoS Functionalities for IPv4 Over PPP Interfaces . . . . . . . . . . . . . . . . . . . . . 881
CoS Functionalities for IPv4 Over MLPPP Interfaces . . . . . . . . . . . . . . . . . . 883
CoS for NAT Services on ACX Series Universal Access Routers . . . . . . . . . . . . . . 887
Configuring the IEEE 802.1p Field for CoS Host Outbound Traffic in ACX
Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in
ACX Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host
Outbound Traffic on the Interface in ACX Series . . . . . . . . . . . . . . . . . . . . . 890
Overview of Assigning Service Levels to Packets Based on Multiple Packet
Header Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
Configuring Multifield Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Understanding CoS on ATM IMA Pseudowire Interfaces Overview . . . . . . . . . . . 895
Cell-Based ATM Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
Cell-Based ATM Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Fixed Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Configuring Fixed Classification on an ATM IMA Pseudowire . . . . . . . . . . . . . . . 897
Example: Configuring Fixed Classification on an ATM IMA Pseudowire . . . . . . . 898
Configuring Shaping on an ATM IMA Pseudowire . . . . . . . . . . . . . . . . . . . . . . . . . 901
Example: Configuring Shaping on an ATM IMA Pseudowire . . . . . . . . . . . . . . . . 902
Understanding RED Drop Profiles Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Configuring RED Drop Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Controlling Network Access Using Traffic Policing Overview . . . . . . . . . . . . . . . 908
Congestion Management for IP Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . 908
Traffic Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Traffic Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Policer Application to Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
Configuring Policing on an ATM IMA Pseudowire . . . . . . . . . . . . . . . . . . . . . . . . . 912
Configuring an Input Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Configuring the ATM IMA Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Example: Configuring Policing on an ATM IMA Pseudowire . . . . . . . . . . . . . . . . . 915
Hierarchical Policers on ACX Series Routers Overview . . . . . . . . . . . . . . . . . . . . 920
Guidelines for Configuring Hierarchical Policers on ACX Routers . . . . . . . . . . . . . 921
Hierarchical Policer Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Guarantee Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Peak Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
Hybrid Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1088
Enabling Inline Services Interface on ACX Series . . . . . . . . . . . . . . . . . . . . . . . . 1089
Understanding Service Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1090
Configuring Service Sets to Be Applied to Services Interfaces . . . . . . . . . . . . . . 1092
Configuring Services Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Configuring Next-Hop Service Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093
Determining Traffic Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093
Interface-Style Service Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
Next-Hop-Style Service Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
Configuring IPsec Service Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
Configuring the Local Gateway Address for IPsec Service Sets . . . . . . . . . 1095
IKE Addresses in VRF Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096
Configuring IKE Access Profiles for IPsec Service Sets . . . . . . . . . . . . . . . . 1096
Configuring or Disabling Antireplay Service . . . . . . . . . . . . . . . . . . . . . . . . . 1097
Configuring IPsec Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
Configuring the Authentication Algorithm for an IPsec Proposal . . . . . . . . 1098
Configuring the Description for an IPsec Proposal . . . . . . . . . . . . . . . . . . . 1099
Configuring the Encryption Algorithm for an IPsec Proposal . . . . . . . . . . . 1099
Configuring the Lifetime for an IPsec SA . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
Configuring the Protocol for a Dynamic SA . . . . . . . . . . . . . . . . . . . . . . . . . 1099
Configuring IKE Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1100
Configuring the Authentication Algorithm for an IKE Proposal . . . . . . . . . . 1100
Configuring the Authentication Method for an IKE Proposal . . . . . . . . . . . . 1100
Configuring the Encryption Algorithm for an IKE Proposal . . . . . . . . . . . . . . 1101
Configuring the Lifetime for an IKE SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Example: Configuring an IKE Proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
Configuring IPsec Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
Configuring the Description for an IPsec Policy . . . . . . . . . . . . . . . . . . . . . . 1103
Configuring Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103
Configuring the Proposals in an IPsec Policy . . . . . . . . . . . . . . . . . . . . . . . . 1103
Configuring IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
Configuring the Proposals in an IKE Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
Configuring the Preshared Key for an IKE Policy . . . . . . . . . . . . . . . . . . . . . . 1104
Configuring IPsec Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Configuring Match Direction for IPsec Rules . . . . . . . . . . . . . . . . . . . . . . . . . 1106
Configuring Match Conditions in IPsec Rules . . . . . . . . . . . . . . . . . . . . . . . . 1107
Configuring Actions in IPsec Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
Configuring Destination Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
Configuring IPsec Rule Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1108
Tracing IPsec Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1108
Chapter 34 Configuring Operations, Administration, and Management (OAM) . . . . . . 1111
Understanding Ethernet OAM Link Fault Management for ACX Series
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1112
Configuring Ethernet Local Management Interface on ACX Series . . . . . . . . . . . 1113
Ethernet Local Management Interface Overview . . . . . . . . . . . . . . . . . . . . . 1113
Configuring the Ethernet Local Management Interface . . . . . . . . . . . . . . . . . 1115
Configuring an OAM Protocol (CFM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115
Assigning the OAM Protocol to an EVC . . . . . . . . . . . . . . . . . . . . . . . . . . 1115
Configuring FEC 129 VPLS Mesh Groups for LDP BGP Interworking . . . . . . 1275
Configuring Switching Between Pseudowires Using VPLS Mesh Groups . . 1276
Configuring Integrated Routing and Bridging Support for LDP BGP
Interworking with VPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1277
Configuring Inter-AS VPLS with MAC Processing at the ASBR . . . . . . . . . . 1277
Inter-AS VPLS with MAC Operations Configuration Summary . . . . . . . 1277
Configuring the ASBRs for Inter-AS VPLS . . . . . . . . . . . . . . . . . . . . . . . 1278
Interoperability Between BGP Signaling and LDP Signaling in VPLS . . . . . . . . . 1279
LDP-Signaled and BGP-Signaled PE Router Topology . . . . . . . . . . . . . . . . 1279
Flooding Unknown Packets Across Mesh Groups . . . . . . . . . . . . . . . . . . . . . 1281
Unicast Packet Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1281
PE Router Mesh Groups for VPLS Routing Instances . . . . . . . . . . . . . . . . . . . . . . 1281
Example: Configuring BGP-Based H-VPLS Using Different Mesh Groups for Each
Spoke Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1282
Example: Configuring LDP-Based H-VPLS Using a Single Mesh Group to
Terminate the Layer 2 Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1304
Example: Configuring H-VPLS With VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1310
grant-duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1544
gre (Routing Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1545
group (Origin Validation for BGP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546
halt-on-prefix-down (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . 1547
hash-key (Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548
hold-interval (Chassis Synchronization) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1551
host-fast-reroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1552
hybrid (ACX Series) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1553
ieee-802.1 (Classifier on Physical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1554
ieee-802.1 (Rewrite Rules on Physical Interface) . . . . . . . . . . . . . . . . . . . . . . . . 1554
igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1555
ima-group-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1557
ima-link-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1559
independent-domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1560
inline-services (PIC level) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1561
inet-precedence (CoS Classifiers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1562
inet-precedence (Classifier on Physical Interface) . . . . . . . . . . . . . . . . . . . . . . . 1563
inet-precedence (Rewrite Rules on Physical Interface) . . . . . . . . . . . . . . . . . . . 1563
inet6-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1564
ingress (Chained Composite Next Hop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1565
input (Chassis Alarm Relay) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1566
input-relay (Alarm Relay Output Port) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1567
in-service (RFC2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1568
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1569
interface-mac-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1570
interface (Master Clock) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1572
interface (PTP Slave) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1573
interface-routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1574
interface-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1576
interfaces (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1577
interfaces bits (Chassis Synchronization) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1579
interfaces (Chassis Synchronization Source) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1580
ipv4-dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1581
ip-swap (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1581
ivlan-cfi (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1582
ivlan-id (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1582
ivlan-priority (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1583
l3vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1584
label-switched-path-template (Multicast) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1586
link-protection (Host Fast Reroute) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1587
local-gateway (IPSec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1587
local-ip-address (PTP Slave Clock Source) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1588
logical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1589
lsp-external-controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1590
mac-table-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1591
mac-validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1593
management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594
manual (Master Clock) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1595
manual switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
martians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1597
master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1599
match-direction (Services NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1600
max-announce-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1601
max-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1602
max-delay-response-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1603
max-sync-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1604
max-unknown-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1605
maximum-paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1606
maximum-prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1608
med-igp-update-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1610
media-type (Dual-Purpose Uplink Ports) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1611
metric (Aggregate, Generated, or Static Route) . . . . . . . . . . . . . . . . . . . . . . . . . . 1612
message-rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1613
min-announce-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1614
min-delay-response-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1615
min-sync-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1616
minimum-links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1617
mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1618
mode (Chassis Alarm Relay Input and Output) . . . . . . . . . . . . . . . . . . . . . . . . . . 1619
mode (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1620
mode (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1621
mrru . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1622
mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1623
multicast (Virtual Tunnel in Routing Instances) . . . . . . . . . . . . . . . . . . . . . . . . . 1627
multicast-mode (PTP Master and Slave Interfaces) . . . . . . . . . . . . . . . . . . . . . 1628
multilink-max-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1629
multilink-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1630
multipath (Routing Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1631
native-vlan-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1632
network-option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634
no-bfd-triggered-local-repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1635
no-mac-learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1636
no-local-switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1637
no-local-switching (VPLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1638
no-partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1639
no-root-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640
no-vrf-advertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1641
no-vrf-propagate-ttl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1642
oam-liveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643
oam-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644
options (Routing Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1645
output (Chassis Alarm Relay) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1646
outer-tag-protocol-id (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . 1646
overrides (DHCP Relay Agent) for ACX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1647
ovlan-cfi (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1648
ovlan-id (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1648
packet-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1649
ovlan-priority (RFC 2544 Benchmarking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
Part 1 Overview
Chapter 1 ACX Series Universal Access Router Overview . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Protocols and Applications Supported by ACX Series Routers . . . . . . . . . 6
Table 4: CLI Equivalents of Terms Used in Documentation for ACX500 Indoor
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Table 5: CLI Equivalents of Terms Used in Documentation for ACX500 Outdoor
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 6: CLI Equivalents of Terms Used in Documentation for ACX500 Outdoor
Routers with PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 7: CLI Equivalents of Terms Used in Documentation for ACX1000
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Table 8: CLI Equivalents of Terms Used in Documentation for ACX1100
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 9: CLI Equivalents of Terms Used in Documentation for ACX2000
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 10: CLI Equivalents of Terms Used in Documentation for ACX2100
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 11: CLI Equivalents of Terms Used in Documentation for ACX2200
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 12: CLI Equivalents of Terms Used in Documentation for ACX4000
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Table 13: CLI Equivalents of Terms Used in Documentation for an ACX5048
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 14: CLI Equivalents of Terms Used in Documentation for an ACX5096
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Table 17: Media MTU Sizes by Interface Type for ACX Series Routers . . . . . . . . . . 99
Table 18: Platform Support for Channelized OC3/STM1 (Multi-Rate) Circuit
Emulation MIC with SFP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 19: PoE Specifications for the ACX2000 Routers . . . . . . . . . . . . . . . . . . . . 142
Table 20: ACX2000 Universal Access Router PoE Specifications . . . . . . . . . . . . 143
Table 21: PoE Configuration Options and Default Settings . . . . . . . . . . . . . . . . . . 143
Table 22: Components of the PoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 145
Table 23: Checklist for Monitoring Fast Ethernet and Gigabit Ethernet
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 24: Checklist for Monitoring T1 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 25: Hashing Behavior for Pseudowire (Layer 2 Circuit) and Bridging
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Table 26: Hashing Behavior for IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Table 27: Router Models and Their sysObjectIds for ACX Series Routers . . . . . . . 162
Chapter 6 Configuring ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Table 28: IMA Frame Synchronization Link State Transition Variables . . . . . . . . . 176
Table 29: IMA Group Alarms with IMA Standard Requirement Numbers . . . . . . . 177
Table 30: IMA Group Defects with IMA Standard Requirement Numbers . . . . . . 178
Table 31: IMA Link Alarms with IMA Standard Requirement Numbers . . . . . . . . . 178
Table 32: IMA Link Defects with IMA Standard Requirement Numbers . . . . . . . . 179
Table 33: IMA Link Statistics with IMA Standard Requirement Numbers . . . . . . 180
Chapter 9 Configuring Timing and Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Table 34: SNMP trap notifications for timing defects and events . . . . . . . . . . . . 301
Table 35: SNMP MIB Objects for get, get-next, and walk management . . . . . . . 304
Table 45: Pseudowire Status Code for the Pseudowire Status TLV . . . . . . . . . . 624
Chapter 21 Configuring Virtual Router Redundancy Protocol (VRRP) . . . . . . . . . . . . . 651
Table 46: Interface State and Priority Cost Usage . . . . . . . . . . . . . . . . . . . . . . . . 661
Chapter 23 Configuring Path Computation Element Protocol (PCEP) . . . . . . . . . . . . . 691
Table 47: Applicability of MPLS and Existing LSP Configurations to a
PCE-Controlled LSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• ACX Series
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
scripts {
commit {
file ex-script.xsl;
}
}
}
interfaces {
fxp0 {
disable;
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
file ex-script-snippet.xsl; }
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
For more information about the load command, see CLI Explorer.
Documentation Conventions
Caution Indicates a situation that might result in loss of data or hardware damage.
Laser warning Alerts you to the risk of personal injury from a laser.
Table 2 on page lvi defines the text and syntax conventions used in this guide.
Bold text like this Represents text that you type. To enter configuration mode, type the
configure command:
user@host> configure
Fixed-width text like this Represents output that appears on the user@host> show chassis alarms
terminal screen.
No alarms currently active
Italic text like this • Introduces or emphasizes important • A policy term is a named structure
new terms. that defines match conditions and
• Identifies guide names. actions.
Italic text like this Represents variables (options for which Configure the machine’s domain name:
you substitute a value) in commands or
configuration statements. [edit]
root@# set system domain-name
domain-name
Text like this Represents names of configuration • To configure a stub area, include the
statements, commands, files, and stub statement at the [edit protocols
directories; configuration hierarchy levels; ospf area area-id] hierarchy level.
or labels on routing platform • The console port is labeled CONSOLE.
components.
< > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>;
# (pound sign) Indicates a comment specified on the rsvp { # Required for dynamic MPLS only
same line as the configuration statement
to which it applies.
[ ] (square brackets) Encloses a variable for which you can community name members [
substitute one or more values. community-ids ]
GUI Conventions
Bold text like this Represents graphical user interface (GUI) • In the Logical Interfaces box, select
items you click or select. All Interfaces.
• To cancel the configuration, click
Cancel.
> (bold right angle bracket) Separates levels in a hierarchy of menu In the configuration editor hierarchy,
selections. select Protocols>Ospf.
Documentation Feedback
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Overview
• ACX Series Universal Access Router Overview on page 3
The ACX Series Universal Access Router is principally designed to provide superior
management for rapid provisioning to the access network. The ACX Series routers support
rich Gigabit Ethernet and 10-Gigabit Ethernet capabilities for uplink, along with support
for legacy interfaces and Gigabit Ethernet interfaces for radio and NodeB connectivity in
a compact form factor that is environmentally hardened and passively cooled. Seamless,
end-to-end MPLS can be used to address legacy and emerging requirements to provide
the foundation for a converged network that utilizes the same mobile backhaul
infrastructure for business or residential services.
The general architecture for ACX Series routers is shown in Figure 1 on page 4.
g006408
BA classification
Junos OS
The ACX Series router is powered by Junos OS, supporting extensive L2 and L3 features,
IP/MPLS with traffic engineering, rich network management, fault management, service
monitoring and Operation, Administration, and Maintenance (OAM) capabilities, and an
open software development kit (SDK) system that allows providers to customize and
integrate operations with their own management systems. For a list of related Junos OS
documentation, see http://www.juniper.net/techpubs/software/junos/
As part of the mobile backhaul, the ACX Series router at the cell site and the MX Series
router at the aggregation layer provide comprehensive end-to-end Ethernet, MPLS, and
OAM features with the one Junos OS running on both platforms.
Interfaces
The ACX Series routers support time-division multiplexing (TDM) T1 and E1 interfaces
and Gigabit Ethernet (10GbE, 100GbE, 1000GbE copper, and 1GbE and 10GbE fiber)
interfaces to support both the legacy and evolution needs of the mobile network. Support
for Power over Ethernet Plus (PoE+) at 65 watts per port mitigates the need for additional
electrical cabling for microwaves or other access interfaces.
Mobile Backhaul
In the mobile backhaul scenario, the ACX Series router is primarily used in the access
layer as the cell site router and the MX Series router is used as the edge and aggregation
router. As the cell site router, the ACX Series router connects the base station (BS) to
the packet network. Several cell site routers can be connected in a ring or hub-and-spoke
fashion to the upstream preaggregation and aggregation routers (MX Series routers).
The ACX Series router meets and often exceeds the key requirements for a cell site router.
A one-rack unit (U) tall router, the ACX Series router is compliant with the European
Telecommunications Standardization Institute (ETSI) 300, as well as environmentally
hardened and passively cooled for easy deployment where space and cooling are limited
as at the cell site.
Timing and synchronization are key elements in cell site router deployment. To deliver
the highest quality of experience, the ACX Series router supports multiple high-precision
timing options—for example, Synchronous Ethernet, 1588v2, and Precision Time Protocol
(PTP).
Junos Space
Junos Space is a suite of comprehensive Web-based tools for operational management
and administration of Juniper Networks routers, including the ACX Series and MX Series
platforms. With the unified Junos Space network management system, network
provisioning and operations can be streamlined. Juniper Networks has extended Junos
Space with powerful new features designed to address the demanding requirements of
mobile backhaul.
Related • ACX2000 and ACX2100 Routers Hardware and CLI Terminology Mapping on page 33
Documentation
• Understanding Interfaces on ACX Series Universal Access Routers on page 94
Table 3 on page 6 contains the first Junos OS Release support for protocols and
applications on ACX Series routers. A dash indicates that the protocol or application is
not supported.
NOTE:
• The [edit logical-systems logical-system-name] hierarchy level is not
supported on ACX Series routers.
• The ACX Series routers does not support per-family maximum transmission
unit (MTU) configuration. The MTU applied to family inet gets applied to
other families as well, even though it can be configured though CLI and
visible in show interface extensive output. The only way to use higher MTU
for a family is to manipulate the MTU, apply at interface or family inet levels,
and let it calculate for each family automatically. For more information,
see the Knowledge Base (KB) article KB28179 at:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28179.
12.3X54
–D25
(Outdoor)
Layer 3
Static routes 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Internet Control Message 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
Protocol (ICMP) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Address Resolution 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
Protocol (ARP) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Bidirectional Forwarding 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
Detection (BFD) protocol -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Dynamic Host 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
Configuration Protocol -D10 –D20 –D20 –D20
(DHCP) (Indoor)
12.3X54
–D25
(Outdoor)
IP fast reroute (FRR) 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
(OSPF, IS-IS) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Maximum transmission unit 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
(MTU) 1518 -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Layer 3 VPNs 12.3R1 12.3R1 12.3R1 12.3R1 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
LDP (targeted and direct) 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Traffic engineering 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Static Ethernet PWs 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Layer 2 circuits 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
IEE802.1ag CC monitoring 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
on active and standby -D10 –D20 –D20 –D20
pseudowires (Indoor)
12.3X54
–D25
(Outdoor)
Ethernet Layer 2
Ethernet in the first mile 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
(EFM 802.3ah) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
802.1ag connectivity fault 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
management (CFM) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
IEE802.1ag interface-status 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
type, length, and value -D10 –D20 –D20 –D20
(TLV) (Indoor)
12.3X54
–D25
(Outdoor)
QoS
“Firewall filters (access 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
control -D10 –D20 –D20 –D20
lists—ACLs)—family inet” (Indoor)
on page 1054
12.3X54
–D25
(Outdoor)
“Standard firewall filter 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
match conditions for MPLS -D10 –D20 –D20 –D20
traffic” on page 1062 (Indoor)
12.3X54
–D25
(Outdoor)
Firewall filters—family 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
ccc/any -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Policing—per logical 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
interface -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Policing—per physical 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
interface -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Policing—per family 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
TrTCM (color aware, color 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
blind) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
SrTCM (color aware, color 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
blind) -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Host protection 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Eight queues per port 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Priority queuing 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Rate control 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Scheduling with two 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
different priorities -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Low-latency queue (LLQ) 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Weighted random early 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
detection (WRED) drop -D10 –D20 –D20 –D20
profile (DP) (Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Classification—MPLS EXP 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Classification—IEEE 802.1p 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Rewrite MPLS EXP 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Rewrite 802.1p 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Rewrite MPLS and DSCP to 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
different values -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Timing
Timing-1588-v2, 12.2 12.2R2 12.2 12.2R2 12.3x51 – – 12.3X54
1588-2008–backup clock -D10 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
802.1ag CFM 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
802.3ah LFM 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Y.1731 Fault and 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
Performance Management -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
MPLS OAM 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Layer 2 traceroute 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
TFTP for software 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
downloads -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Port mirroring (local port 12.2 12.2R2 12.2 12.2R2 12.3x51 – – 12.3X54
mirroring) -D10 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Interface loopback 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Interface byte and packet 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
stats -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Interface queue stats 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Drop packet stats 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Distinguish each 802.1ag 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
connection by VLAN-ID -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
Security
TACACS AAA 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
RADIUS authentication 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Control plane DOS 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
prevention -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
High Availability
MPLS FRR 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
ATM Transport
ATM over PWE3 12.2 – 12.2 12.2R2 12.3x51 – – –
-D10
12.3X54
–D25
(Outdoor)
ATM PWE3 control word 12.2 12.2R2 12.2 12.2R2 12.3x51 – – 12.3X54
-D10 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
ATM Encapsulation
AAL5 SDU (n-to-1 cell 12.2 12.2R2 12.2 12.2R2 12.3x51 – – 12.3X54
relay) -D10 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
ATM Queuing
ATM service categories 12.2 12.2R2 12.2 12.2R2 12.3x51 – – 12.3X54
(CBR, nrt-VBR, UBR) to the -D10 –D20
UNI (Indoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
12.3X54
–D25
(Outdoor)
MIBs
Standard SNMP MIBs 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
-D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Juniper Networks 12.2 12.2R2 12.2 12.2R2 12.3x51 15.1X54 15.1X54 12.3X54
enterprise-specific MIBs -D10 –D20 –D20 –D20
(Indoor)
12.3X54
–D25
(Outdoor)
Juniper Networks routing platforms are made up of two basic routing components:
• Routing Engine—The Routing Engine controls the routing updates and system
management.
From a system administration perspective, you install the software onto the Routing
Engine and during the installation, the appropriate software is forwarded to other
components as necessary. Most Routing Engines include a CompactFlash card that
stores Junos OS. On M Series Multiservice Edge Routers; MX240, MX480, and MX960
3D Universal Edge Routers; T Series Core Routers; and TX Matrix routers, the system also
includes a hard disk or solid-state drive (SSD) that acts as a backup boot drive. PTX
Series Packet Transport Routers and the TX Matrix Plus router include a solid-state drive
as a backup boot drive.
NOTE: The MX80 router is a single-board router with a built-in Routing Engine
and single Packet Forwarding Engine. On an MX80 router, Junos OS is stored
on dual, internal NAND flash devices. These devices provide the same
functionality as a CompactFlash card and hard disk or solid-state drive (SSD).
NOTE: The ACX Series router is a single board router with a built-in Routing
Engine and one Packet Forwarding Engine. The ACX router supports dual-root
partitioning, which means that the primary and backup Junos OS images are
kept in two independently bootable root partitions. If the primary partition
becomes corrupted, the system remains fully functional by booting from the
backup Junos OS image located in the other root partition.
On routing platforms with dual Routing Engines, each Routing Engine is independent
with regard to upgrading the software. To install new software on both Routing Engines,
you need to install the new software on each Routing Engine. On platforms with dual
Routing Engines configured for high availability, you can use the unified in-service software
upgrade procedure to upgrade the software. For more information about this procedure,
see the High Availability Feature Guide for Routing Devices.
Hardware Overview (ACX Series, M Series, MX Series, T Series, and TX Matrix Routers)
The ACX Series, M Series, MX Series, PTX Series, T Series, TX Matrix, and TX Matrix Plus
routers include the following:
System Memory
Starting with Junos OS Release 9.0, all routing platforms require a minimum of 512 MB
of system memory on each Routing Engine. All M7i and M10i routers delivered before
December 7, 2007, had 256 MB of memory. These routers require a system memory
upgrade before you install Junos OS Release 9.0 or a later release. To determine the
amount of memory currently installed on your system, use the show chassis routing-engine
command in the command-line interface (CLI).
For more information about upgrading your M7i or M10i router, see the Customer Support
Center JTAC Technical Bulletin PSN-2007-10-001:
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.
ACX2000 routers are shipped with 2 GB of memory and ACX1000 routers with 1 GB of
memory.
Storage Media
Except for the ACX Series, MX80 routers, and MX104 routers, the M Series, MX Series,
PTX Series, T Series, TX Matrix, and TX Matrix Plus routers use the following media
storage devices:
NOTE: M7i and M10i routers using RE-400 are not delivered from the factory
with the CompactFlash card installed. In this case, the hard disk is the
primary and only boot device. The M7i and M10i routers with RE-400 can
be upgraded to include the CompactFlash card.
• Hard disk or solid -state drive—For most routers, a hard disk or solid-state drive is the
secondary boot device. When the CompactFlash card is not installed on the router,
the hard disk or the solid-state drive becomes the primary boot device. The hard disk
or solid-state drive is also used to store system log files and diagnostic dump files.
• Emergency boot device—Depending on the router, the emergency boot device can be
a PC card, a USB storage device, or an LS-120 floppy disk.
On MX80 routers, the internal NAND flash devices (first da0, then da1) act as the primary
and secondary boot devices.
On ACX Series routers, the internal NAND flash devices (first da0s1, then da0s2) act as
the primary and secondary boot devices.
Emergency boot devices can be used to revive a routing platform that has a damaged
Junos OS. When an emergency boot device is attached to the router, the router attempts
to boot from that device before it boots from the CompactFlash card, solid-state drive
(SSD), or hard disk.
On an ACX Series router, the emergency boot device is a USB storage device.
On MX104 routers, the internal NAND flash device (da0) mounted on the internal eUSB
card acts as the primary boot and storage device. On MX104 routers, the emergency boot
device is a USB storage device that is plugged into one of the USB ports in the front plate.
When booting from an emergency boot device, the router requests a boot
acknowledgment on the console interface. If you enter yes, the emergency boot device
repartitions the primary boot device and reloads Junos OS onto the primary boot device.
After the loading is complete, the routing platform requests that you remove the
emergency boot device and reboot the system. After the reboot is complete, you must
perform an initial configuration of the router before it can be used on your network.
Table 4: CLI Equivalents of Terms Used in Documentation for ACX500 Indoor Routers
Hardware
Item (as
Displayed Description (as Value (as Displayed
in the CLI) Displayed in the CLI) in the CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of the Value of n is always 0. The router does not have Interface Naming
Flexible PIC Concentrator actual FPCs. In this case, Conventions Used in the
(FPC) FPC refers to the router Junos OS Operational
itself. Commands
PIC (n) Abbreviated name of the n is a value in the range The router does not have Interface Naming
Physical Interface Card of 0–1. actual PIC devices; see Conventions Used in the
(PIC) entries for PIC 0 through Junos OS Operational
PIC 1 for the equivalent Commands
item on the router.
One of the following PIC 1 Built-in uplink ports on ACX500 Universal Access
(COMBO PIC): the front panel of the Router Overview
router
• 4x 1GE (RJ-45 with PoE+
support)
• 4x 1GE (SFP)
Xcvr (n) Abbreviated name of the n is a value equivalent Optical transceivers Uplink Ports on ACX500
transceiver to the number of the Routers
port in which the
transceiver is installed.
Power Built-in power supply Value of n is always 0. DC power supply ACX500 Power Overview
supply (n)
Xcvr (n) Abbreviated name of the n is a value equivalent Optical transceivers Uplink Ports on ACX500
transceiver to the number of the Routers
port in which the
transceiver is installed.
Power Built-in power supply Value of n is always 0. DC power supply ACX500 Power Overview
supply (n)
1 2
POWER MGMT TOD CONSOLE GE
g000699
0/0/0 0/0/1 0/1/0 0/1/1 0/1/2 0/1/3
GPS ANTENNA
IN OUT ALARM GPS 1PPS 0/1/0 PoE++ 0/1/1 PoE+ 0/1/2 PoE+ 0/1/3
SYS
COMBO
1 2 3
1— FPC 0, PIC 0: 0/0/0–0/0/1 (2x1GE SFP) 3— FPC 0, PIC 1: 0/1/0 PoE++, 0/1/1 PoE+,
0/1/2 PoE+, and 0/1/3 (4x1GE RJ-45)
Table 5: CLI Equivalents of Terms Used in Documentation for ACX500 Outdoor Routers
Hardware
Item (as Value (as
Displayed Description (as Displayed in the
in the CLI) Displayed in the CLI) CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of Value of n is always The router does not have Interface Naming Conventions
the Flexible PIC 0. actual FPCs. In this case, Used in the Junos OS
Concentrator (FPC) FPC refers to the router Operational Commands
itself.
PIC (n) Abbreviated name of n is a value in the The router does not have Interface Naming Conventions
the Physical Interface range of 0–1. actual PIC devices; see Used in the Junos OS
Card (PIC) entries for PIC 0 through PIC Operational Commands
1 for the equivalent item on
the router.
3x 1GE (SFP) PIC 0 Built-in uplink ports on the ACX500 Universal Access
front panel of the router Router Overview
3x 1GE (RJ-45) PIC 1 Built-in uplink ports on the ACX500 Universal Access
front panel of the router Router Overview
Xcvr (n) Abbreviated name of n is a value Optical transceivers Uplink Ports on ACX500
the transceiver equivalent to the Routers
number of the port
in which the
transceiver is
installed.
Power Built-in power supply Value of n is always DC power supply ACX500 Power Overview
supply (n) 0.
ACX500 Outdoor Routers with PoE Hardware and CLI Terminology Mapping
Table 6 on page 29 describes the hardware terms used in ACX500 outdoor router with
PoE documentation and the corresponding terms used in the Junos OS CLI.
Figure 5 on page 30 shows the port locations of the interfaces.
Table 6: CLI Equivalents of Terms Used in Documentation for ACX500 Outdoor Routers with
PoE
Hardware
Item (as Value (as
Displayed Description (as Displayed in the
in the CLI) Displayed in the CLI) CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of the Value of n is always The router does not have Interface Naming Conventions
Flexible PIC Concentrator 0. actual FPCs. In this case, Used in the Junos OS
(FPC) FPC refers to the router Operational Commands
itself.
PIC (n) Abbreviated name of the n is a value in the The router does not have Interface Naming Conventions
Physical Interface Card range of 0–1. actual PIC devices; see Used in the Junos OS
(PIC) entries for PIC 0 through PIC Operational Commands
1 for the equivalent item on
the router.
3x 1GE (SFP) PIC 0 Built-in uplink ports on the ACX500 Universal Access
front panel of the router Router Overview
3x 1GE (RJ-45 with PoE+ PIC 1 Built-in uplink ports on the ACX500 Universal Access
support) front panel of the router Router Overview
Xcvr (n) Abbreviated name of the n is a value Optical transceivers Uplink Ports on ACX500
transceiver equivalent to the Routers
number of the port
in which the
transceiver is
installed.
Power Built-in power supply Value of n is always DC power supply ACX500 Power Overview
supply (n) 0.
• ACX1000 and ACX1100 Routers Hardware and CLI Terminology Mapping on page 30
• ACX1100 Routers Hardware and CLI Terminology Mapping on page 31
FPC (n) Abbreviated name of Value of n is The router does not have Interface Naming Conventions
the Flexible PIC always 0. actual FPCs. In this case, Used in the Junos OS Operational
Concentrator (FPC) FPC refers to the router Commands
itself.
Table 7: CLI Equivalents of Terms Used in Documentation for ACX1000 Router (continued)
Hardware
Item (as Value (as
displayed Description (as displayed in the
in the CLI) displayed in the CLI) CLI) Item in Documentation Additional Information
PIC (n) Abbreviated name of n is a value in the The router does not have Interface Naming Conventions
the Physical Interface range of 0–2. actual PIC devices; see Used in the Junos OS Operational
Card (PIC) entries for PIC 0 through PIC Commands
2 for the equivalent item on
the router.
8x T1/E1 (RJ-48) PIC 0 Built-in network ports on the ACX1000 and ACX1100 Universal
front panel of the router Access Router Overview
8x 1GE (RJ-45) PIC 1 Built-in uplink ports on the ACX1000 and ACX1100 Universal
front panel of the router Access Router Overview
One of the following: PIC 2 Built-in uplink ports on the ACX1000 and ACX1100 Universal
front panel of the router Access Router Overview
• 4x 1GE (RJ-45)
• 4x 1GE (SFP)
Xcvr (n) Abbreviated name of n is a value Optical transceivers Uplink Ports on ACX1000 and
the transceiver equivalent to the ACX1100 Routers
number of the port
in which the
transceiver is
installed.
Power Built-in power supply Value of n is DC power supply ACX1000 and ACX1100 Power
supply (n) always 0. Overview
T1/E1 GE GE COMBO
ACX1000 0/0/4 0/0/5 0/0/6 0/0/7 0/1/4 0/1/5 0/1/6 0/1/7 0/2/2 (Cu) 0/2/3 (Cu)
MGMT
g006413
ALARM
CONSOLE/AUX
GE COMBO
1PPS 10MHz
IN OUT IN OUT
SYS 0 0/0/0 0/0/1 0/0/2 0/0/3 0/1/0 0/1/1 0/1/2 0/1/3 0/2/0 (Cu) 0/2/1 (Cu)
0/2/0 (SFP) 0/2/1 (SFP) 0/2/2 (SFP) 0/2/3 (SFP)
FPC (n) Abbreviated name of the Value of n is always The router does not have Interface Naming Conventions
Flexible PIC Concentrator 0. actual FPCs. In this case, Used in the Junos OS
(FPC) FPC refers to the router Operational Commands
itself.
PIC (n) Abbreviated name of the n is a value in the The router does not have Interface Naming Conventions
Physical Interface Card range of 0–1. actual PIC devices; see Used in the Junos OS
(PIC) entries for PIC 0 through Operational Commands
PIC 2 for the equivalent
item on the router.
8x 1GE (RJ-45) PIC 0 Built-in uplink ports on the ACX1000 and ACX1100
front panel of the router Universal Access Router
Overview
One of the following: PIC 1 Built-in uplink ports on the ACX1000 and ACX1100
front panel of the router Universal Access Router
• 4x 1GE (RJ-45) Overview
• 4x 1GE (SFP)
Xcvr (n) Abbreviated name of the n is a value Optical transceivers Uplink Ports on ACX1000 and
transceiver equivalent to the ACX1100 Routers
number of the port
in which the
transceiver is
installed.
Power Built-in power supply Value of n is always AC or DC power supply ACX1000 and ACX1100 Power
supply (n) 0. Overview
GE
0/0/4 0/0/5 0/0/6 0/0/7 0/1/2 0/1/3
g017874
CONSOLE/AUX
FPC (n) Abbreviated name of the Value of n is The router does not have Interface Naming Conventions
Flexible PIC always 0. actual FPCs. In this case, FPC Used in the Junos OS Operational
Concentrator (FPC) refers to the router itself. Commands
Table 9: CLI Equivalents of Terms Used in Documentation for ACX2000 Routers (continued)
Hardware
Item (as Value (as
displayed Description (as displayed in the
in the CLI) displayed in the CLI) CLI) Item in Documentation Additional Information
PIC (n) Abbreviated name of the n is a value in the The router does not have Interface Naming Conventions
Physical Interface Card range of 0–3. actual PIC devices; see Used in the Junos OS Operational
(PIC) entries for PIC 0 through PIC Commands
3 for the equivalent item on
the router.
16x T1/E1 (RJ-48) PIC 0 Built-in network ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
One of the following: PIC 1 Built-in network ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
• 6x 1GE (RJ-45)
• 2x 1GE (POE RJ-45)
2x 1GE (SFP) PIC 2 Built-in uplink ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
2x 10GE (SFP+) PIC 3 Built-in uplink ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
Xcvr (n) Abbreviated name of the n is a value Optical transceivers Uplink Ports on ACX2000 and
transceiver equivalent to the ACX2100 Routers
number of the
port in which the
transceiver is
installed.
Power Built-in power supply Value of n is DC power supply ACX2000 and ACX2100 Power
supply (n) always 0. Overview
T1/E1 GE
ACX2000 0/0/8 0/0/9 0/0/10 0/0/11 0/0/12 0/0/13 0/0/14 0/0/15 0/1/4 0/1/5 0/1/6 0/1/7 POE
MGMT CONSOLE/AUX
g006414
ALARM
GE XE
1PPS 10MHz
IN OUT IN OUT
SYS 0 1 EXT REF CLK IN 0/0/0 0/0/1 0/0/2 0/0/3 0/0/4 0/0/5 0/0/6 0/0/7 0/1/0 0/1/1 0/1/2 0/1/3 POE
0/2/0 0/2/1 0/3/0 0/3/1
Table 10: CLI Equivalents of Terms Used in Documentation for ACX2100 Routers
Hardware
Item (as Value (as
displayed Description (as displayed in the
in the CLI) displayed in the CLI) CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of n is a value in the The router does not have Interface Naming Conventions
the Flexible PIC range of 0–1. actual FPCs. In this case, FPC Used in the Junos OS Operational
Concentrator (FPC) refers to the router itself. Commands
PIC (n) Abbreviated name of n is a value in the The router does not have Interface Naming Conventions
the Physical Interface range of 0–3. actual PIC devices; see Used in the Junos OS Operational
Card (PIC) entries for PIC 0 through PIC Commands
3 for the equivalent item on
the router.
16x T1/E1 (RJ-48) PIC 0 on FPC 0 Built-in network ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
4x 1GE (RJ-45) PIC 0 on FPC 1 Built-in network ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
One of the following: PIC 1 on FPC 1 Built-in uplink ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
• 4x 1GE (RJ-45)
• 4x 1GE (SFP)
2x 1GE (SFP) PIC 2 on FPC 1 Built-in uplink ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
2x 10GE (SFP+) PIC 3 on FPC 1 Built-in uplink ports on the ACX2000 and ACX2100 Universal
front panel of the router Access Router Overview
Xcvr (n) Abbreviated name of n is a value Optical transceivers Uplink Ports on ACX2000 and
the transceiver equivalent to the ACX2100 Routers
number of the port
in which the
transceiver is
installed.
Power Built-in power supply Value of n is always AC or DC power supply ACX2000 and ACX2100 Power
supply (n) 0. Overview
Table 10: CLI Equivalents of Terms Used in Documentation for ACX2100 Routers (continued)
Hardware
Item (as Value (as
displayed Description (as displayed in the
in the CLI) displayed in the CLI) CLI) Item in Documentation Additional Information
T1/E1 GE
0/0/8 0/0/9 0/0/10 0/0/11 0/0/12 0/0/13 0/0/14 0/0/15 1/0/2 1/0/3 1/1/2 1/1/3
ACX2100
MGMT CONSOLE/AUX
g017849
ALARM
1/1/2 1/1/3 1/2/1
1PPS 10MHz
IN OUT IN OUT
0 1 EXT REF CLK IN 0/0/0 0/0/1 0/0/2 0/0/3 0/0/4 0/0/5 0/0/6 0/0/7 1/0/0 1/0/1 1/1/0 1/1/1
SYS
COMBO PORTS 1/1/0 1/1/1 GE 1/2/0 1/3/0 XE 1/3/1
Table 11 on page 36 describes the hardware terms used in ACX2200 router documentation
and the corresponding terms used in the Junos OS command line interface (CLI).
Figure 10 on page 37 shows the port locations of the interfaces.
Table 11: CLI Equivalents of Terms Used in Documentation for ACX2200 Routers
Hardware Item (as Description (as Value (as displayed Item in Additional
displayed in the CLI) displayed in the CLI) in the CLI) Documentation Information
FPC (n) Abbreviated name of Value of n is always 0. The router does not Interface Naming
the Flexible PIC have actual FPCs. In Conventions Used in the
Concentrator (FPC) this case, FPC refers to Junos OS Operational
the router itself Commands
ACX2200
PIC (n) Abbreviated name of n is a value in the range The router does not Interface Naming
the Physical Interface of 0–3. have actual PIC Conventions Used in the
Card (PIC) devices; see entries for Junos OS Operational
PIC 0 through PIC 3 for Commands
the equivalent item on
the router
Table 11: CLI Equivalents of Terms Used in Documentation for ACX2200 Routers (continued)
Hardware Item (as Description (as Value (as displayed Item in Additional
displayed in the CLI) displayed in the CLI) in the CLI) Documentation Information
Xcvr (n) Abbreviated name of n is a value equivalent Optical transceivers Uplink Ports on
the transceiver to the number of the ACX2200 Routers
port in which the
transceiver is installed.
Power supply (n) Built-in power supply Value of n is always 0. DC power supply ACX2200 Power
Overview
GE
0/0/2 0/0/3 0/1/2 0/1/3
ACX2200
MGMT CONSOLE/AUX
g017872
ALARM
0/1/2 0/1/3 0/2/1
1PPS 10MHz
IN OUT IN OUT
0 1 EXT REF CLK IN
SYS 0/0/0 0/0/1 0/1/0 0/1/1
COMBO PORTS 0/1/0 0/1/1 GE 0/2/0 0/3/0 XE 0/3/1
Table 12 on page 38 describes the hardware terms used in ACX4000 router documentation
and the corresponding terms used in the Junos OS command line interface (CLI).
Figure 11 on page 39 shows the port locations of the interfaces.
Table 12: CLI Equivalents of Terms Used in Documentation for ACX4000 Routers
Hardware
Item (as
displayed Description (as Value (as displayed
in the CLI) displayed in the CLI) in the CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of Value of n is a value The router does not have actual Interface Naming
the Flexible PIC in the range of 0–1. FPC devices; see entries for Conventions Used in the
Concentrator (FPC) FPC 0 and FPC 1 for the Junos OS Operational
equivalent item on the router. Commands
ACX4000
PIC (n) Abbreviated name of n is a value in the The router supports up to two Interface Naming
the Modular Interface range of 0–2. MICs and has built-in interfaces, Conventions Used in the
Cards (MICs) or built-in both represented as PIC in the Junos OS Operational
interfaces CLI; see entries for PIC 0 through Commands
PIC 2 for the equivalent item on
the router.
8x 1GE(LAN) SFP, RJ45 FPC 0, PIC 0 Built-in network ports on the ACX4000 Uplink Ports
front panel of the router Overview
2x 1GE(LAN) SFP FPC 0, PIC 1 Built-in network ports on the ACX4000 Uplink Ports
front panel of the router Overview
2x 10GE(LAN) SFP+ FPC 0, PIC 2 Built-in network ports on the ACX4000 Uplink Ports
front panel of the router Overview
PEM (n) Power supply Value of n is a value AC or DC power supply ACX4000 Power Overview
in the range of 0–1.
Table 12: CLI Equivalents of Terms Used in Documentation for ACX4000 Routers (continued)
Hardware
Item (as
displayed Description (as Value (as displayed
in the CLI) displayed in the CLI) in the CLI) Item in Documentation Additional Information
Fan Tray Fan Tray Value of n is always Fan tray module Cooling System and
(n) 0. Airflow in an ACX4000
Router
g006541
5 4
Table 13: CLI Equivalents of Terms Used in Documentation for an ACX5048 Router
Hardware
Item (as
displayed in Description (as Value (as displayed
the CLI) displayed in the CLI) in the CLI) Item in Documentation Additional Information
Table 13: CLI Equivalents of Terms Used in Documentation for an ACX5048 Router (continued)
Hardware
Item (as
displayed in Description (as Value (as displayed
the CLI) displayed in the CLI) in the CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of Value of n is always 0. The router does not have Interface Naming Conventions
the Flexible PIC actual FPCs. In this case, Used in the Junos OS
Concentrator (FPC) FPC refers to the router Operational Commands
itself.
PIC (n) Abbreviated name of Value of n is always 0. The router does not have Interface Naming Conventions
the Physical Interface actual PIC devices; see Used in the Junos OS
Card (PIC) entries for PIC 0 for the Operational Commands
equivalent item on the
router.
Xcvr (n) Abbreviated name of n is a value equivalent Optical transceivers Port and Interface Specifications
the transceiver to the number of the
port in which the
transceiver is
installed.
Power Power supply n is a value in the AC power supply AC Power Supply for an
supply (n) range of 0-1. ACX5000 Router
DC power supply
DC Power Supply for an
ACX5000 Router
Table 14: CLI Equivalents of Terms Used in Documentation for an ACX5096 Router
Hardware
Item (as
displayed in Description (as Value (as displayed
the CLI) displayed in the CLI) in the CLI) Item in Documentation Additional Information
FPC (n) Abbreviated name of Value of n is always 0. The router does not have Interface Naming Conventions
the Flexible PIC actual FPCs. In this case, Used in the Junos OS
Concentrator (FPC) FPC refers to the router Operational Commands
itself.
PIC (n) Abbreviated name of Value of n is always 0. The router does not have Interface Naming Conventions
the Physical Interface actual PIC devices; see Used in the Junos OS
Card (PIC) entries for PIC 0 for the Operational Commands
equivalent item on the
router.
Xcvr (n) Abbreviated name of n is a value equivalent Optical transceivers Port and Interface
the transceiver to the number of the Specifications
port in which the
transceiver is installed.
Power Built-in power supply n is a value in the AC power supply AC Power Supply for an
supply (n) range of 0-1. ACX5000 Router
DC power supply
DC Power Supply for an
ACX5000 Router
• Routing Engines and Storage Media Names (ACX Series, M Series, MX Series, PTX
Series, T Series, TX Matrix, TX Matrix Plus, and JCS 1200 Routers) on page 45
• Boot Sequence on ACX Series Routers on page 48
• Dual-Root Partitioning ACX Series Routers Overview on page 48
• Understanding How the Primary Junos OS Image with Dual-Root Partitioning Recovers
on the ACX Series Router on page 49
• Junos OS Release 12.2 or Later Upgrades with Dual-Root Partitioning on ACX Series
Routers on page 51
• Installing Junos OS Using a USB Storage Device on ACX Series Routers on page 52
• Installing Junos OS Upgrades from a Remote Server on ACX Series Routers on page 52
• Example: Installing Junos OS and Configuring a Dual-Root Partition on ACX Series
Routers Using the CLI on page 53
• Upgrading Software Packages on page 57
• Loading and Committing the Configuration File on page 60
• Checking the Current Configuration and Candidate Software Compatibility on page 61
• Unattended Boot Mode in ACX Series on page 61
• Understanding System Snapshot on an ACX Series Router on page 64
• Example: Taking a Snapshot of the Software and Configuration on page 65
• Understanding In-Service Software Upgrade (ISSU) in ACX5000 Series
Routers on page 68
• Performing an In-Service Software Upgrade (ISSU) in ACX5000 Series
Routers on page 69
Routing Engines and Storage Media Names (ACX Series, M Series, MX Series, PTX
Series, T Series, TX Matrix, TX Matrix Plus, and JCS 1200 Routers)
Table 15 on page 46 specifies the storage media names by Routing Engine. The storage
media device names are displayed when the router boots.
Table 15: Routing Engines and Storage Media Names (ACX Series, M
Series, MX Series, T Series, TX Matrix, TX Matrix Plus, and JCS 1200
Routers)
Removable
Media
CompactFlash Solid-State Emergency
Routing Engine Card Hard Disk Drive Boot Device
SSD2: ad2
SSD2: ad2
SSD1: ad1
Table 15: Routing Engines and Storage Media Names (ACX Series, M
Series, MX Series, T Series, TX Matrix, TX Matrix Plus, and JCS 1200
Routers) (continued)
Removable
Media
CompactFlash Solid-State Emergency
Routing Engine Card Hard Disk Drive Boot Device
SSD2
SSD2
SSD2
NOTE: On MX80 routers, the Routing Engine is a built-in device and has no
model number. The dual internal NAND flash devices are da0 and da1. The
USB storage device is da2.
NOTE: On ACX Series routers, the Routing Engine is a built-in device which
does not have a model number. The dual internal NAND flash devices are
da0s1 and da0s2. The USB storage device is da0s2a. Use the show chassis
hardware models command to obtain the field-replaceable unit (FRU) model
number—for example, ACX2000BASE-DC for the ACX2000 router.
To view the storage media currently available on your system, use the CLI show system
storage command. For more information about this command, see the CLI User Guide.
The router attempts to boot from the storage media in the following order:
Dual-root partitioning allows the ACX Series router to remain functional even if there is
file system corruption and to facilitate easy recovery of the file system. Dual-root
partitioning means that the primary and backup Junos OS images are kept in two
independently bootable root partitions. If the primary root partition becomes corrupted,
the system can still boot from the backup Junos OS image located in the other root
partition and remain fully functional.
• Boot Media and Boot Partition on the ACX Series Routers on page 48
• Important Features of the Dual-Root Partitioning Scheme on page 49
The following is the storage media available on the ACX Series router:
• The primary and backup copies of Junos OS images reside in separate partitions. The
partition containing the backup copy is mounted only when required. With the
single-root partitioning scheme, there is one root partition that contains both the
primary and the backup Junos OS images.
• The request system software add command for a Junos OS package erases the contents
of the other root partition. The contents of the other root partition will not be valid
unless software installation is completed successfully.
• Add-on packages, such as jais or jfirmware, can be reinstalled as required after a new
Junos OS image is installed.
• The request system software rollback command does not delete the current Junos OS
image. It is possible to switch back to the image by issuing the rollback command again.
Related • Understanding How the Primary Junos OS Image with Dual-Root Partitioning Recovers
Documentation on the ACX Series Router on page 49
• Installing Junos OS Using a USB Storage Device on ACX Series Routers on page 52
• Installing Junos OS Upgrades from a Remote Server on ACX Series Routers on page 52
Understanding How the Primary Junos OS Image with Dual-Root Partitioning Recovers
on the ACX Series Router
If the ACX Series Universal Access router is unable to boot from the primary Junos OS
image and boots up from the backup Junos OS image in the backup root partition, a
message appears on the console at the time of login indicating that the device has booted
from the backup Junos OS image.
login: user
Password:
***********************************************************************
** **
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
** **
** properly, and so this device has booted from the backup copy. **
** **
** **
***********************************************************************
Because the system is left with only one functional root partition, you should immediately
restore the primary Junos OS image using one of the following methods:
• Install a new image using the CLI. When you install the new image, the new image is
installed on only one partition–the alternate partition, meaning the router is now running
two images. When you reboot, the router boots from the newly installed image, which
becomes the primary image. So now there are two different images running on the
router. Run the installation process again to update the other partition.
• Use a snapshot of the backup root partition by entering the request system snapshot
slice alternate command. After the primary root partition is recovered using this method,
the device will successfully boot from the primary root partition on the next reboot.
After the procedure, the primary root partition will contain the same version of Junos
OS as the backup root partition.
NOTE: You can use the CLI command request system snapshot slice
alternate to back up the currently running root file system (primary or
secondary) to the other root partition on the system.
• Save an image of the primary root partition in the backup root partition
when the system boots from the primary root partition.
• Save an image of the backup root partition in the primary root partition
when the system boots from the backup root partition.
WARNING: The process of restoring the alternate root by using the CLI
command request system snapshot slice alternate takes several minutes
to complete. If you terminate the operation before completion, the alternate
root might not have all required contents to function properly.
• Installing Junos OS Upgrades from a Remote Server on ACX Series Routers on page 52
Junos OS Release 12.2 or Later Upgrades with Dual-Root Partitioning on ACX Series
Routers
To format the media with dual-root partitioning while upgrading to Junos OS Release
12.2 or later, use either of the following installation methods:
• Installation using a USB storage device. We recommend this method if console access
to the system is available and the system can be physically accessed to plug in a USB
storage device. See Installing Junos OS Using a USB Storage Device on ACX Series
Routers.
• Installation from the CLI. We recommend this method only if console access is not
available. This installation can be performed remotely. See Installing Junos OS Upgrades
from a Remote Server on ACX Series Routers.
• Installing Junos OS Using a USB Storage Device on ACX Series Routers on page 52
• Installing Junos OS Upgrades from a Remote Server on ACX Series Routers on page 52
To install the Junos OS image on ACX Series routers using a USB storage device, you
must have access to the USB port physically and you must also have console access.
Perform the following steps to install the Junos OS image:
1. Insert the USB storage device that has a valid installation image into the USB port.
2. Reboot the router by either pressing the power button on the chassis or switching off
and turning on the power button behind the Routing Engine, or by entering the request
system reboot command from the CLI. The system LED starts blinking in green.
On the console, a message is displayed stating that your flash memory device (NAND
Flash device) will be formatted and you will lose all the data. You are prompted to
confirm the formatting of the flash memory device.
3. Press y to confirm and proceed with the formatting process. The flash memory device
is formatted and the image is installed on both the partitions.
4. After you remove the USB port and press Enter, the reboot begins. After the router is
rebooted, the new Junos OS version is loaded and functional. The LED glows steadily
in green.
NOTE: If an installation error occurs, the LEDs turn red. You must have console
access to the router to troubleshoot an installation error.
• Junos OS Release 12.2 or Later Upgrades with Dual-Root Partitioning on ACX Series
Routers on page 51
• Installing Junos OS Upgrades from a Remote Server on ACX Series Routers on page 52
You can use the CLI to install Junos OS packages that are downloaded with FTP or HTTP
from the specified location on internal media, such as the NAND Flash device.
To install Junos OS upgrades from a remote server, enter the following command from
operational mode:
The new Junos OS image is installed on the router and the device is rebooted.
NOTE: On ACX5048 and ACX5096 routers, use the force-host option to force
installing the latest version of the Host OS.
• Junos OS Release 12.2 or Later Upgrades with Dual-Root Partitioning on ACX Series
Routers on page 51
• Installing Junos OS Using a USB Storage Device on ACX Series Routers on page 52
This example shows how to install Junos OS Release 12.2 or later and configure a dual-root
partition on ACX Series routers with the CLI.
• Requirements on page 53
• Overview on page 54
• Configuration on page 54
• Verification on page 56
Requirements
This example requires an ACX Series router. Before you begin, back up any important
data.
Overview
This example formats the NAND Flash device and installs the new Junos OS image on
the media with dual-root partitioning. Install the Junos OS Release 12.2 or later image
from the CLI by using the request system software add command. Partitions are
automatically created on ACX Series routers and no option needs to be manually entered
for creating partitions. This command copies the image to the device, and then reboots
the device for installation. The device boots with the Release 12.2 or later image installed
with the dual-root partitioning scheme. The formatting and installation process is
scheduled to run on the next reboot. Therefore, we recommend that this option be used
together with the reboot option.
NOTE: The process might take 15 to 20 minutes. The system is not accessible
over the network during this time.
WARNING: Using the request system software add command erases the
existing contents of the media. Only the current configuration is preserved.
You should back up any important data before starting the process.
NOTE: Dual, internal NAND Flash device (first daOs1, then daOs2) and USB
storage device are the storage media available on the ACX Series router. The
USB storage device is not dual-root partitioned.
• no-copy option to install the software package. However, do not save the copies of
the package files. You should include this option if you do not have enough space on
the internal media to perform an upgrade that keeps a copy of the package on the
device.
• no-validate option to bypass the compatibility check with the current configuration
before installation starts.
Configuration
CLI Quick To install Junos OS Release 12.2 or later and configure dual-root partitioning on ACX
Configuration Series routers, copy the following command, paste it in a text file, remove any line break,
and then copy and paste the command into the CLI.
Step-by-Step To install Junos OS Release 12.2 or later and configure a dual-root partition:
Procedure
1. Upgrade the ACX Series router to Junos OS Release 12.2 or later using the CLI. See
“Upgrading Software Packages” on page 57.
2. Install Junos OS Release 12.2 or later and configure the dual-root partition.
Results In operational mode, confirm your configuration by entering the show system storage
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
Sample output on a system with dual-root partitioning that displays information about
the root partition that is mounted (only one root partition is mounted at a point in time):
If you are done configuring the device, enter commit in configuration mode.
You can issue the fdisk command from the Junos prompt to display information about
the entire partition format on the NAND Flash device. All ACX Series routers run with
dual-root partitioning. The following example displays the partition details on an ACX
Series router with dual-root partitions:
user@host% fdisk
In the preceding example, partition 1 and 2 contain two partitions each internally, a root
partition and a configuration partition.
Verification
Confirm that the configuration is working properly.
Purpose Verify that the partitioning scheme details on the ACX Series router were configured.
Action In operational mode, enter the show system storage command. For details about the
output of this command and the descriptions of the output fields, see show system
storage.
Related • Junos OS Release 12.2 or Later Upgrades with Dual-Root Partitioning on ACX Series
Documentation Routers on page 51
• Installing Junos OS Using a USB Storage Device on ACX Series Routers on page 52
• Installing Junos OS Upgrades from a Remote Server on ACX Series Routers on page 52
NOTE: When you install individual software packages, the following notes
apply:
NOTE: If you are upgrading a Routing Engine on a PTX Series router to run
Junos OS Release 13.2R2 and later, and then make that Routing Engine the
master Routing Engine, then the master Routing Engine reports a major alarm
CB 0/1 ESW PFE Port Fail even though the Control Board’s Ethernet switch
links are up and running on both the master and the backup Routing Engines.
This is because the backup Routing Engine is still on Junos OS Release 13.2R1
or earlier. The alarm is cleared after you have completed the upgrade of Junos
OS on the backup Routing Engine.
1. Download the software packages you need from the Juniper Networks Support Web
site at http://www.juniper.net/support/. For information about downloading software
packages, see Downloading Software.
2. Back up the currently running and active file system so that you can recover to a known,
stable environment in case something goes wrong with the upgrade:
The root file system is backed up to /altroot, and /config is backed up to /altconfig.
The root and /config file systems are on the router’s CompactFlash card, and the
/altroot and /altconfig file systems are on the router’s hard disk or solid-state drive
(SSD).
NOTE: After you issue the request system snapshot command, you cannot
return to the previous version of the software, because the running copy
and the backup copy of the software are identical.
NOTE: This step is optional for SRX300, SRX320, SRX340, SRX345, and
SRX550M; for these devices, ensure that a USB flash drive is plugged into
the USB port of the device.
3. If you are copying multiple software packages to the router, copy them to the /var/tmp
directory on the hard disk or solid-state drive (SSD):
If you are upgrading more than one package at the same time, add jbase first. If you
are using this procedure to upgrade all packages at once, add them in the following
order:
• For M Series, MX Series, and T Series routers running Junos OS Release 12.2 and
later, you can add more than one software package at the same time. To add
multiple software packages:
• The full URL to the directory or tar file containing the list of installation packages.
Use the request system software add set command to retain any SDK configuration
by installing the SDK add-on packages along with the core Junos OS installation
package.
WARNING: Do not include the re0 | re1 option when you install a package
using the request system software add command, if the Routing Engine on
which the package is located and the Routing Engine on which you want
to install the package are the same. In such cases, the package gets
deleted after a successful upgrade.
This message indicates that someone manually deleted or changed an item that was
in a package. You do not need to take any action; the package is still properly deleted.
For more information about the request system software add command, see the CLI
Explorer.
6. After you have upgraded or downgraded the software and are satisfied that the new
software is successfully running, issue the request system snapshot command to back
up the new software:
NOTE: On an ACX router, you must issue the request system snapshot slice
alternate command.
The root file system is backed up to /altroot, and /config is backed up to /altconfig.
The root and /config file systems are on the router’s CompactFlash card, and the
/altroot and /altconfig file systems are on the router’s hard disk or solid-state drive
(SSD).
NOTE: After you issue the request system snapshot command, you cannot
return to the previous version of the software, because the running copy
and backup copy of the software are identical.
NOTE: To install the Junos OS software package and host software package
on routers with RE-MX-X6, RE-MX-X8, and RE-PTX-X8 Routing Engines, see
VM Host Installation
Once the saved configuration file is copied to the router, you load and commit the file:
[edit]
user@host#
2. Load the file into the current configuration. You should override the existing file.
user@host#
load override /var/tmp/filename
load complete
user@host# commit
commit complete
user@host# exit
user@host>
After you have installed the software on the router, committed the configuration, and
are satisfied that the new configuration is successfully running, issue the request
system snapshot command to back up the new software to the /altconfig file system.
If you do not issue the request system snapshot command, the configuration on the
alternate boot drive will be out of sync with the configuration on the primary boot
drive.
The request system snapshot command causes the root file system to be backed up
to /altroot, and /config to be backed up to /altconfig. The root and /config file systems
are on the router’s CompactFlash card, and the /altroot and /altconfig file systems
are on the router’s hard disk or solid-state drive (SSD).
When you upgrade or downgrade Junos OS, we recommend that you include the validate
option with the request system software add command to check that the candidate
software is compatible with the current configuration. By default, when you add a package
with a different release number, the validation check is done automatically.
NOTE: On an ACX Series router, you must ensure that the primary and backup
partitions are synchronized after an upgrade by issuing the request system
snapshot command.
• Installing Junos OS Upgrade Packages on SRX Series Devices from a Remote Server
Junos operating system (Junos OS) for ACX series router supports unattended boot
mode. Unattended boot mode feature blocks any known methods to get access to the
router from CPU reset till Junos OS login prompt, thereby preventing a user to make any
unauthorized changes on the router such as viewing, modifying, or deleting configuration
information.
To enable unattended boot mode, enter a bootloader password, commit the changes,
and then enable unattended boot mode:
[edit]
user@host# set system boot-loader-authentication plain-text-password
New Password: type password here
Retype new password: retype password here
[edit]
user@host# set system boot-loader-authentication encrypted-password password
[edit]
user@host# commit
[edit]
user@host#exit
user@host>
NOTE: After the router reboots, you need to enter the bootloader password
at the bootloader login prompt.
[edit]
user@host#set system unattended-boot
[edit]
user@host#commit
[edit]
user@host# exit
user@host>
To disable unattended boot mode, delete the bootloader password and then delete the
unattended boot mode:
[edit]
user@host# delete system boot-loader-authentication
[edit]
user@host# delete system unattended-boot
[edit]
user@host# commit
[edit]
user@host# exit
root@>
If unattended mode is enabled or configured, the USB mode of booting is disabled. If you
want to boot from an external USB device, you need use the bootfrom USB CLI command
at the bootloader prompt.
The system snapshot feature enables you to create copies of the software running on
an ACX Series router. You can use the system snapshot feature to take a “snapshot” of
the files currently used to run the router—the complete contents of the root (/) and
/config directories, which include the running Juniper Networks Juniper operating system
(Junos OS) and the active configuration—and copy all of these files to another media,
such as a universal serial bus (USB) storage device, the active slice of a dual-root
partitioned router, or the alternate slice of a dual-root partitioned router.
Typically, you can take a snapshot prior to the upgrade of an image on the dual internal
NAND flash device (da0s1 or da0s2), or to remedy a bad image, thereby preventing the
bad image from rendering the system useless. A snapshot to another media ensures that
the device can boot from the other media in case the system does not boot up from the
current image.
You can take a snapshot of the currently running software and configuration on a router
in the following situations:
• The router's active slice (for example, da0s1) is updated with a new Junos OS image
(using the jinstall package). In such a case, you must update the other slice (da0s2)
with the new image.
• The router's active slice (for example, da0s1) is corrupted and the router is rebooted
from the backup slice (that is, from da0s2). Therefore, you must restore a new image
on the active slice—that is, on da0s1.
• Both slices of the router's dual internal NAND flash device are corrupted and the router
continues trying to reboot. In this situation, you can insert a USB storage device, boot
the router from that device, and restore the NAND flash device slices—da0s1 and da0s2.
NOTE: Before you attempt to take a snapshot from the USB storage device,
ensure that the USB storage device contains an image of Junos OS from
which the router can boot up.
This example includes six scenarios in which you can take a snapshot of the currently
running software and configuration on an ACX Series router, prior to the upgrade of an
image or to remedy a bad image, thereby preventing the bad image from rendering the
system useless.
• Requirements on page 65
• Overview on page 65
• Taking a Snapshot on page 66
Requirements
This example uses the following hardware and software components:
Overview
In this example, the request system snapshot command is used to take a copy of the
currently running software and configuration on another media—for example, a universal
serial bus (USB) storage device, the active slice (da0s1 or da0s2) of a dual-root partitioned
router, or the alternate slice (da0s1 or da0s2) of a dual-root partitioned router. A snapshot
to another media ensures that the device can boot from the other media in case the
system does not boot up from the current image.
CAUTION: After you run the request system snapshot command, you cannot
return to the previous version of the software, because the running and backup
copies of the software are identical.
Taking a Snapshot
Scenario: To take a snapshot from a NAND flash device slice to a USB storage device:
1. Boot up the router from the NAND flash device and make sure that a formatted USB
storage device is plugged in to the router’s USB port. The USB storage device must
be formatted for the root (/) and /config directories.
The root (/) and /config directories from the currently mounted NAND flash slice are
copied to the USB storage device.
Scenario: To take a snapshot from a NAND flash device slice to a USB storage device
with formatting:
1. Boot up the router from the NAND flash device and make sure that a USB storage
device is plugged in to the router’s USB port.
NOTE: Formatting a USB storage device deletes all the data on the USB
storage device.
After the USB storage device is formatted, the root (/) and /config directories from
the currently mounted NAND flash slice are copied to the USB storage device.
Scenario: To take a snapshot from the active slice of the NAND flash device to the
alternate slice:
The root (/) and /config directories from the currently mounted NAND flash slice are
copied to the other slice.
Scenario: To take a snapshot from an active slice of the NAND flash device to the alternate
slice after partitioning:
The BSD label (disk partitioning information) for the active flash slice is installed and
then the root (/) and /config directories from the currently mounted NAND flash slice
are copied to the other slice.
Scenario: To take a snapshot from a USB storage device to the active slice of the NAND
flash device:
1. Boot up the router from a USB storage device containing the required Junos OS image.
The root (/) and /config directories from the USB storage device are copied to the
active NAND flash slice.
Scenario: To take a snapshot from a USB storage device to the active slice of the NAND
flash device after partitioning:
1. Boot up the router from a USB storage device containing the required Junos OS image.
The BSD label (disk partitioning information) for the active flash slice is installed and
then the root (/) and /config directories from the USB storage device are copied to
the active NAND flash slice.
An in-service software upgrade (ISSU) enables you to upgrade between two different
Junos OS releases with minimal disruption on the control plane and with minimal
disruption of traffic. During an ISSU, the Junos OS runs in two separate virtual machines
(VMs)—one VM is in the master role acting as the master Routing Engine, and the other
VM is in the backup role acting as the backup Routing Engine. The Junos OS is upgraded
on the backup VM. After a successful software upgrade, the backup VM then becomes
the master VM, and the original master VM is no longer needed and is shut down.
1. The management process (mgd) verifies that non-stop routing (NSR), graceful Routing
Engine switchover (GRES), and non-stop bridging (NSB) are enabled.
3. The ISSU state machine spawns the backup Routing Engine (RE) with the newer
software.
4. The ISSU state machine checks to see if the backup RE has synchronized all of the
data with the master RE.
5. The ISSU state machine moves the devices (for example, forwarding ASIC, FPGA,
management port and serial console) from the master RE to the backup RE.
6. The mastership is switched between the REs, so the backup RE becomes the master
RE.
Related
Documentation
You can use an in-service software upgrade to upgrade the software running on the router
with minimal traffic disruption during the upgrade.
• Ensure that nonstop active routing (NSR) and nonstop bridging (NSB) are enabled. If
enabled, disable graceful restart (GR), because NSR and GR cannot be enabled
simultaneously. NSB and GR enable NSB-supported Layer 2 protocols to synchronize
protocol information between the master and backup Routing Engines.
• If NSR is not enabled (Stateful Replication is Disabled), then enable NSR. NSR requires
you to configure graceful Routing Engine switchover (GRES). By default, NSR is disabled.
• Enable nonstop bridging (NSB). Nonstop bridging requires you to configure graceful
Routing Engine switchover (GRES). By default, NSB is disabled.
• (Optional) Back up the system software—Junos OS, the active configuration, and log
files—on the router to an external storage device with the request system snapshot
command.
On ACX5000 line of routers, you need to consider the following feature before performing
ISSU:
• ISSU supports link fault management (LFM) timeout sessions of 1 second interval.
During ISSU, you may notice LFM flaps for sessions having timeout interval of less than
1 second.
• Bidirectional Forwarding Detection (BFD) sessions having timeout interval of less than
1 second need to be reconfigured to 1 second before starting the ISSU process. You
can restore the timeout interval to its original value after completing the ISSU process.
• ISSU supports interval slow (every 30 seconds) for periodic transmission of Link
Aggregation Control Protocol (LACP) packets.
• IPv6 firewall, IPv6 COS (classification and rewrite), IPv6 VPN, and VPLS mesh group.
• Interval fast (every second) for periodic transmission of Link Aggregation Control
Protocol (LACP) packets. If the periodic interval fast is configured, then you may notice
traffic drops because of LACP links going down during ISSU. ACX5000 line of routers
can support LACP with fast hello by configuring the fast-hello-issu option (user@host#
set protocols lacp fast-hello-issu) on the main router and peer routers before starting
ISSU.
NOTE: The peer router must have Junos OS software to support this
functionality.
1. Download the software package from the Juniper Networks Support website
http://www.juniper.net/support/downloads/junos.html .
NOTE: To access the download site, you must have a service contract
with Juniper Networks and an access account. If you need help obtaining
an account, complete the registration form at the Juniper Networks website
https://www.juniper.net/registration/Register.jsp .
2. Go to ACX Series section and select the ACX5000 Series platform software you want
to download.
3. Copy the software package or packages to the router. We recommend that you copy
the file to the /var/tmp directory.
4. Log in to the console connection. Using a console connection allows you to monitor
the progress of the upgrade.
NOTE: During the upgrade, you will not be able to access the Junos OS
CLI.
The router displays status messages similar to the following messages as the upgrade
executes:
warning: Do NOT use /user during ISSU. Changes to /user during ISSU may get
lost!
[Oct 24 00:25:37]:ISSU: Validating Image
[Oct 24 00:25:44]:ISSU: Preparing Backup RE
Prepare for ISSU
[Oct 24 00:25:49]:ISSU: Backup RE Prepare Done
Extracting jinstall-acx5k-15.1X54-D60.3-domestic ...
Install jinstall-acx5k-15.1X54-D60.3-domestic completed
Spawning the backup RE
Spawn backup RE, index 0 successful
GRES in progress
GRES done in 0 seconds
Waiting for backup RE switchover ready
GRES operational
Copying home directories
Copying home directories successful
Initiating Chassis In-Service-Upgrade
Chassis ISSU Started
[Oct 24 00:31:56]:ISSU: Preparing Daemons
[Oct 24 00:32:57]:ISSU: Daemons Ready for ISSU
[Oct 24 00:33:02]:ISSU: Starting Upgrade for FRUs
[Oct 24 00:33:23]:ISSU: FPC Warm Booting
[Oct 24 00:34:41]:ISSU: FPC Warm Booted
[Oct 24 00:34:51]:ISSU: Preparing for Switchover
[Oct 24 00:34:57]:ISSU: Ready for Switchover
Checking In-Service-Upgrade status
Item Status Reason
FPC 0 Online (ISSU)
Send ISSU done to chassisd on backup RE
Chassis ISSU Completed
[Oct 24 00:35:18]:ISSU: IDLE
Console and management sessions will be disconnected. Please login again.
NOTE: An ISSU might stop instead of abort if the FPC is at the warm boot
stage. Also, any links that go down and up will not be detected during a
warm boot of the Packet Forwarding Engine (PFE).
NOTE: If the ISSU process stops, you can look at the log files to diagnose
the problem. The log files are located at /var/log/vjunos-log.tgz.
6. Log in after the router reboots. To verify that the software has been upgraded, enter
the following command:
7. Disable or delete the configuration done to enable the ISSU. This includes disabling
nonstop active routing (NSR), nonstop bridging (NBR) and graceful Routing Engine
(GRES).
Issue the show chassis in-service-upgrade command on the master Routing Engine.
Display the unified ISSU process messages by using the show log messages command.
Related
Documentation
Configuring Autoinstallation
Autoinstallation provides automatic configuration for a new router that you connect to
the network and turn on, or for a router configured for autoinstallation. The autoinstallation
process begins anytime a router is powered on and cannot locate a valid configuration
file in the CompactFlash (CF) card. Typically, a configuration file is unavailable when a
router is powered on for the first time, or if the configuration file is deleted from the CF
card. The autoinstallation feature enables you to deploy multiple routers from a central
location in the network.
For the autoinstallation process to work, you must store one or more host-specific or
default configuration files on a configuration server in the network and have a service
available—typically Dynamic Host Configuration Protocol (DHCP)—to assign an IP address
to the router.
If the server with the autoinstallation configuration file is not on the same LAN segment
as the new router, or if a specific router is required by the network, you must configure
an intermediate router directly attached to the new router, through which the new router
can send HTTP, FTP, Trivial File Transfer Protocol (TFTP), BOOTP, and Domain Name
System (DNS) requests. In this case, you specify the IP address of the intermediate router
as the location to receive HTTP, FTP, or TFTP requests for autoinstallation.
1. The new router sends out DHCP, BOOTP, or RARP requests on each connected
interface simultaneously to obtain an IP address.
If a DHCP server responds, it provides the router with some or all of the following
information:
• The location of the TFTP (typically), Hypertext Transfer Protocol (HTTP), or FTP
server on which the configuration file is stored.
• The name of the configuration file to be requested from the HTTP, FTP, or TFTP
server.
If the DHCP server provides only the hostname, a DNS server must be available on
the network to resolve the name to an IP address.
2. After the new router acquires an IP address, the autoinstallation process on the router
attempts to download a configuration file in the following ways:
a. If the configuration file is specified as a URL, the router fetches the configuration
file from the URL by using HTTP, FTP, or TFTP depending on the protocol specified
in the URL.
b. If the DHCP server specifies the host-specific configuration file (boot file)
hostname.conf, the router uses that filename in the TFTP server request. (In the
filename, hostname is the hostname of the new router.) The autoinstallation process
on the new router makes three unicast TFTP requests for hostname.conf. If these
attempts fail, the router broadcasts three requests to any available TFTP server
for the file.
c. If the new router cannot locate hostname.conf, the autoinstallation process unicasts
or broadcasts TFTP requests for a default router configuration file called
network.conf, which contains hostname-to-IP address mapping information, to
attempt to find its hostname.
d. If network.conf contains no hostname entry for the new router, the autoinstallation
process sends out a DNS request and attempts to resolve the new router’s IP
address to a hostname.
e. If the new router can determine its hostname, it sends a TFTP request for the
hostname.conf file.
f. If the new router is unable to map its IP address to a hostname, it sends TFTP
requests for the default configuration file router.conf.
3. After the new router locates a configuration file on a TFTP server, autoinstallation
downloads the file, installs the file on the router, and commits the configuration.
Related • Before You Begin Autoinstallation on an ACX Series Universal Access Router on page 77
Documentation
• Autoinstallation Configuration of ACX Series Universal Access Routers on page 78
• Make sure you have a DHCP server on your network to meet your network requirements.
• Create one of the following configuration files and store it on an HTTP, FTP, or TFTP
server in the network:
• A host-specific file with the name hostname.conf for each router undergoing
autoinstallation. Replace hostname with the name of a router. The hostname.conf
file typically contains all the configuration information necessary for the router with
this hostname.
• Physically attach the router to the network using a Gigabit Ethernet interface.
• If you configure the DHCP server to provide only the HTTP, FTP, or TFTP server
hostname, add an IP address-to-hostname mapping entry for the HTTP, FTP, or TFTP
server to the DNS database file on the DNS server in the network.
• If the new router is not on the same network segment as the DHCP server (or other
router providing IP address resolution), configure an existing router as an intermediate
to receive HTTP, FTP, or TFTP and DNS requests and forward them to the HTTP, FTP,
or TFTP and DNS servers. You must configure the LAN on the intermediate router with
the IP addresses of the hosts providing HTTP, FTP, or TFTP and DNS service. Connect
this interface to the new router.
• Configure the DHCP server to provide a hostname.conf filename to each new router.
Each router uses its hostname.conf filename to request a configuration file from the
TFTP server. Copy the necessary hostname.conf configuration files to the TFTP server.
• Create a default configuration file named network.conf and copy it to the TFTP server.
This file contains IP address-to-hostname mapping entries. If the DHCP server does
not send a hostname.conf filename to a new router, the router uses network.conf to
resolve its hostname based on its IP address.
Alternatively, you can add the IP address-to-hostname mapping entry for the new
router to a DNS database file.
The router uses the hostname to request a hostname.conf file from the server.
To configure autoinstallation:
1. Specify the URL address of one or more servers from which to obtain configuration
files.
[edit system]
[edit system]
user@host# set autoinstallation interfaces ge-0/0/0 bootp
Purpose After you have configured autoinstallation, display the status of autoinstallation on an
ACX Series router.
Action From the CLI, enter the show system autoinstallation status command.
Sample Output
Meaning The output shows the settings configured for autoinstallation. Verify that the values
displayed are correct for the router when it is deployed on the network.
If you have a new ACX Series router, you can use a Disk-on-Key USB memory stick (“USB
key”) to configure the router.
• A Disk-on-Key device with one of the following 16-bit or 32-bit file allocation table
(FAT) file systems:
• FAT32
• FAT32, LBA-mapped
• An ACX Series router with the factory configuration. If other Junos OS configuration
files exist on the router, the router cannot read the juniper-config.txt file from the
Disk-on-Key device.
3. Plug the Disk-on-Key device into the USB port on the new ACX Series router.
4. Power on the router by pressing the POWER button on the front panel. Wait for the
router to start and access the Disk-on-Key device (observe the LEDs on the Disk-on-Key
device).
The router reads the juniper-config.txt file from the Disk-on-Key device and commits
the configuration.
• Before You Begin Autoinstallation on an ACX Series Universal Access Router on page 77
The ACX Series router has an autoinstallation mechanism that allows the router to
configure itself out-of-the-box with no manual intervention, using the configuration
• The router can be sent from the warehouse to the deployment site without any
pre-configuration steps.
• The procedure required to deploy the device at the cell site is simplified, resulting in
reduced operational and administrative costs.
• You can roll out large numbers of these devices in a very short time.
ACX Series routers support the retrieval of partial configuration from an external USB
storage device plugged into the router’s USB port during the autoinstallation process.
This partial configuration in turn facilitates the network mode of autoinstallation to
retrieve the complete configuration file from the network. This method is called hybrid
mode of autoinstallation.
On the different ACX Series routers, autoinstallation is supported on the following Gigabit
Ethernet (ge) and 10- Gigabit Ethernet (xe) interfaces:
Before you perform autoinstallation on a router in hybrid mode, complete the following
tasks:
Using a text editor on a PC or laptop, create the configuration file, named juniper-config.txt,
as a sequence of configuration commands (“set” commands). To reuse configuration
from another ACX Series router, the configuration can be saved in configuration mode
as a sequence of configuration commands on the router using the “show | display set |
save <filename>” command and then copying the <filename> to the PC or router as
juniper-config.txt.
You must copy the juniper-config.txt file to an external USB storage device. Plug the USB
device into the USB port on the new ACX Series router. When you power on the router,
the router first attempts to access the external USB storage device. The router reads the
juniper-config.txt file from the external USB storage device and commits the configuration.
Perform all of the steps described in the “Before You Begin Autoinstallation on an ACX
Series Universal Access Router” on page 77 section, which prepares the router for
network-based autoinstallation.
You can perform autoinstallation on a new ACX Series router in hybrid mode, which is a
combination of the USB-based autoinstallation process and the network-based
autoinstallation process.
• An external USB storage device with one of the following 16-bit or 32-bit file allocation
table (FAT) file systems:
• FAT32
• FAT32, LBA-mapped
BOOTP, RARP and DHCP are the supported protocols for acquisition of IP address of
the router and TFTP, FTP, and HTTP are the supported protocols for downloading the
configuration file from an external server URL on which the configuration file is stored.
The following operations occur during autoinstallation in hybrid mode on ACX Series
routers:
1. When a new ACX Series router is powered on for the first time, the router performs
the following autoinstallation tasks: The router boots the Junos OS image. The
management process (mgd) is invoked and it determines whether a valid configuration
exists on the router’s Flash memory. If a valid configuration is not present on the router,
it loads and commits the factory-default configuration.
5. After acquiring the partial configuration from the juniper-config.txt file, the configuration
discovery procedure is initiated. For all physical Ethernet interfaces that transition to
the up state, the autoinstallation process verifies whether autoinstallation is configured
on that Ethernet interface. The autoinstallation process starts IP address acquisition
mechanism to obtain IP address of the server followed by the configuration file retrieval
mechanism.
6. For the interfaces that take part in the autoinstallation process, the IPv4 address
discovery procedure is triggered. The new ACX Series router sends out DHCP, or
BOOTP, or RARP requests on each connected interface simultaneously to obtain an
IP address. The interfaces statement in the autoinstallation configuration stanza at
the [edit system] hierarchy level in the factory-default configuration also specify the
protocols to be used for IPv4 address discovery. If the interfaces statement is not
configured, all the applicable protocols for an interface are used to send out requests
on each connected Ethernet interface.
7. If an IPv4 address cannot be retrieved, the autoinstallation process starts the DHCP
server on all participating interfaces (assigns static IP address in the form of 192.168.x.1
to allow a management station to connect to the router for manual configuration)
and terminates the autoinstallation procedure.
8. If a DHCP server responds, it provides the router with some or all of the following
information:
• The location of the TFTP server on which the configuration file is stored.
• The name of the configuration file to be requested from the TFTP server.
• If the DHCP server provides configuration server hostname, a DNS server must be
available on the network to resolve the name to an IP address.
NOTE: To use HTTP or FTP server, you need to specify the URL of the
configuration server under the [edit system autoinstallation
configuration-servers] hierarchy level.
9. After an IPv4 address is retrieved for an interface, the interface is configured with that
address and the autoinstallation process starts the configuration file discovery
procedure. The autoinstallation process on the router attempts to download a
configuration file in the following methods:
a. If the configuration file is specified as a URL, the router fetches the configuration
file from the URL by using HTTP, FTP, or TFTP depending on the protocol specified
in the URL.
b. If the DHCP server specifies the host-specific configuration file (either through file
field option or boot file option or host name), the router uses that filename in the
TFTP server request. In case of host name, the configuration filename is
hostname.conf. The autoinstallation process on the new router makes unicast
TFTP request for hostname.conf. If this attempt fails, the router broadcasts the
request to any available TFTP server for the configuration file.
c. If the new router is unable locate the configuration file, the autoinstallation process
unicasts or broadcasts TFTP requests for a default router configuration file called
network.conf, which contains hostname-to-IP address mapping information, to
attempt to find its hostname.
d. If network.conf contains no hostname entry for the new router, the autoinstallation
process sends out a DNS request and attempts to resolve the new router’s IP
address to a hostname.
e. If the new router can determine its hostname, it sends a TFTP request for the
hostname.conf file.
f. If the new router is unable to map its IP address to a hostname, it sends TFTP
requests for the default configuration file router.conf.
g. After the new router locates a configuration file on a TFTP server, autoinstallation
downloads the file, installs the file on the router, and commits the configuration.
To configure the router for autoinstallation in hybrid mode, perform the following tasks:
NOTE: To reuse a configuration from another ACX Series router, save the
configuration in configuration mode as a sequence of configuration
commands on the router using the “show | display set | save <filename>”
command and then copying the <filename> to the PC or router as
juniper-config.txt.
[edit system]
user@host# set autoinstallation continue-network-mode
3. Specify the URL address of one or more network servers from which to obtain the
complete configuration.
[edit system]
user@host# set autoinstallation configuration-servers
tftp://username:password@tftpconfig.sp.com/filename.conf
[edit system]
user@host# set root-authentication encrypted-password “password”;
[edit system]
user@host# set autoinstallation interfaces ge-0/0/0 bootp
7. Plug the external USB storage device to the router’s USB port.
From configuration mode, confirm your configuration by entering the show system
autoinstallation status command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
Autoinstallation status:
Master state: Active
Last committed file: None
The ACX Series routers support time-division multiplexing (TDM) T1 and E1 interfaces
and Ethernet (1 GbE copper, 1GbE, 10 GbE, and 40 GbE fiber) interfaces to support both
the legacy and evolution needs of the mobile network. Support for Power over Ethernet
(PoE+) at 65 watts per port mitigates the need for additional electrical cabling for
microwaves or other access interfaces.
• The ACX1000 router contains eight Gigabit Ethernet ports. The ACX1000 router also
supports either four RJ45 (Cu) ports or installation of four Gigabit Ethernet small
form-factor pluggable (SFP) transceivers.
• The ACX2000 router contains 16 Gigabit Ethernet ports and two PoE ports. The
ACX2000 router also supports installation of two Gigabit Ethernet SFP transceivers
and two 10-Gigabit Ethernet SFP+ transceivers.
• T1 and E1 channelization
• T1 and E1 encapsulation
T1 and E1 mode selection is at the PIC level. To set the T1 or E1 mode at the PIC level,
include the framing statement with the t1 or e1 option at the [chassis fpc slot-number pic
slot-number] hierarchy level. All ports can be T1 or E1. Mixing T1s and E1s is not supported.
NOTE: The ACX1000 router does not support the BITS interface.
• ATM CoS
• Denied packets counter in the output for the show interfaces at-fpc/pic/port extensive
command
• Media type specification (ACX1000 router with Gigabit Ethernet SFP and RJ45
interfaces)
• Flow control
NOTE: The ACX Series router does not support flow control based on
PAUSE frames.
• Loopback
The Gigabit Ethernet ports on the router have the capacity to work as a 1 or 10-Gigabit
Ethernet interface, depending on the type of small form-factor pluggable (SFP)
transceiver inserted. When you insert an SFP+ transceiver, the interface works at the
10-Gigabit speed. When you insert an SFP transceiver, the interface works at the 1-Gigabit
speed. Configuration is not required because the speed is determined automatically
based on the type of inserted SFP transceiver. The dual-speed interface is automatically
created with the xe prefix, for example, xe-4/0/0.
The same configuration statements are used for both speeds and CoS parameters are
scaled as a percentage of the port speed. To configure a dual-speed Gigabit Ethernet
interface, include the interface xe-fpc/pic/port statement at the [edit interfaces] hierarchy
level. To display the interface speed and other details, issue the show interfaces command.
NOTE: You need to use industrial grade of SFP below 0dC for ACX 1100 and
ACX 2100 boards.
When you are configuring point-to-point connections, the MTU sizes on both sides of the
connections must be the same. Also, when you are configuring point-to-multipoint
connections, all interfaces in the subnet must use the same MTU size. For details about
encapsulation overhead, see “Encapsulation Overhead by Encapsulation Type” on page 98.
NOTE: The actual frames transmitted also contain cyclic redundancy check
(CRC) bits, which are not part of the media MTU. For example, the media
MTU for a Gigabit Ethernet Version 2 interface is specified as 1514 bytes, but
the largest possible frame size is actually 1518 bytes; you need to consider
the extra bits in calculations of MTUs for interoperability.
The physical MTU for Ethernet interfaces does not include the 4-byte frame
check sequence (FCS) field of the Ethernet frame.
If you do not configure an MPLS MTU, the Junos OS derives the MPLS MTU
from the physical interface MTU. From this value, the software subtracts the
encapsulation-specific overhead and space for the maximum number of
labels that might be pushed in the Packet Forwarding Engine. Currently, the
software provides for three labels of four bytes each, for a total of 12 bytes.
In other words, the formula used to determine the MPLS MTU is the following:
If you configure an MTU value by including the mtu statement at the [edit
interfaces interface-name unit logical-unit-number family mpls] hierarchy level,
the configured value is used.
If you change the size of the media MTU, you must ensure that the size is equal to or
greater than the sum of the protocol MTU and the encapsulation overhead.
You configure the protocol MTU by including the mtu statement at the following hierarchy
levels:
If you configure the protocol MTU at any of these hierarchy levels, the configured value
is applied to all families that are configured on the logical interface.
NOTE: If you are configuring the protocol MTU for both inet and inet6 families
on the same logical interface, you must configure the same value for both
the families. It is not recommended to configure different MTU size values
for inet and inet6 families that are configured on the same logical interface.
802.1Q/Ethernet 802.3 21
802.1Q/Ethernet version 2 18
Cisco HDLC 4
Ethernet 802.3 17
Ethernet SNAP 22
Ethernet version 2 14
Frame Relay 4
PPP 4
VLAN CCC 4
VLAN VPLS 4
VLAN TCC 22
Table 17: Media MTU Sizes by Interface Type for ACX Series Routers
Default Media Maximum MTU Default IP Protocol
Interface Type MTU (Bytes) (Bytes) MTU (Bytes)
The loopback address (lo0) has several uses, depending on the particular Junos feature
being configured. It can perform the following functions:
• Device identification—The loopback interface is used to identify the device. While any
interface address can be used to determine if the device is online, the loopback address
is the preferred method. Whereas interfaces might be removed or addresses changed
based on network topology changes, the loopback address never changes.
When you ping an individual interface address, the results do not always indicate the
health of the device. For example, a subnet mismatch in the configuration of two
endpoints on a point-to-point link makes the link appear to be inoperable. Pinging the
interface to determine whether the device is online provides a misleading result. An
interface might be unavailable because of a problem unrelated to the device's
configuration or operation.
The Internet Protocol (IP) specifies a loopback network with the (IPv4) address
127.0.0.0/8. Most IP implementations support a loopback interface (lo0) to represent
the loopback facility. Any traffic that a computer program sends on the loopback network
is addressed to the same computer. The most commonly used IP address on the loopback
network is 127.0.0.1 for IPv4 and ::1 for IPv6. The standard domain name for the address
is localhost.
The device also includes an internal loopback address (lo0.16384). The internal loopback
address is a particular instance of the loopback address with the logical unit number
16384. Junos OS creates the loopback interface for the internal routing instance. This
interface prevents any filter on lo0.0 from disrupting internal traffic.
15.1X49-D10 Starting with Junos OS Release 15.1X49-D10, the special loopback interface
is no longer supported on SRX300, SRX320, SRX340, SRX345, and
SRX550HM devices. Refer Special Interfaces for more details on special
loopback interface.
NOTE: For Layer 3 virtual private networks (VPNs), you can configure multiple
logical units for the loopback interface. This allows you to configure a logical
loopback interface for each virtual routing and forwarding (VRF) routing
instance. For more information, see the Junos OS VPNs Library for Routing
Devices.
For some applications, such as SSL for Junos XML protocol, the address for
the interface lo0.0 must be 127.0.0.1.
You can configure loopback interfaces using a subnetwork address for both inet and
inet6 address families. Many protocols require a subnetwork address as their source
address. Configuring a subnetwork loopback address as a donor interface enables these
protocols to run on unnumbered interfaces.
If you configure the loopback interface, it is automatically used for unnumbered interfaces.
If you do not configure the loopback interface, the router chooses the first interface to
come online as the default. If you configure more than one address on the loopback
interface, we recommend that you configure one to be the primary address to ensure
that it is selected for use with unnumbered interfaces. By default, the primary address is
used as the source address when packets originate from the interface.
On the router, you can configure one physical loopback interface, lo0, and one or more
addresses on the interface.
1. To configure the physical loopback interface, include the following statements at the
[edit interfaces] hierarchy level:
[edit interfaces]
lo0 {
unit 0 {
family inet {
address loopback-address;
address <loopback-address2>;
...
}
family inet6 {
address loopback-address;
}
}
}
Example: Configuring Two Addresses on the Loopback Interface with Host Routes
To configure two addresses on the loopback interface with host routes:
[edit]
user@host# edit interfaces lo0 unit 0 family inet
[edit interfaces lo0 unit 0 family inet]
user@host# set address 172.16.0.1
[edit interfaces lo0 unit 0 family inet]
user@host# set address 10.0.0.1
[edit interfaces lo0 unit 0 family inet]
user@host# top
[edit]
user@host# show
interfaces {
lo0 {
unit 0 {
family inet {
10.0.0.1;
127.0.0.1;
172.16.0.1;
}
}
}
}
Example: Configuring Two Addresses on the Loopback Interface with Subnetwork Routes
To configure two addresses on the loopback interface with subnetwork routes:
[edit]
user@host# edit interfaces lo0 unit 0 family inet
[edit interfaces lo0 unit 0 family inet]
user@host# set address 192.16.0.1/24
[edit interfaces lo0 unit 0 family inet]
user@host# set address 10.2.0.1/16
[edit interfaces lo0 unit 0 family inet]
user@host# top
[edit]
user@host# show
interfaces {
lo0 {
unit 0 {
family inet {
10.2.0.1/16;
127.0.0.1/32;
192.16.0.1/24;
}
}
}
}
Example: Configuring an IPv4 and an IPv6 Address on the Loopback Interface with Subnetwork
Routes
To configure an IPv4 and an IPv6 address on the loopback interface with subnetwork
routes:
[edit]
user@host# edit interfaces lo0 unit 0 family inet
[edit interfaces lo0 unit 0 family inet]
user@host# set address 192.16.0.1/24
[edit interfaces lo0 unit 0 family inet]
user@host# up
[edit interfaces lo0 unit 0 family]
user@host# edit interfaces lo0 unit 0 family inet6
[edit interfaces lo0 unit 0 family inet6]
user@host# set address 3ffe::1:200:f8ff:fe75:50df/64
[edit interfaces lo0 unit 0 family inet6]
user@host# top
[edit]
user@host# show
interfaces {
lo0 {
unit 0 {
family inet {
127.0.0.1/32;
192.16.0.1/24;
}
family inet6 {
3ffe::1:200:f8ff:fe75:50df/64;
}
}
}
}
The following topics are general topics about the way encapsulation works on interfaces
and the Junos OS. For the ACX Series routers, keep the following points in mind when
referring to these topics:
• Not all encapsulation types or features are supported on the ACX Series routers, refer
to the documentation about the specific statement or feature for support details.
NOTE:
• When you configure the Tri-Rate Ethernet copper interface to operate at
1 Gbps, autonegotiation must be enabled.
For ACX Series routers, BERT is supported on ct1 and ce1 interfaces. The following BERT
algorithms are supported:
• all-ones-repeating
• all-zeros-repeating
• alternating-double-ones-zeros
• alternating-ones-zeros
• repeating-1-in-4
• repeating-1-in-8
• repeating-3-in-24
• pseudo-2e11-o152
• pseudo-2e15-o151
• pseudo-2e20-o151
The Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP is a channelized
circuit emulation MIC with rate-selectability. Its port speed can be specified as
COC3-CSTM1 or COC12-CSTM4. The default port speed is COC3-CSTM1.
Table 18: Platform Support for Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with
SFP
Interface Name Model Number Platform Supported Junos OS Release
• Pseudowire Emulation Edge to Edge (PWE3) control word for use over an MPLS
packet-switched network (PSN)
Related • Configuring SAToP on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with
Documentation SFP
• Superframe (D4)
• Unframed
• Clear channel and NxDS0 channelization. For T1 the value of N ranges from 1 through
24 and for E1 the value of N ranges from 1 through 31.
• Diagnostic features:
• T1/E1
• ATM pseudowires
• ATM (IMA) protocol at the T1/E1 level with up to 4 IMA groups. Each group can have 1
to 8 IMA links.
NOTE: ACX5048 and ACX5096 routers do not support T1/E1 interfaces and
related features.
Synchronous Ethernet is supported on the ACX Series routers with Gigabit Ethernet and
10-Gigabit Ethernet SFP and SFP+ transceivers and is compliant with ITU-T
Recommendation G.8261: Timing and synchronization aspects in packet networks and
ITU-T Recommendation G8264: Distribution of timing through packet
networks.Synchronous Ethernet is a physical layer frequency transfer technology modeled
The ITU-T G.8264 specification defines the Synchronization Status Message (SSM)
protocol and its format for Synchronous Ethernet to ensure interoperability between
Synchronous Ethernet equipment used for frequency transfer—for example, SONET/SDH.
Synchronous Ethernet provides stable frequency synchronization to a PRC and is not
affected by load on the network. However, it requires that all the nodes from the PRC to
the last downstream node are Synchronous Ethernet capable. Synchronous Ethernet is
a recommended technology for mobile networks that require frequency-only
synchronization—for example, 2G or 3G base stations.
• A pair of customer edge (CE) devices operate as though they were connected by an
emulated E1 or T1 circuit, which reacts to the alarm indication signal (AIS) and remote
alarm indication (RAI) states of the devices’ local attachment circuits.
• The PSN carries only an NxDS0 service, where N is the number of actually used time
slots in the circuit connecting the pair of CE devices, thus saving bandwidth.
Related • Configuring TDM CESoPSN on ACX Series Routers Overview on page 108
Documentation
• Configuring CESoPSN Encapsulation on DS Interfaces on page 205
CESoPSN features are supported on Juniper Networks ACX Series Universal Access
Routers:
Protocol Support
All protocols that support Structure-Agnostic TDM over Packet (SAToP) support
CESoPSN NxDS0 interfaces.
Packet Latency
The time required to create packets (from 1000 through 8000 microseconds).
CESoPSN Encapsulation
The following statements are supported at the [edit interfaces interface-name] hierarchy
level:
CESoPSN Options
The following statements are supported at the [edit interfaces interface-name
cesopsn-options] hierarchy level:
• idle-pattern pattern
• jitter-buffer-latency milliseconds
• jitter-buffer-packets packets
• packetization-latency microseconds
show Commands
The show interfaces interface-name extensive command is supported for t1, e1, and at
interfaces.
CESoPSN Pseudowires
CESoPSN pseudowires are configured on the logical interface, not on the physical
interface. So the unit logical-unit-number statement must be included in the configuration
at the [edit interfaces interface-name] hierarchy level. When you include the unit
logical-unit-number statement, circuit cross-connect (CCC) for the logical interface is
created automatically.
Figure 14 on page 111 shows a packet-switched network (PSN) in which two PE routers
(PE1 and PE2) provide one or more pseudowires to customer edge (CE) routers (CE1 and
CE2), establishing a PSN tunnel to provide a data path for the pseudowire.
g016956
Attachment Circuit PSN tunnel Attachment Circuit
Pseudowire 1
CE1 PE1 PE2 CE2
Pseudowire 2
Pseudowire traffic is invisible to the core network, and the core network is transparent
to the CEs. Native data units (bits, cells, or packets) arrive via the attachment circuit, are
encapsulated in a pseudowire protocol data unit (PDU), and carried across the underlying
network via the PSN tunnel. The PEs perform the necessary encapsulation and the
decapsulation of the pseudowire PDUs and handle any other function required by the
pseudowire service, such as sequencing or timing.
Ethernet ring protection switching (ERPS) helps achieve high reliability and network
stability. Links in the ring will never form loops that fatally affect the network operation
and services availability. The basic idea of an Ethernet ring is to use one specific link to
protect the whole ring. This special link is called a ring protection link (RPL). If no failure
happens in other links of the ring, the RPL blocks the traffic and is not used. The RPL is
controlled by a special node called an RPL owner. There is only one RPL owner in a ring.
The RPL owner is responsible for blocking traffic over the RPL. Under ring failure conditions,
the RPL owner is responsible for unblocking traffic over the RPL. A ring failure results in
protection switching of the RPL traffic. An automatic protection switching (APS) protocol
is used to coordinate the protection actions over the ring. Protection switching blocks
traffic on the failed link and unblocks the traffic on the RPL. When the failure clears,
revertive protection switching blocks traffic over the RPL and unblocks traffic on the link
on which the failure is cleared.
Acronyms
The following acronyms are used in the discussion about Ethernet ring protection switching
(ERPS):
• MA—Maintenance association
• WTB—Wait to block
• WTR—Wait to restore
Ring Nodes
Multiple nodes are used to form a ring. There are two different node types:
• RPL owner node—The node owns the RPL and blocks or unblocks traffic over the RPL.
• idle—No failure on the ring; the node is performing normally. For a normal node, traffic
is unblocked on both ring ports. For the RPL owner or RPL neighbor, traffic is blocked
on the ring port that connects to the RPL and unblocked on the other ring port.
• protection—A failure occurred on the ring. For a normal node, traffic is blocked on the
ring port that connects to the failing link and unblocked on working ring ports. For the
RPL owner, traffic is unblocked on both ring ports if they connect to non-failure links.
• pending—The node is recovering from failure or its state after a clear command is used
to remove the previous manual command. When a protection group is configured, the
node enters the pending state. When a node is in pending state, the WTR or WTB timer
will be running. All nodes are in pending state till WTR or WTB timer expiry.
• force switch—A force switch is issued. When a force switch is issued on a node in the
ring all nodes in the ring will move into the force switch state.
• manual switch—A manual switch is issued. When a manual switch is issued on a node
in the ring all nodes in the ring will move into the manual switch state.
There can be only one RPL owner for each ring. The user configuration must guarantee
this, because the APS protocol cannot check this.
The basic state transitions are logged in a single file named erp-default, which resides in
the /var/log directory of the switch. The maximum size of this file is 15 MB.
Default logging for ERPS can capture initial ERPS interface and state transitions, which
can help you troubleshoot issues that occur early in the ERPS protocol startup process.
However, if more robust logging is needed, you can enable traceoptions for ERPS by
entering the traceoptions statement in the [edit protocols protection-group] hierarchy.
Be aware that for ERPS, only default logging or traceoptions can be active at a time on
the switch. That is, default logging for ERPS is automatically enabled and if you enable
traceoptions for ERPS, the switch automatically disables default logging. Conversely, if
you disable traceoptions for ERPS, the switch automatically enables default logging.
Failure Detection
Ethernet ring operation depends on quick and accurate failure detection. The failure
condition signal failure (SF) is supported. For SF detection, an Ethernet continuity check
MEP must be configured for each ring link. For fast protection switching, a 10-ms
transmission period for this MEP group is supported. OAM monitors the MEP group's MA
and reports SF or SF clear events to the Ethernet ring control module. For this MEP group,
the action profile must be configured to update the interface device IFF_LINKDOWN flag.
OAM updates the IFF_LINKDOWN flag to notify the Ethernet ring control module.
Logical Ring
You can define multiple logical-ring instances on the same physical ring. The logical ring
feature currently supports only the physical ring, which means that two adjacent nodes
of a ring must be physically connected and the ring must operate on the physical interface,
not the VLAN. Multiple ring instances are usually defined with trunk mode ring interfaces.
FDB Flush
When ring protection switching occurs, normally an FDB flush is executed. The Ethernet
ring control module uses the same mechanism as the STP to trigger the FDB flush. The
Ethernet ring control module controls the ring port physical interface's default STP index
to execute the FDB flush.
Starting with Junos OS Release 14.2, the FDB flush depends on the RAPS messages
received on the both the ports of the ring node.
g017271
(01-19-a7-00-00-01)
Figure 16: Protocol Packets from the Router or Switch to the Network
east ring port (STP index state does not apply)
Juniper Networks switches and Juniper Networks routers use different methods to achieve
these routes.
The switches use forwarding database entries to direct the RAPS messages. The
forwarding database entry (keyed by the RAPS multicast address and VLAN) has a
composite next hop associated with it—the composite next hop associates the two ring
interfaces with the forwarding database entry and uses the split horizon feature to prevent
sending the packet out on the interface that it is received on. This is an example of the
forwarding database entry relating to the RAPS multicast MAC (a result of the show
ethernet-switching table detail command):
The routers use an implicit filter to achieve ERP routes. Each implicit filter binds to a
bridge domain. Therefore, the east ring port control channel and the west ring port control
channel of a particular ring instance must be configured to the same bridge domain. For
each ring port control channel, a filter term is generated to control RAPS message
forwarding. The filter number is the same as the number of bridge domains that contain
the ring control channels. If a bridge domain contains control channels from multiple
rings, the filter related to this bridge domain will have multiple terms and each term will
relate to a control channel. The filter has command parts and control-channel related
parts, as follows:
• Common terms:
node must drop the RAPS message if the source MAC address in the RAPS message
belongs to itself. The source MAC address is the node's node ID.
Multiple Rings
The Ethernet ring control module supports multiple rings in each node (two logical
interfaces are part of each ring). The ring control module also supports the interconnection
of multiple rings. Interconnection of two rings means that two rings might share the same
link or share the same node. Ring interconnection is supported only using
non-virtual-channel mode. Ring interconnection using virtual channel mode is not
supported.
Node ID
For each node in the ring, a unique node ID identifies each node. The node ID is the node's
MAC address.
For routers only, you can configure this node ID when configuring the ring on the node or
automatically select an ID like STP does. In most cases, you will not configure this and
the router will select a node ID, like STP does. It should be the manufacturing MAC address.
The ring node ID should not be changed, even if you change the manufacturing MAC
address. Any MAC address can be used if you make sure each node in the ring has a
different node ID. The node ID on switches is selected automatically and is not
configurable.
Ring ID
The ring ID is used to determine the value of the last octet of the MAC destination address
field of the RAPS protocol data units (PDUs) generated by the ERP control process. The
ring ID is also used to discard any RAPS PDU, received by this ERP control process with
a non-matching ring ID. Ring ID values 1 through 239 are supported.
Bridge Domains with the Ring Port (MX Series Routers Only)
On the routers, the protection group is seen as an abstract logical port that can be
configured to any bridge domain. Therefore, if you configure one ring port or its logical
interface in a bridge domain, you must configure the other related ring port or its logical
interface to the same bridge domain. The bridge domain that includes the ring port acts
as any other bridge domain and supports the IRB Layer 3 interface.
Wait-to-Block Timer
The RPL owner node uses a delay timer before initiating an RPL block in revertive mode
of operation or before reverting to IDLE state after clearing manual commands. The
Wait-to-Block (WTB) timer is used when clearing force switch and manual switch
commands. As multiple force switch commands are allowed to coexist in an Ethernet
ring, the WTB timer ensures that clearing of a single force switch command does not
trigger the re-blocking of the RPL. When clearing a manual switch command, the WTB
timer prevents the formation of a closed loop due to a possible timing anomaly where
the RPL Owner Node receives an outdated remote manual switch request during the
recovery process.
When recovering from a manual switch command, the delay timer must be long enough
to receive any latent remote force switch, signal failure, or manual switch commands.
This delay timer is called the WTB timer and is defined to be 5 seconds longer than the
guard timer. This delay timer is activated on the RPL Owner Node. When the WTB timer
expires, the RPL Owner Node initiates the reversion process by transmitting an RAPS
(NR, RB) message. The WTB timer is deactivated when any higher-priority request
preempts it.
14.2 Starting with Junos OS Release 14.2, the FDB flush depends on the RAPS
messages received on the both the ports of the ring node.
14.2 Starting with Junos OS Release 14.2, ring protection link neighbor nodes are
supported.
14.2 Starting with Junos OS Release 14.2, you can add or remove a node between
two nodes in an Ethernet ring.
protection-group {
ethernet-ring ring-name (
node-id mac-address;
ring-protection-link-owner;
east-interface {
control-channel channel-name {
ring-protection-link-end;
}
west-interface {
node-id mac-address;
control-channel channel-name {
ring-protection-link-end;
}
data-channel {
vlan number;
}
guard-interval number;
restore-interval number;
}
}
For each ring, a protection group must be configured. There may be several rings in each
node, so there should be multiple protection groups corresponding to the related Ethernet
rings.
This example describes how to configure Ethernet ring protection switching on an ACX
Series router:
Requirements
This example uses the following hardware and software components:
ge-1/0/4 ge-1/0/3
g017272
node 3
The configuration in this section is only for the RAPS channel. The bridge domain for user
traffic is the same as the normal bridge domain. The only exception is if a bridge domain
includes a ring port, then it must also include the other ring port of the same ring.
}
vlans {
vlan1 {
interface ge-1/2/4.1;
interface ge-1/0/1.1;
}
vlan100 {
interface ge-1/2/4.100;
interface ge-1/0/1.100;
}
}
protocols {
protection-group {
ethernet-ring pg101 {
ring-id 101;
compatibility-version 2;
node-id 00:01:01:00:00:01;
ring-protection-link-owner;
east-interface {
control-channel ge-1/0/1.1;
ring-protection-link-end;
}
west-interface {
control-channel ge-1/2/4.1;
}
data-channel vlan 100;
}
}
}
protocols {
oam {
ethernet {
connectivity-fault-management {
action-profile rmep-defaults {
default-action {
interface-down;
}
}
maintenance-domain d1 {
level 0;
maintenance-association 100 {
mep 1 {
interface ge-1/0/1;
remote-mep 2 {
action-profile rmep-defaults;
}
}
}
}
maintenance-domain d2 {
level 0;
maintenance-association 100 {
mep 1 {
interface ge-1/2/4;
remote-mep 2 {
action-profile rmep-defaults;
}
}
}
}
}
}
}
}
}
2. Configuring Node 2
interfaces {
ge-1/0/2 {
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 1 {
encapsulation vlan-bridge;
vlan-id 1;
}
unit 100 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
ge-1/2/1 {
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 1 {
encapsulation vlan-bridge;
vlan-id 1;
}
unit 100 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
vlans {
vlan1 {
interface ge-1/2/1.1;
interface ge-1/0/2.1;
}
vlan100 {
interface ge-1/2/1.100;
interface ge-1/0/2.100;
}
}
protocols {
protection-group {
ethernet-ring pg102 {
ring-id 102;
compatibility-version 2;
node-id 00:01:01:00:00:01;
east-interface {
control-channel ge-1/0/2.1;
}
west-interface {
control-channel ge-1/2/1.1;
}
data-channel vlan 100;
}
}
}
protocols {
oam {
ethernet {
connectivity-fault-management {
action-profile rmep-defaults {
default-action {
interface-down;
}
}
maintenance-domain d1 {
level 0;
maintenance-association 100 {
mep 1 {
interface ge-1/0/2;
remote-mep 2 {
action-profile rmep-defaults;
}
}
}
}
maintenance-domain d2 {
level 0;
maintenance-association 100 {
mep 1 {
interface ge-1/2/1;
remote-mep 2 {
action-profile rmep-defaults;
}
}
}
}
}
}
}
}
}
3. Configuring Node 3
interfaces {
ge-1/0/4 {
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 1 {
encapsulation vlan-bridge;
vlan-id 1;
}
unit 100 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
ge-1/0/3 {
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 1 {
encapsulation vlan-bridge;
vlan-id 1;
}
unit 100 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
vlans {
vlan1 {
interface ge-1/0/4.1;
interface ge-1/0/3.1;
}
vlan100 {
interface ge-1/0/4.100;
interface ge-1/0/3.100;
}
}
protocols {
protection-group {
ethernet-ring pg104 {
ring-id 104;
compatibility-version 2;
node-id 00:01:01:00:00:01;
east-interface {
control-channel ge-1/0/3.1;
}
west-interface {
control-channel ge-1/0/4.1;
}
data-channel vlan 100;
}
}
}
protocols {
oam {
ethernet {
connectivity-fault-management {
action-profile rmep-defaults {
default-action {
interface-down;
}
}
maintenance-domain d1 {
level 0;
maintenance-association 100 {
mep 1 {
interface ge-1/0/4;
remote-mep 2 {
action-profile rmep-defaults;
}
}
}
}
maintenance-domain d2 {
level 0;
maintenance-association 100 {
mep 1 {
interface ge-1/0/3;
remote-mep 2 {
action-profile rmep-defaults;
}
}
}
}
}
}
}
}
}
Examples: Ethernet This section provides output examples based on the configuration shown above. The
RPS Output show commands used in these examples can help verify configuration and correct
operation.
If the ring has no failure, the show command will have the following output for Node 1:
If the ring has a link failure between Node 2 and Node 3, the show command will have
the following outputs for Node 1:
RAPS received : 1
Local SF happened: : 0
Remote SF happened: : 1
NR event happened: : 0
NR-RB event happened: : 1
Under normal operating conditions, when Ethernet ring protection is configured correctly,
the ring protection link (RPL) owner (Router 1 in the configuration example) will see the
following:
Note that the ring protection link is blocked and the node is marked as the originator of
the protection.
Note that the protection interface is discarding while the other interface is forwarding.
Note that only minimal RAPS messages have been sent to establish the ring.
Under normal operating conditions, the other routers on the ring (Router 2 and Router
3) will see the following similar output:
Note that both interfaces are forwarding. Router 3 will see almost identical information.
Note that Router 2 is not the owner. Router 3 will see almost identical information.
• Example: Viewing Ethernet Ring Protection Status—Ring Failure Condition on page 129
This section assumes that Ethernet ring protection is configuring correctly, that Router
1 is the ring protection link (RPL) owner, and that there is a link failure between Router 2
and Router 3 in the configuration example.
Note that the ring protection link is no longer blocked and the node is no longer marked
as originator.
Note that the protection interface is now forwarding (so is the other interface).
Note that the R-APS messages have recorded the remote failure.
Under a failure condition, the other routers on the ring (Router 2 and Router 3) will see
the following similar output:
Note the failure event (SF). Router 3 will see almost identical information.
Note that the failed interface (ge-1/0/2.1) is not forwarding. Router 3 will see almost
identical information.
Note that Router 2 is not the owner. Router 3 will see almost identical information.
Note that the R-APS messages have recorded the remote failure. Router 3 will see almost
identical information.
• Example: Viewing Ethernet Ring Protection Status—Normal Ring Operation on page 127
You can configure Ethernet ring protection switching (ERPS) on ACX Series routers to
achieve high reliability and network stability. Links in the ring will never form loops that
fatally affect the network operation and services availability. The basic idea of an Ethernet
ring is to use one specific link to protect the whole ring. This special link is called a ring
protection link (RPL). If no failure happens in other links of the ring, the RPL blocks the
traffic and is not used. The RPL is controlled by a special node called an RPL owner.
A ring with only one port is supported. In such a scenario, only one port is configured for
a ring when two nodes are present. Use the interface-none statement to designate a port
to be not used for Ethernet ring protection. You can configure a ring port over LAG
interfaces.
ITU G.8031 Ethernet automatic protection switching (APS) and ERPS version 2 are not
supported. Also, you cannot configure ACX Series routers as trunk ports or access ports
in an Ethernet ring.
Multiple Ethernet ring instances that share the same physical ring are supported. Each
ring instance will have its own control channel and a specific data channel. You can
configure the data channel with a set of data VLAN IDs that belong to a ring instance.
Each ring instance can follow a different path to perform load balancing in the physical
ring. If you do not specify a data channel, ERPS operates on the VLAN ID associated with
the control channel. There is no limit to the number of VLAN IDs that you can configure
for a data channel.
Keep the following points in mind when you configure ERPS for ACX Series routers:
• The logical interfaces that you define for a control channel must be part of the same
bridge domain.
• Each VLAN that you configure in a data channel signifies an independent bridge domain.
• The traffic that is blocked on a ring port is the same for all the bridge domains that are
associated with the same control channel. When a topology change happens, the
forwarding databases of all these bridge domains are cleared.
• You cannot configure spanning-tree protocol (STP) (such as MSTP, RSTP, VSTP and
STP) and ERP on the same set of interfaces. However, ERP and Per-VLAN Spanning
Tree (PVST) can be configured on the same topology as long as PVST does not share
the same VLAN with any Ethernet ring instance configured on the physical port.
• You cannot configure STP and ERPS in the same bridge domain. Consider a sample
scenario in which a dual-homed customer edge (CE) router is connected to two ACX
Series routers, which function as provider edge (PE) devices. In such a topology, you
can configure either STP or an ERPS open ring to enable dual-homing functionality.
You can configure STP between the CE and the user-to-network interface (UNI) ports
of the two PE devices. Alternatively, if the CE router supports ERPS, you can configure
an open ring in the CE network.
• In the event of a single failure, switching times on all ACX routers is less than 100
milliseconds.
• The following parameters can impact the performance of the system based on your
network configuration:
• Number of ring instances corresponding to the ring that is impacted by the failure
• The ERPS control packets are copied to the CPU (Ethernet ring control module) only
when the VLAN ID and destination address of the packet matches with the values of
the RAPS message. Otherwise, the control packet is treated as a regular service frame
and forwarded accordingly. The packets that are copied to the CPU are queued in the
specified CPU queue, which is rate-limited. This mechanism ensures that a possible
Denial-of-Service (DoS) attack does not significantly impact the system. If a DoS
attack is detected, a firewall filter on the affected logical interfaces can be configured
in the bridge domain.
• For fast detection required for switchover within 50 milliseconds, we recommend that
you configure connectivity fault management (CFM) link-level MEPs with an interval
of 10 milliseconds for the duration between the transmission of CFM messages. This
link-level MEP can be used to trigger switchovers for all ring instances that share a
physical ring.
• Forwarding and flush mechanisms are common for STP and ERP.
• The maximum number of physical rings supported on different ACX Series routers is
as follows:
• The maximum number of ring instances supported on different ACX Series routers is
as follows:
ACX2000, ACX2100, and ACX4000 routers support the Dual Rate SFP+ optic modules.
These modules operate at either 1 Gbps or 10 Gbps speeds. When you plug in the module
to the small form-factor pluggable plus (SFP+) slot, the module can be set at either 1
Gbps or 10 Gpbs. Such a module support on ACX routers enables users to provision ACX
devices in network topologies utilising their existing 1 GE infrastructure and when the
network circuits are upgraded to a speed of 10 Gbps, a configuraiton change can be
performed without the need to extensively, separately maintain and configure every
single site device that requires an upgrade. Using Dual Rate SFP+ modules, you can
perform a seamless, smooth transition in such upgraded networks, thereby negating the
need to perform a bulk change in the networking gear of multiple service operators
(MSOs) that require upgrade to operate at 10 GE speed. Dual Rate SFP+ Support is
applicable only for 10-Gigabit Ethernet (xe) fiber ports and not for 1-Gigabit Ethernet
(ge) fiber (SFP) and copper ports.
NOTE: ACX5048 and ACX5096 routers do not support the Dual Rate SFP+
optic modules.
ACX routers use 2-port 10-Gigabit Ethernet (LAN) SFP+ MIC (2x 10GE(LAN) SFP+) in
the following two combinations:
To configure an xe port in 1GE mode , use the set interfaces xe-x/y/z speed 1g statement.
To configure an xe port in 10GE mode, use the set interfaces xe-x/y/z speed 10g statement.
To unconfigure an xe port in 1GE mode, use the delete interfaces xe-x/y/z speed 1g
statement. To unconfigure an xe port in 10GE mode, use the delete interfaces xe-x/y/z
speed 10g statement. The default speed mode of 1GE is used when you plug in a dual-rate
SFP+ module. You must use set interfaces xe-x/y/z speed (1g | 10g) statement to configure
1GE or 10GE speed mode only for dual-rate SFP+ optic modules. You must not use the
speed (1g | 10g) option with other optics of fixed speed plugged into the xe port.
740-051414 SFP+, 10GE-SR/GE-SX, MMF 300m, 850nm, 0~70C, 1.0W, FTLX8571D3BCV-J1 (0–70°)
DDM, Beige Latch, 2xLC
740-051415 SFP+, 10GE-LR/GE-LX, SMF 10Km, 1310nm, -5~70C, 1.0W, FTLX1471D3BCV-J1 (-5–70°)
DDM, Blue Latch, 2xLC
You can configure the SFP+ ports with the requested speed (1 GE or 10 GE) by using the
set interfaces xe-x/y/z speed (1g | 10g) statement at the [edit] hierarchy level. Dual Rate
SFP+ registers are preprogrammed with the autonegotiation settings and the underlying
physical layer (PHY) is defined with the required settings for the mode it is selected (1GE
or 10GE). You must unconfigure the speed that was defined earlier on Dual Rate SFP+
plugged into the XE port before replacing the optics in the port with a different type of
optic. Default speed of XE ports is changed from 10GE to 1GE (1000m Mbps) during a
Link Down state.
Junos OS for ACX5000 Universal Access Routers supports 10 Mbps, 100 Mbps and 1
Gbps speeds for SFP-FE-ET model.
To configure the speed on the interfaces with these tri-rate SFPs, include the speed CLI
statement at the [edit interfaces interface-name] hierarchy level. Auto speed not supported
in ACX5000 Series routers.
To verify the speed set for a configured interface, use the show interfaces interface-name
extensive | grep speed command.
The following is a sample output for show interfaces interface-name extensive | grep speed
command:
Link-level type: Ethernet, MTU: 9192, LAN-PHY mode, Link-mode: Full-duplex, Speed:
100mbps, BPDU Error: None,
Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK,
Link partner Speed: 100 Mbps
Logical tunnel (lt-) interfaces provide quite different services depending on the host
router:
• On M Series, MX Series, and T Series routers, logical tunnel interfaces allow you to
connect logical systems, virtual routers, or VPN instances. M Series and T Series routers
must be equipped with a Tunnel Services PIC or an Adaptive Services Module (only
available on M7i routers). MX Series routers must be equipped with a Trio MPC/MIC
module. For more information about connecting these applications, see the Junos OS
VPNs Library for Routing Devices.
• On SRX Series Services Gateways, the logical tunnel interface is used to interconnect
logical systems. See the Junos OS Logical Systems Configuration Guide for Security
Devices.
• On ACX Series routers, logical tunnel interfaces allow you to connect a bridge domain
and a pseudowire. Logical systems are not supported on ACX Series routers.
For M Series, MX Series, and T Series routers, see the following section:
lt-fpc/pic/port {
unit logical-unit-number {
encapsulation encapsulation;
peer-unit unit-number; # peering logical system unit number
dlci dlci-number;
family (inet | inet6 | iso | mpls);
}
}
• [edit interfaces]
• You can configure each logical tunnel interface with one of the following encapsulation
types: Ethernet, Ethernet circuit cross-connect (CCC), Ethernet VPLS, Frame Relay,
Frame Relay CCC, VLAN, VLAN CCC, or VLAN VPLS.
• You can configure the IP, IPv6, International Organization for Standardization (ISO),
or MPLS protocol family.
• Do not reconfigure a logical tunnel interface that is an anchor point with pseudowire
devices stacked above it unless you first deactivate all broadband subscribers that are
using the pseudowire subscriber interface.
• The peering logical interfaces must belong to the same logical tunnel interface derived
from the Tunnel Services PIC or Adaptive Services Module.
• You can configure only one peer unit for each logical interface. For example, unit 0
cannot peer with both unit 1 and unit 2.
• To enable the logical tunnel interface, you must configure at least one physical interface
statement.
• Logical tunnels are not supported with Adaptive Services, Multiservices, or Link Services
PICs (but they are supported on the Adaptive Services Module on M7i routers, as noted
above).
• On M Series routers other than the M40e router, logical tunnel interfaces require an
Enhanced Flexible PIC Concentrator (FPC).
• On MX Series routers, logical tunnel interfaces require Trio MPC/MIC modules. They
do not require a Tunnel Services PIC in the same system.
For more information about configuring logical systems, see the Junos OS Routing
Protocols Library.
Observe the following guidelines while configuring logical tunnel (lt-) interfaces on ACX
Series routers:
• You can use a logical tunnel interface to connect only bridge domains and pseudowires.
• Only one logical tunnel (physical interface) per bandwidth type (1 Gbps or 10 Gbps)
can be configured on ACX routers. However, you can specify up to two logical tunnel
interfaces (one with 1 Gb bandwidth and another with 10 Gb bandwidth) on ACX routes.
• Guaranteed bandwidth for logical tunnels is 1 Gbps and certain platforms support up
to an additional 10 Gbps bandwidth. All the services configured using logical tunnel
interfaces share this bandwidth.
The bandwidth configured on the logical tunnel interface is shared between upstream
and downstream traffic on that interface. The effective bandwidth available for the
service is half the configured bandwidth.
• You can configure Ethernet VLAN, Ethernet CCC, VLAN bridge on Ethernet interfaces,
and VLAN on circuit cross-connects (CCC) as encapsulation types on logical tunnel
interfaces. Other encapsulation types such as Ethernet, VLAN, Ethernet VPLS, or VLAN
VPLS are not supported.
• When the encapsulation configured on the logical interface units is one of the supported
types such as Ethernet VLAN or VLAN bridge, you can enable only bridge domains or
CCC protocols on logical tunnel interfaces. Other address families or protocols such
as IPv4, IPv5, MPLS, or OSPF are not supported.
• Classifier, rewrite and ingress policer configuration are supported on logical tunnel
interfaces. Fixed, BA-based, and multifield classifiers are supported on the lt- interfaces
at the physical interface-level.
802.1p, 802.1ad, TOS and DSCP based BA classifiers are supported. Remarking rules
can be configured at the port level on the LT interface. 802.1p, 802.1ad, TOS and DSCP
fields in the packet can be rewritten in the LT interface. Ingress policers are supported.
Simple, Single-rate tricolor marking (srTCM), two-rate tricolor marking (trTCM) policers
are supported. Egress policers are not supported.
• Default classifiers do not work properly when lt- interfaces are configured on
non-Ethernet PICs.
• Port-level queuing is supported; up to eight queues per lt- interface are supported.
These eight queues are shared between the upstream and downstream traffic traversing
through the lt- interface. If the configured bandwidth on the lt- interface is not adequate
for the upstream and downstream traffic of the services configured on the interface,
a failure occurs with traffic propagation because multiple lt- interfaces are not
supported.
• Eight forwarding classes (0-7) are mapped to the eight queues based on the global
system configuration. The remainder of the scheduler configuration, buffer-size,
transmit-rate, shaping-rate, priority and WRED or drop profiles maps can be configured
on the lt- interface queues.
All firewall configurations are supported. The scaling limitation with such filters is the
same as the existing firewall filter restrictions.
• Similar to other physical interfaces, the number of logical interfaces that can be
supported on logical tunnel physical interfaces is 30.
• When a bridge domain is configured with a VLAN ID (bridge domain has normalized
VLANs), the difference is behavior between MX and ACX Series routers is that the MX
router does not match the user-vlan-id in output filter, whereas the ACX router matches
the user-vlan-id specified in the output filter.
• If the logical tunnel interface is created using non Ethernet PICs, then default classifier
is not bound to the interface.
To create logical tunnel interfaces and the bandwidth in gigabits per second to reserve
for tunnel services, include the tunnel-services bandwidth (1g | 10g) statement at the [edit
chassis fpc slot-number pic number] hierarchy level:
[edit interfaces]
lt-fpc/pic/port {
unit logical-unit-number {
encapsulation encapsulation;
peer-unit unit-number; # peering logical system unit number
dlci dlci-number;
family (inet | inet6 | iso | mpls);
}
}
The ACX5048 and ACX5096 routers support ethernet-vpls and vlan-vpls encapsulations.
These encapsulations are supported only on logical tunnel interface and are required for
configuring hierarchial VPLS.
You can use any unused physical port on the ACX5048 and ACX5096 routers to create
a logical tunnel interface as shown below:
The following sample configuration allows you to encapsulate vlan-ccc to vlan-vpls using
LT interface in ACX5048 and ACX5096 routers:
You can configure an ACX Series router to receive multicast traffic in a VRF domain. In
an IPTV solution, IPTV sources and receivers can be spread across different end points
of a network in a VRF domain. To receive the multicast traffic at the receiver’s side, it is
necessary for the multicast traffic to be tunneled across the network to reach the end
receiving device or the subscriber. This tunneling is usually done using the Multicast Virtual
Private Network (MVPN) technology.
ACX Series routers do not support MVPN technology. An alternate method for receiving
the multicast traffic in the VRF domain in ACX Series router is by associating a global
logical interface to a logical interface in the VRF domain. The global logical interface acts
as a proxy for receiving the multicast traffic on the logical interface in the VRF domain.
To associate a global logical interface to a logical interface in the VRF domain, you need
to configure an IRB interface in a global domain to act as a proxy for the logical interface
in the VRF domain.
[edit]
user@host# set chassis aggregated-devices ethernet device-count 1
user@host# set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
[edit]
user@host# set interfaces irb unit 0 family inet address 192.168.1.2/24
[edit]
user@host# set bridge-domains b1 vlan-id 101
user@host# set bridge-domains b1 interface lt-0/0/10.0
user@host# set bridge-domains b1 routing-interface irb.0
• show pfe vrf-mc-leak—Displays the association entries between proxy logical interface
and the logical interface in a VRF domain.
NOTE: When the router or PFE is rebooted, the proxy associations of logical
interfaces is removed and you need to once again create the proxy
associations of logical interface.
Limitations
The following limitations need to be considered for receiving multicast traffic in a VRF
domain:
• Multicast traffic cannot be forwarded from the logical interface in a VRF domain if the
first hop router is an ACX router.
Related
Documentation
Power over Ethernet (PoE) is the implementation of the IEEE 802.3af and IEEE 802.3at
standards that allows both data and electrical power to pass over a copper Ethernet
LAN cable.
Juniper Networks provides PoE on ACX2000 Universal Access Routers that allows power
delivery up to 65 W per PoE port. PoE ports transfer electrical power and data to remote
devices over standard twisted-pair cables in an Ethernet network. Using the PoE ports,
you can plug in devices that require both network connectivity and electrical power, such
as voice over IP (VoIP) and wireless LAN access points.
You can configure the ACX2000 Universal Access Router to act as a power sourcing
equipment (PSE), supplying power to powered devices that are connected on designated
ports.
Table 20 on page 143 lists the classes and their power ratings as specified by the IEEE
standards.
0 Default 15.4 W
1 Optional 4.0 W
2 Optional 7.0 W
3 Optional 15.4 W
PoE Options
For ACX2000 Universal Access Routers that support PoE ports, the factory default
configuration enables PoE on the PoE-capable ports, with default settings in effect. You
might not have to do any additional configuration if the default settings work for you.
Table 21 on page 143 shows the PoE configuration options and their default settings for
the PoE controller and for the PoE interfaces.
management static Sets the PoE power management mode for the router. The power
management mode determines how power to a PoE interface is
allocated:
Interface Options
disable (Power over Not included in default When included in the configuration, disables PoE on the interface. The
Ethernet) configuration interface maintains network connectivity but no longer supplies power
to a connected powered device. Power is not allocated to the interface.
priority (Power over low Sets an interface’s power priority to either low or high. If power is
Ethernet) insufficient for all PoE interfaces, the PoE power to low-priority interfaces
is shut down before power to high-priority interfaces is shut down. Among
interfaces that have the same assigned priority, the power priority is
determined by port number, with lower-numbered ports having higher
priority.
telemetries Not included in default When included in the configuration, enables the logging of power
configuration consumption records on an interface. Logging occurs every 5 minutes
for 1 hour unless you specify a different value for interval (Power over
Ethernet) or duration.
Power over Ethernet (PoE) ports supply electric power over the same ports that are used
to connect network devices. These ports allow you to plug in devices that need both
network connectivity and electric power, such as voice over IP (VoIP) phones, wireless
access points, and IP cameras.
Requirements
This example uses the following software and hardware components:
• Performed the initial router configuration. See “ACX Series Autoinstallation Overview”
on page 75,“Verifying Autoinstallation on ACX Series Universal Access Routers” on
page 79, and “Boot Sequence on ACX Series Routers” on page 48 for details.
Overview
This example consists of a router that has eight ports. Only two ports—ge-0/1/3 and
ge-0/1/7—support PoE, which means they provide both network connectivity and electric
power for powered devices such as VoIP telephones, wireless access points, and IP
security cameras that require power up to 65 W. The remaining six ports provide only
network connectivity. You use the standard ports to connect devices that have their own
power sources, such as desktop and laptop computers, printers, and servers.
Table 22 on page 145 details the topology used in this configuration example.
Property Settings
Hardware ACX2000 router with 8 Gigabit Ethernet ports: Two PoE
interfaces (ge-0/1/3 and ge-0/1/7) and 6 non-PoE interfaces
(ge-0/1/0, ge-0/1/1, ge-0/1/2, ge-0/1/4, ge-0/1/5, ge-0/1/6).
Direct connections to desktop PCs, file servers, integrated ge-0/1/0 through ge-0/1/2
printer/fax/copier machines (no PoE required)
Configuration
To configure PoE on an ACX2000 router:
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure PoE:
[edit]
user@host# set poe management high-power
NOTE:
• Set the PoE management mode to high-power only when the power
[edit]
user@host# set poe guard-band 19
3. Enable PoE.
[edit]
user@host# edit poe interface ge-0/1/3
NOTE: Set the maximum PoE power for a port only when the power
requirement is more than 32 W and up to 65 W. If the power requirement
is less than or equal to 32 W, then you do not need to configure the
maximum PoE power.
Results
In configuration mode, confirm your configuration by entering the show poe interface
ge-0/1/3 command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@host# show poe interface ge-0/1/3
priority high;
maximum-power 65;
telemetries;
If you are done configuring the device, enter commit in configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Purpose Verify that the PoE interfaces are enabled and set to the desired priority settings.
Action In operational mode, enter the show poe interface ge-0/1/3 command.
Meaning The show poe interface ge-0/1/3 command lists PoE interfaces configured on the
ACX2000 router, with their status, priority, power consumption, and class.
Purpose Verify the PoE interface's power consumption over a specified period.
Action In operational mode, enter the show poe telemetries interface command.
Meaning The telemetry status displays the power consumption history for the specified interface,
provided telemetry has been configured for that interface.
Purpose Verify global parameters such as guard band, power limit, and power consumption.
Meaning The show poe controller command lists the global parameters configured on the router.
Related • Understanding PoE on ACX Series Universal Access Routers on page 142
Documentation
This example shows how to disable PoE on all interfaces or on a specific interface.
Requirements
Before you begin:
• Configure PoE on all interfaces. See “Example: Configuring PoE on ACX2000 Routers”
on page 144.
Overview
In this example, you disable PoE on all interfaces and on a specific interface, which in
this case is ge-0/1/3.
Configuration
[edit]
user@host# set poe interface ge-0/1/3 disable
Verification
To verify the configuration is working properly, enter the show poe interface command.
Related • Understanding PoE on ACX Series Universal Access Routers on page 142
Documentation
On ACX1100 routers, you can configure a service package on the router for the RFC
2544-based benchmarking test, or for NAT and IPsec applications. When you configure
the service package for the RFC 2544-based benchmarking test or for the NAT and IPsec
applications, a reboot of the Forwarding Engine Board (FEB) occurs to apply the service
package selection. By default, the service package for RFC 2544 benchmarking test is
selected. The selection of a service package is needed on ACX1100 routers when you
configure such routers for IEEE 1588v2 Precision Time Protocol (PTP) because both RFC
2544-based benchmarking tests and a combination of NAT and IPsec protocols are not
supported simultaneously; you can configure only PTP and RFC 2544-based tests, or
PTP and the combination of NAT and IPsec at a point in time.
You need to specify the service package to be RFC 2544-based or NAT and IPsec-based
only for ACX1100-AC routers. The selection of a service package is not needed on ACX
Series routers other than the ACX1100-AC and ACX500 routers because on such routers,
only the RFC 2544-based benchmarking tests are supported; NAT and IPsec applications
are not supported on those routers.
To configure the RFC 2544-based service package on a particular FPC, include the
service-package bundle-rfc2544 statement at the [edit chassis fpc slot-number] hierarchy
level.
[edit chassis]
fpc slot-number {
service-package bundle-rfc2544;
}
To configure the NAT and IPsec applications service package on a particular FPC, include
the service-package bundle-nat-ipsec statement at the [edit chassis fpc slot-number]
hierarchy level.
[edit chassis]
fpc slot-number {
service-package bundle-nat-ipsec;
}
Purpose To monitor Fast Ethernet and Gigabit Ethernet interfaces and begin the process of isolating
interface problems when they occur.
Action Table 23 on page 151 provides links and commands for monitoring Fast Ethernet and
Gigabit Ethernet interfaces.
Table 23: Checklist for Monitoring Fast Ethernet and Gigabit Ethernet
Interfaces
Tasks Command or Action
2. Display the Status of a Specific Fast Ethernet or Gigabit show interfaces (fe-fpc/pic/port | ge-fpc/pic/port)
Ethernet Interface
3. Display Extensive Status Information for a Specific Fast show interfaces (fe-fpc/pic/port | ge-fpc/pic/port) extensive
Ethernet or Gigabit Ethernet Interface
4. Monitor Statistics for a Fast Ethernet or Gigabit Ethernet monitor interface (fe-fpc/pic/port | ge-fpc/pic/port)
Interface
Meaning You can use the above described commands to monitor and to display the configurations
for Fast Ethernet and Gigabit Ethernet interfaces.
Purpose To monitor T1 interfaces and begin the process of isolating T1 interface problems when
they occur.
Action Table 24 on page 151 provides the links and commands for monitoring T1 interfaces.
Monitor T1 Interfaces
1. Display the Status of T1 Interfaces show interfaces terse t1*
3. Display Extensive Status Information for a Specific T1 show interfaces t1-fpc/pic/port extensive
Interface
Ethernet link aggregation is mechanism for increasing the bandwidth linearly and
improving the resiliency of Ethernet links by bundling or combining multiple full-duplex
same-speed point-to-point Ethernet links into a single virtual link. The virtual link interface
is referred to as link aggregation group (LAG) or aggregated Ethernet (AE) interface. The
LAG balances traffic across the member links within an aggregated Ethernet bundle and
effectively increases the uplink bandwidth. Another advantage of link aggregation is
increased availability, because the LAG is composed of multiple member links. If one
member link fails, the LAG continues to carry traffic over the remaining links.
On ACX Series routers, up to 128 AE interfaces can be created with each AE interface
having up to 8 physical interfaces. AE interfaces can be created across PICs and
fixed-ports on the chassis.
ACX Series routers do not support statistics for aggregated Ethernet interface. However,
statistics can be retrieved for member interface.
[edit chassis]
user@host# set aggregated-devices ethernet device-count number
2. Specify the minimum number of links for the aggregated Ethernet interface (aex),
that is, the defined bundle, to be labeled “up”:
NOTE: By default only one link must be up for the bundle to be labeled
“up”.
[edit interfaces]
user@host# set ae0 aggregated-ether-options minimum-links number (1 — 8)
[edit interfaces]
user@host# set ae0 aggregated-ether-options link-speed speed (10g | 1g | 100m)
[edit interfaces]
user@host# set ge-1/0/0 gigether-options 802.3ad ae0
user@host# set ge-1/0/1 gigether-options 802.3ad ae0
[edit interfaces]
user@host# set ae0 unit 0 family inet address ip-address
The above procedure creates an AE interface and they would be up and ready for running
the services defined on AE logical interfaces.
This step changes the interface state to down and removes the configuration
statements related to aex.
[edit]
[edit]
user@host#delete chassis aggregated-devices ethernet device-count
For aggregated Ethernet interfaces, you can configure the Link Aggregation Control
Protocol (LACP). LACP is one method of bundling several physical interfaces to form
one logical interface. You can configure both VLAN-tagged and untagged aggregated
Ethernet with or without LACP enabled.
Load Balancing
JUNOS load-balances traffic across member links in an AE bundle based on the Layer 3
information in the packet. You can globally configure what fields are used for
load-balancing for inet and MPLS
On ACX Series Routers, the inet family knobs are available at PIC level. You can configure
inet family Layer 3 and Layer 4 fields to be used for load-balancing. For bridge family,
Layer 2, layer 3 and Layer 4 fields to be used for load-balancing.
ACX Series routers also support load balancing across the member links using Layer 2
source MAC addresses, destination MAC addresses, or both. This can be configured at
the [edit forwarding-options hash-key family multiservice] hierarchy level. Layer 2 source
MAC addresses and destination MAC addresses are used as hash-keys for load balancing.
[edit]
forwarding-options {
hash-key {
family multiservice {
destination-mac;
source-mac;
}
}
}
NOTE:
• For IP Layer 2 packets, only IP fields are used for load balancing across
member links. Source MAC address and destination MAC address are not
be used for load balancing.
• For non-IP Layer 2 packets, either Source MAC address or destination MAC
address is used as hash-keys for load balancing.
• If you want to hash based on layer 2 fields, then you need to configure
multiservice.
• If you want to hash based on layer 3 and layer 4 fields, then you need to
configure family (inet | inet6)
LACP Monitoring
LACP exchanges are made between actors and partners. An actor is the local interface
in an LACP exchange. A partner is the remote interface in an LACP exchange.
• Automatic addition and deletion of individual links to the aggregate bundle without
user intervention
• Link monitoring to check whether both ends of the bundle are connected to the correct
group
The Junos OS implementation of LACP provides link monitoring but not automatic addition
and deletion of links.
LACP monitoring can be either distributed or centralized. The default is distributed and
it can be overriden by configuring the centralized knob under LACP protocols. LACP
exchanges are made between actors and partners. An actor is the local interface in an
LACP exchange. A partner is the remote interface in an LACP exchange.
By default, LACP does not initiate a LACP PDU exchange. LACP packets can be configured
to exchange LACP PDUs at a rate of 1 packet per second, or a slower rate of 1 packet for
30 seconds.
The LACP mode can be active or passive. If the actor and partner are both in passive
mode, they do not exchange LACP packets, which results in the aggregated Ethernet
links not coming up. If either the actor or partner is active, they do exchange LACP packets.
By default, LACP is turned off on aggregated Ethernet interfaces. If LACP is configured,
it is in passive mode by default. To initiate transmission of LACP packets and response
to LACP packets, you must configure LACP in active mode.
To enable LACP active mode, include the lacp statement at the [edit interfaces
interface-name aggregated-ether-options] hierarchy level, and specify the active option:
NOTE: The LACP process exists in the system only if you configure the system
in either active or passive LACP mode.
To restore the default behavior, include the lacp statement at the [edit interfaces
interface-name aggregated-ether-options] hierarchy level, and specify the passive option:
Link Protection
Link protection can be configured on AE interfaces to provide 1:1 link resiliency using LACP.
Primary and backup links can be configured within an AE bundle. The primary link is used
for all transit traffic and host generated traffic. The backup link is used when the primary
link fails.
Link protection is supported only when the AE bundles have no more than 2 member
links, one primary and another backup. LACP works in revertive link-protection mode by
default and can be configured to work in non-revertive mode.
Aggregated Ethernet interfaces support link protection to ensure QoS on the interface.
To disable link protection, issue the delete interface revert aex configuration command.
The hashing algorithm makes hashing decisions based on values in various packet fields,
as well as on some internal values like source port ID and source device ID. You can
configure some of the fields that are used by the hashing algorithm.
The hashing algorithm is used to make traffic-forwarding decisions for traffic entering a
LAG bundle.
For LAG bundles, the hashing algorithm determines how traffic entering a LAG bundle is
placed onto the bundle’s member links. The hashing algorithm tries to manage bandwidth
by evenly load-balancing all incoming traffic across the member links in the bundle.
The hashing algorithm makes hashing decisions based on values in various packet fields,
as well as on some internal values like source port ID and source device ID. The packet
fields used by the hashing algorithm varies by the packet’s EtherType and, in some
instances, by the configuration on the router. The hashing algorithm recognizes the
following EtherTypes:
• IPv4
• MPLS
Traffic that is not recognized as belonging to any of these EtherTypes is hashed based
on the Layer 2 header. IP and MPLS traffic are also hashed based on the Layer 2 header
when a user configures the hash mode as Layer 2 header.
You can configure some fields that are used by the hashing algorithm to make traffic
forwarding decisions. You cannot, however, configure how certain values within a header
are used by the hashing algorithm.
• The fields selected for hashing are based on the packet type only. The fields are not
based on any other parameters, including forwarding decision (bridged or routed) or
egress LAG bundle configuration (Layer 2 or Layer 3).
• The same fields are used for hashing unicast and multicast packets. Unicast and
multicast packets are, however, hashed differently.
Table 25 on page 157 describes the fields used for hashing by Layer 2 services. The table
explains the default behavior and the configurable fields based on the type of traffic
received on the Layer 2 service
Table 25: Hashing Behavior for Pseudowire (Layer 2 Circuit) and Bridging Services
Traffic Type Default Hash Fields Configurable Fields (Hash keys)
Destination MAC
Destination MAC
Destination MAC
Table 26 on page 158 describes the fields used for hashing by Layer 3 services. The table
explains the default behavior and the configurable fields based on the type of traffic
received on the Layer 3 service
Related • CoS on ACX Series Universal Access Routers Features Overview on page 864
Documentation
• Controlling Network Access Using Traffic Policing Overview on page 908
• Standard Firewall Filter Match Conditions and Actions on ACX Series Routers Overview
on page 1052
The ACX Series router alarm contact port—labeled ALARM on the front panel—allows
you to manage sensors and external devices connected to the router in remote unstaffed
facilities.
Alarm Input
Alarm input provides dry contacts to connect to security sensors such as door or window
monitors. The alarm input—open or closed—is sensed and reported to the management
software. You can configure up to four alarm input relay ports (0 through 3) to operate
as normally open or normally closed, and to trigger a red alarm condition or a yellow
alarm condition or to ignore alarm conditions.
Alarm Output
Alarm output provides dry contacts to connect to external equipment, such as an audible
or visual alarm that switches on or off–for example, a bell or a light. The four alarm output
relay ports—0 through 3—are set up as follows:
• Ports 0 and 1—These ports can be configured to trigger an alarm when the system
temperature goes to the red alarm status and when an alarm input port is triggered.
• Ports 2 and 3—These ports are not configured. They are used to indicate system major
and minor alarms and are normally open. When a condition triggers an alarm, an alarm
message is displayed.
To view the alarm input and output relay information, issue the show chassis craft-interface
command from the Junos OS command line interface.
On ACX Series routers, you can configure alarm relays that can trigger alarms and turn
external devices on or off. For example, if the router heats up to more than the critical
temperature, the output port is activated and a device connected to the output port—such
as a fan—is turned on.
To configure conditions that trigger alarms, include the relay statement with the input
and output options at the [edit chassis alarm] hierarchy level.
The ACX Series router alarm contact port—labeled ALARM on the front panel—allows
you to manage sensors and external devices connected to the router in remote unstaffed
facilities. You can configure up to four alarm input ports (0 through 3) to operate as
normally open or normally closed, and to trigger a red alarm condition or a yellow alarm
condition or to ignore alarm conditions.
[edit chassis alarm relay input port port-number mode (close | open)]
[edit chassis alarm relay input port port-number trigger (ignore | red | yellow)]
To view the alarm input relay information, issue the show chassis alarms or show chassis
craft-interface commands from the Junos OS command line interface.
The ACX Series router alarm contact port—labeled ALARM on the front panel—allows
you to manage sensors and external devices connected to the router in remote unstaffed
facilities. You can configure up to two alarm output relay ports (0 and 1) to operate as
normally open or normally closed, and to trigger an alarm when the system temperature
goes to the red alarm status and when an alarm input port is triggered.
NOTE: Ports 2 and 3 are not configured. They are used to indicate system
major and minor alarms and are normally open. When a condition triggers
an alarm, an alarm message is displayed, and the corresponding LED turns
on.
[edit chassis alarm relay output port port-number (input-relay | mode | temperature)]
For example, to set off the alarm when the system temperature goes into the red
status:
To view the alarm output relay information, issue the show chassis alarms or show chassis
craft-interface command from the Junos OS command line interface.
Chassis Definitions for Router Model MIB for ACX Series Routers
The enterprise-specific Chassis Definitions for Router Model MIB contain the OIDs that
are used by the Chassis MIB to identify platform and chassis components. The Chassis
Definitions for Router Model MIB provide information that changes less often.
The last number in each sysObjectId, shown in Table 27 on page 162, corresponds to the
router model and therefore does not change. This table displays the different ACX router
model numbers, their jnxProductName object names, and the associated sysObjectId
values.
Table 27: Router Models and Their sysObjectIds for ACX Series Routers
Model SysObjectID jnxProductName
Table 27: Router Models and Their sysObjectIds for ACX Series
Routers (continued)
Model SysObjectID jnxProductName
For a downloadable version of the Chassis Definitions for Router Model MIB, see
http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-chas-defines.txt.
• Chassis Traps
This topic discusses BERT properties for the E1 interface specifically. For general
information about the Junos OS implementation of the BERT procedure, see Configuring
Interface Diagnostics Tools to Test the Physical Layer Connections.
By default, the BERT period is 10 seconds. You can configure the BERT period to last
from 1 through 239 seconds on some PICs and from 1 through 240 seconds on other PICs.
Standard CE1, standard E1, E1 IQ, and E1 IQE interfaces, and PICs partitioned to CE1 and
E1 channels, support an extended BERT period range, up to 86,400 seconds (24 hours),
and have a default BERT period value of 240 seconds.
rate is the bit error rate. This can be an integer from 0 through 7, which corresponds to a
–0 –7
bit error rate from 10 (0, which corresponds to no errors) to 10 (1 error per 10 million
bits). The default is 0.
For channelized E1 intelligent queuing (IQ and IQE) interfaces, you can configure the
BERT algorithm by including the bert-algorithm statement at the [edit interfaces
ce1-fpc/pic/port e1-options] or [edit interfaces e1-fpc/pic/port e1-options] hierarchy level:
For a list of supported algorithms, enter a ? after the bert-algorithm statement; for
example:
For specific hierarchy information, see individual interface types. For information about
running the BERT procedure, see the CLI Explorer.
You can configure loopback capability between the local E1 interface and the remote
channel service unit (CSU), as shown in Figure 18 on page 167. You can configure the
loopback to be local or remote. With local loopback, the E1 interface can transmit packets
to the CSU, but receives its own transmission back again and ignores data from the CSU.
With remote loopback, packets sent from the CSU are received by the E1 interface,
forwarded if there is a valid route, and immediately retransmitted to the CSU.
To exchange BERT patterns between a local router and a remote router, include the
loopback remote statement in the interface configuration at the remote end of the link.
From the local router, you issue the test interface command.
For more information about configuring BERT, see Configuring Interface Diagnostics Tools
to Test the Physical Layer Connections. For more information about using operational
mode commands to test interfaces, see the CLI Explorer.
[edit]
user@host# edit interfaces interface-name fpc/pic/port e1-options
2. Include the loopback statement. Note that the loopback local statement causes the
interface to loop within the PIC just before the data reaches the transceiver.
3. To determine whether a problem is internal or external, loop packets on both the local
and the remote router. Include the no-keepalives and encapsulation cisco-hdlc
statements at the [edit interfaces interface name] hierarchy level. With this
configuration, the link stays up, so you can loop ping packets to a remote router.
4. Check the error counters in the output of the show interface interface-name extensive
to determine whether there is an internal problem or an external problem.
5. View the configuration by issuing the show command at the [edit interfaces
e1-fpc/pic/port ] hierarchy level.
[edit interfaces]
user@host# show
e1-1/0/0 {
no-keepalives;
encapsulation cisco-hdlc;
e1-options {
loopback local;
}
unit 0 {
family inet {
address 10.100.100.1/24;
}
}
}
NOTE:
• You can turn off the loopback capability by removing the loopback
statement from the configuration
[edit]
user@host# delete interfaces e1-fpc/pic/port e1-options loopback
• You can configure the CE1 loopback capability on the 16-port Channelized
E1/T1 Circuit Emulation MIC (MIC-3D-16CHE1-T1-CE), by including the
loopback statement at the [edit interfaces ce1-fpc/pic/port] hierarchy level.
This section discusses BERT properties for the T1 interface specifically. For general
information about the Junos implementation of the BERT procedure, see Configuring
Interface Diagnostics Tools to Test the Physical Layer Connections.
You can configure a T1 interface or partitioned CT1 or T1 channel to execute a bit error
rate test (BERT) when the interface receives a request to run this test. You specify the
duration of the test and the error rate to include in the bit stream by including the
bert-period and bert-error-rate statements at the [edit interfaces interface-name t1-options]
hierarchy level:
seconds is the duration of the BERT procedure. The test can last from 1 through
239 seconds; the default is 10 seconds. Standard CT1, standard T1, T1 IQ, and T1 IQE
interfaces, and PICs partitioned to CT1 and T1 channels, support an extended BERT period
range, up to 86,400 seconds (24 hours), and have a default BERT period value of 240
seconds.
rate is the bit error rate. This can be an integer from 0 through 7, which corresponds to a
–0 –7
bit error rate from 10 (1 error per bit) to 10 (1 error per 10 million bits).
algorithm is the pattern to send in the bit stream. On T1 interfaces, you can also select
the pattern to send in the bit stream by including the bert-algorithm statement at the
[edit interfaces interface-name interface-options] hierarchy level:
For a list of supported algorithms, enter a ? after the bert-algorithm statement; for
example:
For specific hierarchy information, see individual interface types. For information about
running the BERT procedure, see the CLI Explorer.
You can configure loopback capability between the local T1 interface and the remote
channel service unit (CSU), as shown in Figure 19 on page 170. You can configure the
loopback to be local or remote. With local loopback, the T1 interface can transmit packets
to the CSU, but receives its own transmission back again and ignores data from the CSU.
With remote loopback, packets sent from the CSU are received by the T1 interface,
forwarded if there is a valid route, and immediately retransmitted to the CSU.
Packets can be looped on either the local router or the remote CSU. Local and remote
loopback loop back both data and clocking information.
To exchange BERT patterns between a local router and a remote router, include the
loopback remote statement in the interface configuration at the remote end of the link.
From the local router, issue the test interface command.
For more information about configuring BERT, see Configuring Interface Diagnostics Tools
to Test the Physical Layer Connections. For more information about using operational
mode commands to test interfaces, see the CLI Explorer.
For channelized T3, T1, and NxDS0 intelligent queuing (IQ) interfaces only, you can include
the loopback payload statement in the configuration to loop back data only (without
clocking information) on the remote router’s PIC. In payload loopback, overhead is
recalculated. For T3 IQ interfaces, you can include the loopback payload statement at
the [edit interfaces ct3-fpc/pic/port] and [edit interfaces t3-fpc/pic/port:channel] hierarchy
levels. For T1 interfaces, you can include the loopback payload statement in the
configuration at the [edit interfaces t1-fpc/pic/port:channel] hierarchy level; it is ignored
if included at the [edit interfaces ct1-fpc/pic/port] hierarchy level. For NxDS0 interfaces,
payload and remote loopback are the same. If you configure one, the other is ignored.
NxDS0 IQ interfaces do not support local loopback.
To determine whether a problem is internal or external, you can loop packets on both
the local and the remote router. To do this, include the no-keepalives and encapsulation
cisco-hdlc statements at the [edit interfaces interface-name] hierarchy level and the
loopback local statement at the [edit interfaces interface-name t1-options] hierarchy level,
as shown in the following example:
[edit interfaces]
t1-1/0/0 {
no-keepalives;
encapsulation cisco-hdlc;
t1-options {
loopback local;
}
unit 0 {
family inet {
address 10.100.100.1/24;
}
}
}
With this configuration, the link stays up, so you can loop ping packets to a remote router.
The loopback local statement causes the interface to loop within the PIC just before the
data reaches the transceiver.
To turn off the loopback capability, remove the loopback statement from the configuration:
[edit]
user@host# delete interfaces t1-fpc/pic/port t1-options loopback
On ACX series routers, you configure an ATM pseudowire with Layer 2 encapsulation for
Inverse Multiplexing for ATM (IMA).
• Pseudowire Overview for ACX Series Universal Access Routers on page 590
You can configure 42 IMA groups. Each group can contain from 1 through 32 links.
You can configure a maximum of 16 IMA groups on the 16-port Channelized E1/T1 Circuit
Emulation MIC (ACX-MIC-16CHE1-T1-CE) and each group can have from 1 through 8 IMA
links. Port numbers starting from 0 through 15 are used for T1/E1 ports; therefore, IMA
port numbers start from 16 onward.
To configure an IMA group, execute the set chassis fpc fpc-slot pic pic-slot aggregated
devices ima device-count count configuration command, where count results in the
creation of interfaces from at-x/y/g through at-x/y/g+count-1. The variable g is picked
from 16 onward. For example, if the count variable is set to 4, then the new ATM interfaces
are created from at-x/y/16 through at-x/y/19.
You can implement inverse multiplexing for ATM (IMA) on Juniper Networks ACX Series
routers by configuring an IMA group and its options. The following sections explain the
various options that can be set for an IMA group:
IMA Version
Either IMA 1.0 (af-phy-0086.000-IMA) or IMA 1.1 (af-phy-0086.001-IMA) can be selected
through the CLI. To choose the IMA specification version, execute the set interfaces
interface-name ima-group-options (1.0|1.1) configuration command. Note that, if you do
not specify the version, IMA 1.1 is selected by default.
The IMA v1.1 specification increments the operations and maintenance (OAM) label value
used in the IMA OAM cells in order to differentiate v1.1 from v1.0 IMA units.
Transmit Clock
When you create an IMA group, you can configure a common transmit clock timing mode
or an independent transmit clock timing mode to reflect the primary reference source
(PRS) of the clock for each link in a group. By default, the common mode is selected. To
select the transmit clock timing mode, execute the set interface interface-name
ima-group-options transmit-clock (common | independent) configuration command.
• Symmetrical configuration and operation—In this mode, on the ATM IMA device, an
IMA link must be configured in each direction for all physical links that the ATM IMA
device is configured to use. In this mode, the ATM IMA device can transmit and receive
ATM layer cells over the physical links on which the IMA links running in both directions
are Active.
The mode can be configured through the CLI when an IMA group is created. To select
the symmetry option, execute the set interface interface-name ima-group-options symmetry
(symmetrical-config-and-operation | symmetrical-config-asymmetrical-operation)
configuration command. By default, symmetrical configuration and operation is selected.
• P is the minimum number of links required to be active in the transmit direction for
Tx
the IMA group to move into the operational state.
• P is the minimum number of links required to be active in the receive direction for the
Rx
IMA group to move into the operational state.
You configure P and P through the CLI when an IMA group is created. By default, 1 is
Tx Rx
selected.
To set the frame synchronization option, execute the set interface interface-name
ima-group-options frame-synchronization alpha number beta number gamma number
configuration command.
• Configure an ATM interface with one T1 link or one E1 link with the set interfaces
interface-name ima-link-options group-id g configuration command.
To delete the configured IMA link, you must execute the following configuration
commands:
The following options can be set according to the requirement at the [edit interface
interface-name ima-group-options test-procedure] hierarchy level:
• pattern number—IMA test pattern that can be set from 1 through 254
• period number—Length of the IMA test pattern that can be set from 1 second through
4,294,967,294 seconds. Default is 10 seconds.
To perform the test pattern procedure, execute the test interface interface-name
ima-test-start and test interface interface-name ima-test-stop operational mode
commands to start and to stop the IMA test, respectively.
Table 29: IMA Group Alarms with IMA Standard Requirement Numbers
Alarm IMA Standard Requirement Number
Start-up-FE R-145
Config-Aborted R-146
Config-Aborted-FE R-147
Insufficient-Links R-148
Insufficient-Links-FE R-149
Blocked-FE R-150
Table 29: IMA Group Alarms with IMA Standard Requirement Numbers (continued)
Alarm IMA Standard Requirement Number
Timing-Mismatch R-151
Blocked
Version-Mismatch
Table 30 on page 178 shows the supported IMA group defects and their associated IMA
standard requirement numbers. This is displayed in the group status and control field of
an ICP cell.
Table 30: IMA Group Defects with IMA Standard Requirement Numbers
Defects IMA Standard Requirement Number
Start-up-FE R-145
Config-Aborted R-146
Config-Aborted-FE R-147
Insufficient-Links R-148
Insufficient-Links-FE R-149
Blocked-FE R-150
Timing-Mismatch R-151
Blocked
Version-Mismatch
Table 31: IMA Link Alarms with IMA Standard Requirement Numbers
IMA Standard Requirement
Alarm Number Description
Table 31: IMA Link Alarms with IMA Standard Requirement Numbers (continued)
IMA Standard Requirement
Alarm Number Description
Table 32 on page 179 shows the supported IMA link defects that are reported to the unit
management with their associated IMA standard requirement numbers.
Table 32: IMA Link Defects with IMA Standard Requirement Numbers
IMA Standard Requirement
Defect Number Description
• Running seconds
• Unavailable seconds
For more information about IMA group statistics, see the show interfaces command
description in the CLI Explorer.
Table 33: IMA Link Statistics with IMA Standard Requirement Numbers
Performance Parameter IMA Standard Requirement Number
Rx LIF –
Rx ICP cells –
Rx LODS R-106
Rx stuff O-17
Near-end Tx failure –
Far-end defects –
Far-end Rx failure –
Tx ICP cells –
Tx stuff O-16
Table 33: IMA Link Statistics with IMA Standard Requirement Numbers (continued)
Performance Parameter IMA Standard Requirement Number
Far-end Tx failure –
IMA Clocking
Interface clock source is applicable only to IMA links.
You can set the interface clock source as external or internal with the set interfaces
at-x/y/z clocking (external | internal) configuration command. Note that the clocking
statement is not applicable to the at-x/y/g interface because the IMA group it represents
is a virtual interface.
Differential Delay
You can set the maximum differential delay from 1 millisecond through 56 milliseconds
among links in an IMA group. By default, a differential delay of 25 milliseconds is set.
Execute the set interfaces interface-name ima-group-options differential-delay delay
configuration command to set the differential delay.
The following sections explain how to create an ATM IMA group and to configure it
according to your requirements:
[edit]
user@host# edit chassis
2. Configure the Flexible Port Concentrator (FPC) slot and the Physical Interface Card
(PIC) slot as needed.
[edit chassis]
user@host# set fpc fpc-slot pic pic-slot
3. Configure the device count. The device count can be set starting from 1 through 42 in
the aggregated device options for inverse multiplexing for ATM at the [edit chassis
fpc fpc-slot pic pic-slot] hierarchy level.
This results in the creation of interfaces from at-x/y/g through at-x/y/g+count–1, where
the variable count is the number of interfaces and the variable g is picked from 16 onwards.
The PIC is automatically rebooted when a configuration that changes the IMA group
count is committed.
[edit]
user@host# edit interface interface-name
3. Configure the IMA group ID from 16 through 57. Note that this group ID is the same for
all T1/E1 interfaces for a particular ATM IMA interface.
[edit]
user@host# edit interface interface-name
2. Configure the logical interface (unit) as 0 and set the encapsulation for this logical
interface as either ATM cell relay for CCC or ATM VC for CCC.
[edit]
user@host# edit interface interface-name ima-group-options
2. Configure the maximum differential delay between the links in the IMA group. You
can configure the maximum differential delay from 1 millisecond through 56
milliseconds. By default, 25 milliseconds is set.
3. Configure the frame length of the ICP cell as 32, 64, 128, or 256. By default, 128 is set.
4. Configure the IMA group frame synchronization state parameters alpha, beta, and
gamma.
For the default values and parameter range for alpha, beta, and gamma, see
“Understanding ATM IMA Configuration on ACX Series Router” on page 174.
5. Configure IMA group minimum active links. You can configure between 1 to 16 links. 1
is set by default.
6. Configure the symmetry of the IMA group as either symmetrical configuration and
operation or symmetrical configuration and asymmetrical operation.
For information about symmetry, see “Understanding ATM IMA Configuration on ACX
Series Router” on page 174.
7. Configure a test procedure to start and end the test pattern procedure.
For information about test procedure, see “Understanding ATM IMA Configuration on
ACX Series Router” on page 174.
8. Configure a transmit clock to reflect the primary reference source (PRS) of the clock
for each link in a group either in common timing mode or independent timing mode.
By default, common timing mode is selected.
9. Configure the IMA specification version as either version 1.0 or version 1.1. By default,
IMA version 1.1 is selected.
Related • Understanding ATM IMA Configuration on ACX Series Router on page 174
Documentation
Inverse multiplexing for ATM is a technique of transporting ATM traffic over a bundle of
T1 or E1 interfaces. Inverse multiplexing is the opposite of multiplexing. Multiplexing is a
technique of combining multiple signals into a single signal. Inverse multiplexing is a
technique that divides a data stream into multiple concurrent streams that are transmitted
at the same time across separate channels (such as T1 or E1 interfaces) and then
reconstructed at the other end back into the original data stream. Inverse multiplexing
is used to speed up the flow of data across a slower interface, such as a T1 or E1 interface,
by load balancing the data stream across multiple T1 or E1 interfaces, increasing the line
capacity.
With ATM inverse multiplexing, an ATM cell stream is transported over a bundle of T1 or
E1 interfaces called an IMA group. The ATM cells are inverse multiplexed and
demultiplexed cyclically across the IMA group to create a higher-bandwidth logical link
whose rate is approximately the sum of all the interfaces in the group.
Inverse multiplexing for ATM (IMA) is a standardized technology used to transport ATM
traffic over a bundle of T1 or E1 interfaces, also known as an IMA Group, allowing for an
increase in the bandwidth capacity. When you configure IMA on ACX Series routers, you
must configure the following:
• The aggregated device count—The device count is the number of IMA group interfaces
created on the CT1 or CE1 interfaces. The logical ATM interface that is part of the IMA
group has the following naming format: at-fpc/pic/port with the port number taken
from the last port on the MIC plus 1. For example, on the ACX2000 router with a 16-port
built-in T1/E1 TDM MIC, the IMA group interface numbering starts with at-0/0/16 and
increments by 1 to at-0/0/17, and so on. On the ACX1000 router with an 8-port built-in
T1/E1 TDM MIC, the IMA group interface numbering starts with at-0/0/8 and increments
by 1 to at-0/0/9, and so on
• The T1 or E1 interface as a member of the IMA group of the respective IMA link—Each
child T1 or E1 interface of a channelized CT1 or CE1 interface is the physical interface
over which the ATM signals are carried. This T1 or E1 interface must be specified as a
member of an IMA group so that the IMA link will work.
Circuit Emulation PICs on ACX Series routers provide Asynchronous Transfer Mode (ATM)
support for the following Operations, Administration, and Maintenance (OAM) fault
management cell types:
• F4 loopback (end-to-end)
• F5 loopback
• F5 AIS
• F5 RDI
ATM OAM is supported on ACX1000, ACX2000, and ACX2200 routers, and on Channelized
E1/T1 Circuit Emulation MICs on ACX4000 routers.
The following methods of processing OAM cells that traverse through pseudowires with
circuit cross-connect (CCC) encapsulation are supported:
For ATM pseudowires, the F4 flow cell is used to manage the VP level. On ACX Series
routers with ATM pseudowires (CCC encapsulation), you can configure OAM F4 cell
flows to identify and report virtual path connection (VPC) defects and failures. Junos OS
supports three types of OAM F4 cells in end-to-end F4 flows:
For OAM F4 and F5 cells, IP termination is not supported. Also, Junos OS does not support
segment F4 flows, VPC continuity check, or VP performance management functions.
The maximum number of ATM VCs that you can configure on ACX Series routers is 1000.
ACX Series routers do not support the transmission and reception of OAM F5 loopback
cells. Therefore, for ATM1 and ATM2 IQ interfaces with an ATM encapsulation, you cannot
configure the OAM F5 loopback cell period on virtual circuits on ACX Series routers.
For OAM F4 cells, on each VP, you can configure an interval during which to transmit
loopback cells by including the oam-period statement at the [edit interfaces interface-name
atm-options vpi vpi-identifier] hierarchy level. To modify OAM liveness values on a VP,
include the oam-liveness statement at the [edit interfaces interface-name atm-options
vpi vpi-identifier] hierarchy level.
For interfaces that are configured for ATM cell-relay promiscuous virtual path identifier
(VPI) mode, the show interfaces command output does not display the OAM F4 cell
statistics. Also, the Input OAM cell no buffers field is not displayed to indicate the number
of received OAM cells or raw cells dropped because of non-availability of buffers in the
output of the show interfaces command for ATM interfaces. You cannot configure a fiber
channel separately for OAM cells than the one used for other packets.
You can also configure the maximum number of ATM cells per frame on the physical or
logical interface. To set the maximum number of cells per frame, include the
cell-bundle-size statement at the [edit interfaces at-fpc/pic/port atm-options] and the
[edit interfaces at-fpc/pic/port unit logical-unit-number] hierarchy levels. The cell bundle
size can be from 1 through 26.
Related • Defining the ATM OAM F5 Loopback Cell Period on page 187
Documentation
• Configuring the ATM OAM F5 Loopback Cell Threshold on page 188
• Configuring the Timeout for Bundling of Layer 2 Circuit Cell-Relay Cells on page 188
• Configuring the Layer 2 Circuit Cell-Relay Cell Maximum Overview on page 189
For ATM1 and ATM2 IQ interfaces with an ATM encapsulation, you can configure the OAM
F5 loopback cell period on virtual circuits. This is the interval at which OAM F5 loopback
cells are transmitted.
By default, no OAM F5 loopback cells are sent. To send OAM F5 loopback cells, include
the oam-period statement:
For a list of hierarchy levels at which you can include this statement, see oam-period.
The period can be from 1 through 900 seconds. You can also choose the disable option
to disable the OAM loopback cell transmit feature.
OAM VC-AIS and VC-RDI defect indication cells are used for identifying and reporting
VC defects end-to-end. When a physical link or interface failure occurs, intermediate
nodes insert OAM AIS cells into all the downstream VCs affected by the failure. Upon
receiving an AIS cell on a VC, the router marks the logical interface down and sends an
RDI cell on the same VC to notify the remote end of the error status. When an RDI cell is
received on a VC, the router sets the logical interface status to down. When no AIS or
RDI cells are received for 3 seconds, the router sets the logical interface status to up. You
do not need to configure anything to enable defect indication.
For ATM1 and ATM2 IQ interfaces with an ATM encapsulation, you can configure the
OAM F5 loopback cell threshold on VCs. This is the minimum number of consecutive
OAM F5 loopback cells received before a VC is declared up, or the minimum number of
consecutive OAM F5 loopback cells lost before a VC is declared down.
By default, when five consecutive OAM F5 loopback cells are received, the VC is considered
to be up, and when five consecutive cells are lost, the VC is considered to be down. To
modify these values, include the oam-liveness statement:
oam-liveness {
up-count cells;
down-count cells;
}
For a list of hierarchy levels at which you can include this statement, see oam-liveness.
Based on this configuration, the router attempts to collect and concatenate ATM cells
in a single ATM cell relay-encapsulated packet and transmit the packet on a pseudowire
connection. When the router detects that the allotted time interval has expired, the router
forwards the packet even if it contains fewer than the specified maximum number of
aggregated cells per packet. The cell concatenation or bundling functionality is controlled
by the timeout value and the maximum number of cells to be concatenated.
To configure the period for which the ATM cells are aggregated and bundled before they
are transmitted in a single frame on a pseudowire connection:
• Specify the number of microseconds for which the ATM cells must be bundled before
the timer expires and the cells are transmitted in a single frame.
When the router detects that the allotted time interval has expired, the router forwards
the MPLS packet even if it contains fewer than the specified maximum number of
aggregated cells per packet.
Related • Configuring the Layer 2 Circuit Cell-Relay Cell Maximum Overview on page 189
Documentation
• cell-bundle-timeout
By default, each frame contains one cell. For ATM interfaces with Layer 2 circuit cell-relay
transport mode configured, you can configure the maximum number of ATM cells per
frame on the physical or logical interface. To set the maximum number of cells per frame,
include the cell-bundle-size statement:
cell-bundle-size cells;
After 125 microseconds, cell bundling times out. This means that after 125 microseconds
if the frame does not contain the configured value, the frame is transmitted anyway.
The transmit rates you configure on the routers at each end of the connection must be
the same value.
• CBR and real-time variable bit rate (RTVBR) cells are not bundled. They are always
sent as single-cell packets.
• Cells with the same CLP bits are bundled together. This means all the cells in a bundle
contain the same CLP value.
• Cells with the same CoS bits are bundled together. This means all the cells in a bundle
belong to the same class of service.
• As alluded to in the previous rules, several triggers cause early packet transmission,
meaning that the packet is transmitted before the number of cells received is equal to
the value configured with the cell-bundle-size statement. These triggers are as follows:
CoS-based cell bundling optimizes the release of a bundle by sending out the cell that
triggers early packet transmission as a single-cell packet. This means that when a cell
triggers early packet transmission, that cell is not bundled. Consequently, certain input
data patterns might cause primarily single-cell packets to be transmitted. For example,
say the output interface receives a steady pattern of two cells from a non-RTVBR queue,
followed by two cells from a UBR queue. In this case, all transmitted packets contain a
single cell because the first cell triggers a transition and is transmitted by itself. The
second cell is also transmitted by itself because the third cell triggers another transition,
and so on. This effect might not be dramatic with a mix of traffic; it is most evident with
steady traffic patterns, as generated by ATM test equipment programmed to emit regular
sequences of CoS queue transitions.
This configuration is the base configuration of SAToP on an ACX Series router as described
in RFC 4553, Structure-Agnostic Time Division Multiplexing (TDM) over Packet (SAToP).
When you configure SAToP on built-in channelized T1 and E1 interfaces, the configuration
results in a pseudowire that acts as a transport mechanism for the T1 and E1 circuit signals
across a packet-switched network.
The network between the customer edge (CE) routers appears transparent to the CE
routers, making it seem that the CE routers are directly connected. With the SAToP
configuration on the provider edge (PE) router’s T1 and E1 interfaces, the interworking
function (IWF) forms a payload (frame) that contains the CE router’s T1 and E1 Layer 1
data and control word. This data is transported to the remote PE over the pseudowire.
The remote PE removes all the Layer 2 and MPLS headers added in the network cloud
and forwards the control word and the Layer 1 data to the remote IWF, which in turn
forwards the data to the remote CE.
Pseudowire 1
CE1 PE1 PE2 CE2
Pseudowire 2
In Figure 20 on page 191 the Provider Edge (PE) router represents the ACX Series router
that is being configured in these steps. The result of these steps is the pseudowire from
PE1 to PE2. Topics include:
For example:
After a PIC is brought online and depending on the framing option used (t1 or e1), on
the ACX2000 router, 16 CT1 or 16 CE1 interfaces are created, and on the ACX1000
router, 8 CT1 or 8 CE1 interfaces are created.
The following output from the show interfaces terse command shows the 16 CT1
interfaces created with the framing configuration.
NOTE: If you set the framing option incorrectly for the PIC type, the commit
operation fails.
If you change the mode, the router will reboot the built-in T1 and E1 interfaces.
Bit error rate test (BERT) patterns with all ones received by T1 and E1
interfaces configured for SAToP do not result in an alarm indication signal
(AIS) defect. As a result, the T1 and E1 interfaces remain up.
For example:
[edit]
user@host# show interfaces
ct1-0/0/0 {
no-partition interface-type t1;
}
The preceding command creates the t1-0/0/0 interface on the channelized ct1-0/0/0
interface. Check the configuration with the show interfaces interface-name extensive
command. Run the command to display output for the channelized interface and the
newly created T1 or E1interface. The following output provides an example of the output
for a CT1 interface and the T1 interface created from the preceding example configuration.
Notice that ct1-0/0/0 is running at T1 speed and that the media is T1.
In the following output for the T1 interface, the parent interface is shown as ct1-0/0/0
and the link level type and encapsulation are TDM-CCC-SATOP.
0 best-effort 0 0 0
1 expedited-fo 0 0 0
2 assured-forw 0 0 0
3 network-cont 0 0 0
1 expedited-forwarding
2 assured-forwarding
3 network-control
DS1 alarms : None
DS1 defects : None
SAToP configuration:
Payload size: 192
Idle pattern: 0xFF
Octet aligned: Disabled
Jitter buffer: packets: 8, latency: 7 ms, auto adjust: Disabled
Excessive packet loss rate: sample period: 10000 ms, threshold: 30%
Packet Forwarding Engine configuration:
Destination slot: 0
CoS information:
Direction : Output
CoS transmit queue Bandwidth Buffer Priority
Limit
% bps % usec
0 best-effort 95 1459200 95 0 low
none
3 network-control 5 76800 5 0 low
none
Logical interface t1-0/0/0.0 (Index 308) (SNMP ifIndex 789) (Generation 11238)
For example:
[edit interfaces ]
user@host# set (t1 | e1)–fpc/pic/port unit logical-unit-number
For example:
[edit interfaces]
user@host# set t1-0/0/0 unit 0
[edit interfaces]
user@host# show t1-0/0/0
encapsulation satop;
unit 0;
The following sections describes configuring SAToP on the 12-port Channelized T1/E1
Circuit Emulation PICs:
After a PIC is brought online, interfaces are created for the PIC’s available ports according
to the PIC type and the framing option used:
• If you include the framing t1 statement (for a T1 Circuit Emulation PIC), 12 CT1 interfaces
are created.
• If you include the framing e1 statement (for an E1 Circuit Emulation PIC), 12 CE1 interfaces
are created.
NOTE: If you set the framing option incorrectly for the PIC type, the commit
operation fails.
Circuit Emulation PICs with SONET and SDH ports require prior channelization
down to T1 or E1 before you can configure them. Only T1/E1 channels support
SAToP encapsulation or SAToP options.
Bit error rate test (BERT) patterns with all ones received by T1/E1 interfaces
on Circuit Emulation PICs configured for SAToP do not result in an alarm
indication signal (AIS) defect. As a result, the T1/E1 interfaces remain up.
[edit]
user@host# [edit interfaces e1 fpc-slot/pic-slot/port]
For example:
[edit]
[edit interfaces e1-1/0/0]
For example:
You do not need to configure any cross-connect circuit family because it is automatically
created for the above encapsulation.
To configure loopback capability between the local T1 interface and the remote channel
service unit (CSU), see “Configuring T1 Loopback Capability” on page 170. To configure
loopback capability between the local E1 interface and the remote channel service unit
(CSU), see “Configuring E1 Loopback Capability” on page 167.
[edit]
user@host# edit interfaces e1-fpc-slot/pic-slot/port
For example:
[edit]
user@host# edit interfaces e1-1/0/0
[edit]
user@host# edit satop-options
3. In this hierarchy level, using the set command you can configure the following SAToP
options:
• groups—Specify groups.
NOTE: In this section, we are configuring only one SAToP option. You can
follow the same method to configure all the other SAToP options.
For example:
To verify this configuration, use the show command at the [edit interfaces e1-1/0/0]
hierarchy level:
To configure the TDM pseudowire at the provider edge (PE) router, use the existing
Layer 2 circuit infrastructure, as shown in the following procedure:
[edit]
user@host# edit protocol l2circuit
2. Configure the IP address of the neighboring router or switch, interface forming the
layer 2 circuit and the identifier for the layer 2 circuit.
For example:
3. To verify the configuration use the show command at the [edit protocols l2circuit]
hierarchy level.
After the customer edge (CE)-bound interfaces (for both PE routers) are configured with
proper encapsulation, payload size, and other parameters, the two PE routers try to
establish a pseudowire with Pseudowire Emulation Edge-to-Edge (PWE3) signaling
extensions. The following pseudowire interface configurations are disabled or ignored
for TDM pseudowires:
• ignore-encapsulation
• mtu
When the local interface parameters match the received parameters, and the pseudowire
type and control word bit are equal, the pseudowire is established.
For detailed information about configuring TDM pseudowire, see the Junos OS VPNs
Library for Routing Devices.
For detailed information about PICs, see the PIC Guide for your router.
NOTE: When T1 is used for SAToP, the T1 facility data-link (FDL) loop is not
supported on the CT1 interface device. The is because SAToP does not analyze
T1 framing bits.
The following sections describes configuring SAToP on the 16-Port Channelized E1/T1
Circuit Emulation MIC (MIC-3D-16CHE1-T1-CE).
[edit]
[edit chassis fpc fpc-slot pic pic-slot]
After a MIC is brought online, interfaces are created for the MIC’s available ports on the
basis of the MIC type and the framing option used:
• If you include the framing t1 statement, 16 channelized T1 (CT1) interfaces are created.
• If you include the framing e1 statement, 16 channelized E1 (CE1) interfaces are created.
NOTE: If you set the framing option incorrectly for the MIC type, the commit
operation fails.
Circuit Emulation PICs with SONET and SDH ports require prior channelization
down to T1 or E1 before you can configure them. Only T1/E1 channels support
SAToP encapsulation or SAToP options.
Bit error rate test (BERT) patterns with all binary 1s (ones) received by CT1/CE1 interfaces
on Circuit Emulation MICs configured for SAToP do not result in an alarm indication signal
(AIS) defect. As a result, the CT1/CE1 interfaces remain up.
NOTE: To configure a CE1 port down to the E1 channel, replace ct1 with ce1
and t1 with e1 in the procedure.
[edit]
user@host# edit interfaces ct1-mpc-slot/mic-slot/port-number
For example:
[edit]
user@host# edit interfaces ct1-1/0/0
2. On the CT1 interface, set the no-partition option and then set the interface type as T1.
NOTE: To configure a CE1 port down to a DS channel, replace ct1 with ce1 in
the following procedure.
[edit]
user@host# edit interfaces ct1-mpc-slot/mic-slot/port-number
For example:
[edit]
user@host# edit interfaces ct1-1/0/0
2. Configure the partition, the time slot, and the interface type.
To verify the configuration of the ct1-1/0/0 interface, use the show command at the [edit
interfaces ct1-1/0/0] hierarchy level.
After you partition the DS interface, configure the SAToP options on it. See “Setting the
SAToP Options” on page 198.
Related • Understanding Circuit Emulation Services and the Supported PIC Types
Documentation
• Setting the SAToP Options on page 198
[edit interfaces]
user@host# edit interface ds-fpc/pic/port:partition
For example:
[edit interfaces]
user@host# edit interface ds-0/0/1:1
For example:
When you are finished configuring CESoPSN encapsulation on the DS0 interface, enter
the commit command from configuration mode.
From configuration mode, confirm your configuration by entering the show command.
for example:
[edit interfaces]
user@host# show
ds-1/0/0:1:1 {
encapsulation cesopsn;
unit 0;
}
1. In configuration mode, go to the [edit chassis fpc slot pic slot port slot] hierarchy level.
[edit]
user@host# edit chassis fpc slot pic slot port slot
For example:
[edit]
user@host# edit chassis fpc 1 pic 0 port 0
For example:
After a MIC is brought online, interfaces are created for the MIC’s available ports on the
basis of the MIC type and the framing option used.
• If you include the framing sonet statement, four COC3 interfaces are created when the
speed is configured as coc3-cstm1.
• If you include the framing sdh statement, four CSTM1 interfaces are created when the
speed is configured as coc3-cstm1.
• If you include the framing sonet statement, one COC12 interface is created when the
speed is configured as coc12-cstm4.
• If you include the framing sdh statement, one CSTM4 interface is created when the
speed is configured as coc12-cstm4.
• If you do not specify framing at the MIC level, then the default framing is SONET for
all the ports.
NOTE: If you set the framing option incorrectly for the MIC type, the commit
operation fails.
Bit error rate test (BERT) patterns with all binary 1s (ones) received by CT1/CE1
interfaces on Circuit Emulation MICs configured for CESoPSN do not result
in an alarm indication signal (AIS) defect. As a result, the CT1/CE1 interfaces
remain up.
When configuring COC3 ports down to CT1 channels, on any MIC configured for SONET
framing (numbered 0 through 3), you can configure three COC1 channels (numbered 1
through 3). On each COC1 channel, you can configure a maximum of 28 CT1 channels
and a minimum of 1 CT1 channel based on the time slots.
When configuring COC12 ports down to CT1 channels on a MIC configured for SONET
framing, you can configure 12 COC1 channels (numbered 1 through 12). On each COC1
channel, you can configure 24 CT1 channels (numbered 1 through 28).
To configure COC3 channelization down to COC1 and then down to CT1 channels, include
the partition statement at the [edit interfaces (coc1 | coc3)-mpc-slot/mic-slot/port-number]
hierarchy level:
NOTE: To configure COC12 ports down to CT1 channels, replace coc3 with
coc12 in the following procedure.
[edit]
user@host# edit interfaces coc3-mpc-slot/mic-slot/port-number
For example:
[edit]
user@host# edit interfaces coc3-1/0/0
2. Configure the sublevel interface partition index and the range of SONET/SDH slices,
and set the sublevel interface type as coc1.
For example:
For example:
4. Configure the channelized OC1 interface and the sublevel interface partition index,
and set the interface type as ct1.
[edit interfaces]
user@host# set coc1-1/0/0:1 partition partition-number interface-type ct1
For example:
[edit interfaces]
user@host# set coc1-1/0/0:1 partition 1 interface-type ct1
To verify the configuration, use the show command at the [edit interfaces] hierarchy
level.
[edit interfaces]
user@host# show
coc3-1/0/0 {
partition 1 oc-slice 1 interface-type coc1;
}
coc1-1/0/0:1 {
partition 1 interface-type ct1;
}
To configure CT1 channels down to a DS interface, include the partition statement at the
[edit interfaces ct1-mpc-slot/mic-slot/port-number:channel:channel] hierarchy level:
[edit]
user@host# edit interfaces ct1-mpc-slot/mic-slot/port-number:channel:channel
For example:
[edit]
user@host# edit interfaces ct1-1/0/0:1:1
2. Configure the partition, the time slots, and the interface type.
For example:
NOTE: You can assign multiple time slots on a CT1 interface. In the set
command, separate the time slots by commas and do not include spaces
between them. For example:
To verify this configuration, use the show command at the [edit interfaces ct1-1/0/0:1:1]
hierarchy level.
The value of N is 1 through 24 when a DS0 interface is configured from a CT1 interface.
After you partition the DS interface, configure the CESoPSN options on it. See “Setting
the CESoPSN Options” on page 216.
[edit]
user@host# edit interfaces ds-mpc-slot/mic-slot/ port-number:channel:channel:channel
For example:
[edit]
user@host# edit interfaces ds-1/0/0:1:1:1
2. Configure CESoPSN as the encapsulation type and the logical interface for the DS
interface.
For example:
To verify this configuration, use the show command at the [edit interfaces ds-1/0/0:1:1:1]
hierarchy level.
user@host# show
encapsulation cesopsn;
unit 0;
On any port configured for SDH framing (numbered 0 through 3), you can configure one
CAU4 channel. On each CAU4 channel, you can configure 31 CE1 channels (numbered 1
through 31).
To configure CSTM1 channelization down to CAU4 and then down to CE1 channels,
include the partition statement at the [edit interfaces (cau4 |
cstm1)-mpc-slot/mic-slot/port-number] hierarchy level, as shown in the following example:
[edit]
user@host# edit interfaces cstm1-mpc-slot/mic-slot/port-number
For example:
[edit]
user@host# edit interfaces cstm1-1/0/1
2. On the CSTM1 interface, set the no-partition option, and then set the interface type
as cau4.
For example:
For example:
4. Configure the MPC slot, the MIC slot, and the port for the CAU4 interface. Set the
sublevel interface partition index and set the interface type as ce1.
[edit interfaces]
user@host# set cau4-mpc-slot/mic-slot/port-number partition partition-number
interface-type ce1
For example:
[edit interfaces]
user@host# set cau4-1/0/1 partition 1 interface-type ce1
To verify this configuration, use the show command at the [edit interfaces] hierarchy
level.
[edit interfaces]
user@host# show
cstm1-1/0/1 {
no-partition interface-type cau4;
}
cau4-1/0/1 {
partition 1 interface-type ce1;
}
NOTE: When the port speed is configured as coc12-cstm4 at the [edit chassis
fpc slot pic slot port slot] hierarchy level, you must configure CSTM4 ports
down to CE1 channels.
On a port configured for SDH framing, you can configure one CAU4 channel. On the CAU4
channel, you can configure 31 CE1 channels (numbered 1 through 31).
To configure CSTM4 channelization down to CAU4 and then down to CE1 channels,
include the partition statement at the [edit interfaces
(cau4|cstm4)-mpc-slot/mic-slot/port-number] hierarchy level.
[edit]
user@host# edit interfaces cstm4-mpc-slot/mic-slot/port-number
For example:
[edit]
user@host# edit interfaces cstm4-1/0/0
2. Configure the sublevel interface partition index and the range of SONET/SDH slices,
and set the sublevel interface type as cau4.
For oc-slice, select from the following ranges: 1–3, 4–6, 7–9, and 10–12.
For example:
For example:
4. Configure the MPC slot, the MIC slot, and the port for the CAU4 interface. Set the
sublevel interface partition index and set the interface type as ce1.
[edit interfaces]
user@host# set cau4-mpc-slot/mic-slot/port-number:channel partition
partition-number interface-type ce1
For example:
[edit interfaces]
user@host# set cau4-1/0/0:1 partition 1 interface-type ce1
To verify this configuration, use the show command at the [edit interfaces] hierarchy
level.
[edit interfaces]
user@host# show
cstm4-1/0/0 {
partition 1 oc-slice 1-3 interface-type cau4;
}
cau4-1/0/0:1 {
partition 1 interface-type ce1;
}
To configure CE1 channels down to a DS interface, include the partition statement at the
[edit interfaces ce1-mpc-slot/mic-slot/port:channel] hierarchy level.
[edit]
user@host# edit interfaces ce1-mpc-slot/mic-slot/port:channel
[edit]
user@host# edit interfaces ce1-1/0/0:1:1
2. Configure the partition and the time slots, and set the interface type as ds.
For example:
NOTE: You can assign multiple time slots on a CE1 interface. In the set
command, separate the time slots by commas and do not include spaces
between them. For example:
To verify this configuration, use the show command at the [edit interfaces ce1-1/0/0:1:1
hierarchy level.
The value of N is 1 through 31 when a DS0 interface is configured from a CE1 interface.
[edit]
user@host# edit interfaces ds-mpc-slot/mic-slot/port-number:channel:channel:channel
For example:
[edit]
user@host# edit interfaces ds-1/0/0:1:1:1
2. Configure CESoPSN as the encapsulation type and then set the logical interface for
the ds interface.
For example:
To verify this configuration, use the show command at the [edit interfaces ds-1/0/0:1:1:1]
hierarchy level.
This configuration applies to the mobile backhaul application shown in Mobile Backhaul
Application.
[edit]
user@host# edit interfaces ds-mpc-slot/mic-slot/port<:channel>
For example:
[edit]
user@host# edit interfaces ds-1/0/0:1:1:1
2. Configure CESoPSN as the encapsulation type and set the logical interface for the
DS interface.
For example:
To verify this configuration, use the show command at the [edit interfaces ds-1/0/0:1:1:1]
hierarchy level:
You do not need to configure any circuit cross-connect family because it is automatically
created for the CESoPSN encapsulation.
[edit]
user@host# edit interfaces ds-fpc-slot/pic-slot/port:channel
For example:
[edit]
user@host# edit interfaces ds-1/0/0:1:1:1
[edit]
user@host# edit cesopsn-options
3. At this hierarchy level, using the set command you can configure the following
CESoPSN options:
NOTE: This topic shows the configuration of only one CESoPSN option.
You can follow the same method to configure all the other CESoPSN
options.
For example:
To verify the configuration using the values shown in the examples, use the show
command at the [edit interfaces ds-1/0/0:1:1:1] hierarchy level:
[edit]
user@host# edit protocol l2circuit
2. Configure the IP address of the neighboring router or switch, the interface forming the
Layer 2 circuit, and the identifier for the Layer 2 circuit.
For example:
To verify this configuration, use the show command at the [edit protocols l2circuit]
hierarchy level.
After the customer edge (CE)-bound interfaces (for both PE routers) are configured with
proper encapsulation, packetization latency, and other parameters, the two PE routers
try to establish a pseudowire with Pseudowire Emulation Edge-to-Edge (PWE3) signaling
extensions. The following pseudowire interface configurations are disabled or ignored
for TDM pseudowires:
• ignore-encapsulation
• mtu
When the local interface parameters match the received parameters, and the pseudowire
type and control word bit are equal, the pseudowire is established.
For detailed information about configuring TDM pseudowire, see the Junos OS VPNs
Library for Routing Devices.
For detailed information about PICs, see the PIC Guide for your router.
You can configure a DS interface on a channelized E1 interface (CE1) and then apply
CESoPSN encapsulation for the pseudowire to function. An NxDS0 interface can be
configured from a channelized CE1 interface, where N represents the time slots on the
CE1 interface. The value of N is 1 through 31 when a DS0 interface is configured from a
CE1 interface.
To configure CE1 channels down to a DS interface, include the partition statement at the
[edit interfaces ce1-fpc/pic/port] hierarchy level, as shown in the following example:
[edit interfaces]
user@host# show
ce1-0/0/1 {
partition 1 timeslots 1-4 interface-type ds;
}
After you partition the DS interface, configure the CESoPSN options on it. See “Setting
the CESoPSN Options” on page 216.
[edit interfaces]
user@host# edit interfaces ce1-fpc/pic/port
For example:
[edit interfaces]
user@host# edit interface ce1-0/0/1
2. Configure the partition, the time slot, and the interface type.
For example:
NOTE: You can assign multiple time slots on a CE1 interface; in the
configuration, separate the time slots by comma without spaces. For
example:
For example:
For example:
When you are finished configuring CE1 channels down to a DS interface, enter the commit
command from configuration mode.
From configuration mode, confirm your configuration by entering the show command.
For example:
[edit interfaces]
user@host# show
ce1-0/0/1 {
partition 1 timeslots 1-4 interface-type ds;
}
ds-0/0/1:1 {
encapsulation cesopsn;
unit 0;
}
This configuration applies to the mobile backhaul application shown in Mobile Backhaul
Application.
After a MIC is brought online, interfaces are created for the MIC’s available ports on the
basis of the MIC type and the framing option used.
NOTE: If you set the framing option incorrectly for the MIC type, the commit
operation fails.
Bit error rate test (BERT) patterns with all binary 1s (ones) received by CT1/CE1
interfaces on Circuit Emulation MICs configured for CESoPSN do not result
in an alarm indication signal (AIS) defect. As a result, the CT1/CE1 interfaces
remain up.
[edit]
user@host# edit interfaces ct1-mpc-slot/mic-slot/port-number
For example:
[edit]
user@host# edit interfaces ct1-1/0/0
2. Configure the sublevel interface partition index and the time slots, and set the interface
type as ds.
For example:
NOTE: You can assign multiple time slots on a CT1 interface. In the set
command, separate the time slots by commas and do not include spaces
between them. For example:
To verify this configuration, use the show command at the [edit interfaces ct1-1/0/0]
hierarchy level.
An NxDS0 interface can be configured from a CT1 interface. Here N represents the number
of time slots on the CT1 interface. The value of N is:
After you partition the DS interface, configure CESoPSN options on it. See “Setting the
CESoPSN Options” on page 216.
[edit]
user@host# edit interfaces ds-mpc-slot/mic-slot/ port-number:channel
For example:
[edit]
user@host# edit interfaces ds-1/0/0:1
For example:
For example:
To verify this configuration, use the show command at the [edit interfaces ds-1/0/0:1]
hierarchy level.
Related • 16-Port Channelized E1/T1 Circuit Emulation MIC Overview on page 106
Documentation
• Configuring Hybrid Mode and ESMC Quality Level Mapping on ACX Series
Routers on page 292
• Example: Configuring Hybrid Mode and ESMC Quality Level Mapping on page 295
• Understanding Timing Defects and Event Management on ACX Series on page 301
• Understanding SNMP MIB for Timing on ACX Series on page 303
• Global Positioning System (GPS) and the ACX Series Routers on page 306
• Integrated Global Navigation Satellite System (GNSS) on ACX500 Series
Routers on page 307
• Assisted Partial Timing Support on ACX500 Routers Overview on page 308
Automatic clock selection is the selection of the best quality clock source by the clock
source selection algorithm based on the Ethernet Synchronization Message Channel
(ESMC) Synchronization Status Message (SSM) quality level, the configured quality
level, and the priority.
• Configuration changes. For example, the addition or deletion of a clock source, a change
to the QL mode, and so on.
When the router is configured with automatic clock selection, the system chooses up to
two best upstream clock sources. The system then uses the clock recovered from one
of the sources to lock the chassis clock. If an upstream clock with acceptable good quality
is not available or if the system is configured in free-run mode, the system uses the internal
oscillator.
• QL disabled— In this mode, the best clock is selected based on the configured ESMC
SSM QL. If the QL of the configured clocks are equal, the clock selection is based on
the configured priority. If both the configured QL and priority are equal, one of the
sources is randomly selected. Absence of the quality-mode-enable statement at the
[edit chassis synchronization] hierarchy level means that QL is disabled.
• QL enabled—In this mode, the best clock is selected based on the incoming ESMC
SSM QL as long as the incoming QL is at least as good as the source’s configured QL.
If the QLs are equal, the clock selection is based on the configured priority. If both the
received QL and the priority are equal, one of the sources is selected randomly.
Related • External Clock Synchronization Overview for ACX Series Routers on page 226
Documentation
• Configuring External Clock Synchronization for ACX Series Routers on page 228
Clock Sources
Clocking is an important feature on the ACX Series routers. The ACX Series routers can
be directly connected to different types of base stations (for example, base transceiver
station (BTS) in 2G, NodeB in 3G, and eNodeB in 4G networks) and different types of
routers that hand off time-division multiplexing (TDM, ATM, and Ethernet traffic to the
base station controller. ACX Series routers must extract the network clock from these
sources and pass on synchronization information to the base stations to help the routers
synchronize with the base station controller.
The ACX Series router timing hardware includes two external clock inputs (BITS and
GPS), T1 and E1 ports (FPC 0, PIC 0), Gigabit Ethernet ports (RJ45), Gigabit Ethernet
ports (SFP), and 10-Gigabit Ethernet ports.
NOTE: ACX500 routers do not support TDM, BITS, ATM, T1 or E1, SONET,
and 10-Gigabit Ethernet interfaces.
ACX Series router hardware and software support various clocking options:
• External clocking includes PPS, a choice of GPS-based clock recovery (10 MHz), or
BITS-T1 or E1 line synchronization (1.544 MHz and 2.048 MHz).
NOTE: ACX500 routers do not support 10 MHz in and out. ACX500 routers
supports GPS input through SubMiniature version A (SMA) connector.
• ACX500 routers contain integrated GPS receiver, pulse-per-second (PPS) in and out,
and Gigabit Ethernet ports (RJ45 and SFP).
• Synchronous Ethernet (SyncE) is supported based on the ITU G.8261, G.8262, and
G.8264 specifications with line timing for ge and xe ports.
Synchronous Ethernet is a key requirement for circuit (emulation) services and mobile
radio access technologies. Synchronous Ethernet supports sourcing and transfer of
frequency for synchronization purposes for both wireless and wireline services and is
primarily used for mobile backhaul and converged transport.
• The Precision Time Protocol (PTP) 1588v2—compliant ordinary slave clock estimates
the time offset from the PTP master clock and tries to align its own time and frequency
with that of the master. PTP supports sourcing, transfer of frequency, and phase
synchronization. Also, PTP can be used for mobile backhaul when phase synchronization
is required, such as in Long Term Evolution-Time Division Duplex (LTE-TDD)
infrastructures.
Related • Global Positioning System (GPS) and the ACX Series Routers on page 306
Documentation
• Understanding Interfaces on ACX Series Universal Access Routers on page 94
• Synchronous Ethernet Overview on the ACX Series Universal Access Routers on page 107
• IEEE 1588v2 Precision Timing Protocol (PTP) on ACX Series Universal Access Routers
on page 237
The ACX Series Universal Access routers support external clock synchronization and
automatic clock selection for Synchronous Ethernet, T1 or E1 line timing sources, and
external inputs. Configuring external clock synchronization and automatic clock selection
requires making clock selection, quality level (QL), and priority considerations. The clock
source selection algorithm is used to pick the two best upstream clock sources from
among all the various sources, based on system configuration and execution criteria such
as QL, priority, and hardware restrictions.
NOTE: Automatic clock selection does not apply to the IEEE 1588v2 recovered
clock.
Automatic clock selection is supported on the ACX Series routers. Automatic clock
selection of the best quality clock source is based on the Ethernet Synchronization
Message Channel (ESMC) Synchronization Status Message (SSM) quality level, the
configured quality level, and the priority. To configure automatic clock selection, include
the auto-select option at the [edit chassis synchronization] hierarchy level. You can also
configure the chassis to lock to the free-running local oscillator, which is the Stratum 3E
oscillator, by including the free-run option at the [edit chassis synchronization] hierarchy
level. The auto-select option enables the clock source selection algorithm to run. The
clock source selection algorithm is triggered by the following events:
• Configuration changes. For example, the addition or deletion of a clock source, a change
to the QL mode, and so on.
Automatic clock selection supports two modes on the ACX Series router: QL enabled
and QL disabled. To configure QL mode, include the quality-mode-enable statement at
the [edit chassis synchronization] hierarchy level.
• QL enabled—In this mode, the best clock is selected based on the incoming ESMC
SSM QL as long as the incoming QL is at least as good as the source’s configured QL.
If the QLs are equal, the clock selection is based on the configured priority. If both the
received QL and the priority are equal, one of the sources is selected randomly.
The clock source selection algorithm uses the following logic and restrictions:
• For network-option option-1, QL must be configured for external clocks (gps or bits)
whether or not QL is enabled.
• In the case of network-option option-2, the default QL for the external clocks is QL_STU,
whether or not QL is enabled.
• Configuring priority is optional. When not specified, gps has a higher default priority
than bits, and bits has a higher default priority than Gigabit Ethernet, 10-Gigabit Ethernet,
and T1 or E1 clock, which have the lowest default priority.
• When QL is enabled, the received QL must be equal to or better than the configured
QL for that particular source or else that source will not be considered for clock
selection. This is so that a downstream client is guaranteed clock quality of a certain
level (that “certain level” being the configured QL).
• If QL is the same for two or more sources, then the source with the highest priority is
selected.
• If two or more sources have the same QL and priority, then the currently active source,
if any, among these sources is selected.
• If two or more sources have the same QL and priority, and none of these is currently
active, then any one of these may be selected.
• In order to receive or transmit ESMC messages out of an interface, at least one logical
interface should be configured on that interface. If the interface is currently not
configured with a logical interface, you may do so using the set interfaces interface-name
unit 0 statement at the edit hierarchy level.
Related • Configuring External Clock Synchronization for ACX Series Routers on page 228
Documentation
• Understanding Interfaces on ACX Series Universal Access Routers on page 94
The ACX Series Universal Access Routers support external clock synchronization for
Synchronous Ethernet, T1 or E1 line timing sources, and external inputs. Configuring
external clock synchronization requires making clock selection, quality level (QL), and
priority considerations. The clock source selection algorithm is used to pick the two best
upstream clock sources from among all the various sources, based on system
configuration and execution criteria such as QL, priority, and hardware restrictions.
The network type options set the frequency of the configured clock. When bits is
configured with option-1 on the ACX router, the Synchronous Ethernet equipment is
optimized for 2048 Kbps, the speed of an E1 interface. When bits is configured with
option-2 on the ACX router, the Synchronous Ethernet equipment is optimized for 1544
Kbps, the speed of a T1 interface. To set the clock type, use the following command:
The following output shows an example of the configuration of the network type with
option-1:
[edit]
user@host# show chassis
synchronization {
network-option option-1;
}
Clock mode sets the selection of the clock source from a free-running local oscillator or
from an external qualified clock. The default clock mode is auto-select, which uses the
best clock source. To set the clock mode, use the following command:
[edit]
user@host# show chassis
synchronization {
clock-mode free-run;
}
NOTE: Automatic clock selection does not apply to the IEEE 1588v2 recovered
clock.
Specify the expected quality of the incoming clock on this source. The default is disable.
To set the synchronization quality mode, use the following command:
[edit]
user@host# show chassis
synchronization {
quality-mode-enable;
}
The selection mode specifies whether the clock source selection algorithm should use
the configured or received ESMC SSM quality level for clock selection. In both selection
modes (configured-quality and received-quality), the interface qualifies for clock source
selection only when the received ESMC SSM quality level on the interface is equal to or
greater than the configured ESMC SSM quality level for the interface. To configure the
ESMC SSM quality-based clock source selection mode, use the following command:
[edit]
user@host# show chassis
synchronization {
selection-mode configured-quality;
quality-mode-enable;
}
For routers operating with Synchronous Ethernet , set the time interval to wait before the
router selects a new clock source. After a change in the configuration, the time to wait
is between 15 and 60 seconds. After a reboot (restart), the time to wait is from 60 to 180
seconds. After clock recovery (switchover), the time to wait is from 30 to 60 seconds.
The default switchover time is 30 seconds and cold boot time is 120 seconds. To set the
time interval before a new clock source is selected, use the following command:
[edit]
user@host# show chassis
synchronization {
hold-interval {
configuration-change 20;
}
}
The configured switching mode determines the clock source used. In revertive mode, the
system switches from a lower to a higher quality clock source whenever the higher clock
source becomes available. In non-revertive mode, the system continues to use the current
clock source as long as it is valid. The default mode is revertive. To set the synchronization
switchover mode, use the following command:
The following output shows the configuration of the switchover-mode statement with
the non-revertive option:
[edit]
user@host# show chassis
synchronization {
switchover-mode non-revertive;
}
The configured clock source is the candidate for selection by the clock selection algorithm.
The clock source can be the router’s BITS T1 or E1 interface, GPS, or an interface with an
upstream clock source. To set the clock source, use the following command:
[edit]
user@host# show chassis
synchronization {
network-option option-1;
source {
bits;
}
}
NOTE: For the source statement configuration to take effect, you must set
the network-option (option-1 | option-2) statement at the [edit chassis
synchronization] hierarchy level.
The ESMC transmit interface is the interface on which ESMC transmit messages are
permitted. To enable ESMC packet transmit, use the following command:
[edit]
user@host# show chassis
synchronization {
esmc-transmit {
interfaces ge-0/1/0;
}
}
You can also enable ESMC on all interfaces with the interfaces all statement at the
preceding hierarchy level.
Specify the expected quality of the incoming clock on this source. Specific quality-level
options are valid depending on the configured network-option; option-1 or option-2. Both
option-1 and option-2 SSM quality levels are supported. To set the synchronization source
quality level, use the following command:
[edit]
user@host# show chassis
synchronization {
source {
bits {
quality-level prc;
}
}
}
Specify a priority level between 1 and 5. When not specified, gps has a higher priority than
bits,and bits has a higher default priority than other Gigabit Ethernet or 10 Gigabit Ethernet
clock sources, which have the lowest priority. To set the synchronization source priority,
use the following command:
[edit]
user@host# show chassis
synchronization {
source {
bits {
priority 2;
}
}
}
A wait-to-restore time can be configured for each port. When a port’s signal transitions
out of the signal fail state, it must be fault free for the wait-to-restore time before it is
again considered by the selection process. The range is from 0 through 12 minutes. The
default time is 5 minutes.
To set the synchronization source wait-to-restore time, use the following command:
[edit]
user@host# show chassis
synchronization {
network-option option-1;
source {
interfaces ge-0/1/0 {
wait-to-restore 2;
}
}
}
A lockout may be configured for any source. When a lockout is configured for a source,
that source will not be considered by the selection process. To set the synchronization
source lockout, use the following command:
[edit]
user@host# show chassis
synchronization {
network-option option-1;
source {
bits {
request lockout;
}
}
}
Force a switch to the source provided that the source is enabled and not locked out. Only
one configured source may be force-switched. To set the forced switch, use the following
command:
[edit]
user@host# show chassis
synchronization {
network-option option-1;
source {
bits {
request force-switch;
}
}
}
Related • External Clock Synchronization Overview for ACX Series Routers on page 226
Documentation
• synchronization on page 1739
The IEEE 1588v2 standard defines the Precision Time Protocol (PTP), which is used to
synchronize clocks throughout a network. The standard describes the PTP boundary
clock’s hierarchical master/slave architecture for the distribution of time-of-day.
The boundary clock intercepts and processes all PTP messages and passes all other
traffic. The best master clock algorithm (BMCA) is used by the boundary clock to select
the best configured acceptable master clock that a boundary slave port can see. To
configure a boundary clock, include the boundary statement at the [edit protocols ptp
clock-mode] hierarchy level and at least one master with the master statement and at
least one slave with the slave statement at the [edit protocols ptp] hierarchy level.
Figure 21 on page 235 illustrates two boundary clocks in a network in which the clock flow
is from the upstream node (BC-1) to the downstream node (BC-2).
NOTE: This figure also applies to MX Series routers and QFX Series switches.
g017867
The first boundary clock—BC-1—has four ports. Each port is configured as follows:
• BC-1 P-1 and BC-1 P-4 are boundary slave ports connected to two grandmaster
clocks—OC-1 and OC-5. The grandmasters are included as the clock sources in the
slave port configurations. From the packets received on the slave ports, BC-1 selects
the best master, synchronizes its clock, and generates PTP packets, which are sent
over the master ports—BC-1 P-2 and BC-1 P-3—to the downstream clients.
• BC-1 P-2, a master port, is connected to OC-2, an ordinary remote slave. OC-2 is included
as a clock client in BC-1 P-2’s master configuration, and so receives PTP packets from
BC-1 P-2.
• BC-1 P-3, a master port, is connected to BC-2 P-1, a remote boundary slave port. In this
situation, the master port—BC-1 P-3—is included as a clock source in the configuration
of the boundary slave port—BC-2 P-1. In addition, the boundary slave port—BC-2 P-1—is
included as a clock client in the configuration of the master port—BC-1 P-3. With this
configuration, the boundary slave—BC-2 P1—receives PTP packets from BC-1 P3.
The second boundary clock—BC-2—has three ports. Each port is configured as follows:
• BC-2 P-1 is a boundary slave port connected to the upstream master port—BC-1 P3.
As described previously, BC-2 P-1 receives PTP packets from BC-1 P3. The master
ports—BC-2 P-2 and BC-2 P-3—synchronize their time from the packets received from
BC-2 P1.
• BC-2 P-2 and BC-2 P-3, boundary master ports, are connected to ordinary remote
slaves—OC-3 and OC-4. OC-3 and OC-4 are included as clock clients in the
configuration of the master ports—BC-2 P2 and BC-2 P-3. Both slaves receive PTP
packets from the master boundary port to which they are connected.
In this example, the boundary clock synchronizes its clock from the packets received on
its slave ports from the upstream master. The boundary clock then generates PTP packets,
which are sent over the master port to downstream clients. These packets are
timestamped by the boundary clock by using its own time, which is synchronized to the
selected upstream master.
Clock Clients
A clock client is the remote PTP host, which receives time from the PTP master and is in
a slave relationship to the master.
NOTE: The term slave is sometimes used to refer to the clock client.
An device acting as a master boundary clock supports the following types of downstream
clients:
• Manual client—A manual client is configured with the manual statement at the [edit
protocols ptp master interface interface-name unicast-mode clock-client ip-address
local-ip-address local-ip-address] hierarchy level. A manual client does not use unicast
negotiation to join the master clock. The manual statement overrides the unicast
negotiation statement configured at the [edit protocols ptp] hierarchy level. As soon
as you configure a manual client, it starts receiving announce and synchronization
packets.
• Secure client—A secure client is configured with an exact IP address of the remote PTP
host, after which it joins a master clock through unicast negotiation. To configure a
secure client, include the exact IP address in the clock-client ip-address statement at
the [edit protocols ptp master interface interface-name unicast-mode] hierarchy level.
NOTE: You can configure the maximum number of clients (512 ) in the
following combination:
17.3R1 Starting with Junos OS Release 17.3R1, IEEE 1588v2 boundary clock is
supported on QFX10002 switches.
Related • IEEE 1588v2 Precision Timing Protocol (PTP) on ACX Series Universal Access Routers
Documentation on page 237
The IEEE 1588v2 standard defines the Precision Time Protocol (PTP), which is used to
synchronize clocks throughout a packet-switched network. This synchronization is
achieved through packets that are transmitted and received in a session between a
master clock and a slave clock or remote clock client. The clocks used for the distribution
of accurate time are in an hierarchical master/slave architecture, which includes boundary
clocks, ordinary clocks, and grandmaster clocks. A boundary clock is both a clock source
and a clock client. An ordinary clock is either a clock source or a clock client. However, a
grandmaster clock is always a clock source. An ordinary clock on a device is always a
clock client. In addition, User UDP over IPv4 and unicast mode are used to transport PTP
messages.
• Boundary clock—A boundary clock has multiple network connections and can act as
a source (master) and a destination (slave or clock client) for synchronization messages.
It synchronizes itself to a best master clock through a slave port and supports
synchronization of clients to it on master ports. Boundary clocks can improve the
accuracy of clock synchronization by reducing the number of 1588v2-unaware hops
between the master and the client. Boundary clocks can also be deployed to deliver
better scale because they reduce the number of sessions and the number of packets
per second on the master.
• Ordinary clock—The PTP ordinary clock has a single network connection and can act
as a source (master) or destination (slave or clock client) for synchronization messages.
On devices, the ordinary clock is a slave, which receives synchronization reference
messages from a master, either a grandmaster or a master boundary clock. You cannot
configure an ordinary master on a device. However, a boundary clock can provide time
to the ordinary slave.
• Clock source—A clock source is the PTP master clock to which the slave synchronizes.
The clock source is included in the configuration of the slave clock.
NOTE: The term master is sometimes used to refer to the clock source.
• Clock client—A clock client is the remote PTP host, which receives time from the PTP
master. The clock client is included in the configuration of the master clock.
NOTE: The term slave is sometimes used to refer to the clock client.
• PTP over UDP over IPv4—The IEEE1588v2 standard specifies different transport
protocols for carrying PTP packets. For example, PTP over Ethernet, PTP over UDP
over IPv4, and PTP over UDP over IPv6. ACX Series routers support PTP over UDP over
IPv4.
Precision Time Protocol (PTP) is supported over IEEE 802.3 or Ethernet links on ACX
Series routers. This functionality is supported in compliance with the IEEE 1588-2008
specification. PTP over Ethernet enables effective implementation of packet-based
technology that enables the operator to deliver synchronization services on packet-
based mobile backhaul networks that are configured in Ethernet rings. Deployment of
PTP at every hop in an Ethernet ring by using the Ethernet encapsulation method enables
robust, redundant, and high-performance topologies to be created that enables a highly
precise time and phase synchronization to be obtained.
The ACX Series routers can be directly connected to different types of base stations (for
example, base transceiver station (BTS) in 2G, NodeB in 3G, and eNodeB in 4G networks)
and different types of routers that hand off time- division multiplexing (TDM), ATM, and
Ethernet traffic to the base station controller. ACX Series routers must extract the network
clock from these sources and pass on synchronization information to the base stations
to help the routers synchronize with the base station controller.
Most of the network deployments that use Ethernet contain a minimum of two Ethernet
rings, while some of the network topologies might also contain up to three Ethernet rings.
Consider a scenario in which the first ring contains aggregation routers (MX Series routers)
and the second ring contains access routers (ACX Series routers). In such a network,
about 10 or 12 nodes of MX Series routers and ACX Series routers are present in the
aggregation and access Ethernet rings.
Some of the 4G base stations that are connected to ACX Series routers need to receive
the timing and synchronization information in a packet-based form. Such base station
vendors support only packet interfaces that use Ethernet encapsulation for PTP packets
for time and phase synchronization. Therefore, any node (an ACX Series router) that is
directly connected to a 4G base station must be able to use the Ethernet encapsulation
method for PTP on a master port to support a packet-based timing capability.
PTP over Ethernet encapsulation also facilitates an easier, optimal network deployment
model than PTP over IPv4. Using IPv4, the nodes (master and slave devices) participate
in unicast negotiation in which the slave node is provisioned with the IP address of the
master node and requests unicast messages to be sent to it from the master node. A
master node is the router that functions as the PTP server where the master clock is
located and a slave node is the router that functions as the PTP client where the slave
clock is located. Because PTP over Ethernet uses multicast addresses, the slave node
automatically learns about the master nodes in the network. Also, the slave node is able
to immediately receive the multicast messages from the master node and can begin
sending messages to the master node without the need for any provisioning configuration.
An interface on which the master clock is configured is called a master interface and an
interface on which the slave clock is configured is called a slave interface. A master
interface functions as the master port and a slave interface functions as the slave port.
For PTP over Ethernet, apart from configuring a port or a logical interface to operate as
a master clock or a slave clock, you can also configure a port or a logical interface to
function as both a master clock and a slave clock. This type of port is called a dynamic
port, stateful port, or a bidirectional port. Such a stateful port enables the network to more
efficiently adapt to the introduction and failure of timing sources by forming the shortest
synchronization trees from a particular source. This behavior is implemented as defined
by the best master clock algorithm (BMCA) in the ITU-T G.8265.1 Precision time protocol
telecom profile for frequency synchronization specification.
On both MX Series and ACX Series routers, you can achieve the highest quality
performance if you configure every node in a synchronization chain as a PTP boundary
clock. In Ethernet ring-based topologies, you can configure a port or a logical interface
to function either as a master port or as a slave port to enable redundancy when a node
or link failure occurs. This dynamic port or dual-port functionality is in accordance with
the IEEE 1588-2008 standard and enables the implementation of PTP in data center or
financial applications.
Apart from enabling every node to be available for configuration as a PTP boundary clock,
it is also necessary to enable a logical interface to be configured either as a master port
or a slave port. When you configure a logical interface or even a shared IP address to be
a master port or a slave port, a PTP protocol stack can represent dynamic ports and the
PTP application selects the correct state (master or slave) for any specific port in the
system based on the output of the default PTP BMCA and the states of other ports in
the system.
While an ACX Series router supports the PTP over Ethernet functionality, a Brilliant Grand
Master such as an MX Series router or a TCA Series Timing Client does not support PTP
over Ethernet. In such a scenario, the ACX Series router functions as a boundary clock
with a PTP slave port using IPv4 as the encapsulation mode and master ports using
Ethernet as the encapsulation mode for PTP traffic. For example, consider an ACX Series
router named ACX1 to have two potential slave interfaces, one that is fixed as a slave-only
port using IPv4 on the link toward an MX Series router named MX1, and a dynamic port
that functions as a slave port using PTP over Ethernet on the link toward another ACX
Series router named ACX2. In addition, ACX1 also contains a port that is a master-only
port using PTP over Ethernet and connects to the base station.
Because PTP over Ethernet uses multicast addresses, a slave port can automatically
start receiving the multicast announce messages transmitted by the master ports on a
network and can also start communication with the master node with minimal or no
configuration. Unlike PTP over IPv4 where IP addresses are used to identify the master
and slave ports, with PTP over Ethernet, multicast MAC addresses are used in the
forwarding of PTP traffic. The IEEE 1588 standard defines two types of multicast MAC
addresses 01-80-C2-00-00-0E (link local multicast) and 01-1B-19-00-00-00 (standard
Ethernet multicast) for PTP over Ethernet operations.
• Example: Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic
Ports on page 281
Keep the following points in mind when you configure PTP over Ethernet for multicast
mode of transmission of PTP traffic:
• You can configure a port or a logical interface to be a master clock for PTP over Ethernet
to provide packet-based synchronization to base stations that support time and phase
alignment; this configuration is compliant with Annexure F of the IEEE 1588-2008
specification.
• Two multicast MAC addresses are used for PTP over Ethernet: 01-1B-19-00-00-00
and 01-80-C2-00-00-0E. The first address is a more standard Ethernet MAC address
that is expected to be flooded by all types of Ethernet bridges and switches and also
by a large number of base station vendors. A node with this MAC address can be a
node that does not process PTP packets. The second address is a reserved address in
the IEEE 802.1Q standard for Ethernet encapsulation that is required to be filtered and
not forwarded. This MAC address is used to ensure complete end-to-end support of
PTP, instead of transmission of packets through any network element that does not
support PTP. This address is the default address for G.8275.1 (PTP Profile for time or
phase distribution) and a node with this MAC address is a node that supports processing
of PTP packets.
• PTP packets are sent with the unique MAC address assigned to each port as the MAC
source address. In the PTP packet, the Ethernet frame portion of the packet contains
the Destination MAC field. This field contains either of the two MAC addresses,
01-1B-19-00-00-00 or 01-80-C2-00-00-0E. Also, the Ethernet frame portion contains
the Source MAC field that contains the MAC address of the source port and the
Ethertype field that contains the PTP Ethertype value of 0x88F7. Apart from the
Ethernet frame, the PTP packet contains the PTP payload.
• When you configure a port for PTP over Ethernet to be a slave port, a master port, or
both by having a dynamic port that can be either a master port or a slave port depending
on the states of the other ports in the PTP application, it is possible to build an easily
provisioned, redundant PTP service in an Ethernet ring where every node is configured
as a boundary clock.
• A boundary clock can function as a slave clock to a device using IP (such as a TCA
Series Timing Client or an MX Series router) on one port and can also function as a
slave clock, a master clock, or both on other ports using Ethernet as the encapsulation
method. This behavior occurs within a single PTP domain number.
• Best Master Clock Algorithm (BMCA) and the port state machine are supported to
determine the states of all the ports in a system and the correct state (master or slave)
for a certain port to process PTP packets.
• PTP over Ethernet supports fully redundant and resilient ring-based configurations of
up to 10 nodes for a form of fourth-generation (4G) evolution known as Long-Term
Evolution-Time Division Duplex (LTE-TDD). ACX Series routers support a single node
or link failure and all nodes maintain a phase accuracy of plus or minus 1.5 microseconds
matching a common source.
• You can configure the asymmetry value between the master port and the slave port,
which indicates a value to be added to the path delay value to make the delay
symmetric and equal to the path from the master port to the slave port, on either a
dynamic-state port or a slave-only port.
• You cannot enable PTP over Ethernet on Ethernet interfaces that are configured with
802.1Q VLAN tags or contain a user-configured MAC address.
• While you can configure unique PTP slave interfaces or slave ports with different
encapsulation mechanisms (such as IPv4 and Ethernet), the boundary clock can use
only a single encapsulation method for all of the master ports. Therefore, you must
define either IPv4 or Ethernet encapsulation for all the ports or logical interfaces that
can possibly function as boundary clock masters. Master ports select the link-local
flag based on each port.
• The following limitations apply to the maximum number of ports that you can configure
when you use PTP over Ethernet:
• You can configure a maximum of four slave ports on a router. A slave port or logical
interface is defined as any slave-only port configured for IPv4 or Ethernet, or any
dynamic port configured for Ethernet.
• You can configure up to 29 master ports on a router. A master port or logical interface
is defined as any master-only port configured for IPv4 or Ethernet, or any dynamic
port configured for Ethernet.
• Any logical interface that you configure as a dynamic port is considered to be both
a slave port and a master port, even if it functions only as a slave port or a master
port in a network, when the total number of slave ports and master ports on a router
is computed.
• PTP over Ethernet is compatible with Junos OS releases earlier than Release 12.3X51.
When you perform an upgrade to Release 12.3X51 and later from a previous release on
an ACX Series router, you can modify the slave and master ports previously configured
for IPv4 to enable PTP over Ethernet based on your network needs.
• You cannot configure a fully redundant PTP ring using IP. A fully redundant PTP ring
is supported only when Ethernet encapsulation is used.
• Multiple PTP timing domains are not supported for PTP over Ethernet, similar to PTP
over IPv4. Although a single node can contain interfaces configured for PTP over IPv4
and PTP over Ethernet, both of these interfaces must be part of the same PTP domain.
• Although you can configure a slave port to use either IP or Ethernet simultaneously, a
single slave port is selected based on the announce messages it receives from the
master port and the PTP event packets are exchanged only with a single master port.
• The IPv4 unicast implementation of PTP enables you to limit the number of slave ports
that can be supported simultaneously in the system. With multicast Ethernet-based
implementation, in which the master port is not provisioned with the slave port
information, the master port cannot limit the number of slave ports that it services.
This control must be exercised with proper networking planning and design.
Related • PTP over Ethernet on ACX Series Routers Overview on page 238
Documentation
• Configuring PTP Multicast Master and Slave Ports for Ethernet Encapsulation on
page 274
• Example: Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic
Ports on page 281
In a distributed network, you can configure Precision Time Protocol (PTP) master and
slave clocks to help synchronize the timing across the network. The synchronization is
achieved through packets that are transmitted and received in a session between the
master clock and the slave clock or clock client.
[edit]
user@host# edit protocols ptp
2. Specify the clock as a boundary or ordinary clock. The boundary option signifies that
the clock can be both a master clock and a slave clock. The ordinary option signifies
that the clock is a slave clock.
4. (Optional) Configure the PTP domain with values from 0 through 127. The default
value is 0.
5. (Optional) Specify the DiffServ code point (DSCP) value (0 through 63) for all PTP
IPv4 packets originated by the router. The default value is 56.
For details about configuring the master clock parameters, see “Configuring a PTP
Master Boundary Clock” on page 244.
7. (Optional) Configure the priority value of the clock (0 through 255). This value is used
in selecting the best master clock. The priority1-value is advertised in the master clock’s
announce message to clock clients. The default value is 128.
8. (Optional) Configure the tie-breaker in selecting the best master clock (0 through
255). The priority2 value differentiates and prioritizes the master clock to avoid
confusion when the priority1-value is the same for different master clocks in a network.
The default value is 128.
For information about configuring the slave clock options, see “Configuring a PTP
Slave Clock” on page 254.
10. (Optional) Enable unicast negotiation. Unicast negotiation is a method by which the
announce, synchronization, and delay response packet rates are negotiated between
the master clock and the clock client before a PTP session is established.
NOTE: Unicast negotiation, when enabled, does not allow you to commit
packet rate–related configurations.
• Example: Configuring a PTP Boundary Clock With Unicast Negotiation on page 250
A Precision Time Protocol (PTP) master boundary clock sends PTP messages to the
clients (ordinary and boundary) so that they can establish their relative time offset from
this master’s clock or clock reference. You cannot configure an ordinary master clock on
a device. The master boundary clock synchronizes time through a boundary slave port.
To configure a master boundary clock, you must include the boundary statement at the
[edit protocols ptp clock-mode] hierarchy level and at least one master with the master
statement and at least one slave with the slave statement at the [edit protocols ptp]
hierarchy level.
NOTE: ACX5048 and ACX5096 routers do not support ordinary and boundary
clock.
4. Configure the interface on which to respond to downstream PTP clients and slaves.
For details about configuring the parameters for the master boundary clock interface,
see “Configuring a PTP Master Boundary Clock Interface” on page 246
8. (Optional) Specify the minimum log mean interval between announce messages—from
–0 through 4. The default value is 0.
10. (Optional) Specify the minimum log mean interval between synchronization
messages—from –7 through 4. The default value is –7.
11. (Optional) Specify the log mean interval between synchronization messages—from
–7 through 4. The default value is –6. This configuration is used for manual clock
clients. The master boundary clock sends synchronization messages to manual clock
clients as specified in the syn-interval-value statement.
After you have configured the PTP master boundary clock parameters, enter the commit
command from configuration mode. To complete the configuration of the master
boundary clock, complete “Configuring a PTP Master Boundary Clock Interface” on
page 246.
NOTE: For the configuration to work, the interface you specify must be
configured at the [edit interfaces interface-name] hierarchy level.
3. Configure the IP address of the remote PTP host, or configure a subnet mask so that
any host belonging to that subnet can join the master clock. You can configure up to
512 clients for each master boundary clock.
NOTE: You can configure the maximum number of clients (512 ) in the
following combination:
NOTE: When you toggle from a secure slave to an automatic slave or vice
versa in the PTP configuration of a boundary clock, you need to delete the
existing PTP configuration and issue the commit command, and then you
add a new PTP configuration and issue the commit command.
4. Configure the IP address of the interface acting as the local PTP master.
6. Specify the encapsulation type for PTP packet transport—IPv4. This statement is
mandatory.
After you have configured the PTP master clock interface, enter the commit command
from configuration mode.
This example shows how to configure a Precision Timing Protocol (PTP) boundary clock.
A boundary clock must include the configuration of at least one master and at least one
slave. The boundary master receives time from a remote master through the slave, and
in turn passes that time on to clock clients, which are in a slave relationship to the
boundary master. In this example, you configure a master, slave, clock source, and clock
client.
Requirements
This example uses the following hardware and software components:
NOTE: This example also applies to QFX Series switches. QFX Series switches
do not support Gigabit Ethernet interfaces. Instead, configure PTP boundary
clock parameters on 10-Gigabit Ethernet interfaces.
Overview
In this example, the slave clock or clock client immediately receives announce and
synchronization packets after completion of the configuration.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
6. Specify the IP address and subnet of the remote PTP host, and the IP address of
the local PTP master interface.
NOTE: For the configuration to work, the master interface you specify
must be configured with this IP address at the [edit interfaces
interface-name] hierarchy level.
Results From configuration mode, confirm your configuration by entering the show command. If
the output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
After you have configured the device, enter the commit command from configuration
mode.
• Example: Configuring a PTP Boundary Clock With Unicast Negotiation on page 250
This example shows how to configure a boundary clock with unicast negotiation turned
on and a mixture of manual, secure and automatic clock clients, which have a slave
relationship to the master boundary clock. The unicast negotiation applies to clock
sources, which are configured on the slave or clock client. Clock clients, configured on
the master, are not affected by unicast negotiation.
Requirements
This example uses the following hardware and software components:
NOTE: This example also applies to QFX Series switches. QFX Series switches
do not support Gigabit Ethernet interfaces. Instead, configure PTP boundary
clock parameters on 10-Gigabit Ethernet interfaces.
Overview
A PTP slave clock or clock client can join a master clock with and without unicast
negotiation. With unicast negotiation, the announce, synchronization, and delay response
packet rates are negotiated between the master and the slave or client before a PTP
session is established. Without unicast negotiation and after it is configured, the slave
or client immediately receives announce and synchronization packets.
A clock client is the remote PTP host, which receives time from the PTP master. The
following clock clients are configured in this example:
• Secure client—A secure client is configured with an exact IP address, after which, it
joins a master clock through unicast negotiation. In this example, the clock client
clock-client 117.117.117.117/32 local-ip-address 109.109.109.53 is a secure client, which
means that only this specific host from the subnet can join the master clock through
a unicast negotiation .
• Manual client—A manual client does not use unicast negotiation to join the master
clock. The manual statement overrides the unicast-negotiation statement configured
at the [edit protocols ptp] hierarchy level. As soon as you configure a manual client, it
starts receiving announce and synchronization packets. In this example, the clock client
clock-client 7.7.7.7 local-ip-address 7.7.7.53 manual is the manual client and is configured
on a second master clock interface.
Configuration
A boundary clock must include the configuration of at least one master and at least one
slave. The boundary master receives time from a remote master through the slave, and
in turn passes that time on to clock clients, which are in a slave relationship to the
boundary master. In this example, you configure a boundary slave, two Precision Time
Protocol (PTP) boundary masters with three different kinds of clock clients—automatic,
manual, and secure. Two of the clock clients are configured on the same boundary master.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
3. Configure the local slave interface from which the boundary master receives time
and passes it on to the configured clock clients.
6. Configure the PTP master parameters by specifying the IP address of the PTP
master clock and the IP address of the local interface.
8. On the first master interface, configure the downstream PTP clock clients.
9. On the first master interface, configure the encapsulation type for PTP packet
transport.
10. On the first master interface, configure the PTP master parameters by specifying
the exact IP address of the remote PTP host and the IP address of the local PTP
master interface.
11. On the first master interface, configure a second PTP master by specifying the IP
address and subnet of the second remote PTP host and the IP address of the local
PTP master interface.
12. Configure the second master interface with the following parameters: the
encapsulation type, the downstream PTP host, the IP address of the local PTP
master interface, and the manual statement so that this client does not use unicast
negotiation.
Results From configuration mode, confirm your configuration by entering the show command. If
the output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
After you have configured the device, enter the commit command from configuration
mode.
The slave port that you configure can be a Precision Time Protocol (PTP) boundary or
ordinary clock, depending on the configuration of the clock-mode statement at the [edit
protocols ptp] hierarchy level. An ordinary or boundary slave clock performs frequency
and phase recovery based on received and requested timestamps from a master clock—a
grandmaster or a boundary clock master.
3. (Optional) Specify the rate of announce messages that a PTP slave requests from
the master during a unicast-negotiation session—from 0 through 4. The default value
is 1.
5. (Optional) Override the default PTP clock class to Ethernet Synchronization Message
Channel (ESMC) mapping and specify the quality level for the PTP timing source.
6. (Optional) Enable retrieval of ESMC information from the PTP clock class.
7. (Optional) Specify the logarithmic mean interval in seconds between the delay request
messages sent by the slave to the master—from –6 through 3. The default value is
0.
8. (Optional) Specify the grant duration value. When unicast negotiation is enabled, the
local PTP slave requests announce, synchronization, and delay-response messages
from the master. In each request, the slave asks for the packets to be sent at a specified
rate and the slave provides a duration for which the rate is valid. The grant-duration
value is specified in seconds. The default grant duration is 300 seconds.
For details about configuring the slave interface, see “Configuring the PTP Slave Clock
Interface” on page 257.
10. (Optional) Configure the log mean interval between synchronization messages—from
–6 through -3. The default value is –6 or 64 synchronous interval messages sent per
second
After you have configured the PTP slave clock parameters, enter the commit command
from configuration mode. To complete the configuration of the slave clock, complete
“Configuring the PTP Slave Clock Interface” on page 257.
3. Configure the IP address of the master, which acts as a source of time for this slave.
NOTE: To configure additional master clock sources for the slave, include
the clock-source statement up to four times. However, synchronization is
to only one master clock.
4. Specify the IP address of the interface acting as the local PTP slave port.
NOTE: For the configuration to work, the interface you specify must be
configured with this IP address at the [edit interfaces interface-name]
hierarchy level.
5. Configure the encapsulation type for PTP packet transport. This statement is
mandatory.
After you have configured the PTP slave clock interface, enter the commit command
from configuration mode.
This example shows the base configuration of a Precision Time Protocol (PTP) ordinary
slave clock with unicast-negotiation on an ACX Series router.
Requirements
This example uses the following hardware and software components:
NOTE: This example also applies to QFX Series switches. QFX Series switches
do not support Gigabit Ethernet interfaces. Instead, configure PTP boundary
clock parameters on 10-Gigabit Ethernet interfaces.
Overview
In this configuration, the ordinary slave clock uses unicast-negotiation and compensates
for some network asymmetry.
NOTE: The values in this example are for illustration purposes only. You can
set the values for each parameter according to your requirements.
Configuration
To configure an ordinary slave clock with unicast-negotiation, perform these tasks:
See the output for the show command in the Results section.
Results
[edit protocols]
user@host# show
ptp {
clock-mode ordinary;
domain 110;
unicast-negotiation;
slave {
delay-request -6;
announce-timeout 2;
announce-interval 3;
sync-interval -5;
grant-duration 7200;
interface ge-0/1/0.0 {
unicast-mode {
transport ipv4;
clock-source 10.10.10.50 local-ip-address 10.10.10.75 {
asymmetry -4500;
}
}
}
}
}
Related • IEEE 1588v2 Precision Timing Protocol (PTP) on ACX Series Universal Access Routers
Documentation on page 237
• slave
• unicast-mode
This example shows the base configuration of a Precision Time Protocol (PTP) ordinary
slave clock without unicast-negotiation on an ACX Series router.
Requirements
This example uses the following hardware and software components:
NOTE: This example also applies to QFX Series switches. QFX Series switches
do not support Gigabit Ethernet interfaces. Instead, configure PTP boundary
clock parameters on 10-Gigabit Ethernet interfaces.
Overview
In this configuration, unicast-negotiation is not configured, so the PTP slave has no control
over the rate of the negotiation. The PTP master (a Brilliant Grand Master or an MX Series
router) must be configured with the parameters of the PTP slave, such as announce,
synchronization, and delay-response packets to control the rate of the negotiation.
NOTE: The values in this example are for illustration purposes only. You can
set the values for each parameter according to your requirements.
Configuration
To configure an ordinary slave clock without unicast-negotiation, perform these tasks:
2. Configure the Differentiated Services code point (DSCP) value for all PTP IPv4
packets originated by the device:
See the output for the show command in the Results section.
Results
In this example, the PTP slave on the local interface ge-0/2/0 is assigned a local IP
address of 12.1.1.5. Unicast-negotiation is not configured so the PTP master must be
explicitly configured with the details of the PTP slave (12.1.1.5).
[edit protocols]
user@host# show
ptp {
clock-mode ordinary;
ipv4-dscp 46;
slave {
interface ge-0/2/0.0 {
unicast-mode {
transport ipv4;
clock-source 12.1.1.4 local-ip-address 12.1.1.5;
}
}
}
}
Related • IEEE 1588v2 Precision Timing Protocol (PTP) on ACX Series Universal Access Routers
Documentation on page 237
• slave
• unicast-mode
Junos OS for ACX Series router supports configuring precision time protocol (PTP) over
integrated routing and bridging (IRB). You can configure a boundary clock node with PTP
(IPv4) over IRB in a master-only mode across single or multiple IRB logical interfaces.
1. Configure physical interfaces with Layer 2 encapsulation and create logical units with
VLANs.
[edit bridge-domains]
bd-615 {
vlan-id 615;
interface ge-0/1/2.615;
interface ge-0/2/0.615;
interface ge-0/2/1.615;
interface ge-0/0/3.615;
}
3. Configure a routing instance for the bridge domain where physical interfaces are
members of the bridge domain.
[edit bridge-domains]
bd-615 {
vlan-id 615;
interface ge-0/1/2.615;
interface ge-0/2/0.615;
interface ge-0/2/1.615;
interface ge-0/0/3.615;
routing-interface irb.615;
}
master {
interface ge-0/2/1.0 {
unicast-mode {
transport ipv4;
clock-client 122.25.1.7/32 local-ip-address 122.25.1.6;
}
}
interface irb.615 {
unicast-mode {
transport ipv4;
clock-client 10.255.210.128/27 local-ip-address 10.255.210.130;
}
}
}
You can use the following commands to monitor and troubleshoot the configuration:
• show ptp master detail—View the configured master and its status along with local
and remote client details.
• show bridge domain—View the configured bridge domain and the associated physical
interfaces and IRB routing instance details.
• Example: Configuring a PTP Boundary Clock With Unicast Negotiation on page 250
The Precision Time Protocol (PTP) standardized by IEEE 1588 improves the current
methods of synchronization used within a distributed network. You can use PTP across
packet-based networks including, but not limited to, Ethernet networks. Queuing and
buffering delays in the switch can cause variable delay to packets, which affects path
delay measurements. Queuing delays vary based on the network load and also depend
on the architecture of the switch or the router.
Transparent clocks measure and adjust for packet delay. The transparent clock computes
the variable delay as the PTP packets pass through the switch or the router. The switch
(QFX5100 or EX4600) or the router (ACX5048, or ACX5096 routers) acts as a transparent
clocks only and operates between the master and slave clocks in a distributed network.
Transparent clocks improve synchronization between the master and slave clocks and
ensure that the master and slave clocks are not impacted by the effects of packet delay
variation.
The transparent clock measures the residence time (the time that the packet spends
passing through the switch or the router), and adds the residence time into the correction
field of the PTP packet. The slave clock accounts for the packet delay by using both the
timestamp of when it started and the information in the correction field.
NOTE: ACX5048 and ACX5096 routers support only the one-step process,
which means that the timestamps are sent in one packet.
You can enable or disable a transparent clock globally for the switch or router. With a
global configuration, the same configuration is applied to each interface. If the transparent
clock is disabled, PTP packet correction fields are not updated. If the transparent clock
is enabled, the PTP packet correction fields are updated.
PTP over Ethernet, IPv4, IPv6, unicast, and multicast for transparent clocks are supported.
NOTE: ACX5048 and ACX5096 routers do not support PTP over IPv6 for
transparent clocks.
• Boundary clock
• Ordinary clock
NOTE: ACX Series routers do not support transparent clock over MPLS
switched path.
NOTE: You might notice higher latency when you use copper SFP ports
instead of fiber SFP ports. In this case, you must compensate the latency
introduced by the copper SFP ports for the accurate CF (correction factor)
measurement.
Related • Configuring Transparent Clock Mode for Precision Time Protocol on page 269
Documentation
• e2e-transparent on page 1505
In a distributed network, you can configure transparent clock for Precision Time Protocol
(PTP) for synchronizing the timing across the network. Junos OS supports the
e2e-transparent CLI statement at the [edit protocols ptp] hierarchy level to configure
transparent clock for Precision Time Protocol (PTP).
To configure the transparent clock mode for Precision Time Protocol (PTP):
[edit]
user@host# edit protocols ptp
ACX Series routers supports transparent clock functionality. A Precision Time Protocol
(PTP) Transparent clock measures the residence time of PTP packets as they pass
through router. This residence time is added to the Correction Field of the PTP packet.
The following points need to be considered while configuring a PTP transparent clock in
ACX routers:
NOTE: ACX routers do not support PTPoE over VLANs when it works in
ordinary clock or boundary clock mode.
The PHY timestamping refers to the timestamping of the IEEE 1588 event packets at the
1-Gigabit Ethernet and 10-Gigabit Ethernet PHY. Timestamping the packet in the PHY
results in higher stability of recovered clock. The PHY timestamping on ACX updates the
correction field of the packet. ACX supports PHY timestamping in ordinary clock and
boundary clock modes.
The following points need to be considered while configuring PHY timestamping in ACX
routers:
• PHY timestamping is enabled or disabled on all the PHYs. You cannot selectively
enable or disable PHY timestamping on a particular interface.
• When PHY timestamping is enabled, the transparent clock functionality is also enabled.
NOTE: The PHYs on ACX do not support transparent clock functionality for
PTP-over-MPLS. You should not enable transparent clock or PHY
timestamping if PTP is transported over MPLS.
3. Configure the interface for slave clock. For information on configuring PTP slave clock
interface, see “Configuring a PTP Slave Clock” on page 254.
3. Configure the interface for slave clock. For information on configuring PTP slave clock
interface, see “Configuring a PTP Slave Clock” on page 254.
4. Configure the interface for master clock. For information on configuring PTP master
boundary clock, see “Configuring a PTP Master Boundary Clock” on page 244.
3. Configure the interface for master clock. For information on configuring PTP master
boundary clock, see “Configuring a PTP Master Boundary Clock” on page 244.
The PHY timestamping refers to the timestamping of the IEEE 1588 event packets at the
1-Gigabit Ethernet and 10-Gigabit Ethernet PHY. Timestamping the packet in the PHY
results in higher stability of recovered clock. The PHY timestamping on ACX updates the
correction field of the packet. ACX2200 supports PHY timestamping in boundary clock
mode.
The following points need to be considered while configuring PHY timestamping in ACX
routers:
• PHY timestamping is enabled or disabled on all the PHYs. You cannot selectively
enable or disable PHY timestamping on a particular interface.
• When PHY timestamping is enabled, the transparent clock functionality is also enabled.
NOTE: The PHYs on ACX do not support transparent clock functionality for
PTP-over-MPLS. You should not enable transparent clock or PHY
timestamping if PTP is transported over MPLS.
To enable PHY timestamping on ACX2200 routers, configure boundary clock along with
e2e-transparent CLI statement at the [edit protocols ptp] hierarchy.
3. Configure the interface for slave clock. For information on configuring PTP slave clock
interface, see “Configuring a PTP Slave Clock” on page 254.
4. Configure the interface for master clock. For information on configuring PTP master
boundary clock, see “Configuring a PTP Master Boundary Clock” on page 244.
interfaces bits {
signal-type (2048khz | e1 | t1);
e1-options {
framing (g704 | g704-no-crc4);
}
t1-options {
framing (esf | sf);
}
}
}
Configuring PTP Multicast Master and Slave Ports for Ethernet Encapsulation
On an ACX Series router, you can configure a Precision Time Protocol (PTP) master
boundary clock with IEEE 802.3 or Ethernet encapsulation of PTP messages to the clients
(ordinary and boundary) so that they can establish their relative time offset from this
master's clock or clock reference. PTP over Ethernet uses multicast addresses for
communication of PTP messages between the slave clock and the master clock. The
slave clock automatically learns of master clocks in the network, is immediately able to
receive the multicast messages from the master clock, and can begin sending messages
to the master clock without any pre-provisioning. The master boundary clock synchronizes
time through a slave boundary port.
To configure PTP over Ethernet with multicast master and slave ports, you must include
the multicast-mode transport ieee-802.3 statement at the [edit protocols ptp master
interface interface-name] and [edit protocols ptp slave interface interface-name] hierarchy
levels, respectively.
To configure a PTP over Ethernet master boundary clock and slave boundary clock for
multicast transmission, complete the following tasks:
• Configuring the PTP over Ethernet Master Boundary Clock Parameters on page 275
• Configuring the PTP over Ethernet Master Boundary Clock Interface on page 277
• Configuring the PTP over Ethernet Slave Clock Parameters on page 277
• Configuring the PTP over Ethernet Slave Clock Interface on page 279
4. Configure the interface on which to respond to downstream PTP clients or slave ports.
For details about configuring the parameters for the master boundary clock interface,
see “Configuring the PTP over Ethernet Master Boundary Clock Interface” on page 277
8. (Optional) Specify the minimum log mean interval between announce messages—from
0 through 4. The default value is 0.
10. (Optional) Specify the minimum log mean interval between synchronization
messages—from –7 through 4. The default value is –7.
11. (Optional) Specify the log mean interval between synchronization messages—from
–7 through 4. The default value is –6. This configuration is used for manual clock
clients. The master boundary clock sends synchronization messages to manual clock
clients as specified in the syn-interval-value statement.
After you have configured the PTP master boundary clock parameters, enter the commit
command from configuration mode. To complete the configuration of the master
boundary clock, complete “Configuring the PTP over Ethernet Master Boundary Clock
Interface” on page 277.
1. Configure the interface on which to respond to downstream PTP slave ports or clients.
NOTE: For the configuration to work, the interface you specify must be
configured at the [edit interfaces interface-name] hierarchy level.
2. On this interface, configure multicast as the transmission mode of traffic for PTP
clients.
3. Specify the encapsulation type for PTP packet transport as Ethernet or IEEE 802.3.
This statement is mandatory.
Alternatively, specify the encapsulation type as Ethernet with the link-local multicast
address to be used in the sending of PTP messages. If you specify the link-local
attribute, the master clock chooses either of the two MAC addresses defined in the
IEEE 1588-2008 standard. When you configure this option, the system attempts to
use the 01 -80-C2-00-00-0E MAC address (link-local multicast MAC address) for
multicast transmission. If this MAC address is not available, the 01-1B-19-00-00-00
address (standard Ethernet multicast address) is used as the second priority. The
standard Ethernet multicast address is used by default. You need to explicitly configure
the link-local multicast address.
After you have configured the PTP over Ethernet master clock interface, enter the commit
command from configuration mode.
start receiving the multicast announce messages transmitted by the master ports on a
network and can also start communication with the master port with minimal or no
configuration. You can optionally configure these settings for a slave port that
communicates with the master ports using PTP over Ethernet.
4. (Optional) Specify the logarithmic mean interval in seconds between the delay request
messages sent by the slave port to the master port—from –6 through 3. The default
value is 0.
After you have configured the PTP slave clock parameters, enter the commit command
in configuration mode. To complete the configuration of the slave clock, complete
“Configuring the PTP over Ethernet Slave Clock Interface” on page 279
3. Specify the encapsulation type for PTP packet transport as Ethernet or IEEE 802.3.
This statement is mandatory.
Alternatively, specify the encapsulation type as Ethernet with the link-local multicast
address to be used in the sending of PTP messages. If you specify the link-local
attribute, the master clock chooses either of the two MAC addresses defined in the
IEEE 1588-2008 standard. When you configure this option, the system attempts to
use the 01 -80-C2-00-00-0E MAC address (link-local multicast MAC address) for
multicast transmission. If this MAC address is not available, the 01-1B-19-00-00-00
address (standard Ethernet multicast address) is used as the second priority. The
standard Ethernet multicast address is used by default. You need to explicitly configure
the link-local multicast address.
After you have configured the PTP over Ethernet slave clock interface, enter the commit
command in configuration mode.
Related • PTP over Ethernet on ACX Series Routers Overview on page 238
Documentation
• Guidelines for Configuring PTP over Ethernet on page 240
• Example: Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic
Ports on page 281
For PTP over Ethernet, you can also configure a port to function as both a slave port and
a master port. This type of port is called a dynamic port, a stateful port, or a bidirectional
port. Such a dynamic port enables the transfer of frequency for synchronization services,
in addition to time and phase alignment, when PTP functionality is not hop-by-hop and
you have provisioned master and slave roles or interfaces.
To configure PTP over Ethernet with dynamic or bidirectional ports for multicast mode
of transmission, you must include the multicast-mode statement at the [edit protocols
ptp stateful interface interface-name] hierarchy level.
To enable a node to function as both a master and a slave port in PTP over Ethernet
networks:
1. Configure the interface on which to respond to downstream PTP slave ports or clients.
NOTE: For the configuration to work, the interface you specify must be
configured at the [edit interfaces interface-name] hierarchy level.
3. Specify the encapsulation type for PTP packet transport as Ethernet or IEEE 802.3.
This statement is mandatory.
Alternatively, specify the encapsulation type as Ethernet with the link-local multicast
address to be used in the sending of PTP messages. If you specify the link-local
attribute, the master clock chooses either of the two MAC addresses defined in the
IEEE 1588-2008 standard. When you configure this option, the system attempts to
use the 01 -80-C2-00-00-0E MAC address (link-local multicast MAC address) for
multicast transmission. If this MAC address is not available, the 01-1B-19-00-00-00
address (standard Ethernet multicast address) is used as the second priority. The
standard Ethernet multicast address is used by default. You need to explicitly configure
the link-local multicast address.
After you have configured the PTP over Ethernet slave clock interface, enter the commit
command from configuration mode.
Related • PTP over Ethernet on ACX Series Routers Overview on page 238
Documentation
• Guidelines for Configuring PTP over Ethernet on page 240
• Configuring PTP Multicast Master and Slave Ports for Ethernet Encapsulation on
page 274
• Example: Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic
Ports on page 281
Example: Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic
Ports
In PTP over Ethernet networks, the master sends the announce, synchronization, and
delay-response packets using the multicast method. If any unicast delay-request message
is received, the master disregards the message and does not send delay-response
messages to the slave. A PTP slave receives the multicast announce packets from the
master or multiple masters and determines the best master using Best Master Clock
Algorithm (BMCA). A slave receives and processes the synchronization from the selected
master clock. The slave sends delay-request messages to this master using the multicast
method and processes the delay-response messages from the master to establish
synchronization.
Both the link-local MAC address and the standard 802.3 multicast MAC address can be
present in a system. However, a PTP interface supports only one of the following at a
point in time:
When you configure both IPv4 and Ethernet encapsulation, the unicast-negotiation
configuration applies only to IPv4 encapsulation. It is not effective for PTP over Ethernet
operation.
When you configure a logical interface by using the stateful statement at the [edit
protocols ptp] hierarchy level, each interface that you configure as a stateful or dynamic
port is considered to be both a master and a slave port. Although an ACX Series router
supports up to 32 master ports and 4 slave ports, you can configure only 4 unique logical
interfaces as potential PTP masters by using the stateful statement because the interface
is treated as both a slave and a master interface. You cannot configure the interface that
you specify to be a stateful or dynamic port with the master or slave statements.
This example shows how to configure a master port, slave port, and a dynamic port for
PTP over Ethernet and PTP over IPv4 encapsulation, and how to configure unicast and
multicast mode of transmission of PTP traffic among the master and slave nodes.
Requirements
This example uses the following hardware and software components:
Overview
While an ACX Series router supports the PTP over Ethernet functionality, a Brilliant Grand
Master such as an MX Series router or a TCA Series Timing Client does not support PTP
over Ethernet. Consider a sample deployment in which an ACX Series router named ACX1
functions as a boundary clock with a PTP slave port using IPv4 as the encapsulation
mode and master ports using Ethernet as the encapsulation mode for PTP traffic. ACX1
contains two potential slave interfaces, one that is fixed as a slave-only port using IPv4
on the link toward an MX Series router named MX2, and a dynamic port that functions
as a slave using PTP over Ethernet on the link toward another ACX Series router named
ACX2. In addition, ACX1 also contains a port that is a master-only port using PTP over
Ethernet and connects to the base station.
In this example, the router uses either interface ge-0/2/0.0 or ge-0/2/1.0 as the selected
slave interface based on the announce messages received from the master and the port
that was selected using the Best Master Clock Algorithm (BMCA). The interface ge-0/1/4.0
is always in the master state. According to the IEEE 1588 specification, if port ge-0/2/0.0
is selected as the slave interface, interface ge-0/2/1.0 transitions to the master state. If
interface ge-0/2/1.0is selected as the slave port, interface ge-0/2/0.0 transitions to the
listening state. You can also configure the interface ge-0/1/4.0 as a slave only interface
for PTP over Ethernet, if necessary, for completeness of the configuration.
Configuration
In this example, you configure a master port, a slave port, and a dynamic port for PTP
over Ethernet and PTP over IPv4 encapsulation. You can also configure unicast and
multicast modes of transmission of PTP traffic among the master and slave nodes.
• Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic
Ports on page 283
• Results on page 285
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Configuring PTP over Ethernet for Multicast Master, Slave, and Dynamic Ports
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure the master, slave, and dynamic interfaces, and a boundary clock with unicast
and multicast mode of transmission of PTP packets in PTP over IPv4 and PTP over
Ethernet topologies:
1. Configure the master interface, and enter edit mode for the interface.
[edit interfaces]
user@host#edit ge-0/1/4
5. Configure the slave interface, and enter edit mode for the interface.
[edit interfaces]
user@host#edit ge-0/2/0
9. Configure the stateful interface, and enter edit mode for the interface.
[edit interfaces]
user@host#edit ge-0/2/1
15. Configure the local slave interface from which the boundary master receives time
and passes it on to the configured clock clients.
16. Configure the upstream unicast PTP master clock source parameters.
18. Configure the PTP master parameters by specifying the IP address of the PTP
master clock and the IP address of the local interface.
20. On the master interface, configure multicast transmission for downstream PTP
clock clients.
21. On the master interface, configure the encapsulation type as Ethernet for PTP
packet transport.
23. On the dynamic interface, configure multicast transmission for downstream PTP
clock clients.
24. On the dynamic interface, configure the encapsulation type as Ethernet for PTP
packet transport and the link-local multicast address to be used.
Results
In configuration mode, confirm your configuration by entering the show command. If the
output does not display the intended configuration, repeat the configuration instructions
in this example to correct it.
unicast-mode {
transport ipv4;
clock-source 110.1.1.250 local-ip-address 110.1.1.2;
}
}
}
master {
interface ge-0/1/4.0 {
multicast-mode {
transport ieee-802.3;
}
}
}
stateful {
interface ge-0/2/1.0 {
multicast-mode {
transport ieee-802.3 link-local;
}
}
}
After you have configured the device, enter the commit command in configuration mode.
Verifying the PTP over Ethernet Multicast Dynamic, Master, and Slave Settings
Confirm that the configuration is working properly.
Action In operational mode, enter the run show ptp clock command to display comprehensive,
globally configured clock details.
Meaning The output displays the clock details, such as the encapsulation method used for
transmission of PTP traffic and the number of configured stateful or dynamic ports.
Although a dynamic port functions as either a slave or a master port, the value displayed
in the Stateful Ports field denotes the dynamic ports that you explicitly configured. The
number of dynamic ports is not computed and displayed in the fields that display the
explicitly configured master and slave ports. For more information about the run show
ptp clock operational command, see show ptp clock in the CLI Explorer.
Purpose Verify that the slave clock is aligned to the master clock by checking the lock status of
the slave.
Action In operational mode, enter the run show ptp lock-status command to display the lock
status of the slave.
Meaning The output displays information about the lock status of the slave. The output shows
whether the slave is aligned to the master clock or not, and the interface name configured
for PTP on the slave. The Master Source Port field displays the address of the master
clock when PTP over IPv4 is configured and the multicast MAC address of the source
when PTP over Ethernet is configured. For more information about the run show ptp
lock-status operational command, see show ptp lock-status in the CLI Explorer.
Purpose Verify the PTP options that are set on the slave and the current status of the master.
Action In operational mode, enter the run show ptp slave command to display the configured
slave.
Meaning The output displays information about the configured slave and the status of the slave.
For more information about the show ptp slave operational command, see show ptp slave
in the CLI Explorer.
Verifying the PTP Options and the Current Status of the Master
Purpose Verify the PTP options that are set for the master and its current status.
Action In operational mode, enter the run show ptp master command to display the configured
options for the master.
Meaning The output displays information about the configured master and the current status of
the master. For more information about the run show ptp master operational command,
see show ptp master in the CLI Explorer.
Purpose Verify the number of PTP ports and their current status.
Action In operational mode, enter the run show ptp port command to display the configured
ports.
Meaning The output displays information about the number of ports created according to the
configuration and their current status. The name of the interface configured for PTP and
the number of times a stateful port transitioned from the slave to the master state and
vice versa is displayed. For more information about the run show ptp port operational
command, see show ptp port in the CLI Explorer.
Action In operational mode, enter the run show ptp statistics command to display the statistical
information regarding the configured PTP clocks.
Meaning The output displays brief or detailed information about the operation of configured PTP
clocks. Statistical parameters include information such as the total number of PTP
packets transmitted or received by a master or slave interface and the number of various
messages (such as announce and synchronization messages) that are sent between a
master and a slave. For more information about the show ptp statistics operational
command, see show ptp statistics in the CLI Explorer.
Related • PTP over Ethernet on ACX Series Routers Overview on page 238
Documentation
• Guidelines for Configuring PTP over Ethernet on page 240
• Configuring PTP Multicast Master and Slave Ports for Ethernet Encapsulation on
page 274
The combined operation of Synchronous Ethernet and Precision Time Protocol (PTP) is
also known as hybrid mode. The following sections explain hybrid mode in detail:
Synchronous Ethernet and PTP provide frequency and phase synchronization; however,
the accuracy in the order of nanoseconds is difficult to achieve through PTP or
Synchronous Ethernet and they do not support a large number of network hops. Hybrid
mode resolves these issues by extending the number of network hops and also provides
clock synchronization accuracy in the order of tens of nanoseconds.
Hybrid mode is configured on the slave. On the slave, you can configure one or more
interfaces as Synchronous Ethernet source interfaces.
NOTE: Router clocks are categorized based on the role of the router in the
network. They are broadly categorized into ordinary clocks and boundary
clocks. The master clock and the slave clock are known as ordinary clocks.
The boundary clock can operate as either a master clock or a slave clock.
In hybrid mode, the following show commands display information regarding the hybrid
status configuration:
• The show ptp status details command displays the time and phase plane status.
• The show chassis synchronization extensive command displays the frequency plane
status.
• The show ptp hybrid status command displays the hybrid (combined status of frequency
and phase plane) status.
• In hybrid mode, the show ptp hybrid status and show ptp lock-status commands indicate
the lock status as Phase Aligned in the output.
For information about configuring hybrid mode, see Configuring Hybrid Mode and ESMC
Quality Level Mapping. You can use the show ptp hybrid status operational command to
find the current operating mode.
Supporting Platforms
Hybrid mode is supported on the Juniper Networks ACX Series Universal Access Routers.
The combined operation is possible only when the PTP client and the Synchronous
Ethernet source are on the same device and are traceable to the same primary reference
clock (also known as PRC).
When acting as PTP slaves, the ACX Series routers can accept any external Synchronous
Ethernet clock as reference and do not support building-integrated timing supply (BITS)
input as frequency source in hybrid mode of operation. Only Synchronous Ethernet sources
are allowed in hybrid mode. Note that when the selected Synchronous Ethernet reference
fails, the router continues to work in PTP mode.
Unified in-service software upgrade (unified ISSU) is not supported when clock
synchronization is configured for hybrid mode.
NOTE: To switch between PTP and Synchronous Ethernet modes, you must
first deactivate the configuration for the current mode and then commit the
configuration. Wait for 30 seconds, configure the new mode and its related
parameters, and then commit the configuration.
Related • Guidelines for Configuring Hybrid Mode on ACX Series Routers on page 290
Documentation
• Configuring Hybrid Mode and ESMC Quality Level Mapping on ACX Series Routers on
page 292
• Example: Configuring Hybrid Mode and ESMC Quality Level Mapping on page 295
Keep the following points in mind while configuring hybrid mode on ACX Series routers:
• In a Hybrid Operation, the Frequency Module derives frequency from the Synchronous
Ethernet or BITS (T1/E1) clock or 10 MHz clock and Phase from the IEEE-1588v2
(PTPv2). The current deployments are all LTE-TDD based and require a phase accuracy
of only 1.5us and it is expected that this performance can be achieved without requiring
frequency assist.
• Frequency Plane (Synchronous Ethernet, BITS (T1/E1), 10 MHz) is not impacted by the
phase or time plane. The frequency plane derives the frequency from Synchronous
Ethernet, BITS (T1/E1) and 10 MHz.
• Phase/Time Plane uses the Frequency which is derived locally from the equipment
(Synchronous Ethernet, BITS (T1/E1), 10 MHz). To achieve phase accuracy of less than
1.5us, both Frequency Input source and PTP sources traceable to a primary reference
source (PRS) or primary reference clock (PRC). Hybrid mode is supported in a ring
topology.
• You can configure the following frequency sources for hybrid node:
• BITS T1 Clock
• BITS E1 Clock
• 10 MHz Clock
• T1 Interface
• E1 Interface
• You can configure the following phase sources for hybrid node:
• By enabling the hybrid mode, the convergence time period is reduced and locking
happens quickly.
• You can configure the PTP Source as phase or time source for hybrid mode.
• You can configure Layer 2 rings for PTPoE with stateful ports and Synchronous Ethernet
with ESMC for Layer 2 ring topologies.
• When you enable hybrid mode, each node generates a phase error of or plus or minus
100 nanoseconds (without Phy Timestamping) or plus or minus 50 nanoseconds with
Phy timestamping feature. This phenomenon requires Frequency (SyncE/BITS/10
MHz) source and PTP source must be traceable to same PRC/PRS source.
• Fully redundant and resilient ring based configurations of up to 10 nodes are supported,
targeting the 1 microsecond phase requirement for a form of 4G known as Long-Term
Evolution-Time Division Duplex (LTE-TDD). A single node or link failure is
accommodated and all nodes are able to maintain phase accuracy to be +/- 1us
accurate to a common source.
• Dynamic switchover from Hybrid to PTP mode is not supported in ACX routers.
• BITS T1 Clock with SSM is not supported. BITS E1 Clock with SSM is not supported.
• Hybrid Mode: Time Of Day (TOD) as Phase and Frequency as SyncE/BITS/10 MHz is
not supported. Simultaneous PTP IPv4 Ring and SyncE Hybrid Mode are not supported.
• Hybrid Mode with Phy Timestamping feature is not supported only on ACX500 series
routers.
• When you configure hybrid mode, the following processes take place.
• The best of the configured PTP time sources is selected by the PTP Best Master
Clock Algoritm (BMCA).
• During the boot-up process, if valid sources are configured at the [edit chassis
synchronization] hierarchy level and chassis synchronization mode in free-running
mode, valid PTP source available case, system continues to operate in hybrid mode
( In this case, chassis synchronization is in free-run mode, whereas PTP is in locked
mode). When both primary and secondary frequency sources fail, system still works
under hybrid mode ( In this case, chassis synchronization is in hybrid mode and PTP
is in locked mode).
• Configuring Hybrid Mode and ESMC Quality Level Mapping on ACX Series Routers on
page 292
• Example: Configuring Hybrid Mode and ESMC Quality Level Mapping on page 295
Configuring Hybrid Mode and ESMC Quality Level Mapping on ACX Series Routers
You can configure hybrid mode (that is, the combined operation of Synchronous Ethernet
and Precision Time Protocol (PTP)) on ACX Series routers. The combined operation is
possible only when the PTP client and the Synchronous Ethernet source are on the same
device and are traceable to the same master. When acting as a PTP slave, the router can
accept any external Synchronous Ethernet clock as reference. Note that when the selected
Synchronous Ethernet reference fails, the router continues to work in PTP mode.
In hybrid mode, the synchronous Ethernet equipment clock (EEC) on the MPC derives
the frequency from Synchronous Ethernet and the phase and time of day from PTP.
The hybrid mode is configured on the slave. On the slave, one or more interfaces are
configured as Synchronous Ethernet source interfaces.
The ESMC quality level value is mapped to the clock class value either by mapping the
PTP clock class to the ESMC quality level or by configuring a user-defined mapping of
PTP clock class to ESMC quality level. The following procedures explain configuring
hybrid mode with either of the modes in detail.
• Configure the auto-select mode of operation. You can select the clock source either
from a free-run local oscillator or from an external qualified clock.
When the router is configured with the auto-select option, the router chooses up to
two best upstream clock sources. It then uses the clock recovered from one of the
sources to lock the chassis clock. If an upstream clock with acceptable quality is
not available or if the router is configured in free-run mode, the router uses the
internal oscillator.
• Configure one or more interfaces at the [edit chassis synchronization] hierarchy level
as Synchronous Ethernet sources as needed.
3. Configure hybrid mode options at the [edit protocols ptp slave] hierarchy level.
Configuring Hybrid Mode with Mapping of the PTP Clock Class to the ESMC Quality Level
To configure hybrid mode options with mapping of the PTP clock class to the ESMC
quality level, perform the following steps:
[edit]
user@host# edit protocols ptp slave
4. Configure the upstream unicast PTP master interface and IP address of the clock
source.
5. Configure one or more Synchronous Ethernet source interfaces for the slave as needed.
NOTE: You must first configure these interfaces at the [edit chassis
synchronization] hierarchy level as Synchronous Ethernet sources. For
information about configuring these interfaces, see synchronization (ACX
Series).
Configuring Hybrid Mode with a User-Defined Mapping of the PTP Clock Class to the ESMC
Quality Level
To configure hybrid mode options with a user-defined mapping of the PTP clock class
to the ESMC quality level, perform the following steps:
[edit]
b. Configure the clock-class option for the set quality level. The clock class value
ranges from 80 through 109.
4. Configure the upstream PTP master interface and the IP address of the clock source.
5. Configure one or more Synchronous Ethernet source interfaces for the slave as needed.
NOTE: You must first configure these interfaces at the [edit chassis
synchronization] hierarchy level as Synchronous Ethernet sources. For
information about configuring these interfaces, see synchronization (ACX
Series).
Related • Guidelines for Configuring Hybrid Mode on ACX Series Routers on page 290
Documentation
• Hybrid Mode on ACX Series Routers Overview on page 288
• Example: Configuring Hybrid Mode and ESMC Quality Level Mapping on page 295
This example shows the configuration of hybrid mode by mapping the PTP clock class
to the ESMC quality level and also by configuring a user-defined mapping of the PTP
clock class to the ESMC quality level on ACX Series Routers.
Overview
The combined operation of Synchronous Ethernet and Precision Time Protocol (PTP) is
also known as hybrid mode. In hybrid mode, the synchronous Ethernet equipment clock
(EEC) on the Modular Port Concentrator (MPC) derives the frequency from Synchronous
Ethernet and the phase and time of day from PTP.
You can configure hybrid mode on ACX Series routers. On these routers, the combined
operation is possible only when the PTP slave and the Synchronous Ethernet source are
on the same device and are traceable to the same master. When acting as a PTP slave,
the router can accept any external Synchronous Ethernet clock as reference. Note that
when the selected Synchronous Ethernet reference fails, the router continues to work in
PTP mode.
Hybrid mode is configured on the slave. On the slave, one or more interfaces are configured
as Synchronous Ethernet source interfaces.
NOTE: You can set the values for each parameter according to your
requirement. The values given in this example are for illustration purposes
only.
The ESMC quality level value is mapped to the clock class value either by
mapping the PTP clock class to the ESMC quality level or by configuring a
user-defined mapping of the PTP clock class to the ESMC quality level. The
following examples explain configuring hybrid mode with either of the modes
in detail.
• Configure the auto-select mode of operation. You can select the clock source either
from a free-run local oscillator or from an external qualified clock.
When the router is configured with the auto-select option, the router chooses up to
two best upstream clock sources. It then uses the clock recovered from one of the
sources to lock the chassis clock. If an upstream clock with acceptable quality is
not available or if the router is configured in free-run mode, the router uses the
internal oscillator.
• Configure one or more interfaces at the [edit chassis synchronization] hierarchy level
as Synchronous Ethernet sources as needed.
3. Configure hybrid mode options at the [edit protocols ptp slave] hierarchy level.
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
Configuration
• Hybrid Mode with Mapping of the PTP Clock Class to the ESMC Quality Level on page 296
• Hybrid Mode with a User-Defined Mapping of the PTP Clock Class to the ESMC Quality
Level on page 297
Hybrid Mode with Mapping of the PTP Clock Class to the ESMC Quality Level
CLI Quick To quickly configure hybrid mode on the ge-1/2/3.0 interface with the clock source IP
Configuration address as 2.2.2.2, copy the following commands, paste them in a text file, remove any
line breaks, and then copy and paste the commands into the CLI.
[edit]
Step-by-Step To configure hybrid mode on an ACX Series router with mapping of the PTP clock class
Procedure to the ESMC quality level, perform the following steps:
3. Configure the Synchronous Ethernet mapping option, IP address of the master clock
as 2.2.2.2, and the interface ge-1/2/3.0 for hybrid mode on the slave.
Results Display the results of the configuration of hybrid mode with the mapping of the PTP clock
class to the ESMC quality level:
Hybrid Mode with a User-Defined Mapping of the PTP Clock Class to the ESMC
Quality Level
CLI Quick To quickly configure hybrid mode on the interface ge-1/2/3.0, copy the following
Configuration commands, paste them in a text file, remove any line breaks, and then copy and paste
the commands into the CLI.
[edit]
Step-by-Step To configure hybrid mode with a user-defined mapping of the PTP clock class to the
Procedure ESMC quality level on an ACX Series router, perform the following steps:
3. Configure the IP address of the master clock as 2.2.2.2 , and the interface ge-1/2/3.0
for hybrid mode on the slave.
Results Display the results of the configuration of hybrid mode with a user-defined mapping of
the PTP clock class to the ESMC quality level:
Verification
• Verifying That the Router Is Operating in Hybrid Mode on page 298
• Verifying the Quality Level Change on the Transmit Side on page 299
• Verifying Global Information Parameters After Mapping of the PTP Clock Class to the
ESMC Quality Level in Hybrid Mode on page 299
• Verifying Global Information Parameters After Configuring User-Defined Mapping of
the PTP Clock Class to the ESMC Quality Level in Hybrid Mode on page 300
Action In operational mode, enter the run show ptp hybrid command to display the current
configuration and current mode of operation of the slave.
In operational mode, enter the run show ptp hybrid config command to display the PTP
source to Synchronous Ethernet interface mappings.
In operational mode, enter the run show ptp hybrid status command to display the current
hybrid mode operational status.
Meaning The output displays the current configuration and current mode of operation of the slave.
For information about the run show ptp hybrid operational command, see show ptp
hybrid.
Purpose Verify the quality level change on the transmit side of the router.
Action In operational mode, enter the run show synchronous-ethernet esmc transmit detail
command to display the ESMC transmit interface details.
Meaning The output displays the ESMC SSM quality level transmitted out of various Ethernet
interfaces. For information about the run show synchronous-ethernet esmc transmit detail
operational command, see show synchronous-ethernet esmc transmit.
Verifying Global Information Parameters After Mapping of the PTP Clock Class
to the ESMC Quality Level in Hybrid Mode
Purpose Verify the global information parameters after mapping of the PTP clock class to the
ESMC quality level in hybrid mode by enabling the convert-clock-class-to-quality-level
option.
Action In operational mode, enter the run show ptp global-information command to display the
following output:
In operational mode, enter the run show ptp quality-level-mapping command to display
the following output:
SSU-B 96
SEC 104
Meaning The output for run show ptp global-information displays the parameters set in Synchronous
Ethernet mode and the parameters set for the master and the slave.
The output of run show ptp quality-level-mapping displays the default mapping of the
clock class to the ESMC quality level.
Purpose Verify the global information parameters after configuring a user-defined mapping of
the PTP clock class to the ESMC quality level in hybrid mode by disabling the
convert-clock-class-to-quality-level option.
Action In operational mode, enter the run show ptp global-information command to display the
following output:
Meaning The output displays the parameters set in Synchronous Ethernet mode and the
parameters set for the master and the slave.
Related • Guidelines for Configuring Hybrid Mode on ACX Series Routers on page 290
Documentation
• Hybrid Mode on ACX Series Routers Overview on page 288
• Configuring Hybrid Mode and ESMC Quality Level Mapping on ACX Series Routers on
page 292
Junos OS for ACX Universal Access Routers supports defect and event management
capabilities for timing features. Defects and events are notified in the form of SNMP traps
and these SNMP traps are logged into the system log-file (var/log/snmpd). For each of
the SNMP traps (timing defects and timing events) that are generated, a message is
logged in the clksyncd file (var/log/clksyncd).
Table 34 on page 301 shows the list of SNMP trap notifications for timing defects and
events supported in ACX Universal Access Routers.
Table 34: SNMP trap notifications for timing defects and events
Notification
SNMP Trap Type Description
jnxTimingFaultPtpUniNegRateReject Defects When acting as master, this SNMP trap denotes failure or
rejects clients for signaling messages. When acting as a slave,
this SNMP trap denotes failure or client stops receiving
signaling messages
Table 34: SNMP trap notifications for timing defects and events (continued)
Notification
SNMP Trap Type Description
• INITIALIZING
• ACQUIRING (Master is elected and servo starts acquiring
lock)
• PHASE ALIGNED (Locked to Master)
• FREERUN (no PTP source available)
• HOLDOVER (Slave locked to PTP for more than 12 hours
and then loses all the PTP sources)
• INITIALIZING
• ACQUIRING (Master is elected and servo starts acquiring
lock)
• FREQUENCY LOCKED (Frequency locked but acquiring
phase)
• PHASE ALIGNED (Frequency and phase locked)
To configure and generate timing defects and events trap notifications, include the
timing-events statement at the [edit snmp trap-group trap-group-name categories]
hierarchy level as shown below:
[edit]
snmp {
trap-group <group-name> {
categories {
timing-events;
}
}
}
The following is a sample configuration for SNMP timing in ACX Series routers:
snmp {
trap-options {
source-address 10.216.66.139;
}
trap-group timingGroup {
version v2;
destination-port 8999;
categories {
timing-events;
}
targets {
192.168.120.129;
}
}
traceoptions {
flag all;
}
}
Junos OS for ACX Universal Access Routers supports SNMP get, get-next, and walk
management capabilities for timing features. These capabilities are enabled through the
PTP MIB, SyncE MIB and GPS MIB timing objects.
NOTE: The PTP MIB and SyncE MIB timing objects are grouped under the
jnxTimingNotfObjects SNMP MIB object.
Table 35 on page 304 shows the list of SNMP MIB objects supported for SNMP get, get-next,
and walk management on ACX Universal Access Routers.
Table 35: SNMP MIB Objects for get, get-next, and walk management
SNMP
MIB Object Description
• INITIALIZING
• ACQUIRING
• PHASE ALIGNED
• FREERUN
• HOLDOVER
• FREQUENCY LOCKED
• INITIALIZING
• ACQUIRING (Master is elected and servo starts acquiring lock)
• PHASE ALIGNED (Locked to Master)
• FREERUN (no PTP source available)
• HOLDOVER (Slave locked to PTP for more than 12 hours and then loses
all the PTP sources)
SyncE MIB jnxClksyncQualityCode Denotes the SSM/ESMC quality level of the locked source in decimal format.
jnxClksyncQualityCodeStr Denotes the SSM/ESMC quality level of the locked source in string format
jnxClksyncIfIndex Denotes the interface index of the locked source in decimal format.
jnxClksyncIntfName Denotes the interface name of the locked source in string format.
NOTE:
• The SNMP get and walk management are supported only for scalar objects.
You can use the show chassis synchronization extensive, show ptp lock-status detail, show
snmp mib get <MIB-timing-objects>, and show snmp mib walk jnxTimingNotfObjects show
commands for monitoring and troubleshooting purposes.
The following are the sample show command outputs for reference:
Configured sources:
Interface : ge-0/0/7
Status : Secondary Index : 136
Clock source state : Clk qualified Priority : Default(8)
Configured QL : SEC ESMC QL : PRC
Clock source type : ifd Clock Event : Clock qualified
Interface State : Up,sec,ESMC Rx(SSM 0x2),ESMC TX(QL SEC/SSM 0xb),
Interface : ge-0/1/1
Status : Primary Index : 138
Clock source state : Clk qualified Priority : Default(8)
Configured QL : PRC ESMC QL : PRC
Clock source type : ifd Clock Event : Clock locked
Interface State : Up,pri,ESMC Rx(SSM 0x2),ESMC TX(QL DNU/SSM 0xf)
Configured ports:
Name : auxiliary
Rx status : active
Rx message : TL000001433759011353
Current ToD : Mon Jun 8 10:23:31 2015
Last ToD update : Mon Jun 8 10:23:30 2015
GPS receiver status : Lost Sync
UTC Pending : FALSE
UTC Offset : 35
Configured sources:
Interface : gps
Status : Primary Index : 1
Clock source state : Clk failed Priority : Default(6)
Configured QL : PRC ESMC QL : DNU
Clock source type : extern Clock Event : Clock failed
Interface State : Up,pri
Lock Status:
jnxClksyncIfIndex.0 = 138
jnxClksyncIntfName.0 = ge-0/1/1
jnxClksyncQualityCode.0 = 2
jnxPtpServoState.0 = 1
jnxPtpClass.0 = 6
jnxPtpGmId.0 = 40:b4:f0:ff:fe:42:d5:00
jnxClksyncQualityCodeStr.0 = PRC
jnxPtpServoStateStr.0 = FREERUN
Global Positioning System (GPS) is a navigation aid system that uses signals from
satellites to calculate the actual position of a GPS-capable receiver. These signals are
not only used for determining the position of the receiver on Earth but also as a very
accurate time base. There are GPS receivers with 10-MHz clock frequency output
synchronized to a GPS satellite. The ACX Series router has a SubMiniature version B
(SMB) connector that can take 10-MHz sine-wave input from a GPS receiver. To configure
this 10-MHz clock from a GPS receiver as a candidate clock source for chassis
synchronization, include the gps statement and options at the [edit chassis synchronization
source] hierarchy level.
NOTE: ACX500 routers do not require an external GPS receiver because the
GPS receiver is integrated into the system.
Related • External Clock Synchronization Overview for ACX Series Routers on page 226
Documentation
• Configuring External Clock Synchronization for ACX Series Routers on page 228
Global Navigation Satellite System (GNSS) is a navigation aid system that uses signals
from satellites to calculate the actual position of a GPS-capable receiver. These signals
are not only used for determining the position of the receiver on Earth but also as a very
accurate time base.
The ACX500 series router has the GNSS receiver integrated into the system. This
eliminates the need to have an external GPS receiver. However, you will need a GPS
antenna. The ACX500 series routers support GNSS input through SubMiniature version
A (SMA) connector. You can configure the GNSS port and its associated parameters at
the [edit chassis synchronization] hierarchy level.
You can configure the GNSS port by including the constellation gps] CLI statement at
the [edit chassis synchronization port gnss] hierarchy level. If you do not specify a
constellation option, then the gps constellation option is considered by default.
The following is the [edit chassis synchronization port gnss] hierarchy level:
NOTE:
• The range for cable-length-compensation is from 0 to 50000000
nanoseconds.
• The integrated GNSS receiver in the ACX500 series routers do not support
10-MHz frequency input and output.
ACX500 series routers support grandmaster clock functionality with the integrated GNSS
receiver.
Use the show chassis synchronization gnss command to check the status of the GNSS
receiver. For more information, see show chassis synchronization.
The assisted partial timing support (APTS), which is a Global Navigation Satellite System
(GNSS) backed by Precision Time Protocol (PTP), delivers accurate timing and
synchronization in mobile backhaul networks.
On the ACX500 router, the APTS feature helps you to configure PTP slave ports on a
GNSS grandmaster serving as the PTP master.
APTS uses GNSS as the primary time reference at cell site locations, or at an aggregation
point close to the cell sites. APTS uses network-based timing distribution to assist and
maintain the timing during holdover periods when GNSS is unavailable.
To support this feature, you need an APTS node with GNSS source configured at the
[edit chassis synchronization] hierarchy level and PTP boundary clock configured at the
[edit protocols ptp] hierarchy level as shown below:
The priority of clock source would be GNSS first and then PTP.
You can use the show ptp lock-status detail, show chassis synchronization extensive, and
show chassis synchronization gnss extensive show commands to monitor and troubleshoot
the configurations.
You can enable a router to function as an extended Dynamic Host Configuration Protocol
(DHCP) local server and configure the extended DHCP local server options on the router.
The extended DHCP local server provides an IP address and other configuration
information in response to a client request.
The extended DHCP local server enhances traditional DHCP server operation by utilizing
centralized address-assignment pools. The address-assignment pools are managed
independently of the DHCP local server and can be shared by different client applications.
NOTE: You cannot configure the extended DHCP local server, DHCP client
and extended DHCP relay on the same interface.
To configure the extended DHCP local server on the router, you include the
dhcp-local-server statement at the [edit system services] hierarchy level.
To configure the extended DHCP local server in a routing instance, include the
dhcp-local-server statement at the [edit routing-instances routing-instance-name system
services] hierarchy level.
To configure the extended DHCPv6 server on the router, you include the dhcpv6 statement
at the [edit system services dhcp-local-server] hierarchy level.
To configure the extended DHCPv6 server in a routing instance, include the dhcpv6
statement at the [edit routing-instances routing-instance-name system services
dhcp-local-server] hierarchy level.
• Interaction Among the DHCP Client, Extended DHCP Local Server, and
Address-Assignment Pools on page 315
• Minimal Configuration for Clients on page 316
• DHCP Local Server and Address-Assignment Pools on page 316
Interaction Among the DHCP Client, Extended DHCP Local Server, and Address-Assignment
Pools
In a typical carrier edge network configuration, the DHCP client is on the subscriber’s
computer, and the DHCP local server is configured on the router. The following steps
provide a high-level description of the interaction among the extended DHCP local server,
DHCP client, and address-assignment pools:
1. The DHCP client sends a discover packet to one or more DHCP local servers in the
network to obtain configuration parameters and an IP address for the subscriber.
2. Each DHCP local server that receives the discover packet then searches its
address-assignment pool for the client address and configuration options. Each local
server creates an entry in its internal client table to keep track of the client state, then
sends a DHCP offer packet to the client.
3. On receipt of the offer packet, the DHCP client selects the DHCP local server from
which to obtain configuration information and sends a request packet indicating the
DHCP local server selected to grant the address and configuration information.
4. The selected DHCP local server sends an acknowledgment packet to the client that
contains the client address lease and configuration parameters. The server also installs
the host route and Address Resolution Protocol (ARP) entry, and then monitors the
lease state.
• router—A router located on the client’s subnet. This statement is the equivalent of
DHCP option 3.
• domain name—The name of the domain in which the client searches for a DHCP server
host. This is the default domain name that is appended to hostnames that are not fully
qualified. This is equivalent to DHCP option 15.
• domain name server—A Domain Name System (DNS) name server that is available to
the client to resolve hostname-to-client mappings. This is equivalent to DHCP option
6.
The extended DHCP local server also supports advanced pool matching and the use of
named address ranges. You can also configure the local server to use DHCP option 82
information in the client PDU to determine which named address range to use for a
particular client. The client configuration information, which is configured in the
address-assignment pool, includes user-defined options, such as boot server, grace
period, and lease time.
Configuring the DHCP environment that includes the extended DHCP local server requires
two independent configuration operations, which you can complete in any order. In one
operation, you configure the extended DHCP local server on the router and specify how
the extended DHCP local server determines which address-assignment pool to use. In
the other operation, you configure the address-assignment pools used by the extended
DHCP local server. The address-assignment pools contain the IP addresses, named
address ranges, and configuration information for DHCP clients. See Configuring
Address-Assignment Pools for details about creating and using address-assignment
pools.
NOTE: The extended DHCP local server and the address-assignment pools
used by the server must be configured in the same routing instance.
NOTE: You can apply DHCP configurations on Integrated Routing and Bridging
(IRB) interfaces.
Related • DHCP Local Server Handling of Client Information Request Messages on page 335
Documentation
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
You can configure named address ranges within an address-assignment pool. A named
range is a subset of the overall address range. A client application can use named ranges
to manage address assignment based on client-specific criteria. For example, for IPv4
address-assignment pools, you might create a named range that is based on a specific
DHCP option 82 value. Then, when a DHCP client request matches the specified option
82 value, an address from the specified range is assigned to the client.
You can link address-assignment pools together to provide backup pools for address
assignment. When the primary pool is fully allocated, the router or switch automatically
switches to the linked, or secondary, pool and begins allocating addresses from that
pool.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
1. Configure the address-assignment pool name and specify the addresses for the pool.
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
To configure an address-assignment pool, you must specify the name of the pool and
configure the addresses for the pool.
1. Configure the name of the pool and specify the IPv4 family.
[edit access]
user@host# edit address-assignment pool pool-name family inet
2. Configure the network address and the prefix length of the addresses in the pool.
1. Configure the name of the pool and specify the IPv6 family.
[edit access]
user@host# edit address-assignment pool pool-name family inet6
2. Configure the network address and the prefix length of the addresses in the pool.
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
You can optionally configure multiple named ranges, or subsets, of addresses within an
address-assignment pool. During dynamic address assignment, a client can be assigned
an address from a specific named range. To create a named range, you specify a name
for the range and define the address range.
1. Specify the name of the address-assignment pool and the IPv4 family.
[edit access]
user@host# edit address-assignment pool isp_1 family inet
2. Configure the name of the range and the lower and upper boundaries of the addresses
in the range.
1. Specify the name of the address-assignment pool and the IPv6 family.
[edit access]
user@host# edit address-assignment pool isp_1 family inet6
2. Configure the name of the range and the lower and upper boundaries of the addresses
in the range.
You can optionally create a static IPv4 address binding by reserving a specific address
for a particular client. The address is removed from the address-assignment pool so that
it is not assigned to another client. When you reserve an address, you identify the client
host and create a binding between the client MAC address and the assigned IP address.
1. Specify the name of the IPv4 address-assignment pool containing the IP address you
want to reserve for the client.
[edit access]
user@host# edit address-assignment pool pool-name family inet
2. Specify the name of the client for the static binding, the client MAC address, and the
IP address to reserve for the client.
This configuration specifies that the client with MAC address 90:00:00:01:00:01 is
always assigned IP address 192.168.44.12.
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
Table 36 on page 321 describes the DHCP client attributes that you can use with the
dhcp-attributes statement when you configure address-assignment pools.
tftp-server Trivial File Transfer Protocol (TFTP) server that the client 150
uses to obtain the client configuration file.
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
You can specify the match order in which the extended DHCP local server uses the client
data to determine the address-assignment pool that provides the IP address and
configuration for a DHCP client. You use the pool-match-order statement to specify the
match order. If you do not specify the pool-match-order, the router uses the default
ip-address-first matching to select the address pool. After the DHCP local server
determines the address assignment pool to use, the server performs the matching based
on the criteria you specified in the pool configuration.
In the default ip-address-first matching, the server selects the address-assignment pool
to use by matching the IP address in the client DHCP request with the network address
of the address-assignment pool. If the client request contains the gateway IP address
(giaddr), the local server matches the giaddr to the address-assignment pool’s address.
If there is no giaddr in the request, then the DHCP local server matches the IP address of
the receiving interface to the address of the address-assignment pool.
For IPv4 address-assignment pools, you can optionally configure the extended DHCP
local server to match the DHCP relay agent information option (option 82) in the client
DHCP packets to a named range in the address-assignment pool used for the client.
Named ranges are subsets within the overall address-assignment pool address range,
which you can configure when you create the address-assignment pool.
NOTE: To use the DHCP local server option 82 matching feature with an IPv4
address-assignment pool, you must ensure that the option-82 statement is
included in the dhcp-attributes statement for the address-assignment pool.
You can optionally include the option-82-strict method in the pool-match-order statement
for matching the address-assignment pool. If you include the option-82-strict method,
the extended DHCP local server applies the ip-address-first matching method first and
then uses the option-82 method to select the address-assignment pool. The
ip-address-first method must be specified before the option-82-strict method in the
pool-match-order list.
To configure the matching order the extended DHCP local server uses to determine the
address-assignment pool used for a client:
2. Specify the pool matching methods in the order in which the router performs the
methods. You can specify the methods in any order. All methods are optional—the
router uses the ip-address-first method by default.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
Subscriber management enables you to specify that DHCP local server assign a particular
address to a client. For example, if a client is disconnected, you might use this capability
to assign the same address that the client was using prior to being disconnected. If the
requested address is available, DHCP assigns it to the client. If the address is unavailable,
the DHCP local server offers another address, based on the address allocation process.
DHCP local server supports the specific address request feature. DHCP local server uses
DHCP option 50 in DHCP DISCOVER messages to request a particular address.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
on page 338
You use the dhcp-attributes statement to configure DHCP client-specific attributes for
address-assignment pools. DHCP Attributes for Address-Assignment Pools describes the
supported attributes you can configure for IPv4 address-assignment pools.
[edit access]
user@host# edit address-assignment pool isp_1 family inet
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
You use the group feature to group together a set of interfaces and then apply a common
DHCP configuration to the named interface group. The extended DHCP local server
supports interface groups.
3. Specify the names of one or more interfaces on which the extended DHCP application
is enabled. You can repeat the interface interface-name statement to specify multiple
interfaces within the group, but you cannot use the same interface in more than one
group.
4. (Optional) You can use the upto option to specify a range of interfaces for a group.
5. (Optional) You can use the exclude option to exclude a specific interface or a specified
range of interfaces from the group. For example:
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
This topic describes guidelines to consider when configuring interface ranges for named
interface groups for a DHCP local server. The guidelines refer to the following configuration
statement:
• The start subunit, interface interface-name, serves as the key for the stanza. The
remaining configuration settings are considered attributes.
• If the subunit is not included, an implicit .0 subunit is enforced. The implicit subunit is
applied to all interfaces when autoconfiguration is enabled. For example, interface
ge-2/2/2 is treated as interface ge-2/2/2.0.
• Ranged entries contain the upto option, and the configuration applies to all interfaces
within the specified range. The start of a ranged entry must be less than the end of the
range. Discrete entries apply to a single interface, except in the case of
autoconfiguration, in which a 0 (zero) subunit acts as a wildcard.
• Interface stanzas defined within the same router context are dependent and can
constrain each other—both DHCP local server and DHCP relay are considered. Interface
stanzas defined across different router contexts are independent and do not constrain
one another.
• Each interface stanza, whether discrete or ranged, has a unique start subunit across a
given router context. For example, the following configuration is not allowed within
the same group because ge-1/0/0.10 is the start subunit for both.
• Two groups cannot share interface space. For example, the following configuration is
not allowed because the three stanzas share the same space and interfere with one
another—interface ge-1/0/0.26 is common to all three.
• Two ranges cannot overlap, either within a group or across groups. Overlapping occurs
when two interface ranges share common subunit space but neither range is a proper
subset of the other. The following ranges overlap:
• A range can contain multiple nested ranges. A nested range is a proper subset of
another range. When ranges are nested, the smallest matching range applies.
• Discrete interfaces take precedence over ranges. In the following example, interface
ge-1/0/0.20 takes precedence and enforces an interface client limit of 5.
You can include the interface and overrides statements at the [edit system services
dhcp-local-server group group-name] hierarchy level to set group-specific DHCP local
server configuration options, and at the [edit system services dhcp-local-server] hierarchy
level to set global DHCP local server configuration options. Statements configured at
the [edit system services dhcp-local-server group group-name] hierarchy level apply only
to the named group of interfaces, and override any global DHCP local server settings
configured with the same statements at the [edit system services dhcp-local-server]
hierarchy level.
In a routing instance, include the interface and overrides statement at the [edit
routing-instances <routing-instance-name> system services dhcp-local-server group
group-name] hierarchy level.
• interface—Specify one or more interfaces, or a range of interfaces, that are within the
specified group.
• overrides—Override the default configuration settings for the extended DHCP local
server. For information, see Overriding Default DHCP Local Server Configuration Settings.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
Subscriber management enables you to override certain default DHCP local server
configuration settings. You can override settings at the global level or in a routing instance
level, for a named group of interfaces, or for a specific interface within a named group.
• To override global default DHCP local server configuration options, include the overrides
statement and its subordinate statements at the [edit system services dhcp-local-server]
hierarchy level. In a routing instance, include the overrides statement and its subordinate
statements at the [edit routing-instances routing-instance-name system services
dhcp-local-server] hierarchy level.
• To override DHCP local server configuration options for a named group of interfaces,
include the statements at the [edit system services dhcp-local-server group group-name]
hierarchy level. In a routing instance, include the statements at the [edit
routing-instances <routing-instance-name> system services dhcp-local-server group
group-name] hierarchy level.
• To override DHCP local server configuration options for a specific interface within a
named group of interfaces, include the statements at the [edit system services
dhcp-local-server group group-name interface] hierarchy level. In a routing instance,
include the statements at the [edit routing-instances routing-instance-name system
services dhcp-local-server group group-name interface] hierarchy level.
Global override:
Per-interface override:
2. (Optional) Override the maximum number of DHCP clients allowed per interface.
See “Specifying the Maximum Number of DHCP Clients Per Interface” on page 331.
• Configuring a Named Address Range for Dynamic Address Assignment on page 320
• Specifying the Maximum Number of DHCP Clients Per Interface on page 331
You can delete override settings for DHCP local server globally or at a routing instance,
for a named group, or for a specific interface within a named group. You can delete a
specific override setting or all overrides.
To delete a specific DHCP override setting at a particular hierarchy level, include the
overrides statement with the appropriate subordinate statements. For example, to delete
the DHCP local server override no-arp setting for a group named marin20:
In a routing instance, you can delete a specific DHCP override setting at the [edit
routing-instances routing-instance-name system services dhcp-local-server] hierarchy
level.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Specifying the Maximum Number of DHCP Clients Per Interface on page 331
By default, there is no limit to the number of DHCP local server clients allowed on an
interface. However, you can override the default setting and specify the maximum number
of clients allowed per interface, in the range 1 through 500,000. When the number of
clients on the interface reaches the specified limit, no additional DHCP Discover PDUs
are accepted. When the number of clients subsequently drops below the limit, new clients
are again accepted.
In a routing instance, you can configure the maximum number of DHCP clients allowed
per interface at the [edit routing-instances routing-instance-name system services
dhcp-local-server overrides] hierarchy level.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
By default, DHCP populates the ARP table with the MAC address of a client when the
client binding is established. However, you might choose to use the DHCP no-arp
statement to hide the subscriber MAC address information, as it appears in ARP table
entries.
When running in a trusted environment (that is, when not using the no-arp statement),
DHCP populates the ARP table with unique MAC addresses contained within the DHCP
PDU for each DHCP client:
In distrusted environments, you can specify the no-arp statement to hide the MAC
addresses of clients. When you specify the no-arp statement, DHCP does not
automatically populate the ARP table with MAC address information from the DHCP
PDU for each client. Instead, the system performs an ARP to obtain the MAC address of
each client and obtains the MAC address of the immediately attached device (for example,
a DSLAM). DHCP populates the ARP table with the same interface MAC address (for
example, MAC X from a DSLAM interface) for each client:
In a routing instance, you can disable ARP table population at the [edit routing-instances
<routing-instance-name> system services dhcp-local-server overrides] hierarchy level.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
This topic provides an introduction to the optional Dynamic Host Configuration Protocol
(DHCP) auto logout feature and includes the following sections:
Auto logout is particularly useful when DHCP uses long lease times for IP address
assignments and to help avoid allocating duplicate IP addresses for a single client. For
example, you might have an environment that includes set-top boxes (STBs) that are
often upgraded or replaced. Each time an STB is changed, the new STB repeats the DHCP
discover process to obtain client configuration information and an IP address. DHCP
views the new STB as a completely new client and assigns a new IP address—the previous
IP address assigned to the client (the old STB) remains blocked and unavailable until
the lease expires. If auto logout is configured in this situation, DHCP recognizes that the
new STB is actually the same client and then immediately releases the original IP address.
To explicitly identify clients, auto logout uses a secondary identification method when
the primary identification method is unsuccessful—the primary method is considered
unsuccessful if the MAC address or client identifier does not match that of an existing
client. The secondary identification method is based on the DHCP option 60 and option
82 information in DHCP discover messages.
Both the primary and secondary identification methods use subnet information to
differentiate between clients. The primary identification method differentiates between
two clients with the same MAC address (or the same client identifier) if the clients are
on different subnets. Similarly, the secondary identification method considers two clients
as different if they have the same option 60 and option 82 information, but different
subnets.
The DHCP local server immediately releases the existing address when auto logout is
enabled and the secondary identification method identifies a duplicate client (that is,
the discover packet is from an existing client).
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
You can configure the extended DHCP local server to automatically log out DHCP clients.
Auto logout immediately releases an existing client when DHCP receives a discover
packet that has the same DHCP option 60 and DHCP option 82 information as the existing
client. DHCP then releases the existing client IP address without waiting for the normal
lease expiration.
NOTE: When the existing client is released, the new client undergoes the
normal discovery process. The new client might not receive the same IP
address as the original client.
In a routing instance, you can configure DHCP client auto logout at the [edit
routing-instances routing-instance-name system services dhcp-local-server overrides]
hierarchy level.
NOTE: If you change the auto logout configuration, existing clients continue
to use the auto logout setting that was configured when they logged in. New
clients use the new setting.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
Dynamic Host Configuration Protocol (DHCP) clients that already have externally provided
addresses might solicit further configuration information from a DHCP server by sending
a DHCP information request that indicates what information is desired. By default, DHCP
local servers ignore any DHCP information requests that they receive. You can override
this default behavior to enable processing of these messages. Include the process-inform
statement at the [edit system services dhcp-local-server overrides] hierarchy level.
The information requested by the clients has typically been configured with the
dhcp-attributes statement for an address pool defined by the address-assignment pool
pool-name statement at the [edit access] hierarchy level.
When you enable processing of DHCP information requests, you can optionally specify
the name of the pool from which the local server retrieves the requested configuration
information for the client.
DHCP local server responds to the client with a DHCP acknowledgment message that
includes the requested information—if it is available. No subscriber management is
applied as a result of the DHCP information request message.
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
By default, DHCP local server do not respond to information request messages from the
client. You can enable DHCP local server to process these messages and respond to
them with an acknowledgment (ack or reply message, respectively) and the requested
information.
See “Configuring DHCP Client-Specific Attributes” on page 325 for details about how to
configure the information sought by clients that send information request messages.
2. (Optional) Specify a pool name from which DHCP information is returned to the client.
In a routing instance, you can enable processing of DHCP client information request
messages at the [edit routing-instances routing-instance-name system services
dhcp-local-server overrides] hierarchy level.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
• Specifying the Maximum Number of DHCP Clients Per Interface on page 331
You can configure the router to maintain DHCP subscribers when an event occurs that
normally results in the router deleting the subscriber. For example, by default, the router
logs out DHCP subscribers when a Packet Forwarding Engine reboot or crash occurs.
However, if you configure the router to maintain subscribers, the router identifies each
subscriber that was on the deleted interface, and resumes normal packet processing for
the subscriber when the interface is restored.
NOTE: Subscribers are logged off as usual when their lease expires, even If
the router is configured to maintain subscribers and the subscriber is on a
deleted interface that has not yet been restored.
You configure the router to maintain subscribers on a global basis— the configuration
applies to DHCP local server in all routing instances. When you enable the maintain
subscribers feature, the router applies the feature to existing subscribers as well as
subscribers who later connect.
If the maintain subscribers feature is enabled on the router, you can explicitly delete a
subscriber binding and log out the subscriber by either specifying a lease expiration
timeout or by using the following command:
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
• Verifying and Managing the DHCP Maintain Subscribers Feature on page 339
Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
You can specify a configuration in which the router does not log out a subscriber when
the subscriber’s interface is deleted.
To configure the router to maintain DHCP subscribers when the subscriber interface is
deleted:
Related • Subscriber Binding Retention During Interface Delete Events on page 337
Documentation
• Understanding Dynamic Reconfiguration of Extended DHCP Local Server Clients on
page 341
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
• Verifying and Managing the DHCP Maintain Subscribers Feature on page 339
Purpose Display information related to the DHCP maintain-subscribers feature and explicitly log
out maintained clients.
Action • To display DHCP local server binding information for the DHCP maintain subscribers
feature:
• To explicitly log out a DHCP local server subscriber when the maintain subscriber
feature is enabled:
Related • Verifying and Managing DHCP Local Server Configuration on page 349
Documentation
When ACX series router functioning as a DHCP local server reboots, by default, all the
subscriber binding information is lost. You can configure ACX series router to preserve
the subscriber binding information to a file in /var/preserve and when the router reboots,
the DHCP local server reads the file and restores the subscriber binding information and
resumes normal packet processing for the subscriber.
The persistent-storage statement under the [edit system processes dhcp-service] hierarchy
level allows you to assign a name for the file. By default, the file is named as
jdhcpd_client_data. The persistent-storage statement under the [edit system processes
dhcp-service] hierarchy level allows you to configure the frequency (between 1 to 48
hours) to backup the file. By default, a new file is generated every 24 hours from the
commit time. On committing the persistent-storage statement, the existing file will be
renamed with a new file in the /var/preserve directory.
NOTE: A commit error will be shown if you try to configure the file with a
name that is already present in the /var/preserve directory.
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
• Verifying and Managing the DHCP Maintain Subscribers Feature on page 339
• Configuring DHCP Local Server to Preserve Subscriber Binding Information on page 340
You can configure a DHCP local server to preserve subscriber binding information so that
subscriber information is not lost upon router reboot. The configuration is a global setting
for each routing instance.
system services {
dhcp-local-server {
persistent-storage automatic
}
}
}
system processes {
dhcp-service {
persistent-storage {
file-name;
backup;
}
}
}
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
Dynamic reconfiguration of clients enables the extended DHCP local server to initiate a
client update without waiting for the client to initiate a request.
For example, suppose a service provider restructured its addressing scheme or changed
the server IP addresses that it provided to clients. Without dynamic reconfiguration, the
service provider typically clears the DHCP server binding table, but cannot inform the
DHCP clients that their bindings have been cleared. Consequently, the DHCP client
operates as though its IP address is still valid, but it is now unable to communicate over
the access network, resulting in an outage. The DHCP local server has to wait for the
client to send a message to renew its lease or rebind to the server. In response, the server
sends a NAK message to the client to force it to begin the DHCP connection process
again. Alternatively, the provider can wait for customers to make a service call about the
network failures and then instruct them to power cycle their customer premises equipment
to reinitiate the connection. Neither of these actions is timely or convenient for customers.
When the local server state machine starts the reconfiguration process on a bound client,
the client transitions to the reconfiguring state and the local server sends a forcerenew
message to the client. Because the client was in the bound state before entering the
reconfiguring state, all subscriber services, such as forwarding and statistics, continue
to work. Client statistics are not maintained in the interval between a successful
reconfiguration and the subsequent client binding. When the server responds to the client
renewal request with a NAK, the client entry is removed from the binding table and final
statistics are reported. New statistics are collected when the client sends a discover
message to establish a new session.
• To enable dynamic reconfiguration with default reconfiguration values for all DHCP
clients, include the reconfigure statement at the [edit system services dhcp-local-server]
hierarchy level for DHCPv4 clients. In a routing instance, include the reconfigure
• Alternatively, to enable dynamic reconfiguration for only the DHCP clients serviced by
a specified group of interfaces, include the reconfigure statement at the [edit system
services dhcp-local-server group group-name] hierarchy level for DHCPv4 clients. In a
routing instance, include the reconfigure statement at the [edit routing-instances
routing-instance-name system services dhcp-local-server group group-name] hierarchy
level
You can optionally modify the behavior of the reconfiguration process by including the
appropriate statements at the [edit system services dhcp-local-server reconfigure]
hierarchy level for all DHCPv4 clients. To override this global configuration for only the
DHCP clients serviced by a specified group of interfaces, you can include the statements
with different values at the [edit system services dhcp-local-server group group-name
reconfigure] hierarchy level for DHCPv4 clients.
In a routing instance, you can optionally modify the behavior of the reconfiguration process
by including the appropriate statements at the [edit routing-instances
<routing-instance-name> system services dhcp-local-server reconfigure] hierarchy level
for all DHCPv4 clients. To override this global configuration for only the DHCP clients
serviced by a specified group of interfaces, you can include the statements with different
values at the [edit routing-instances <routing-instance-name> system services
dhcp-local-server group group-name reconfigure] hierarchy level for DHCPv4 clients.
Include the attempts statement to specify how many times the local server sends the
forcerenew or reconfigure message to initiate client reconfiguration. Include the timeout
statement to set the interval between the first and second attempts. The interval between
each subsequent attempt doubles the previous value. For example, if the first value is 2,
the first retry is attempted 2 seconds after the first attempt fails. The second retry is
attempted 4 seconds after the first retry fails. The third retry is attempted 8 seconds
after the second retry fails, and so on.
By default, the DHCP client’s original configuration is restored if all of the reconfiguration
attempts fail. Include the clear-on-abort statement to delete the client instead.
You can force the local server to initiate the reconfiguration process for clients by issuing
the request dhcp server reconfigure command for DHCPv4 clients. Command options
determine whether reconfiguration is then attempted for all clients or specified clients.
Events that take place while a reconfiguration is in process take precedence over the
reconfiguration. Table 39 on page 343 lists the actions taken in response to several different
events.
Table 39: Action Taken for Events That Occur During a Reconfiguration
Event Action
Server receives a discover message from the client. Server drops packet and deletes client.
Server receives a request, renew, rebind, or init-reboot DHCPv4—Server sends NAK message and
message from the client. deletes client.
The clear dhcp server binding command is issued. Server deletes client.
Related • Configuring Dynamic Reconfiguration of DHCP Clients to Avoid Extended Outages Due
Documentation to Server Configuration Changes on page 344
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
The DHCP local server can initiate reconfiguration of its clients to avoid extended outages
because of server configuration changes. In addition to requesting that the DHCP local
server initiate reconfiguration, you can specify the reconfiguration behavior.
See “Configuring Dynamic Reconfiguration Attempts for DHCP Clients” on page 345.
In a routing instance, you can configure dynamic reconfiguration of DHCP clients at the
[edit routing-instances routing-instance-name system services dhcp-local-server] hierarchy
level.
Related • Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
Documentation on page 338
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
You can configure how many attempts the local server makes to initiate reconfiguration
of the DHCP client by sending forcerenew messages. You can also specify how long the
server waits between attempts. By default, eight attempts are made and the initial interval
is two seconds.
Each successive attempt doubles the interval between attempts. For example, if the first
value is 2, the first retry is attempted 2 seconds after the first attempt fails. The second
retry is attempted 4 seconds after the first retry fails. The third retry is attempted 8
seconds after the second retry fails, and so on. A group configuration takes precedence
over a DHCP local server configuration.
(Optional) To configure DHCP local server reconfiguration behavior for all DHCP clients:
To override the global configuration for a particular group of clients, include the
statements at the [edit system services dhcp-local-server group group-name reconfigure]
hierarchy level.
In a routing instance, you can configure reconfiguration attempts for all DHCP clients at
the [edit routing-instances <routing-instance-name> system services dhcp-local-server
reconfigure] hierarchy level.
Related • Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
Documentation on page 338
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
You can configure the local server to delete the client when the maximum number of
reconfiguration attempts has been made without success. By default, the client’s original
configuration is restored.
(Optional) To configure the DHCP local server to delete the client when reconfiguration
is not successful, for all clients:
To override the global configuration for a particular group of clients, include the statement
at the [edit system services dhcp-local-server group group-name reconfigure] hierarchy
level.
To override the configuration for a particular group of clients in a routing instance, include
the statement at the [edit routing-instances routing-instance-name system services
dhcp-local-server group group-name reconfigure] hierarchy level.
Related • Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
Documentation on page 338
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
You can request that the DHCP local server initiate reconfiguration of all of clients or only
specified clients.
You can use any of the following methods to request reconfiguration of specific clients:
• Specify a routing instance; reconfiguration is attempted for all clients or the specified
clients in this routing instance.
Related • Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
Documentation on page 338
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
This topic provides the procedure you use to display current DHCP bindings, clear selected
bindings, and verify that the specified bindings are successfully cleared.
Subscriber management enables you to clear DHCP bindings at several different levels
for DHCP local server. For example, you can clear the DHCP bindings on all interfaces, a
group of interfaces, or a specific interface. You can also clear DHCP bindings based on
IP address, MAC address, session-ID, port, or VLAN.
This topic includes examples to show several variations of the clear DHCP binding feature.
1. Display current bindings. Issue the appropriate variation of the show dhcp server binding
command.
To display the current bindings in a routing instance, issue the show dhcp server binding
routing-instance name
To clear current bindings in a routing instance, issue the clear dhcp server binding
routing-instance name
To verify the current bindings in a routing instance, issue the show dhcp server binding
routing-instance name
The following examples show variations of the clear DHCP binding feature. The examples
use the DHCP local server version of the commands.
To clear all bindings over an interface. This example uses the wildcard option.
To clear bindings on top of a specific VLAN. This example clears all bindings on top of
VLAN 100.
To clear all bindings on a port. This example uses the wildcard feature and clears all
DHCP bindings on FPC 1, PIC 0, port 0.
• Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events
on page 338
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
• Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings on page 347
Purpose View or clear information about client address bindings and statistics for the extended
DHCP local server.
NOTE: If you delete the DHCP server configuration, DHCP server bindings
might still remain. To ensure that DHCP bindings are removed, issue the clear
dhcp server binding command before you delete the DHCP server configuration.
Action • To display the address bindings in the client table on the extended DHCP local server:
• To clear the binding state of a DHCP client from the client table on the extended DHCP
local server:
To support source MAC address filtering for blocking unknown DHCP clients, specify the
list of MAC addresses in the source-address-filter statement:
source-address-filter {
mac-address;
}
If you want to enable source address filtering, use the source-filtering statement.
If you don’t want to enable source address filtering, use the no-source-filtering statement.
To check packets dropped due to source MAC filtering, use the run show interfaces
interface-name extensive show command.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
The Junos OS trace operations feature tracks general authentication service operations
and records events in a log file. By default, the tracing operation is inactive. To trace
general authentication service processes, you specify flags in the traceoptions statement
at the [edit system processes general-authentication-service] hierarchy level. The default
tracing behavior is the following:
• Important events are logged in a file located in the /var/log directory. By default, the
router uses the filename authd. You can specify a different filename, but you cannot
change the directory (/var/log) in which trace files are located.
• When the trace log file filename reaches 128 kilobytes (KB), it is compressed and
renamed filename.0.gz. Subsequent events are logged in a new file called filename,
until it reaches capacity again. At this point, filename.0.gz is renamed filename.1.gz and
filename is compressed and renamed filename.0.gz. This process repeats until the
number of archived files reaches the maximum file number. Then the oldest trace
file—the one with the highest number—is overwritten.
You can optionally specify the number of trace files to be from 2 through 1000. You
can also configure the maximum file size to be from 10 KB through 1 gigabyte (GB). For
more information about how log files are created, see the System Log Explorer.
• By default, only the user who configures the tracing operation can access log files. You
can optionally configure read-only access for all users.
The general authentication service tracing operations are described in the following
sections:
• Specify the name of the file used for the trace output.
Configuring the Number and Size of General Authentication Service Processes Log Files
You can optionally specify the number of compressed, archived trace log files to be from
2 through 1000. You can also configure the maximum file size to be from 10 KB through
1 gigabyte (GB); the default size is 128 kilobytes (KB).
The archived files are differentiated by a suffix in the format .number.gz. The newest
archived file is .0.gz and the oldest archived file is .(maximum number)-1.gz. When the
current trace log file reaches the maximum size, it is compressed and renamed, and any
existing archived files are renamed. This process repeats until the maximum number of
archived files is reached, at which point the oldest file is overwritten.
For example, you can set the maximum file size to 2 MB, and the maximum number of
files to 20. When the file that receives the output of the tracing operation, filename,
reaches 2 MB, filename is compressed and renamed filename.0.gz, and a new file called
filename is created. When the new filename reaches 2 MB, filename.0.gz is renamed
filename.1.gz and filename is compressed and renamed filename.0.gz. This process repeats
until there are 20 trace files. Then the oldest file, filename.19.gz, is simply overwritten
when the next oldest file, filename.18.gz is compressed and renamed to filename.19.gz.
• Specify the name, number, and size of the file used for the trace output, by including
the files and size options with the traceoptions statement.
To explicitly set the default behavior, in which the log file can only be read by the user
who configured tracing:
Flag Description
The extended DHCP local server supports tracing operations. DHCP tracing operations
track extended DHCP operations and record them in a log file. The error descriptions
captured in the log file provide detailed information to help you solve problems.
You can configure DHCP trace operations at the global level and at the interface level.
Global DHCP tracing logs all DHCP-related events, whereas interface-level tracing logs
only interface-specific DHCP events. If you configure interface-level trace operations,
you can specify tracing for a range of interfaces or an individual interface. However, only
a single interface-level log file is supported. That is, you cannot specify different
interface-level log files for different interfaces or groups of interfaces.
By default, nothing is traced. When you enable the tracing operation, the default tracing
behavior is as follows:
• Important events for both global and per-interface tracing are logged in a file located
in the /var/log directory. By default, the router uses the filename, jdhcpd. You can
specify a different filename, but you cannot change the directory in which trace files
are located.
• When the trace log file filename reaches 128 kilobytes (KB), it is compressed and
renamed filename.0.gz. Subsequent events are logged in a new file called filename,
until it reaches capacity again. At this point, filename.0.gz is renamed filename.1.gz and
filename is compressed and renamed filename.0.gz. This process repeats until the
number of archived files reaches the maximum file number. Then the oldest trace
file—the one with the highest number—is overwritten.
You can optionally specify the number of trace files to be from 2 through 1000. You
can also configure the maximum file size to be from 10 KB through 1 gigabyte (GB).
(For more information about how log files are created, see the System Log Explorer.)
• By default, only the user who configures the tracing operation can access log files. You
can optionally configure read-only access for all users.
The tracing configuration is applied globally to DHCP local server in every LS:RI.
Configuration of event tracing on a per-LS:RI basis is not supported. DHCP tracing is
configurable only in the default LS:RI. However, the DHCP local server do not have to be
configured in the default LS:RI.
For information about configuring per-interface tracing options, see “Tracing Extended
DHCP Operations for Specific Interfaces” on page 358.
The extended DHCP traceoptions operations are described in the following sections:
The archived files are differentiated by a suffix in the format .number.gz. The newest
archived file is .0.gz and the oldest archived file is .(maximum number)-1.gz. When the
current trace log file reaches the maximum size, it is compressed and renamed, and any
existing archived files are renamed. This process repeats until the maximum number of
archived files is reached, at which point the oldest file is overwritten.
For example, you can set the maximum file size to 2 MB, and the maximum number of
files to 20. When the file that receives the output of the tracing operation, filename,
reaches 2 MB, filename is compressed and renamed filename.0.gz, and a new file called
filename is created. When the new filename reaches 2 MB, filename.0.gz is renamed
filename.1.gz and filename is compressed and renamed filename.0.gz. This process repeats
until there are 20 trace files. Then the oldest file, filename.19.gz, is simply overwritten
when the next oldest file, filename.18.gz is compressed and renamed to filename.19.gz.
DHCP local server supports the files and size options for the traceoptions statement and
the interface-traceoptions statement. To configure the number and size of trace files:
• Specify the name, number, and size of the file used for the trace output for global
tracing operations.
• Specify the name, number, and size of the file used for the trace output for per-interface
tracing operations.
DHCP local server supports the world-readable option and the no-world-readable option
for the traceoptions statement and the interface-traceoptions statement. To specify that
all users can read the log file:
To explicitly set the default behavior, in which the log file can only be read by the user
who configured tracing:
DHCP local server supports the match option for the traceoptions statement and the
interface-traceoptions statement. To configure regular expressions to be matched:
DHCP local server supports the flag option for the traceoptions statement and the
interface-traceoptions statement. A smaller set of flags is supported for interface-level
tracing than for global tracing. To configure the flags for the events to be logged:
Configuring the Severity Level to Filter Which Extended DHCP Messages Are Logged
The messages associated with a logged event are categorized according to severity level.
You can use the severity level to determine which messages are logged for the event
type. A low severity level is less restrictive—filters out fewer messages—than a higher
level. When you configure a severity level, all messages at that level and all higher (more
restrictive) levels are logged.
The following list presents severity levels in order from lowest (least restrictive) to highest
(most restrictive). This order also represents the significance of the messages; for
example, error messages are of greater concern than info messages.
• verbose
• info
• notice
• warning
• error
The severity level that you configure depends on the issue that you are trying to resolve.
In some cases you might be interested in seeing all messages relevant to the logged
event, so you specify all. You can also specify verbose with the same result, because
verbose is the lowest (least restrictive) severity level; it has nothing to do with the
terseness or verbosity of the messages. Either choice generates a large amount of output.
You can specify a more restrictive severity level, such as notice or info to filter the
messages. By default, the trace operation output includes only messages with a severity
level of error.
DHCP local server supports the level option for the traceoptions statement and the
interface-traceoptions statement. To configure the flags for the events to be logged:
Configuring per-interface tracing is a two-step procedure. In the first step, you specify
the tracing options that you want to use, such as file information and flags. In the second
step, you enable the tracing operation on the specific interfaces.
• Configure the name for the file used for the trace output.
See “Configuring the Number and Size of Extended DHCP Log Files” on page 355.
See “Configuring Access to the Extended DHCP Log File” on page 355.
d. (Optional) Configure a severity level for messages to specify which event messages
are logged.
See “Configuring the Severity Level to Filter Which Extended DHCP Messages Are
Logged” on page 357.
A Dynamic Host Configuration Protocol (DHCP) client can obtain its TCP/IP settings and
the IP address from a DHCP local server. The DHCP server provides the configuration
parameters to requesting DHCP clients in the form of an address-lease offer.
For a router to operate as a DHCP client, you configure a logical interface on the router
to obtain an IP address from the DHCP server in the network. You can configure the
vendor class ID, lease time, DHCP server address, retransmission attempts, and retry
interval configuration attributes. You can also renew DHCP client releases.
An ACX Series router acting as a DHCP client obtains IP address and other configuration
parameters from a DHCP local server. Upon receiving an IP address from the DHCP server,
the DHCP client automatically adds an access internal default route. Unless specific
server is configured in client configuration, DHCP client accepts the PDUs from the first
DHCP server response.
In a routing instance, if there multiple interfaces acting as DHCP client, default route and
domain name server configured in the system will be the one created by last DHCP client.
DHCP client options and address pools are configured in a centralized address pool
server. For DHCP clients connected though Ethernet interfaces, the DHCP server
automatically adds an access internal host route once the DHCP client obtains an address,
specifying the interface as the outbound interface. The route is automatically removed
once the DHCP client lease time expires or when the DHCP client releases the address.
Typically, a DHCP server uses the client and option 82 information from DHCP PDUs to
assign IP addresses and send other client configuration information.
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
[edit interfaces]
ge-0/0/0 {
unit 0 {
family inet {
dhcp-client
}
}
}
2. Configure the DHCP client identifier prefix as the routing instance name.
5. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.
8. Propagate DHCP options received from an external DHCP server to a local DHCP
server. By default, this option is not turned on.
• To display the address bindings in the client table on the DHCP client:
• To clear the binding state of a DHCP client from the client table on the DHCP client:
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
In some network environments, client IDs and MAC addresses might not be unique,
resulting in duplicate clients. For example, two network adapters might be manufactured
with the same hardware address, resulting in a duplicate MAC address among the DHCP
clients attached to the router. A duplicate DHCP client occurs when a client attempts to
get a lease, and that client has the same client ID or the same MAC address as an existing
DHCP client.
When an extended DHCP local server receives a request from a new client that has a
duplicate ID or MAC address, the DHCP server terminates the address lease for the existing
client and returns the address to its original address pool. The DHCP server then assigns
a new address and lease to the new client.
By default, a DHCP local server uses the subnet information to differentiate between
duplicate clients. However, in some cases, this level of differentiation is not adequate.
For example, when multiple subinterfaces share the same underlying loopback interface
with the same preferred source address, the interfaces appear to be on the same subnet.
In this situation, the default configuration prevents duplicate clients.
You can provide greater differentiation between duplicate clients by configuring DHCP
to consider the client subinterface when duplicate clients occur. In this optional
configuration, DHCP uniquely identifies:
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
This topic describes the guidelines for configuring Dynamic Host Configuration Protocol
(DHCP) to include the client subinterface in order to distinguish between duplicate clients
(clients with the same MAC address or client ID) in a subscriber access environment.
When configuring DHCP duplicate client support, consider the following guidelines:
• The optional DHCP duplicate client support feature is used for DHCPv4 clients. For
DHCPv6, client identification is independent of MAC address.
• DHCP relay must be configured to insert option 82, regardless of whether or not the
incoming packet has option 82.
• The DHCP server must echo option 82 in the server’s reply. This is required because
of the following:
• The giaddr inserted by DHCP relay is the same for duplicate clients on different
subinterfaces. The DHCP local server uses option 82 when allocating the IP address.
• DHCP relay uses the echoed option 82 to learn the client subinterface and to
construct the client key.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Specifying the Maximum Number of DHCP Clients Per Interface on page 331
• Configuring Deletion of the Client When Dynamic Reconfiguration Fails on page 346
You can optionally configure a DHCP local server to include a client subinterface when
distinguishing between two clients that have the same MAC address or client ID. The
configuration is a global setting for each routing instance.
• DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 362
• Guidelines for Configuring Support for DHCP Duplicate Clients on page 363
You can configure extended DHCP relay options on the ACX Series router and enable
the router to function as a DHCP relay agent. A DHCP relay agent forwards DHCP request
and reply packets between a DHCP client and a DHCP server. DHCP relay agents are
used to forward requests and replies between clients and servers that do not reside in
the same physical subnet. The forwarding of DHCP packets that the DHCP relay agent
performs differs from the normal forwarding of IP packets that a router performs. Unlike
IP forwarding in which IP datagrams are switched between networks in a slightly
transparent manner, a DHCP relay agent receives DHCP messages and generates a new
DHCP message to send out on another interface. The DHCP relay agent sets the gateway
address (giaddr field of the DHCP packet), adds the DHCP relay agent information option
(option 82) in the packet, if it is present, and forwards it to the DHCP server.
The DHCP relay agent information option (option 82) enables you to include additional
useful information in the client-originated DHCP packets that the DHCP relay forwards
to a DHCP server. When the DHCP relay agent information option is enabled, the DHCP
relay adds the option 82 information to packets it receives from clients, then forwards
the packets to the DHCP server. The DHCP server uses the option 82 information to
decide which IP address to assign to the client—the DHCP server might also use
information in the option 82 field for additional purposes, such as determining which
services to grant to the client. The DHCP server sends its reply back to the DHCP relay,
which removes the option 82 information field from the message, and then forwards the
packet to the client.
DHCP relay agents eliminate the need to configure a DHCP server in each physical network.
In mobile backhaul networks, most of the base station vendors might use DHCP as the
address assignment protocol for different types of base stations (for example, base
transceiver station (BTS) in 2G, NodeB in 3G, and eNodeB in 4G networks). In such
networks, you can configure ACX Series routers to operate as a DHCP relay agent to
forward DHCP requests and acknowledgements between the base station and the DHCP
server.
To configure the DHCP relay agent on the router for IPv4 packets, include the dhcp-relay
statement at the [edit forwarding-options] hierarchy level. You can also include the
dhcp-relay statement at the [edit routing-instances routing-instance-name
forwarding-options] hierarchy level.
To verify and manage DHCP relay agent settings: you can use the following operational
commands:
The following DHCP functionalities are not supported on ACX Series routers:
• DHCP snooping to enable the router differentiate between trusted and untrusted
interfaces.
• The DHCP relay agent does not add VPN identifiers to the incoming DHCP requests
before it relays them to the DHCP server. Therefore, transmission of DHCP packets
between different virtual routing and forwarding (VRF) instances is not supported.
• Overriding default DHCP relay agent configuration options by including the overrides
statement and its subordinate statements at the [edit forwarding-options dhcp-relay],
[edit forwarding-options dhcp-relay group group-name], and [edit forwarding-options
dhcp-relay group group-name interface] hierarchy levels.
The DHCP functionality supports the DHCP vendor class identifier option (option 60).
This support allows DHCP relay to compare option 60 strings in received DHCP client
packets against strings that you configure on the router. You can use the DHCP relay
option 60 feature when providing converged services in your network environment—option
60 support enables DHCP relay to direct client traffic to the specific DHCP server (the
vendor-option server) that provides the service that the client requires. Otherwise, as
another option, you can configure option 60 strings to direct traffic to the DHCP local
server in the current virtual router.
For example, you might have an environment in which some DHCP clients require only
Internet access, while other clients require IPTV service. The clients that need Internet
access get their addresses assigned by the DHCP local server on the router (in
equal-access mode). Clients requiring IPTV must be relayed to a specific DHCP server
that provides the service. To support both types of clients, you configure two option 60
strings on the DHCP relay. Now, when any DHCP client packets are received with option
60 strings configured, the strings are matched against all strings configured on the DHCP
relay. If the client string matches the first string you configured, that client is directed to
the DHCP local server and gains Internet access. Client traffic with an option 60 string
that matches your second string is relayed to the DHCP server that provides the IPTV
service. In addition, you can configure a default action, which DHCP relay performs when
a client option 60 string does not match any strings you have configured—for example,
you might specify that all clients with non-matching strings be dropped.
The DHCPv6 relay agent enhances the extended DHCP relay agent by providing DHCP
support in an IPv6 network. DHCPv6 relay agents eliminate the necessity of having a
DHCPv6 server on each physical network. An ACX Series router configured as a DHCPv6
relay agent passes messages between the DHCPv6 client and the DHCPv6 server, similar
to the way a DHCP relay agent supports an IPv4 network.
The DHCPv6 relay agent is compatible with the extended DHCP local server and the
extended DHCP relay agent, and can be enabled on the same interface as either the
extended DHCP local server or DHCP relay agent.
To configure a DHCPv6 relay agent on the ACX Series routers, include the dhcpv6
statement at the [edit forwarding-options dhcp-relay] hierarchy level. You can also include
the dhcpv6 statement at the [edit routing-instances routing-instance-name
forwarding-options] hierarchy level.
Use the following operational commands to verify and manage DHCPv6 relay agent
settings:
The following DHCPv6 functionalities are not supported on ACX Series routers:
• DHCP snooping
• DHCPv6 client
• Liveness detection
• Dynamic profiles
You can configure DHCPv6 relay agent to insert the DHCPv6 interface identifier, using
option 18, in the packets that the relay sends to a DHCPv6 server. You can configure the
option 18 support at either the DHCPv6 global level or the DHCPv6 group level.
When you configure option 18 support, you can optionally include the following additional
information:
• Prefix—Specify the prefix option to add a prefix to the interface identifier. The prefix
can be any combination of hostname and routing instance name.
NOTE: If you specify one of the optional configurations, and the specified
information does not exist (for example, if there is no interface description),
DHCPv6 relay ignores the optional configuration and inserts the default
interface identifier in the packets.
3. (Optional) Specify that option 18 use the textual description of the interface. You can
specify the device interface description.
You can include the following statements at the [edit forwarding-options dhcp-relay
group group-name] hierarchy level to set group-specific DHCP relay agent configuration
options. Group-specific statements apply only to the named group of interfaces, and
override any global DHCP relay agent settings for the same statement.
• authentication—Configure the parameters the router (or switch) sends to the external
AAA server.
• interface—Specify one or more interfaces, or a range of interfaces, that are within the
specified group.
• overrides—Override the default configuration settings for the extended DHCP relay
agent. For information, see “Overriding the Default DHCP Relay Configuration Settings”
on page 373.
You can override the default DHCP relay configuration settings at the global level, for a
named group of interfaces, or for a specific interface within a named group.
• To override global default DHCP relay agent configuration options, include the overrides
statement and its subordinate statements at the [edit forwarding-options dhcp-relay]
hierarchy level.
• To override DHCP relay configuration options for a named group of interfaces, include
the statements at the [edit forwarding-options dhcp-relay group group-name] hierarchy
level.
• To override DHCP relay configuration options for a specific interface within a named
group of interfaces, include the statements at the [edit forwarding-options dhcp-relay
group group-name interface interface-name] hierarchy level.
• To configure overrides for DHCPv6 relay at the global level, group level, or per-interface,
use the corresponding statements at the [edit forwarding-options dhcp-relay dhcpv6]
hierarchy level.
1. (DHCPv4 and DHCPv6) Specify that you want to configure override options.
• DHCPv4 overrides.
Global override:
Group-level override:
Per-interface override:
• DHCPv6 overrides.
Global override:
Group-level override:
Per-interface override:
3. (DHCPv4 only) Overwrite the giaddr in DHCP packets that the DHCP relay agent
forwards.
See “Changing the Gateway IP Address (giaddr) Field to the giaddr of the DHCP Relay
Agent” on page 376.
4. (DHCPv4 only) Replace the IP source address in DHCP relay request and release
packets with the gateway IP address (giaddr).
See “Replacing the DHCP Relay Request and Release Packet Source Address” on
page 376.
5. (DHCPv4 only) Override the DHCP relay agent information option (option 82) in DHCP
packets.
6. (DHCPv4 only) Override the setting of the broadcast bit in DHCP request packets and
use the Layer 2 unicast transmission method.
See “Using Layer 2 Unicast Transmission for DHCP Packets” on page 377.
7. (DHCPv4 only) Trust DHCP client packets that have a giaddr of 0 and that contain
option 82 information.
8. (DHCPv4 and DHCPv6) Override the maximum number of DHCP clients allowed per
interface.
See “Specifying the Maximum Number of DHCP Clients Per Interface” on page 378.
10. (DHCPv4 and DHCPv6) Enable or disable support for DHCP snooped clients on
interfaces.
See Enabling and Disabling DHCP Snooped Packets Support for DHCP Relay Agent.
11. (DHCPv4 and DHCPv6) Delay authentication of subscribers until the DHCP client
sends a Request packet.
12. (DHCPv4 and DHCPv6) Send release messages to the DHCP server when clients are
deleted.
See “Sending Release Messages When Clients Are Deleted” on page 381.
13. (Optional) Specify that when the DHCP or DHCPv6 relay agent receives a Discover
or Solicit message that has a client ID that matches the existing client entry, the relay
agent deletes the existing client entry.
14. (DHCPv6 only) Automatically log out existing client when new client solicits on same
interface.
15. (DHCPv4 only) Disable the DHCP relay agent on specific interfaces.
16. (DHCPv4 and DHCPv6) Disable automatic binding of stray DHCP requests.
17. (DHCPv4 and DHCPv6) Assign a single-session DHCP dual-stack group to a specified
group of subscribers. You must assign the group to both legs of the DHCP dual stack.
18. (Optional, DHCPv4 and DHCPv6l) Specify that a short lease be sent to the client.
Changing the Gateway IP Address (giaddr) Field to the giaddr of the DHCP Relay Agent
You can configure the DHCP relay agent to change the gateway IP address (giaddr) field
in packets that it forwards between a DHCP client and a DHCP server.
To overwrite the giaddr of every DHCP packet with the giaddr of the DHCP relay agent
before forwarding the packet to the DHCP server:
Replacing the DHCP Relay Request and Release Packet Source Address
You can configure the DHCP relay agent to replace request and release packets with the
gateway IP address (giaddr) before forwarding the packet to the DHCP server.
2. Specify that you want to replace the IP source address in DHCP relay request and
release packets with the gateway IP address (giaddr).
You can configure the DHCP relay agent to add or remove the DHCP relay agent
information option (option 82) in DHCP packets.
This feature causes the DHCP relay agent to perform one of the following actions,
depending on the configuration:
• If the DHCP relay agent is configured to add option 82 information to DHCP packets,
it clears the existing option 82 values from the DHCP packets and inserts the new
values before forwarding the packets to the DHCP server.
• If the DHCP relay agent is not configured to add option 82 information to DHCP packets,
it clears the existing option 82 values from the packets, but does not add any new
values before forwarding the packets to the DHCP server.
To override the default option 82 information in DHCP packets destined for a DHCP
server:
You can configure the DHCP relay agent to override the setting of the broadcast bit in
DHCP request packets. DHCP relay agent then instead uses the Layer 2 unicast
transmission method to send DHCP Offer reply packets and DHCP ACK reply packets
from the DHCP server to DHCP clients during the discovery process.
To override the default setting of the broadcast bit in DHCP request packets:
2. Specify that the DHCP relay agent uses the Layer 2 unicast transmission method.
By default, the DHCP relay agent treats client packets with a giaddr of 0 (zero) and
option 82 information as if the packets originated at an untrusted source, and drops them
without further processing. You can override this behavior and specify that the DHCP
relay agent process DHCP client packets that have a giaddr of 0 (zero) and contain
option 82 information.
2. Specify that the DHCP relay agent process DHCP client packets with a giaddr of 0
and that contain option 82 information.
By default, there is no limit to the number of DHCP local server or DHCP relay clients
allowed on an interface. However, you can override the default setting and specify the
maximum number of clients allowed per interface, in the range 1 through 500,000. When
the number of clients on the interface reaches the specified limit, no additional DHCP
Discover PDUs or DHCPv6 Solicit PDUs are accepted. When the number of clients
subsequently drops below the limit, new clients are again accepted.
NOTE: The maximum number of DHCP (and DHCPv6) local server clients
or DHCP (and DHCPv6) relay clients can also be specified by Juniper Networks
VSA 26-143 during client login. The VSA-specified value always takes
precedence if the interface-client-limit statement specifies a different number.
If the VSA-specified value differs with each client login, DHCP uses the largest
limit set by the VSA until there are no clients on the interface.
2. Configure the maximum number of clients allowed per interface. (DHCP local server,
DHCPv6 local server, DHCP relay agent and DHCPv6 relay agent all support the
interface-client-limit statement.)
NOTE: For DHCP local server and DHCP relay agent, you can use either the
interface-client-limit statement or the client-discover-match incoming-interface
statement to set a limit of one client per interface. The interface-client-limit
statement with a value of 1 retains the existing client and rejects any new
client connections. The client-discover-match incoming-interface statement
deletes the existing client and allows a new client to connect.
You can configure the extended DHCP local server and extended DHCP relay to
automatically log out DHCP clients. Auto logout immediately releases an existing client
when DHCP receives a discover packet from a client whose identity matches an existing
client. DHCP then releases the existing client IP address without waiting for the normal
lease expiration.
NOTE: When the existing client is released, the new client undergoes the
normal authentication process. The new client might not receive the same
IP address as the original client.
2. Enable auto logout and specify the secondary identification method you want to use
when the primary identification method is unsuccessful.
• For example, to configure DHCP local server to use the incoming interface method:
• For example, to configure DHCP relay agent to use the option 60 and option 82
method:
NOTE: If you change the auto logout configuration, existing clients continue
to use the auto logout setting that was configured when they logged in. New
clients use the new setting.
By default, when DHCP relay and relay proxy delete a client, they do not send a release
message to the DHCP server. You can override the default behavior and configure DHCP
relay and relay proxy to send a release message whenever they delete a client. The release
message sent by DHCP relay and relay proxy includes option 82 information.
You can use the [edit forwarding-options dhcp-relay dhcpv6] hierarchy level to override
the default behavior for DHCPv6 relay agent.
2. Specify that you want DHCP relay and relay proxy (or DHCPv6 relay agent) to send
a release message when clients are deleted.
DHCP requests that are received but have no entry in the database are known as stray
requests. By default, DHCP relay, DHCP relay proxy, and DHCPv6 relay agent attempt
to bind the requesting client by creating a database entry and forwarding the request to
the DHCP server. If the server responds with an ACK, the client is bound and the ACK is
forwarded to the client. If the server responds with a NAK, the database entry is deleted
and the NAK is forwarded to the client. This behavior occurs regardless of whether
authentication is configured.
You can override the default configuration at the global level, for a named group of
interfaces, or for a specific interface within a named group. Overriding the default causes
DHCP relay, DHCP relay proxy, and DHCPv6 relay agent to drop all stray requests instead
of attempting to bind the clients.
• To override the default behavior for DHCPv6 relay agent, configure the override at the
[edit forwarding-options dhcp-relay dhcpv6] hierarchy level.
The following two examples show a configuration that disables automatic binding of
stray requests for a group of interfaces and a configuration that disables automatic
binding on a specific interface.
Subscriber management enables you to configure the DHCP relay agent to include
additional option 82 information in the DHCP packets that the relay agent receives from
clients and forwards to a DHCP server. The DHCP server uses the additional information
to determine the IP address to assign to the client. The server might also use the
information for other purposes—for example, to determine which services to grant the
client, or to provide additional security against threats such as address spoofing. The
DHCP server sends its reply back to the DHCP relay agent, and the agent removes the
option 82 information from the message and forwards the packet to the client.
To configure support for the DHCP relay agent information option 82, you use the
relay-option-82 statement. You can configure the DHCP relay agent to include the
following suboptions in the packet the relay agent sends to the DHCP server:
• Agent Circuit ID (suboption 1)—An ASCII string that identifies the interface on which
the client DHCP packet is received.
• Agent Remote ID (suboption 2)—An ASCII string assigned by the DHCP relay agent
that securely identifies the client.
You can configure the option 82 support globally or for a named group of interfaces.
To restore the default behavior, in which option 82 information is not inserted into DHCP
packets, you use the delete relay-option-82 statement.
NOTE: The DHCPv6 relay agent provides similar Agent Circuit ID and Agent
Remote ID support for DHCPv6 clients. For DHCPv6, subscriber management
uses DHCPv6 option 18 to include the circuit ID in the packets that the relay
agent sends to a DHCPv6 server, and option 37 to include the remote ID in
the packets. See DHCPv6 Relay Agent Options.
The following sections describe the option 82 operations you can configure:
You can optionally configure DHCP relay agent to include a prefix or the interface
description as part of the suboption information. If you specify the circuit-id or remote-id
statement without including any of the optional prefix, use-interface-description,
use-vlan-id, include-irb-and-l2, or no-vlan-interface-name statements, the format of the
Agent Circuit ID or Agent Remote ID information for Fast Ethernet (fe), Gigabit Ethernet
(ge), and integrated routing and bridging (irb) interfaces is one of the following, depending
on your network configuration:
• For Fast Ethernet or Gigabit Ethernet interfaces that do not use VLANs, stacked VLANs
(S-VLANs), or bridge domains:
(fe | ge)-fpc/pic/port.subunit
(fe | ge)-fpc/pic/port:vlan-id
(fe | ge)-fpc/pic/port:svlan-id-vlan-id
In the case of an IRB interface, the format displays the Layer 2 interface instead of the
IRB interface along with the bridge domain name. For IRB interfaces (or other pseudo
devices) the default format is as follows:
• IRB interfaces that use bridge domains but do not use VLANs or S-VLANs:
(fe | ge)-fpc/pic/port.subunit:bridge-domain-name
(fe | ge)-fpc/pic/port.subunit:vlan-name
To include the IRB interface name with the Layer 2 interface name, configure the
include-irb-and-l2 statement. The format is as follows:
• IRB interfaces that use bridge domains but do not use VLANs or S-VLANs:
(fe | ge)-fpc/pic/port:bridge-domain-name+irb.subunit
(fe | ge)-fpc/pic/port:vlan-name+irb.subunit
To include only the IRB interface name without the Layer 2 interface and bridge domain
or VLAN, configure the no-vlan-interface-name statement. The format is as follows:
irb.subunit
2. Configure the DHCP relay agent to insert the Agent Circuit ID suboption, the Agent
Remote ID suboption, or both.
3. (Optional) Configure a prefix that is used in the option 82 information in the DHCP
packets.
4. (Optional) Configure the DHCP relay agent to include the interface’s textual description
instead of the interface identifier in the option 82 information.
The prefix is separated from the DHCP option information by a colon (:), and it can include
any combination of the host-name, logical-system-name, and routing-instance-name
options. The DHCP relay agent obtains the values for the host-name, logical-system-name,
and routing-instance-name as follows:
• If you include the host-name option, the DHCP relay agent uses the hostname of the
device configured with the host-name statement at the [edit system] hierarchy level.
• If you include the logical-system-name option, the DHCP relay agent uses the logical
system name configured with the logical-system statement at the [edit logical-system]
hierarchy level.
• If you include the routing-instance-name option, the DHCP relay agent uses the routing
instance name configured with the routing-instance statement at the [edit
routing-instances] hierarchy level or at the [edit logical-system logical-system-name
routing-instances] hierarchy level.
If you include the hostname and either or both of the logical system name and the routing
instance name in the prefix, the hostname is followed by a forward slash (/). If you include
both the logical system name and the routing instance name in the prefix, these values
are separated by a semicolon (;).
The following examples show several possible formats for the DHCP option information
when you specify the prefix statement for Fast Ethernet (fe) or Gigabit Ethernet (ge)
interfaces with S-VLANs.
• If you include only the hostname in the prefix for Fast Ethernet or Gigabit Ethernet
interfaces with S-VLANs:
hostname:(fe | ge)-fpc/pic/port:svlan-id-vlan-id
• If you include only the logical system name in the prefix for Fast Ethernet or Gigabit
Ethernet interfaces with S-VLANs:
logical-system-name:(fe | ge)-fpc/pic/port:svlan-id-vlan-id
• If you include only the routing instance name in the prefix for Fast Ethernet or Gigabit
Ethernet interfaces with S-VLANs:
routing-instance-name:(fe | ge)-fpc/pic/port:svlan-id-vlan-id
• If you include both the hostname and the logical system name in the prefix for Fast
Ethernet or Gigabit Ethernet interfaces with S-VLANs:
host-name/logical-system-name:(fe | ge)-fpc/pic/port:svlan-id-vlan-id
• If you include both the logical system name and the routing instance name in the prefix
for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:
logical-system-name;routing-instance-name:(fe | ge)-fpc/pic/port:svlan-id-vlan-id
• If you include the hostname, logical system name, and routing instance name in the
prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:
host-name/logical-system-name;routing-instance-name:(fe |
ge)-fpc/pic/port:svlan-id-vlan-id
For Fast Ethernet or Gigabit Ethernet interfaces that use VLANs but not S-VLANs, only
the vlan-id value appears in the DHCP option format.
2. Configure DHCP relay agent to insert the Agent Circuit ID, the Agent Remote ID, or
both.
3. Specify that the prefix be included in the option 82 information. In this example, the
prefix includes the hostname and logical system name.
2. Configure DHCPv6 relay agent to insert option 18 (Relay Agent Interface-ID), option
37 (Relay Agent Remote-ID), or both.
3. Specify that the prefix is included in the option information. In this example, the prefix
includes the hostname and logical system name
You can include the textual interface description in the following DHCP options:
The textual description is configured separately, using the description statement at the
[edit interfaces interface-name] hierarchy level. If you specify that the textual description
is used and no description is configured for the interface, DHCP relay defaults to using
the Layer 2 interface name.
In the case of integrated routing and bridging (IRB) interfaces, the textual description of
the Layer 2 interface is used instead of the textual description of the IRB interface. If there
is no description configured, the Layer 2 logical interface name is used.
NOTE: For IRB interfaces, the option 82 field must be able to uniquely identify
the incoming interface based on either the Agent Circuit ID or Agent Remote
ID . You can modify the information in the textual interface description to
match the raw IFD (physical interface without a subunit) name and configure
the option 82 field to use the interface description.
You can use the textual description with the following DHCP options:
(DHCPv4) To configure the DHCP relay option 82 suboption to include the textual
interface description:
2. Configure DHCP relay agent to insert the Agent Circuit ID, Agent Remote ID, or both.
3. Specify that the textual description is included in the option 82 information. In this
example, the option 82 information includes the description used for the device
interface.
(DHCPv6) To configure the DHCPv6 option 18 or option 37 to include the textual interface
description:
2. Configure DHCPv6 relay agent to insert option 18 (Relay Agent Interface-ID), option
37 (Relay Agent Remote-ID), or both.
3. Specify that the textual description is included in the option information. In the
following example, the option information includes the description used for the device
interface.
Starting in Junos OS Release 15.1, you can configure the DHCP relay agent to selectively
process client traffic. Selective processing uses DHCP or DHCPv6 option information to
identify, filter, and process client traffic. To configure DHCPv6 support you use the
procedure at the [edit forwarding-options dhcp-relay dhcpv6] hierarchy level.
To configure DHCP relay agent to use option information to selectively process DHCP
client traffic:
[edit forwarding-options]
user@host# edit dhcp-relay
2. Specify that you want to use the DHCP option feature to selectively process incoming
DHCP traffic.
3. Specify the DHCP or DHCPv6 option number DHCP relay uses to identify and process
the client traffic. You can specify options 60 and 77 for DHCP relay agent, and options
15 and 16 for DHCPv6 relay agent.
4. (Optional) Configure the default action that DHCP relay uses when the incoming
client traffic does not satisfy any configured match or partial match criteria.
5. (Optional) Configure an exact match condition that filters the client traffic and specifies
the associated action for DHCP relay agent to take.
For example, to select traffic that has an option 60 (configured in the previous step)
ASCII string of video25, and then forward that traffic to a named local server group:
6. (Optional) Configure a partial match condition that filters the client traffic and specifies
the associated action.
For example, to select traffic that has an option 60 hexadecimal string that starts
with 766964656F (left to right), and then forward that traffic without creating a new
session:
15.1 Starting in Junos OS Release 15.1, you can configure the DHCP relay agent
to selectively process client traffic.
• Example: Configuring DHCP and DHCPv6 Relay Agent Group-Level Selective Traffic
Processing
You can use DHCP option 82, also known as the DHCP relay agent information option,
to help protect Juniper Networks EX Series Ethernet Switches and MX Series 3D Universal
Edge Routers against attacks such as spoofing (forging) of IP addresses and MAC
addresses, and DHCP IP address starvation. Hosts on untrusted access interfaces on an
Ethernet LAN switching device send requests for IP addresses to access the Internet. The
switching device forwards or relays these requests to DHCP servers, and the servers send
offers for IP address leases in response. Attackers can use these messages to penetrate
the network by address spoofing.
Option 82 provides information about the network location of a DHCP client, and the
DHCP server uses this information to implement IP addresses or other parameters for
the client. The Junos OS implementation of DHCP option 82 supports RFC 3046, DHCP
Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
1. The switching device receives the request and inserts the option 82 information in the
packet header.
2. The switching device forwards (or relays) the request to the DHCP server.
3. The server uses the DHCP option 82 information to formulate its reply and sends a
response to the switching device. It does not alter the option 82 information.
4. The switching device strips the option 82 information from the response packet.
To use the DHCP option 82 feature, you must ensure that the DHCP server is configured
to accept option 82. If the DHCP server is not configured to accept option 82, then when
it receives requests containing option 82 information, it does not use the information for
setting parameters and it does not echo the information in its response message.
NOTE: If your switching device is an EX Series switch and uses Junos OS with
Enhanced Layer 2 Software (ELS) configuration style, you can enable DHCP
option 82 only for a specific VLAN. See Setting Up DHCP Option 82 on the
Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure).
If your switching device is an EX Series switch and does not use Junos OS
with Enhanced Layer 2 Software (ELS) configuration style, you can enable
DHCP option 82 either for a specific VLAN or for all VLANs. See Setting Up
DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP
Server (CLI Procedure).
• circuit ID—Identifies the circuit (interface or VLAN) on the switching device on which
the request was received. The circuit ID contains the interface name and VLAN name,
with the two elements separated by a colon—for example, ge-0/0/10:vlan1, where
ge-0/0/10 is the interface name and vlan1 is the VLAN name. If the request packet is
received on a Layer 3 interface, the circuit ID is just the interface name—for example,
ge-0/0/10.
Use the prefix option to add an optional prefix to the circuit ID. If you enable the prefix
option, the hostname for the switching device is used as the prefix; for example,
device1:ge-0/0/10:vlan1, where device1 is the hostname.
You can also specify that the interface description be used rather than the interface
name or that the VLAN ID be used rather than the VLAN name.
• vendor ID—Identifies the vendor of the host. If you specify the vendor-id option but do
not enter a value, the default value Juniper is used. To specify a value, you type a
character string.
• Switching Device, DHCP Clients, and the DHCP Server Are on the Same VLAN or Bridge
Domain on page 394
• Switching Device Acts as a Relay Agent on page 394
Switching Device, DHCP Clients, and the DHCP Server Are on the Same VLAN or
Bridge Domain
If the switching device, the DHCP clients, and the DHCP server are all on the same VLAN
or bridge domain, the switching device forwards the requests from the clients on untrusted
access interfaces to the server on a trusted interface. See Figure 22 on page 394.
Figure 22: DHCP Clients, Switching Device, and the DHCP Server Are All
on the Same VLAN or Bridge Domain
The switching device functions as a relay agent (extended relay server) when the DHCP
clients or the DHCP server is connected to the switching device through a Layer 3 interface.
On the switching device, these interfaces are configured as routed VLAN interfaces (RVIs).
Figure 23 on page 395 illustrates a scenario for the switching device acting as an extended
relay server; in this instance, the switching device relays requests to the server. This figure
shows the relay agent and server on the same network, but they can also be on different
networks–that is, the relay agent can be external.
DHCPv6 Options
DHCPv6 provides several options that can be used to insert information into the DHCPv6
request packets that are relayed to a server from a client. These options are equivalent
to the sub-options of DHCP option 82.
• Option 18—Identifies the interface on which the DHCP request packet was received
from the client. Option 18 is equivalent to the circuit-id sub-option of DHCP option 82.
• Option 16—Identifies the vendor of the hardware on which the client is hosted. Option
16 is equivalent to the vendor-id sub-option of DHCP option 82.
DHCPv6 options are not enabled automatically when DHCPv6 snooping is enabled on
a VLAN. They must be configured using the dhcpv6-options statement.
Related • Configuring DHCP Option 82 to Help Protect the Switching Devices Against Attacks
Documentation (CLI Procedure) on page 396
• Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and
DHCP Server (CLI Procedure)
Configuring DHCP Option 82 to Help Protect the Switching Devices Against Attacks
(CLI Procedure)
You can use DHCP option 82, also known as the DHCP relay agent information option,
to help protect the switching device against attacks such as spoofing (forging) of IP
addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides
information about the network location of a DHCP client, and the DHCP server uses this
information to implement IP addresses or other parameters for the client.
• The switching device, DHCP clients, and DHCP server are all on the same bridge domain.
The switching device forwards the clients' requests to the server and forwards the
server's responses to the clients. This topic describes this configuration.
• The switching device functions as a relay agent when the DHCP clients or the DHCP
server are connected to the switching device through a Layer 3 interface. On the
switching device, these interfaces are configured as integrated routing and bridging
(IRB) interfaces. The switching device relays the clients' requests to the server and
then forwards the server's responses to the clients.
Before you configure DHCP option 82 on the switching device, perform these tasks:
NOTE: Your DHCP server must be configured to accept DHCP option 82.
If the server is not configured for DHCP option 82, the server does not use
the DHCP option 82 information in the requests sent to it when it formulates
its reply messages.
• Configure a bridge domain on the switching device and associate the interfaces on
which the clients and the server connect, to the switch with that bridge domain.
1. Specify DHCP option 82 for the bridge domain that you configured:
NOTE: If you want to enable DHCP option 82 on all bridge domains, you
must configure it separately for each specific bridge domain.
2. Configure the prefix for the circuit ID suboption to include the hostname or the routing
instance name for the bridge domain:
3. Specify that the circuit ID suboption value contains the interface description rather
than the interface name (the default):
4. Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN
name (the default):
5. Specify that the remote ID suboption is included in the DHCP option 82 information:
NOTE: If you do not specify a keyword after remote-id, the default value
for the remote-id suboption is the interface name.
7. Specify that the remote ID suboption value contains the interface description:
• To use the default value (the default value is Juniper), do not type a character string
after the vendor-id option keyword:
Related • Understanding DHCP Option 82 for Protecting Switching Devices Against Attacks on
Documentation page 392
• Understanding DHCP Snooping for Monitoring DHCP Messages Received from Untrusted
Devices
You can configure a named group of DHCP servers for use by the extended DHCP relay
agent on the router or switch.
You specify the name of the DHCP server group and the IP addresses of one or more
DHCP servers that belong to this group. You can configure a maximum of five IP addresses
per named server group.
Configuring Active Server Groups to Apply a Common DHCP Relay Agent Configuration
to Named Server Groups
You can configure an active server group. Using an active server group enables you to
apply a common DHCP relay agent configuration to a named group of DHCP server
addresses.
Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support.
To create an active server group as a global DHCP relay agent configuration option,
include the active-server-group statement at the [edit forwarding-options dhcp-relay]
hierarchy level. To have the group apply only to a named group of interfaces, include the
active-server-group statement at the [edit forwarding-options dhcp-relay group
group-name] hierarchy level.
On ACX Series routers in a Layer 2 environment, you can configure various spanning-tree
protocol versions to create a loop-free topology in Layer 2 networks.
A spanning-tree protocol is a Layer 2 control protocol (L2CP) that calculates the best
path through a switched network containing redundant paths. A spanning-tree protocol
uses bridge protocol data unit (BPDU) data frames to exchange information with other
switches. A spanning-tree protocol uses the information provided by the BPDUs to elect
a root bridge, identify root ports for each switch, identify designated ports for each physical
LAN segment, and prune specific redundant links to create a loop-free tree topology.
The resulting tree topology provides a single active Layer 2 data path between any two
end stations.
The ACX Series Universal Access Routers support Spanning-Tree Protocol (STP), Rapid
Spanning-Tree Protocol (RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN
Spanning-Tree Protocol (VSTP).
• The original STP is defined in the IEEE 802.1D 1998 specification. A newer version called
RSTP was originally defined in the IEEE 802.1w draft specification and later incorporated
into the IEEE 802.1D-2004 specification. A recent version called MSTP was originally
defined in the IEEE 802.1s draft specification and later incorporated into the
IEEE 802.1Q-2003 specification. The VSTP is compatible with the Per-VLAN Spanning
Tree Plus (PVST+) and Rapid-PVST+ protocols supported on Cisco Systems routers
and switches.
• RSTP provides faster reconvergence time than the original STP by identifying certain
links as point to point and by using protocol handshake messages rather than fixed
timeouts. When a point-to-point link fails, the alternate link can transition to the
forwarding state without waiting for any protocol timers to expire.
• MSTP provides the capability to logically divide a Layer 2 network into regions. Every
region has a unique identifier and can contain multiple instances of spanning trees. All
regions are bound together using a Common Instance Spanning Tree (CIST), which is
responsible for creating a loop-free topology across regions, whereas the Multiple
Spanning-Tree Instance (MSTI) controls topology within regions. MSTP uses RSTP as
a converging algorithm and is fully interoperable with earlier versions of STP.
• VSTP maintains a separate spanning-tree instance for each VLAN. Different VLANs
can use different spanning-tree paths. When different VLANs use different
spanning-tree paths, the CPU processing resources being consumed increase as more
VLANs are configured. VSTP BPDU packets are tagged with the corresponding VLAN
identifier and are transmitted to the multicast destination media access control (MAC)
address 01-00-0c-cc-cc-cd with a protocol type of 0x010b. VSTP BPDUs are tunneled
by pure IEEE 802.1q bridges.
ACX Series routers can support up to 128 STP instances, which includes all instances of
VSTP, MSTP, RSTP and STP.
The ACX Series routers supports enabling Spanning-Tree Protocol (STP), Rapid
Spanning-Tree Protocol (RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN
Spanning-Tree Protocol (VSTP) on aggregated Ethernet interface .
For more information about the various versions of spanning-tree protocols, see the
appropriate IEEE specification.
• Bridge Priority for Election of Root Bridge and Designated Bridge on page 406
Use the bridge priority to control which bridge is elected as the root bridge and also to
control which bridge is elected the root bridge when the initial root bridge fails.
The root bridge for each spanning-tree protocol instance is determined by the bridge ID.
The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.
The bridge with the lowest bridge ID is elected as the root bridge. If the bridge priorities
are equal or if the bridge priority is not configured, the bridge with the lowest MAC address
is elected the root bridge.
The bridge priority can also be used to determine which bridge becomes the designated
bridge for a LAN segment. If two bridges have the same path cost to the root bridge, the
bridge with the lowest bridge ID becomes the designated bridge.
• bridge-priority
The maximum age timer specifies the maximum expected arrival time of hello BPDUs.
If the maximum age timer expires, the bridge detects that the link to the root bridge has
failed and initiates a topology reconvergence. The maximum age timer should be longer
than the configured hello timer.
• max-age
The hello timer specifies the time interval at which the root bridge transmits configuration
BPDUs.
• hello-time
The forwarding delay timer specifies the length of time a spanning-tree protocol bridge
port remains in the listening and learning states before transitioning to the forwarding
state. Setting the interval too short could cause unnecessary spanning-tree reconvergence.
Before changing this parameter, you should have a thorough understanding of
spanning-tree protocols.
• forward-delay
STP and RSTP are limited to a single instance on any physical interface. Use the interface
statement to configure which interfaces participate in the STP or RSTP instance.
MSTP supports multiple instances on a single physical interface. Use the interface
statement to configure which logical interfaces participate in MSTP.
For VSTP, interfaces can be configured at the global level or at the VLAN level. Interfaces
configured at the global VSTP level will be enabled for all the configured VLANs. If an
interface is configured at both the global and VLAN levels, the configuration at the VLAN
level overrides the global configuration.
• cost
• edge
• mode
• priority
The root port is the interface on the nonroot bridge with the lowest path cost to the root
bridge. When multiple interfaces have the same path cost to the root bridge, the interface
with the lowest interface priority is selected as the root port.
If the interface priority is not configured and multiple interfaces have the same path cost
to the root bridge, the interface with the lowest interface identifier is selected as the root
port.
If the interface priority is configured under the MSTP protocol, this becomes the default
value for all interfaces. If the interface priority is configured under the MSTI interface, the
value overrides the default for that interface.
If the interface priority is configured at both the VSTP global and VLAN levels, the
configuration at the VLAN level overrides the global configuration.
• priority
The path cost used to calculate the root path cost from any given LAN segment is
determined by the total cost of each link in the path. By default, the link cost is determined
by the speed of the link. The interface cost can be configured to override the default cost
and control which bridge is the designated bridge and which port is the designated port.
In MSTP the CIST external path cost is determined by the link speed and the number of
hops.
If the interface cost is not configured, the cost is determined by the speed of the interface.
For example, a 100-Mbps link has a default path cost of 19, a 1000-Mbps link has a default
path cost of 4, and a 10-Gbps link has a default path cost of 2.
If the interface cost is configured under MSTP, this becomes the default value for all
interfaces. If the interface cost is configured under the MSTI interface, the value overrides
the default for that interface.
If the interface cost is configured at both the VSTP global and VLAN levels, the
configuration at the VLAN level overrides the global configuration.
The interface cost should be set the same for all interfaces connected to the same LAN
segment.
• cost
The interface mode allows RSTP, MSTP, and VSTP to converge faster than the original
STP on point-to-point links. The protocol does not need to wait for timers on
point-to-point links. Configure interfaces that have a point-to-point link to another Layer 2
bridge as p2p. This parameter is ignored if the STP is configured to run the original
spanning-tree version.
If the interface mode is configured at both the VSTP global and VLAN levels, the
configuration at the VLAN level overrides the global configuration.
• mode
RSTP, MSTP, and VSTP instance interfaces configured as edge ports enable the protocol
to converge faster than the original IEEE 802.1D STP version. Edge ports transition directly
to the forwarding state, and so the protocol does not need to wait for BPDUs to be
received on edge ports.
The Junos OS supports automatic detection of edge ports as described in the RSTP
standard. Layer 2 bridges do not expect to receive BPDUs for edge ports. If a BPDU is
received for an edge port, the port becomes a non-edge port.
Keep the following guidelines in mind when configuring spanning-tree instance interfaces
as edge ports:
• if the spanning-tree protocol is configured to run the original IEEE 802.1D spanning-tree
version, the edge-port option (if configured) is ignored.
• If edge ports are configured at both the VSTP global and VLAN levels, the configuration
at the VLAN level overrides the global configuration.
Related • Example: Configuring BPDU Protection on Edge Interfaces to Prevent STP Miscalculations
Documentation
• Configuring Rapid Spanning Tree Protocol
• edge
• Configuring MSTP
For general information about tracing and global tracing options, see the statement
summary for the global traceoptions statement in the Junos OS Routing Protocols Library.
You can configure Rapid Spanning-Tree Protocol (RSTP) under the following hierarchy
level:
• [edit protocols]
[edit]
user@host@ edit ... protocols rstp
c. (Optional) By default, the interface link cost is determined by the link speed. You
can configure the interface link cost to control which bridge is the designated bridge
and which port is the designated port:
Edge ports do not expect to receive bridge protocol data unit (BPDU) packets. If
a BPDU packet is received for an edge port, the port becomes a nonedge port
For more information, see “Bridge Priority for Election of Root Bridge and Designated
Bridge” on page 406.
b. Configure the time interval at which the root bridge transmits configuration BPDUs:
5. (Optional) By default, the bridge port remains in the listening and learning states for
15 seconds before transitioning to the forwarding state. You can specify a delay from
4 through 20 seconds instead:
[edit]
protocols {
rstp {
force-version stp; # Optional.
bpdu-destination-mac-address provider-bridge-group; # Optional
extended-system-id identifier; # Optional.
interface interface-name {
priority interface-priority;
cost interface-link-cost; # Optional.
mode (p2p | shared);
edge; # Optional.
}
bridge-priority bridge-priority;
max-age seconds;
hello-time seconds;
forward-delay seconds; # Optional.
}
}
}
You can configure the Multiple Spanning-Tree Protocol (MSTP) under the following
hierarchy level:
• [edit protocols]
[edit]
user@host@ edit ... protocols mstp
c. (Optional) By default, the interface link cost is determined by the link speed. You
can configure the interface link cost to control which bridge is the designated bridge
and which port is the designated port:
For more information, see “Bridge Priority for Election of Root Bridge and Designated
Bridge” on page 406.
b. Configure the time interval at which the root bridge transmits configuration BPDUs:
5. (Optional) By default, the bridge port remains in the listening and learning states for
15 seconds before transitioning to the forwarding state. You can specify a delay from
4 through 20 seconds instead:
c. Configure the maximum number of hops a BPDU can be forwarded in the MSTP
region:
[edit]
protocols {
mstp {
bpdu-destination-mac-address provider-bridge-group; # Optional
interface interface-name {
priority interface-priority;
cost interface-link-cost; # Optional.
mode (p2p | shared);
edge; # Optional.
}
bridge-priority bridge-priority;
max-age seconds;
hello-time seconds;
forward-delay seconds; # Optional.
configuration-name configuration-name; # MST region configuration name.
revision-level revision-level; # MST revision number.
max-hops hops; # MST maximum hops.
}
}
}
You can configure a Multiple Spanning-Tree Instance (MSTI) under the following hierarchy
levels:
Before you begin, configure Multiple Spanning-Tree Protocol. For configuration details,
see “Configuring MSTP” on page 413.
[edit]
user@host# edit ... protocols mstp msti msti-id
For more information, see “Bridge Priority for Election of Root Bridge and Designated
Bridge” on page 406.
4. (Optional) An MSTI can map to a range of VLANs just as a logical port can map to a
range of VLANs. The MSTP VLAN specifies the VLAN or VLAN range to which this
MSTI is mapped. The vlan-id is configured under the logical interface. Configure the
VLAN or VLAN range of the MSTI instance:
[edit]
user@host# set vlan (vlan-id | vlan-id-range)
[edit]
protocols {
mstp {
...basic-mstp-configuration...
msti msti-id { # Instance identifier 1 – 64.
bridge-priority priority;
vlan vlan-id; # Optional
interface interface-name {
cost cost;
edge;
priority interface-priority;
}
}
}
}
NOTE: All STP ports on a bridge domain must belong to the same MST
(multiple spanning tree) instance.
Disabling MSTP
• Include the disable statement. You can include this statement at the following hierarchy
levels:
You can configure the VLAN Spanning-Tree Protocol (VSTP) under the following hierarchy
level:
• [edit protocols]
[edit]
user@host@ edit ... protocols vstp
2. (Optional) For compatibility with older bridges that do not support VSTP, you can run
force VSTP to run as the original IEEE 802.1D Spanning-Tree Protocol (STP) version:
NOTE: If VSTP has been forced to run as the original STP version, you can
revert back to VSTP by first removing the force-version statement from
the configuration and then entering the clear spanning-tree
protocol-migration configuration mode command.
For more information, see “Bridge Priority for Election of Root Bridge and Designated
Bridge” on page 406.
b. Configure the time interval at which the root bridge transmits configuration BPDUs:
7. (Optional) By default, the bridge port remains in the listening and learning states for
15 seconds before transitioning to the forwarding state. You can specify a delay from
4 through 20 seconds instead:
[edit]
protocols {
vstp {
force-version stp; # Optional.
interface interface-name {
priority interface-priority;
cost interface-link-cost; # Optional.
mode (p2p | shared);
edge; # Optional.
}
vlan vlan-id {
bridge-priority bridge-priority;
max-age seconds;
hello-time seconds;
forward-delay seconds; # Optional.
interface interface-name {
priority interface-priority;
cost interface-link-cost; # Optional.
mode (p2p | shared);
edge; # Optional.
}
}
}
}
}
In a Layer 2 environment, you can force the configured Rapid Spanning-Tree Protocol
(RSTP) or VLAN Spanning-Tree Protocol (VSTP) to run as the original IEEE 802.1D
Spanning-Tree Protocol (STP) version. Configure this option for compatibility with older
bridges that do not support RSTP or VSTP.
To configure RSTP or VSTP to run as IEEE 802.1D STP, you need to add force-version
statement to the RSTP or VSTP configuration:
Keep the following limitations in mind when RSTP or VSTP are run as the original STP
version:
• If you configure point-to-point link mode for an instance interface, the configuration
statement is ignored.
• Reverting RSTP or VSTP from Forced IEEE 802.1D STP on page 420
• force-version
To revert from the forced instance of the original IEEE 802.1D STP version to the configured
RSTP or VSTP version:
2. Revert the forced IEEE 802.1D STP to run as the configured RSTP or VSTP:
To revert the STP protocol for the specified interface only, specify the
interface interface-name option.
To revert the STP protocol for a particular routing instance only, specify the
routing-instance routing-instance-name option.
• force-version
You can enable global routing protocol tracing options at the [edit routing-options]
Hierarchy Level. For general information about tracing and global tracing options, see the
statement summary for the global traceoptions statement in the Junos OS Routing
Protocols Library.
In addition, you can enable STP-specific trace options at the following hierarchy levels:
[edit]
user@host# edit ... protocols (mstp | rstp | vstp)
NOTE: Use the trace flag all with caution. This flag may cause the CPU
to become very busy.
[edit]
...
routing-options {
traceoptions {
...global-trace-options-configuration...
}
}
}
protocols {
(mstp | rstp | vstp) {
traceoptions { # Spanning-tree protocol-specific.
file filename <files number> <size bytes> <world-readable | no-world-readable>;
flag flag <flag-modifier> <disable>;
}
}
}
...
By default, if a bridge protocol data unit (BPDU) data frame is received on a blocked
interface, the system will disable the interface and stop forwarding frames out the
interface until the interface is explicitly cleared.
The Spanning Tree Protocol (STP) family is designed to break possible loops in a Layer 2
bridged network. Loop prevention avoids damaging broadcast storms that can potentially
render the network useless. STP processes on bridges exchange BPDUs to determine
the LAN topology, decide the root bridge, stop forwarding on some ports, and so on.
However, a misbehaving user application or device can interfere with the operation of
the STP protocols and cause network problems.
On the ACX Series routers, MX Series routers, and EX Series switches only, you can
configure BPDU protection to ignore BPDUs received on interfaces where none should
be expected (for example, a LAN interface on a network edge with no other bridges
present). If a BPDU is received on a blocked interface, the interface is disabled and stops
forwarding frames. By default, all BPDUs are accepted and processed on all interfaces.
You can configure BPDU protection on interfaces with the following encapsulation types:
• ethernet-bridge
• ethernet-vpls
• extended-vlan-bridge
• vlan-vpls
• vlan-bridge
• extended-vlan-vpls
You can configure BPDU protection on individual interfaces or on all the edge ports of
the bridge.
Related • Configuring BPDU Protection for Spanning-Tree Instance Interfaces on page 424
Documentation
• Configuring BPDU Protection on All Edge Ports on page 425
On the ACX Series routers, MX Series routers, and EX Series switches, you can configure
BPDU protection to ignore BPDU received on interfaces where none should be expected.
If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding
frames. By default, all BPDUs are accepted and processed on all interfaces.
[edit]
user@host# edit protocols layer2-control bpdu-block
user@host# set interface interface (aex | (ge-fpc/pic/port | xe-fpc/pic/port)
If a BPDU is received on the interface, the system will disable the interface and stop
forwarding frames out the interface until the bridging process is restarted.
2. (Optional) Configure the amount of time the system waits before automatically
unblocking this interface after it has received a BPDU:
The range of the seconds option value is from 10 through 3600 seconds (one hour).
A seconds option value of 0 is allowed, but this results in the default behavior (the
interface is blocked until the interface is cleared).
[edit]
interfaces {
ge-fpc/pic/port { # VLAN encapsulation on a Gigabit Ethernet.
encapsulation (ethernet-bridge | ethernett-vpls | extended-vlan-bridge |
extended-vlan-vpls | vlan-bridge| vlan-vpls);
}
xe-fpc/pic/port { # VLAN encapsulation on 10-Gigabit Ethernet.
encapsulation (ethernet-bridge | ethernett-vpls | extended-vlan-bridge |
extended-vlan-vpls | vlan-bridge| vlan-vpls);
}
On ACX Series routers, MX Series routers, and EX Series switches, you can configure
BPDU protection to ignore BPDU received on interfaces where none should be expected.
If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding
frames. By default, all BPDUs are accepted and processed on all interfaces.
To configure BPDU protection for all edge ports for a particular spanning-tree protocol:
[edit]
user@host# set protocols (STP Type) (mstp | rstp | vstp) bpdu-block-on-edge
[edit]
protocols (STP Type) {
(mstp | rstp | vstp) {
bpdu-block-on-edge;
}
}
Spanning-tree protocol loop protection enhances the normal checks that spanning-tree
protocols perform on interfaces. Loop protection performs a specified action when BPDUs
are not received on a nondesignated port interface. You can choose to block the interface
or issue an alarm when bridge protocol data units (BPDUs) are not received on the port.
The spanning-tree protocol family is responsible for breaking loops in a network of bridges
with redundant links. However, hardware failures can create forwarding loops (STP
loops) and cause major network outages. Spanning-tree protocols break loops by blocking
ports (interfaces). However, errors occur when a blocked port transitions erroneously to
a forwarding state.
By default, a spanning-tree protocol interface that stops receiving bridge protocol data
unit (BPDU) data frames will transition to the designated port (forwarding) state, creating
a potential loop. To prevent a spanning-tree instance interface from interpreting a lack
of received BPDUs as a “false positive” condition for assuming the designated port role,
you can configure one of the following loop protection options:
• Configure the router to raise an alarm condition if the spanning-tree instance interface
has not received BPDUs during the timeout interval.
• Configure the router to block the spanning-tree instance interface if the interface has
not received BPDUs during the timeout interval.
You can configure spanning-tree protocol loop protection to improve the stability of
Layer 2 networks. We recommend you configure loop protection only on non-designated
interfaces such as the root or alternate interfaces. Otherwise, if you configure loop
protection on both sides of a designated link, then certain STP configuration events (such
as setting the root bridge priority to an inferior value in a topology with many loops) can
cause both interfaces to transition to blocking mode.
You configure spanning-tree protocol loop protection to prevent selected interfaces from
interpreting the lack of received BPDUs as a “false positive” condition for making the
interface the designated port.
Related • Configuring Loop Protection for a Spanning-Tree Instance Interface on page 428
Documentation
• Example: Enabling Loop Protection for Spanning-Tree Protocols on page 429
By default, a spanning-tree protocol interface that stops receiving Bridge Protocol Data
Unit (BPDU) data frames will transition to the designated port (forwarding) state, creating
a potential loop. To prevent a spanning-tree instance interface from interpreting a lack
of received BPDUs as a “false positive” condition for assuming the designated port role,
you can configure one of the following loop protection options:
• Configure the router to raise an alarm condition if the spanning-tree instance interface
has not received BPDUs during the timeout interval.
• Configure the router to block the spanning-tree instance interface if the interface has
not received BPDUs during the timeout interval.
Related • Understanding Loop Protection for Spanning-Tree Instance Interfaces on page 426
Documentation
• Configuring Loop Protection for a Spanning-Tree Instance Interface on page 428
Before you begin, you must fully configure the spanning-tree protocol, including instance
interfaces. You can configure RSTP, MSTP, or VSTP at the following hierarchy levels:
• [edit protocols]
1. Include the bpdu-timeout-action statement with either the block or log option for the
spanning-tree protocol interface.
[edit]
protocols {
rstp {
interface interface-name {
bpdu-timeout-action (log | block);
}
}
}
[edit]
protocols {
mstp {
interface interface-name {
bpdu-timeout-action (log | block);
}
}
}
• For all VSTP instances on a physical interface configured at the global level or a
the VLAN level:
[edit]
protocols {
vstp {
interface interface-name {
bpdu-timeout-action (log | block);
}
vlan vlan-id {
interface interface-name {
bpdu-timeout-action (log | block);
}
}
}
}
Related • Understanding Loop Protection for Spanning-Tree Instance Interfaces on page 426
Documentation
• Loop Protection for a Spanning-Tree Instance Interface on page 427
This example blocks and logs the non-designated RSTP port ge-1/2/0 after the BPDU
timeout interval expires:
[edit]
protocols {
rstp {
interface ge-1/2/0 {
bpdu-timeout-action block;
}
}
}
NOTE: This is not a complete configuration. You must also fully configure
RSTP, including the ge-1/2/0 interface.
Root protect helps to enforce the root bridge placement in a Layer 2 switched network.
Enable root protect on interfaces that should not receive superior bridge protocol data
units (BPDUs) from the root bridge. Typically, these ports are spanning tree
protocol-designated ports on an administrative boundary. Enabling root protect ensures
the port remains a spanning-tree designated port.
When root protect is enabled on an interface, it is enabled for all spanning-tree protocol
instances on that interface. The interface is blocked only for those instances that receive
superior BPDUs.
If the bridge receives superior BPDUs on a port that has root protect enabled, that port
transitions to a root-prevented STP state and the interface is blocked. This prevents a
bridge that should not be the root bridge from being elected the root bridge.
After the bridge stops receiving superior BPDUs on the port with root protect enabled
and the received BPDUs time out, that port transitions back to the STP-designated port
state.
When root protect is enabled on an interface, it is enabled for all spanning-tree protocol
instances on that interface. The interface is blocked only for those instances that receive
superior BPDUs.
[edit]
user@host# edit protocols (mstp | rstp | vstp <vlan vlan-id>)
[edit ... protocols (mstp | rstp | vstp <vlan vlan-id>) interface interface-name]
user@host# set no-root-port
4. Verify the configuration of root protect for the spanning-tree instance interface:
[edit ... protocols (mstp | rstp | vstp <vlan vlan-id>) interface interface-name]
user@host# top
user@host# show ... protocols
...
(mstp | rstp | vstp <vlan vlan-id>) {
interface interface-name {
no-root-port;
}
LLDP Overview
LLDP allows network devices that operate at the lower layers of a protocol stack (such
as Layer 2 bridges and switches) to learn some of the capabilities and characteristics of
LAN devices available to higher layer protocols, such as IP addresses. The information
gathered through LLDP operation is stored in a network device and is queried with SNMP.
Topology information can also be gathered from this database.
Some of the information that can be gathered by LLDP (only minimal information is
mandatory) is:
• Power information
LLDP frames are sent at fixed intervals on each port that runs LLDP. LLDP protocol data
units (LLDP PDUs) are sent inside Ethernet frames and identified by their destination
Media Access Control (MAC) address (01:80:C2:00:00:0E) and Ethertype (0x88CC).
Mandatory information supplied by LLDP is chassis ID, port ID, and a time-to-live value
for this information.
LLDP is a powerful way to allow Layer 2 devices to gather details about other
network-attached devices.
You configure LLDP by including the lldp statement and associated parameters at the
[edit protocols] hierarchy level. The complete set of LLDP statements follows:
lldp {
advertisement-interval seconds;
disable;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
lldp-configuration-notification-interval seconds;
port-id-subtype {
interface-name;
locally-assigned;
}
ptopo-configuration-maximum-hold-time seconds;
ptopo-configuration-trap-interval seconds;
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>;
flag flag <flag-modifier> <disable>;
}
transmit-delay seconds
}
To disable LLDP on all or a particular interface, include the interfaces statement at the
[edit protocols lldp] hierarchy level:
To disable LLDP on all interfaces, use the all option. To disable LLDP on a particular
interface, include the disable statement with the interface name.
The advertisement interval determines the frequency that an LLDP interface sends LLDP
advertisement frames. The default value is 30 seconds. The allowable range is from 5
through 32768 seconds. You adjust this parameter by including the advertisement-interval
statement at the [edit protocols lldp] hierarchy level.
The hold multiplier determines the multiplier to apply to the advertisement interval. The
resulting value in seconds is used to cache learned LLDP information before discard. The
default value is 4. When used with the default advertisement interval value of 30 seconds,
this makes the default cache lifetime 120 seconds. The allowable range of the hold
multiplier is from 2 through 10. You adjust this parameter by including the hold-multiplier
statement at the [edit protocols lldp] hierarchy level.
The transmit delay determines the delay between any two consecutive LLDP
advertisement frames. The default value is 2 seconds. The allowable range is from 1
through 8192 seconds. You adjust this parameter by including the transmit-delay
statement at the [edit protocols lldp] hierarchy level.
The physical topology configuration maximum hold time determines the time interval
for which an agent device maintains physical topology database entries. The default
value is 300 seconds. The allowable range is from 1 through 2147483647 seconds. You
adjust this parameter by including the ptopo-configuration-maximum-hold-time statement
at the [edit protocols lldp] hierarchy level.
The LLDP configuration notification interval determines the period for which trap
notifications are sent to the SNMP Master Agent when changes occur in the database
of LLDP information. This capability is disabled by default. The allowable range is from 0
(disabled) through 3600 seconds. You adjust this parameter by including the
lldp-configuration-notification-interval statement at the [edit protocols lldp] hierarchy
level.
The physical topology configuration trap interval determines the period for which trap
notifications are sent to the SNMP Master Agent when changes occur in the global
physical topology statistics. This capability is disabled by default. The allowable range
is from 0 (disabled) through 3600 seconds. The LLDP agent sends traps to the SNMP
Master Agent if this interval has a value greater than 0 and there is any change during
the lldp-configuration-notification-interval trap interval. You adjust this parameter by
including the ptopo-configuration-trap-interval statement at the [edit protocols lldp]
hierarchy level.
By default, LLDP generates the SNMP index of the interface for the port ID Type, Length,
and Value (TLV). Starting with Junos OS Release 12.3R1, you can generate the interface
name as the port ID TLV by including the interface-name statement at the [edit protocols
lldp port-id-subtype] hierarchy level. When configure the interface-name, statement on
the remote LLDP neighbor, the show lldp neighbors command displays the interface
name in the Port ID field rather than the SNMP index of the interface, which is displayed
by default. If you change the default behavior of generating the SNMP index of the
interface as the Port ID TLV, you can reenable the default behavior by including the
locally-assigned statement at the [edit protocols lldp port-id-subtype hierarchy level.
Table 40 on page 434 summarizes the command-line interface (CLI) commands you can
use to monitor and troubleshoot the Link Layer Discovery Protocol (LLDP) protocol.
Commands are listed in alphabetical order.
• Configuring LLDP
Layer 2 protocol tunneling (L2PT) allows Layer 2 protocol data units (PDUs) to be
tunneled through a network.
L2PT on ACX Series routers supports tunneling the following Layer 2 PDUs:
• Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Tree Protocol (MSTP)
When a Layer 2 control PDU is received on a service provider edge port configured for
L2PT, the multicast destination MAC address is rewritten with the predefined multicast
tunnel MAC address of 01:00:0c:cd:cd:d0. The packet is transported across the provider
network transparently to the other end of the tunnel and the original multicast destination
MAC address is restored when the packet is transmitted.
If a packet is received on a tunnel interface that already has a destination multicast MAC
address of 01:00:0c:cd:cd:d0, the port enters an error state and is shut down. To clear
the error condition, the administrator must enter the clear error mac-rewrite
interface interface-name command.
L2PT can be configured on the customer edge aggregated Ethernet interface using
mac-rewrite CLI command at the [edit protocols layer2-control] hierarchy level.
The destination MAC address used by different protocols is listed in Table 41 on page 438:
Spanning Tree Protocol (STP), Rapid Spanning Tree LLC (0x424203) 01:80:C2:00:00:00
Protocol (RSTP), and Multiple Spanning Tree
Protocol (MSTP)
• Checking for a MAC Rewrite Error Condition Blocking Layer 2 Interface in ACX Series
on page 442
To enable L2PT, include the mac-rewrite statement at the [edit protocols layer2-control]
hierarchy level.
For configuring MAC address rewriting for Layer 2 protocol tunneling, the following
guidelines apply:
• You can enable Layer 2 protocol tunneling for single VLAN tagged ports. If a logical
port is tagged, then native VLAN ID must be configured to enable Layer 2 protocol
tunneling on that logical port.
You cannot enable Layer 2 protocol tunneling for double identifier tagged interfaces.
• Checking for a MAC Rewrite Error Condition Blocking Layer 2 Interface in ACX Series
on page 442
To configure the interface where Layer 2 protocol tunneling is enabled, include the
interface ge-fpc/pic/port statement at the [edit protocols layer2-control] hierarchy level.
Keep the following guidelines in mind when configuring Layer 2 protocol tunneling:
• Layer 2 protocol tunneling must be configured on the interfaces at each end of the
tunnel.
• You can enable Layer 2 protocol tunneling for untagged interfaces and single VLAN
tagged interfaces only.
• For single VLAN tagged interfaces, configure a logical interface with the native VLAN
identifier. This configuration associates the untagged control packets with a logical
interface.
• You cannot enable Layer 2 protocol tunneling for double identifier tagged interfaces.
You can configure L2PT only on Layer 2 ports. To configure L2PT, you must specify any
of the following protocols that is to be tunneled:
To specify the protocol that will be tunneled by the Layer 2 protocol tunneling, you can
include the protocol (cdp | stp | vtp | ieee802.1x | ieee802.3ah | elmi | lacp | lldp | mmrp |
mvrp) statement at the [edit protocols layer2-control mac-rewrite interface ge-fpc/pic/port]
hierarchy level.
NOTE: When CDP, STP, VTP, IEEE 802.1x, IEEE 802.3ah, E-LMI, LACP, LLDP,
MMRP, or MVRP is configured for tunneling on a customer-facing port in a
provider bridge, the corresponding protocol should not be enabled for
operation on that interface.
• Checking for a MAC Rewrite Error Condition Blocking Layer 2 Interface in ACX Series
on page 442
[edit]
user@host# edit protocols layer2-control mac-rewrite
• Checking for a MAC Rewrite Error Condition Blocking Layer 2 Interface in ACX Series
on page 442
Checking for a MAC Rewrite Error Condition Blocking Layer 2 Interface in ACX Series
• If the value in the Physical interface includes Enabled, Physical link is Up and the
value of the MAC-REWRITE Error field is None, the interface is enabled
• If the value in the Physical interface field is Enabled, Physical link is Down and the
value in the MAC-REWRITE Error field is Detected, the interface is blocked.
If a packet is received on a tunnel interface that already has a destination multicast MAC
address of 01:00:0c:cd:cd:d0, the port enters an error state and is shut down. To clear
the error condition, the administrator must enter the clear error mac-rewrite interface
interface-name command.
• Checking for a MAC Rewrite Error Condition Blocking Layer 2 Interface in ACX Series
on page 442
Understanding IGMP
The Internet Group Management Protocol (IGMP) manages the membership of hosts
and routing devices in multicast groups. IP hosts use IGMP to report their multicast group
memberships to any immediately neighboring multicast routing devices. Multicast routing
devices use IGMP to learn, for each of their attached physical networks, which groups
have members.
IGMP is also used as the transport for several related multicast protocols (for example,
Distance Vector Multicast Routing Protocol [DVMRP] and Protocol Independent Multicast
version 1 [PIMv1]).
A routing device receives explicit join and prune messages from those neighboring routing
devices that have downstream group members. When PIM is the multicast protocol in
use, IGMP begins the process as follows:
1. To join a multicast group, G, a host conveys its membership information through IGMP.
2. The routing device then forwards data packets addressed to a multicast group G to
only those interfaces on which explicit join messages have been received.
3. A designated router (DR) sends periodic join and prune messages toward a
group-specific rendezvous point (RP) for each group for which it has active members.
One or more routing devices are automatically or statically designated as the RP, and
all routing devices must explicitly join through the RP.
4. Each routing device along the path toward the RP builds a wildcard (any-source)
state for the group and sends join and prune messages toward the RP.
The term route entry is used to refer to the state maintained in a routing device to
represent the distribution tree.
• source address
• group address
• timers
• flag bits
The wildcard route entry's incoming interface points toward the RP.
The outgoing interfaces point to the neighboring downstream routing devices that
have sent join and prune messages toward the RP as well as the directly connected
hosts that have requested membership to group G.
5. This state creates a shared, RP-centered, distribution tree that reaches all group
members.
IGMP is also used as the transport for several related multicast protocols (for example,
Distance Vector Multicast Routing Protocol [DVMRP] and Protocol Independent Multicast
version 1 [PIMv1]).
IGMP is an integral part of IP and must be enabled on all routing devices and hosts that
need to receive IP multicast traffic.
For each attached network, a multicast routing device can be either a querier or a
nonquerier. The querier routing device periodically sends general query messages to
solicit group membership information. Hosts on the network that are members of a
multicast group send report messages. When a host leaves a group, it sends a leave
group message.
IGMP version 3 (IGMPv3) supports inclusion and exclusion lists. Inclusion lists enable
you to specify which sources can send to a multicast group. This type of multicast group
is called a source-specific multicast (SSM) group, and its multicast address is 232/8.
IGMPv3 provides support for source filtering. For example, a routing device can specify
particular routing devices from which it accepts or rejects traffic. With IGMPv3, a multicast
routing device can learn which sources are of interest to neighboring routing devices.
Exclusion mode works the opposite of an inclusion list. It allows any source but the ones
listed to send to the SSM group.
IGMPv3 interoperates with versions 1 and 2 of the protocol. However, to remain compatible
with older IGMP hosts and routing devices, IGMPv3 routing devices must also implement
versions 1 and 2 of the protocol. IGMPv3 supports the following membership-report record
types: mode is allowed, allow new sources, and block old sources.
• Configuring IGMP
Enabling IGMP
If IGMP is not running on an interface—either because PIM and DVMRP are not configured
on the interface or because IGMP is explicitly disabled on the interface—you can explicitly
enable IGMP.
1. If PIM and DVMRP are not running on the interface, explicitly enable IGMP by including
the interface name.
2. See if IGMP is disabled on any interfaces. In the following example, IGMP is disabled
on a Gigabit Ethernet interface.
5. Verify the operation of IGMP on the interfaces by checking the output of the show
igmp interface command.
Configuring IGMP
1. Determine whether the router is directly attached to any multicast sources. Receivers
must be able to locate these sources.
2. Determine whether the router is directly attached to any multicast group receivers. If
receivers are present, IGMP is needed.
5. Determine whether to locate the RP with the static configuration, BSR, or auto-RP
method.
6. Determine whether to configure multicast to use its own RPF routing table when
configuring PIM in sparse, dense, or sparse-dense mode.
7. Configure the SAP and SDP protocols to listen for multicast session announcements.
See Configuring the Session Announcement Protocol.
To configure the Internet Group Management Protocol (IGMP), include the igmp
statement:
igmp {
accounting;
interface interface-name {
disable;
(accounting | no-accounting);
group-policy [ policy-names ];
immediate-leave;
oif-map map-name;
promiscuous-mode;
ssm-map ssm-map-name;
static {
group multicast-group-address {
exclude;
group-count number;
group-increment increment;
source ip-address {
source-count number;
source-increment increment;
}
}
}
version version;
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>;
flag flag <flag-modifier> <disable>;
}
}
• [edit protocols]
By default, IGMP is enabled on all interfaces on which you configure Protocol Independent
Multicast (PIM), and on all broadcast interfaces on which you configure the Distance
Vector Multicast Routing Protocol (DVMRP).
NOTE: You can configure IGMP on an interface without configuring PIM. PIM
is generally not needed on IGMP downstream interfaces. Therefore, only one
“pseudo PIM interface” is created to represent all IGMP downstream
(IGMP-only) interfaces on the router. This reduces the amount of router
resources, such as memory, that are consumed. You must configure PIM on
upstream IGMP interfaces to enable multicast routing, perform reverse-path
forwarding for multicast data packets, populate the multicast forwarding
table for upstream interfaces, and in the case of bidirectional PIM and PIM
sparse mode, to distribute IGMP group memberships into the multicast routing
domain.
Disabling IGMP
disable;
The objective of IGMP is to keep routers up to date with group membership of the entire
subnet. Routers need not know who all the members are, only that members exist. Each
host keeps track of which multicast groups are subscribed to. On each link, one router is
elected the querier. The IGMP querier router periodically sends general host-query
messages on each attached network to solicit membership information. The messages
are sent to the all-systems multicast group address, 224.0.0.1.
The query interval, the response interval, and the robustness variable are related in that
they are all variables that are used to calculate the group membership timeout. The
group membership timeout is the number of seconds that must pass before a multicast
router determines that no more members of a host group exist on a subnet. The group
membership timeout is calculated as the (robustness variable x query-interval) +
(query-response-interval). If no reports are received for a particular group before the
group membership timeout has expired, the routing device stops forwarding
remotely-originated multicast packets for that group onto the attached network.
By default, host-query messages are sent every 125 seconds. You can change this interval
to change the number of IGMP messages sent on the subnet.
2. Verify the configuration by checking the IGMP Query Interval field in the output of the
show igmp interface command.
3. Verify the operation of the query interval by checking the Membership Query field in
the output of the show igmp statistics command.
The query response interval is the maximum amount of time that can elapse between
when the querier router sends a host-query message and when it receives a response
from a host. Configuring this interval allows you to adjust the burst peaks of IGMP
messages on the subnet. Set a larger interval to make the traffic less bursty. Bursty traffic
refers to an uneven pattern of data transmission: sometimes a very high data transmission
rate, whereas at other times a very low data transmission rate.
The query response interval, the host-query interval, and the robustness variable are
related in that they are all variables that are used to calculate the group membership
timeout. The group membership timeout is the number of seconds that must pass before
a multicast router determines that no more members of a host group exist on a subnet.
The group membership timeout is calculated as the (robustness variable x query-interval)
+ (query-response-interval). If no reports are received for a particular group before the
group membership timeout has expired, the routing device stops forwarding remotely
originated multicast packets for that group onto the attached network.
The default query response interval is 10 seconds. You can configure a subsecond interval
up to one digit to the right of the decimal point. The configurable range is 0.1 through 0.9,
then in 1-second intervals 1 through 999,999.
2. Verify the configuration by checking the IGMP Query Response Interval field in the
output of the show igmp interface command.
3. Verify the operation of the query interval by checking the Membership Query field in
the output of the show igmp statistics command.
The immediate leave setting is useful for minimizing the leave latency of IGMP
memberships. When this setting is enabled, the routing device leaves the multicast group
immediately after the last host leaves the multicast group.
The immediate-leave setting enables host tracking, meaning that the device keeps track
of the hosts that send join messages. This allows IGMP to determine when the last host
sends a leave message for the multicast group.
When the immediate leave setting is enabled, the device removes an interface from the
forwarding-table entry without first sending IGMP group-specific queries to the interface.
The interface is pruned from the multicast tree for the multicast group specified in the
IGMP leave message. The immediate leave setting ensures optimal bandwidth
management for hosts on a switched network, even when multiple multicast groups are
being used simultaneously.
When immediate leave is disabled and one host sends a leave group message, the routing
device first sends a group query to determine if another receiver responds. If no receiver
responds, the routing device removes all hosts on the interface from the multicast group.
Immediate leave is disabled by default for both IGMP version 2 and IGMP version 3.
NOTE: Although host tracking is enabled for IGMPv2 and MLDv1 when you
enable immediate leave, use immediate leave with these versions only when
there is one host on the interface. The reason is that IGMPv2 and MLDv1 use
a report suppression mechanism whereby only one host on an interface sends
a group join report in response to a membership query. The other interested
hosts suppress their reports. The purpose of this mechanism is to avoid a
flood of reports for the same group. But it also interferes with host tracking,
because the router only knows about the one interested host and does not
know about the others.
2. Verify the configuration by checking the Immediate Leave field in the output of the
show igmp interface command.
Suppose you need to limit the subnets that can join a certain multicast group. The
group-policy statement enables you to filter unwanted IGMP reports at the interface
level. When this statement is enabled on a router running IGMP version 2 (IGMPv2) or
version 3 (IGMPv3), after the router receives an IGMP report, the router compares the
group against the specified group policy and performs the action configured in that policy
(for example, rejects the report if the policy matches the defined address or network).
You define the policy to match only IGMP group addresses (for IGMPv2) by using the
policy's route-filter statement to match the group address. You define the policy to match
IGMP (source, group) addresses (for IGMPv3) by using the policy's route-filter statement
to match the group address and the policy's source-address-filter statement to match
the source address.
3. Apply the policies to the IGMP interfaces on which you prefer not to receive specific
group or (source, group) reports. In this example, ge-0/0/0.1 is running IGMPv2, and
ge-0/1/1.0 is running IGMPv3.
4. Verify the operation of the filter by checking the Rejected Report field in the output
of the show igmp statistics command.
By default, IGMP interfaces accept IGMP messages only from the same subnet. Including
the promiscuous-mode statement enables the routing device to accept IGMP messages
from indirectly connected subnets.
2. Verify the configuration by checking the Promiscuous Mode field in the output of the
show igmp interface command.
3. Verify the operation of the filter by checking the Rx non-local field in the output of the
show igmp statistics command.
The last-member query interval is the maximum amount of time between group-specific
query messages, including those sent in response to leave-group messages. You can
configure this interval to change the amount of time it takes a routing device to detect
the loss of the last member of a group.
When the routing device that is serving as the querier receives a leave-group message
from a host, the routing device sends multiple group-specific queries to the group being
left. The querier sends a specific number of these queries at a specific interval. The number
of queries sent is called the last-member query count. The interval at which the queries
are sent is called the last-member query interval. Because both settings are configurable,
you can adjust the leave latency. The IGMP leave latency is the time between a request
to leave a multicast group and the receipt of the last byte of data for the multicast group.
The last-member query count x (times) the last-member query interval = (equals) the
amount of time it takes a routing device to determine that the last member of a group
has left the group and to stop forwarding group traffic.
The default last-member query interval is 1 second. You can configure a subsecond
interval up to one digit to the right of the decimal point. The configurable range is 0.1
through 0.9, then in 1-second intervals 1 through 999,999.
1. Configure the time (in seconds) that the routing device waits for a report in response
to a group-specific query.
2. Verify the configuration by checking the IGMP Last Member Query Interval field in the
output of the show igmp interfaces command.
NOTE: You can configure the last-member query count by configuring the
robustness variable. The two are always equal.
Fine-tune the IGMP robustness variable to allow for expected packet loss on a subnet.
The robust count automatically changes certain IGMP message intervals for IGMPv2 and
IGMPv3. Increasing the robust count allows for more packet loss but increases the leave
latency of the subnetwork.
When the query router receives an IGMP leave message on a shared network running
IGMPv2, the query router must send an IGMP group query message a specified number
of times. The number of IGMP group query messages sent is determined by the robust
count.
The value of the robustness variable is also used in calculating the following IGMP
message intervals:
• Group member interval—Amount of time that must pass before a multicast router
determines that there are no more members of a group on a network. This interval is
calculated as follows: (robustness variable x query-interval) + (1 x
query-response-interval).
• Other querier present interval—The robust count is used to calculate the amount of
time that must pass before a multicast router determines that there is no longer another
multicast router that is the querier. This interval is calculated as follows: (robustness
variable x query-interval) + (0.5 x query-response-interval).
By default, the robustness variable is set to 2. You might want to increase this value if
you expect a subnet to lose packets.
When you set the robust count, you are in effect configuring the number of times the
querier retries queries on the connected subnets.
2. Verify the configuration by checking the IGMP Robustness Count field in the output
of the show igmp interfaces command.
This section describes how to change the limit for the maximum number of IGMP packets
transmitted in 1 second by the router.
Increasing the maximum number of IGMP packets transmitted per second might be
useful on a router with a large number of interfaces participating in IGMP.
To change the limit for the maximum number of IGMP packets the router can transmit
in 1 second, include the maximum-transmit-rate statement and specify the maximum
number of packets per second to be transmitted.
By default, the routing device runs IGMPv2. Routing devices running different versions of
IGMP determine the lowest common version of IGMP that is supported by hosts on their
subnet and operate in that version.
If a static multicast group is configured with the source address defined, and the IGMP
version is configured to be version 2, the source is ignored and only the group is added.
In this case, the join is treated as an IGMPv2 group join.
BEST PRACTICE: If you configure the IGMP version setting at the individual
interface hierarchy level, it overrides the interface all statement. That is, the
new interface does not inherit the version number that you specified with the
interface all statement. By default, that new interface is enabled with version
2. You must explicitly specify a version number when adding a new interface.
For example, if you specified version 3 with interface all, you would need to
configure the version 3 statement for the new interface. Additionally, if you
configure an interface for a multicast group at the [edit interface interface-name
static group multicast-group-address] hierarchy level, you must specify a version
number as well as the other group parameters. Otherwise, the interface is
enabled with the default version 2.
If you have already configured the routing device to use IGMP version 1 (IGMPv1) and then
configure it to use IGMPv2, the routing device continues to use IGMPv1 for up to 6 minutes
and then uses IGMPv2.
2. Verify the configuration by checking the version field in the output of the show igmp
interfaces command. The show igmp statistics command has version-specific output
fields, such as V1 Membership Report, V2 Membership Report, and V3 Membership
Report.
You can create IGMP static group membership to test multicast forwarding without a
receiver host. When you enable IGMP static group membership, data is forwarded to an
interface without that interface receiving membership reports from downstream hosts.
The router on which you enable static IGMP group membership must be the designated
router (DR) for the subnet. Otherwise, traffic does not flow downstream.
When enabling IGMP static group membership, you cannot configure multiple groups
using the group-count, group-increment, source-count, and source-increment statements
if the all option is specified as the IGMP interface.
Class-of-service (CoS) adjustment is not supported with IGMP static group membership.
1. On the DR, configure the static groups to be created by including the static statement
and group statement and specifying which IP multicast address of the group to be
created. When creating groups individually, you must specify a unique address for
each group.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
static {
group 233.252.0.1 ;
}
}
3. After you have committed the configuration and the source is sending traffic, use the
show igmp group command to verify that static group 233.252.0.1 has been created.
NOTE: When you configure static IGMP group entries on point-to-point links
that connect routing devices to a rendezvous point (RP), the static IGMP
group entries do not generate join messages toward the RP.
When you create IGMP static group membership to test multicast forwarding on an
interface on which you want to receive multicast traffic, you can specify that a number
of static groups be automatically created. This is useful when you want to test forwarding
to multiple receivers without having to configure each receiver separately.
1. On the DR, configure the number of static groups to be created by including the
group-count statement and specifying the number of groups to be created.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
static {
group 233.252.0.1 {
group-count 3;
}
}
}
3. After you have committed the configuration and after the source is sending traffic,
use the show igmp group command to verify that static groups 233.252.0.1, 233.252.0.2,
and 233.252.0.3 have been created.
When you create IGMP static group membership to test multicast forwarding on an
interface on which you want to receive multicast traffic, you can also configure the group
address to be automatically incremented for each group created. This is useful when
you want to test forwarding to multiple receivers without having to configure each receiver
separately and when you do not want the group addresses to be sequential.
In this example, you create three groups and increase the group address by an increment
of two for each group.
1. On the DR, configure the group address increment by including the group-increment
statement and specifying the number by which the address should be incremented
for each group. The increment is specified in dotted decimal notation similar to an
IPv4 address.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
version 3;
static {
group 233.252.0.1 {
group-increment 0.0.0.2;
group-count 3;
}
}
}
3. After you have committed the configuration and after the source is sending traffic,
use the show igmp group command to verify that static groups 233.252.0.1, 233.252.0.3,
and 233.252.0.5 have been created.
When you create IGMP static group membership to test multicast forwarding on an
interface on which you want to receive multicast traffic, and your network is operating
in source-specific multicast (SSM) mode, you can also specify that the multicast source
address be accepted. This is useful when you want to test forwarding to multicast
receivers from a specific multicast source.
If you specify a group address in the SSM range, you must also specify a source.
If a source address is specified in a multicast group that is statically configured, the IGMP
version on the interface must be set to IGMPv3. IGMPv2 is the default value.
In this example, you create group 233.252.0.1 and accept IP address 10.0.0.2 as the only
source.
1. On the DR, configure the source address by including the source statement and
specifying the IPv4 address of the source host.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
version 3;
static {
group 233.252.0.1 {
source 10.0.0.2;
}
}
}
3. After you have committed the configuration and the source is sending traffic, use the
show igmp group command to verify that static group 233.252.0.1 has been created
and that source 10.0.0.2 has been accepted.
When you create IGMP static group membership to test multicast forwarding on an
interface on which you want to receive multicast traffic, you can specify that a number
of multicast sources be automatically accepted. This is useful when you want to test
forwarding to multicast receivers from more than one specified multicast source.
In this example, you create group 233.252.0.1 and accept addresses 10.0.0.2, 10.0.0.3,
and 10.0.0.4 as the sources.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
version 3;
static {
group 233.252.0.1 {
source 10.0.0.2 {
source-count 3;
}
}
}
}
3. After you have committed the configuration and the source is sending traffic, use the
show igmp group command to verify that static group 233.252.0.1 has been created
and that sources 10.0.0.2, 10.0.0.3, and 10.0.0.4 have been accepted.
When you configure static groups on an interface on which you want to receive multicast
traffic, and specify that a number of multicast sources be automatically accepted, you
can also specify the number by which the address should be incremented for each source
accepted. This is useful when you want to test forwarding to multiple receivers without
having to configure each receiver separately and you do not want the source addresses
to be sequential.
In this example, you create group 233.252.0.1 and accept addresses 10.0.0.2, 10.0.0.4,
and 10.0.0.6 as the sources.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
version 3;
static {
group 233.252.0.1 {
source 10.0.0.2 {
source-count 3;
source-increment 0.0.0.2;
}
}
}
}
3. After you have committed the configuration and after the source is sending traffic,
use the show igmp group command to verify that static group 233.252.0.1 has been
created and that sources 10.0.0.2, 10.0.0.4, and 10.0.0.6 have been accepted.
When you configure static groups on an interface on which you want to receive multicast
traffic and your network is operating in source-specific multicast (SSM) mode, you can
specify that certain multicast source addresses be excluded.
By default the multicast source address configured in a static group operates in include
mode. In include mode the multicast traffic for the group is accepted from the source
address configured. You can also configure the static group to operate in exclude mode.
In exclude mode the multicast traffic for the group is accepted from any address other
than the source address configured.
If a source address is specified in a multicast group that is statically configured, the IGMP
version on the interface must be set to IGMPv3. IGMPv2 is the default value.
In this example, you exclude address 10.0.0.2 as a source for group 233.252.0.1.
1. On the DR, configure a multicast static group to operate in exclude mode by including
the exclude statement and specifying which IPv4 source address to exclude.
2. After you commit the configuration, use the show configuration protocol igmp command
to verify the IGMP protocol configuration.
interface fe-0/1/2.0 {
version 3;
static {
group 233.252.0.1 {
exclude;
source 10.0.0.2;
}
}
}
3. After you have committed the configuration and the source is sending traffic, use the
show igmp group detail command to verify that static group 233.252.0.1 has been
created and that the static group is operating in exclude mode.
To determine whether IGMP tuning is needed in a network, you can configure the routing
device to record IGMP join and leave events. You can record events globally for the routing
device or for individual interfaces.
1. Enable accounting globally or on an IGMP interface. This example shows both options.
2. Configure the events to be recorded and filter the events to a system log file with a
descriptive filename, such as igmp-events.
This example rotates the file size when it reaches 100 KB and keeps three files.
4. You can monitor the system log file as entries are added to the file by running the
monitor start and monitor stop commands.
The group-limit statement enables you to limit the number of IGMP multicast group joins
for logical interfaces. When this statement is enabled on a router running IGMP version 2
(IGMPv2) or version 3 (IGMPv3), the limit is applied upon receipt of the group report.
Once the group limit is reached, subsequent join requests are rejected.
When configuring limits for IGMP multicast groups, keep the following in mind:
• Each any-source group (*,G) counts as one group toward the limit.
• Each source-specific group (S,G) counts as one group toward the limit.
• Multiple source-specific groups count individually toward the group limit, even if they
are for the same group. For example, (S1, G1) and (S2, G1) would count as two groups
toward the configured limit.
• Configuring and committing a group limit on a network that is lower than what already
exists on the network results in the removal of all groups from the configuration. The
groups must then request to rejoin the network (up to the newly configured group
limit).
• You can dynamically limit multicast groups on IGMP logical interfaces using dynamic
profiles.
Starting in Junos OS Release 12.2, you can optionally configure a system log warning
threshold for IGMP multicast group joins received on the logical interface. It is helpful to
review the system log messages for troubleshooting purposes and to detect if an excessive
amount of IGMP multicast group joins have been received on the interface. These log
messages convey when the configured group limit has been exceeded, when the
configured threshold has been exceeded, and when the number of groups drop below
the configured threshold.
The group-threshold statement enables you to configure the threshold at which a warning
message is logged. The range is 1 through 100 percent. The warning threshold is a
percentage of the group limit, so you must configure the group-limit statement to configure
a warning threshold. For instance, when the number of groups exceed the configured
warning threshold, but remain below the configured group limit, multicast groups continue
to be accepted, and the device logs the warning message. In addition, the device logs a
warning message after the number of groups drop below the configured warning threshold.
You can further specify the amount of time (in seconds) between the log messages by
configuring the log-interval statement. The range is 6 through 32,767 seconds.
You might consider throttling log messages because every entry added after the
configured threshold and every entry rejected after the configured limit causes a warning
message to be logged. By configuring a log interval, you can throttle the amount of system
log warning messages generated for IGMP multicast group joins.
[edit]
user@host# edit protocols igmp interface interface-name
To confirm your configuration, use the show protocols igmp command. To verify the
operation of IGMP on the interface, including the configured group limit and the optional
warning threshold and interval between log messages, use the show igmp interface
command.
12.2 Starting in Junos OS Release 12.2, you can optionally configure a system log
warning threshold for IGMP multicast group joins received on the logical
interface.
Tracing operations record detailed messages about the operation of routing protocols,
such as the various types of routing protocol packets sent and received, and routing policy
actions. You can specify which trace operations are logged by including specific tracing
flags. The following table describes the flags that you can include.
Flag Description
Flag Description
In the following example, tracing is enabled for all routing protocol packets. Then tracing
is narrowed to focus only on IGMP packets of a particular type. To configure tracing
operations for IGMP:
1. (Optional) Configure tracing at the routing options level to trace all protocol packets.
6. Configure tracing flags. Suppose you are troubleshooting issues with a particular
multicast group. The following example shows how to flag all events for packets
associated with the group IP address.
• mtrace
Disabling IGMP
disable;
Snooping is a general way for Layer 2 devices, such as Juniper Networks MX Series Ethernet
Services Routers, to implement a series of procedures to “snoop” at the Layer 3 packet
content to determine which actions are to be taken to process or forward a frame. More
specific forms of snooping, such as Internet Group Membership Protocol (IGMP ) snooping
or Protocol Independent Multicast (PIM) snooping, are used with multicast.
Layer 2 devices (LAN switches or bridges) handle multicast packets and the frames that
contain them much in the same way the Layer 3 devices (routers) handle broadcasts.
So, a Layer 2 switch processes an arriving frame having a multicast destination media
access control (MAC) address by forwarding a copy of the packet (frame) onto each of
the other network interfaces of the switch that are in a forwarding state.
However, this approach (sending multicast frames everywhere the device can) is not the
most efficient use of network bandwidth, particularly for IPTV applications. IGMP snooping
functions by “snooping” at the IGMP packets received by the switch interfaces and building
a multicast database similar to that a multicast router builds in a Layer 3 network. Using
this database, the switch can forward multicast traffic only onto downstream interfaces
with interested receivers, and this technique allows more efficient use of network
bandwidth.
You configure IGMP snooping for each bridge on the router. A bridge instance without
qualified learning has just one learning domain. For a bridge instance with qualified
learning, snooping will function separately within each learning domain in the bridge.
That is, IGMP snooping and multicast forwarding will proceed independently in each
learning domain in the bridge.
This discussion focuses on bridge instances without qualified learning (those forming
one learning domain on the device). Therefore, all the interfaces mentioned are logical
interfaces of the bridge or VPLS instance.
NOTE: When integrated routing and bridging (IRB) is used, if the router is an
IGMP querier, any leave message received on any Layer 2 interface will cause
a group-specific query on all Layer 2 interfaces (as a result of this practice,
some corresponding reports might be received on all Layer 2 interfaces).
However, if some of the Layer 2 interfaces are also router (Layer 3) interfaces,
reports and leaves from other Layer 2 interfaces will not be forwarded on
those interfaces.
If no snooping is configured, the IRB output interface list is expanded to all Layer 2
interfaces in the bridge.
The Junos OS does not support IGMP snooping in a VPLS configuration on a virtual switch.
This configuration is disallowed in the CLI.
IGMP snooping divides the device interfaces into multicast-router interfaces and host-side
interfaces. A multicast-router interface is an interface in the direction of a multicasting
router. An interface on the bridge is considered a multicast-router interface if it meets at
least one of the following criteria:
All other interfaces that are not multicast-router interfaces are considered host-side
interfaces.
Any multicast traffic received on a bridge interface with IGMP snooping configured will
be forwarded according to following rules:
• Any IGMP packet is sent to the Routing Engine for snooping processing.
• Other multicast traffic with destination address 224.0.0/24 is flooded onto all other
interfaces of the bridge.
• Other multicast traffic is sent to all the multicast-router interfaces but only to those
host-side interfaces that have hosts interested in receiving that multicast group.
Without a proxy arrangement, IGMP snooping does not generate or introduce queries
and reports. It will only “snoop” reports received from all of its interfaces (including
multicast-router interfaces) to build its state and group (S,G) database.
• Report—IGMP reports received on any interface of the bridge are forwarded toward
other multicast-router interfaces. The receiving interface is added as an interface for
that group if a multicast routing entry exists for this group. Also, a group timer is set for
the group on that interface. If this timer expires (that is, there was no report for this
group during the IGMP group timer period), then the interface is removed as an interface
for that group.
• Leave—Any IGMP leave message received on any interface of the bridge. The Leave
Group message reduces the time it takes for the multicast router to stop forwarding
multicast traffic when there are no longer any members in the host group.
Proxy snooping reduces the number of IGMP reports sent toward an IGMP router.
NOTE: With proxy snooping configured, an IGMP router is not able to perform
host tracking.
As proxy for its host-side interfaces, IGMP snooping in proxy mode replies to the queries
it receives from an IGMP router on a multicast-router interface. On the host-side interfaces,
IGMP snooping in proxy mode behaves as an IGMP router and sends general and
group-specific queries on those interfaces.
All the queries generated by IGMP snooping are sent using 0.0.0.0 as the source address.
Also, all reports generated by IGMP snooping are sent with 0.0.0.0 as the source address
unless there is a configured source address to use.
Besides replying to queries, IGMP snooping in proxy mode forwards all queries, reports,
and leaves received on a multicast-router interface to other multicast-router interfaces.
IGMP snooping keeps the membership information learned on this interface but does
not send a group-specific query for leave messages received on this interface. It simply
times out the groups learned on this interface if there are no reports for the same group
within the timer duration.
NOTE: For the hosts on all the multicast-router interfaces, it is the IGMP
router, not the IGMP snooping proxy, that generates general and
group-specific queries.
No reports are sent on host-side interfaces by IGMP snooping in proxy mode. IGMP
snooping processes reports received on these interfaces and sends group-specific queries
onto host-side interfaces when it receives a leave message on the interface. Host-side
interfaces do not generate periodic general queries, but forwards or floods general queries
received from multicast-router interfaces.
If a group is removed from a host-side interface and this was the last host-side interface
for that group, a leave is sent to the multicast-router interfaces. If a group report is received
on a host-side interface and this was the first host-side interface for that group, a report
is sent to all multicast-router interfaces.
IGMP snooping on a VLAN is only allowed for the legacy vlan-id all case. In other cases,
there is a specific bridge domain configuration that determines the VLAN-specific
configuration for IGMP snooping.
igmp-snooping {
immediate-leave;
interface interface-name {
group-limit limit;
host-only-interface;
immediate-leave;
multicast-router-interface;
static {
group ip-address {
source ip-address;
}
}
}
proxy {
source-address ip-address;
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
vlan vlan-id {
immediate-leave;
interface interface-name {
group-limit limit;
host-only-interface;
immediate-leave;
multicast-router-interface;
static {
group ip-address {
source ip-address;
}
}
}
proxy {
source-address ip-address;
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
By default, IGMP snooping is not enabled. Statements configured at the VLAN level apply
only to that particular VLAN.
All of the IGMP snooping statements configured with the igmp-snooping statement, with
the exception of the traceoptions statement, can be qualified with the same statement
at the VLAN level. To configure IGMP snooping parameters at the VLAN level, include
the vlan statement:
vlan vlan-id;
immediate-leave;
interface interface-name {
group-limit limit;
host-only-interface;
multicast-router-interface;
static {
group ip-address {
source ip-address;
}
}
}
proxy {
source-address ip-address;
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
This example shows how to configure IGMP snooping. IGMP snooping can reduce
unnecessary traffic from IP multicast applications.
Requirements
This example uses the following hardware components:
• Configure the interfaces. See the Interfaces Feature Guide for Security Devices.
• Configure an interior gateway protocol. See the Junos OS Routing Protocols Library.
• Configure a multicast protocol. This feature works with the following multicast
protocols:
• DVMRP
• PIM-DM
• PIM-SM
• PIM-SSM
• proxy—Enables the Layer 2 device to actively filter IGMP packets to reduce load on the
multicast router. Joins and leaves heading upstream to the multicast router are filtered
so that the multicast router has a single entry for the group, regardless of how many
active listeners have joined the group. When a listener leaves a group but other listeners
remain in the group, the leave message is filtered because the multicast router does
not need this information. The status of the group remains the same from the router's
point of view.
When you configure this feature on IGMPv2 interfaces, ensure that the IGMP interface
has only one IGMP host connected. If more than one IGMPv2 host is connected to a
LAN through the same interface, and one host sends a leave message, the router
removes all hosts on the interface from the multicast group. The router loses contact
with the hosts that properly remain in the multicast group until they send join requests
in response to the next general multicast listener query from the router.
When IGMP snooping is enabled on a router running IGMP version 3 (IGMPv3) snooping,
after the router receives a report with the type BLOCK_OLD_SOURCES, the router
suppresses the sending of group-and-source queries but relies on the Junos OS
host-tracking mechanism to determine whether or not it removes a particular source
group membership from the interface.
By default, the query interval is 125 seconds. You can configure any value in the range
1 through 1024 seconds.
The last-member query interval is the maximum amount of time between group-specific
query messages, including those sent in response to leave-group messages.
By default, the last-member query interval is 1 second. You can configure any value in
the range 0.1 through 0.9 seconds, and then 1-second intervals from 1 through 1024
seconds.
By default, the query response interval is 10 seconds. You can configure any value in
the range 1 through 1024 seconds. This interval should be less than the interval set in
the query-interval statement.
By default, the robust count is 2. You can configure any value in the range 2 through 10
intervals.
• group-limit—Configures a limit for the number of multicast groups (or [S,G] channels
in IGMPv3) that can join an interface. After this limit is reached, new reports are ignored
and all related flows are discarded, not flooded.
By default, there is no limit to the number of groups that can join an interface. You can
configure a limit in the range 0 through a 32-bit number.
By default, the router learns about multicast groups on the interface dynamically.
Figure 24 on page 482 shows networks without IGMP snooping. Suppose host A is an IP
multicast sender and hosts B and C are multicast receivers. The router forwards IP
multicast traffic only to those segments with registered receivers (hosts B and C).
However, the Layer 2 devices flood the traffic to all hosts on all interfaces.
g040612
Figure 25 on page 483 shows the same networks with IGMP snooping configured. The
Layer 2 devices forward multicast traffic to registered receivers only.
g040613
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
3. Configure the limit for the number of multicast groups allowed on the ge-0/0/1.1
interface to 50.
user@host# commit
Verification
To verify the configuration, run the following commands:
Tracing operations record detailed messages about the operation of routing protocols,
such as the various types of routing protocol packets sent and received, and routing policy
actions. You can specify which trace operations are logged by including specific tracing
flags. The following table describes the flags that you can include.
Flag Description
You can configure tracing operations for IGMP snooping globally or in a routing instance.
The following example shows the global configuration.
5. Configure tracing flags. Suppose you are troubleshooting issues with a policy related
to received packets on a particular logical interface with an IP address of 192.168.0.1.
The following example shows how to flag all policy events for received packets
associated with the IP address.
Junos OS substantially supports the following RFCs, which define standards for
Point-to-Point Protocol (PPP) interfaces.
For interfaces with PPP, PPP CCC, or PPP TCC encapsulation, you can configure
compression of the Data Link Layer address and control fields, as defined in RFC 1661,
The Point-to-Point Protocol (PPP). By default, the address and control fields are not
compressed. This means PPP-encapsulated packets are transmitted with two 1-byte
fields (0xff and 0x03). If you configure address and control field compression (ACFC)
and ACFC is successfully negotiated with the local router's peer, the local router transmits
packets without these 2 bytes. ACFC allows you to conserve bandwidth by transmitting
less data.
On M320, M120, and T Series routers, ACFC is not supported for any ISO family protocols.
Do not include the acfc statement at the [edit interfaces interface-name ppp-options
compression] hierarchy level when you include the family iso statement at the [edit
interfaces interface-name unit logical-unit-number] hierarchy level.
NOTE: The address and control fields cannot be compressed in Link Control
Protocol (LCP) packets.
The PPP session restarts when you configure or modify compression options.
To configure ACFC:
[edit ]
user@host# edit interfaces interface-name ppp-options
This configuration causes the local router to try to negotiate ACFC with its peer. If ACFC
is successfully negotiated, the local router sends packets with compressed address and
control fields. When you include the compression acfc statement in the configuration,
the PPP session restarts, and the local router sends the ACFC option in the LCP
Configure-Request packet. The ACFC option informs the local router's peer that the local
router can receive packets with compression. If the peer indicates that it, too, can receive
packets with compression, then ACFC is negotiated. If ACFC is successfully negotiated,
the local router can receive packets with or without the address and control bytes included.
• acfc
You can configure a restart timer for the Link Control Protocol (LCP) and Network Control
Protocol (NCP) components of a PPP session. You can configure the LCP restart timer
on interfaces with PPP, PPP TCC, PPP over Ethernet, PPP over ATM, and PPP over Frame
Relay encapsulations. You can configure the NCP restart timer on interfaces with PPP
and PPP TCC encapsulations and on multilink PPP bundle interfaces.
To configure the restart timer for the NCP component of a PPP session, include the
ncp-restart-timer statement, and specify the number of milliseconds.
To configure the restart timer for the LCP component of a PPP session, include the
lcp-restart-timer statement, and specify the number of milliseconds:
lcp-restart-timer milliseconds;
ncp-restart-timer milliseconds;
For interfaces with PPP encapsulation, you can configure interfaces to support the PPP
Challenge Handshake Authentication Protocol (CHAP), as defined in RFC 1994,
PPP Challenge Handshake Authentication Protocol (CHAP). When you enable CHAP on
an interface, the interface can authenticate its peer and can be authenticated by its peer.
For information about configuring CHAP, see “Configuring the PPP Challenge Handshake
Authentication Protocol” on page 493.
When a Point-to-Point Protocol (PPP) session detects a loop, the loop detected flag is
set. If the flag is not cleared by the protocol after the loopback is cleared, the clear loop
detected timer clears the flag after the specified time has elapsed.
To configure the clear loop detected timer for the LCP component of a PPP session,
include the loopback-clear-timer statement, and specify the number of seconds.
loopback-clear-timer seconds;
To monitor the configuration, issue the show interfaces interface-name extensive command.
A dynamic profile acts as a template that enables you to create, update, or remove a
configuration that includes attributes for client access (for example, interface or protocol)
or service (for example, IGMP). Using these profiles you can consolidate all of the common
attributes of a client (and eventually a group of clients) and apply the attributes
simultaneously.
After they are created, the profiles reside in a profile library on the router. You can then
use the dynamic-profile statement to attach profiles to interfaces. To assign a dynamic
profile to a PPP interface, you can include the dynamic-profile statement at the [edit
interfaces interface-name unit logical-unit-number ppp-options] hierarchy level:
For information about dynamic profiles, see Dynamic Profiles Overview in the Junos
Subscriber Access Configuration Guide.
For information about creating dynamic profiles, see Configuring a Basic Dynamic Profile
in the Junos Subscriber Access Configuration Guide.
For information about assigning a dynamic profile to a PPP interface, see Attaching
Dynamic Profiles to Static PPP Subscriber Interfaces in the Junos Subscriber Access
Configuration Guide.
NOTE: Dynamic profiles for PPP subscribers are supported only on PPPoE
interfaces for this release.
no CHAP challenges and denies all incoming CHAP challenges. To enable CHAP, you
must create an access profile, and you must configure the interfaces to use CHAP.
To enable CHAP, you must create an access profile, and you must configure the interfaces
to use PAP. For more information on how to configure access profile, see Configuring
Access Profiles for L2TP or PPP Parameters.
NOTE: You must include the access-profile statement when you configure
the CHAP authentication method. If an interface receives a CHAP challenge
or response from a peer that is not in the applied access profile, the link
is immediately dropped unless a default CHAP secret has been configured.
2. The default CHAP secret is used when no matching CHAP access profile exists, or if
the CHAP name changes during PPP link negotiation. To configure a default CHAP
secret for an interface, include the default-chap-secret statement at the [edit interfaces
interface-name ppp-options chap] hierarchy level.
3. To configure the name the interface uses in CHAP challenge and response packets,
include the local-name statement at the [edit interfaces interface-name ppp-options
chap] hierarchy level:
NOTE:
• The local name is any string from 1 through 32 characters in length,
4. You can configure the interface not to challenge its peer, and only respond when
challenged. To configure the interface not to challenge its peer, include the passive
statement at the [edit interfaces interface-name ppp-options chap] hierarchy level:
Purpose To display the configured PPP CHAP at the [edit access] and [edit interfaces] hierarchy
levels.
• Access profile—pe-A-ppp-clients
• Interface—so-1/1/2
Action • Run the show command at the [edit access] hierarchy level.
profile pe-A-ppp-clients;
client cpe-1 chap-secret "$ABC123";
# SECRET-DATA
[edit interfaces so-1/2/0]
encapsulation ppp;
ppp-options {
chap {
access-profile pe-A-ppp-clients;
default-chap-secret "$ABC123";
local-name "pe-A-so-1/1/1";
}
}
• Run the show command at the [edit interfaces s0-1/1/2] hierarchy level.
ppp-options {
chap {
access-profile pe-A-ppp-clients;
default-chap-secret "$ABC123";
local-name “pe-A-so-1/1/2";
}
}
Meaning The configured CHAP and its associated set options are displayed as expected.
During authentication, the PPP link sends a PAP authentication-request packet to the
peer with an ID and password. The authentication-request packet is sent every 2 seconds,
similar to the CHAP challenge, until a response is received (acknowledgment packet,
nonacknowledgment packet). If an acknowledgment packet is received, the PPP link
transitions to the next state, the network phase. If a nonacknowledgment packet is
received, an LCP terminate request is sent, and the PPP link goes back to the link
establishment phase. If no response is received, and an optional retry counter is set to
true, a new request acknowledgment packet is resent. If the retry counter expires, the
PPP link transitions to the LCP negotiate phrase.
You can configure the PPP link with PAP in passive mode. By default, when PAP is enabled
on an interface, the interface expects authenticate-request packets from the peer.
However, the interface can be configured to send authentication request packets to the
peer by configuring PAP to operate in passive mode. In PAP passive mode, the interface
sends the authenticate-request packets to the peer only if the interface receives the PAP
option from the peer during LCP negotiation—in passive mode, the interface does not
authenticate the peer.
To enable PAP, you must create an access profile, and you must configure the interfaces
to use PAP. For more information on how to configure access profile, see Configuring
Access Profiles for L2TP or PPP Parameters.
To configure the PPP password authentication protocol, on each physical interface with
PPP encapsulation, perform the following steps.
2. To configure the name the interface uses in PAP request and response packets, include
the local-name statement at the [edit interfaces interface-name ppp-options pap]
hierarchy level:
3. You need to configure the password to be used for authentication. To configure the
host password for sending PAP requests, include the local-password statement at
the [edit interfaces interface-name ppp-options pap] hierarchy level:
4. To configure the interface to authenticate with PAP in passive mode, include the
passive statement at the [edit interfaces interface-name ppp-options pap] hierarchy
level:
To configure the PPP password authentication protocol, on each logical interface with
PPP encapsulation, perform the following steps.
1. To configure the default PAP password, include the pap-password statement at the
[edit interfaces interface-name unit logical-unit-number ppp-options pap] hierarchy
level:
2. To configure the name the interface uses in PAP request and response packets, include
the local-name statement at the [edit interfaces interface-name unit logical-unt-number
ppp-options pap] hierarchy level:
3. You need to configure the password to be used for authentication. To configure the
host password for sending PAP requests, include the local-password statement at
the [edit interfaces interface-name ppp-options pap] hierarchy level:
4. To configure the interface to authenticate with PAP in passive mode, include the
passive statement at the [edit interfaces interface-name unit
logical-unt-numberppp-options pap] hierarchy level:
Each end of the link identifies itself to its peer by including its name in the CHAP challenge
and response packets it sends to the peer. This name defaults to the local hostname, or
you can explicitly set it using the local-name option. When a host receives a CHAP
challenge or CHAP response packet on a particular interface, it uses the peer identity to
look up the CHAP secret key to use.
To configure CHAP, include the profile statement at the [edit access] hierarchy level:
[edit access]
profile profile-name {
client client-name chap-secret chap-secret;
}
Then reference the CHAP profile name at the [edit interfaces] hierarchy level.
You can configure multiple CHAP profiles, and configure multiple clients for each profile.
Definitions:
• profile is the mapping between peer identifiers and CHAP secret keys. The identity of
the peer contained in the CHAP challenge or response queries the profile for the secret
key to use.
• On ACX2000, ACX2100, ACX2200, and ACX4000 routers with 16-port built-in T1/E1
TDM MICs.
Starting with Release 12.3X54, you can configure Point-to-Point Protocol (PPP)
encapsulation on physical interfaces on Channelized OC3/STM1 (Multi-Rate) Circuit
Emulation MIC with SFP on ACX4000 Series routers
On ACX Series routers, E1, T1, and NxDS0 interfaces support PPP encapsulation.
PPP is the default encapsulation type for physical interfaces. You need not configure
encapsulation for any physical interfaces that support PPP encapsulation. If you do not
configure encapsulation, PPP is used by default. For physical interfaces that do not
support PPP encapsulation, you must configure an encapsulation to use for packets
transmitted on the interface.
IP class of service (CoS) is not supported on PPP interfaces. All the traffic is sent to the
best effort queue (queue 0) and CoS code points are not processed. Also, fixed classifiers
are not supported. Circuit cross-connect (CCC) version of PPP (ppp-ccc option) and
translational cross-connect (TCC) version of PPP (ppp-tcc option) are not supported
for configuration with the encapsulation statement.
PPP is supported only for IPv4 networks. If you configure PPP encapsulation, you can
configure an INET family by including the family inet statement at the [edit interfaces
interface-name unit logical-unit-number] hierarchy level. MPLS family is not supported
on logical interfaces if you configured PPP encapsulation. On interfaces with PPP
encapsulation, configure PPP-specific interface properties by including the ppp-options
statement at the [edit interfaces interface-name] hierarchy level. For interfaces with PPP
encapsulation, you can configure interfaces to support the PPP Challenge Handshake
Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).
For full T1/E1 interfaces on which PPP encapsulation needs to be enabled, create the
T1/E1 interfaces out of channelized T1/E1 interfaces (CT1/CE1) by including the framing
statement at the [edit chassis fpc fpc-slot pic pic-slot] hierarchy level:
Configure a CT1 port down to a T1 channel. On the CT1 interface, set the no-partition
option and then set the interface type as T1.
Configure a CE1 port down to an E1 channel. On the CE1 interface, set the no-partition
option and then set the interface type as E1.
For NxDS0 interfaces on which PPP encapsulation needs to be enabled, partition the
CE1 and CT1 interfaces by including the ce1-x/y/z partition partition-number timeslots
timeslots interface-type ds and ct1-x/y/z partition partition-number timeslots timeslots
interface-type ds statements at the [edit interfaces interface-name] hierarchy level.
The following operational mode commands can be used to view PPP configuration
settings and statistical details:
• The show ppp address-pool command is used to display PPP address pool information.
• The show ppp interface command is used to display PPP session information for an
interface.
• The show ppp statistics command is used to display PPP session statistics.
• The show ppp summary command is used to display summary information about
PPP-configured interfaces.
• The show interfaces e1-fpc/pic/port, show interfaces t1-fpc/pic/port, and show interfaces
ds-fpc/pic/port commands are used to display the PPP settings of a specific E1, T1, and
DS interface, respectively.
Related • Configuring Interface Encapsulation on Physical Interfaces in ACX Series on page 501
Documentation
• encapsulation on page 1511
Point-to-Point Protocol (PPP) encapsulation is the default encapsulation type for physical
interfaces. You need not configure encapsulation for any physical interfaces that support
PPP encapsulation. If you do not configure encapsulation, PPP is used by default. For
physical interfaces that do not support PPP encapsulation, you must configure an
encapsulation to use for packets transmitted on the interface.
• ATM CCC cell relay—Connects two remote virtual circuits or ATM physical interfaces
with a label-switched path (LSP). Traffic on the circuit is ATM cells.
• TCC version (ethernet-tcc)—Similar to CCC, but used for circuits with different media
on either side of the connection.
For 8-port, 12-port, and 48-port Fast Ethernet PICs, TCC is not supported.
• VLAN CCC (vlan-ccc)—Ethernet interfaces with VLAN tagging enabled can use VLAN
CCC encapsulation. VLAN CCC encapsulation supports TPID 0x8100 only. When you
use this encapsulation type, you can configure the ccc family only.
• TCC version (extended-vlan-tcc)—Similar to CCC, but used for circuits with different
media on either side of the connection.
For 8-port, 12-port, and 48-port Fast Ethernet PICs, extended VLAN CCC is not
supported. For 4-port Gigabit Ethernet PICs, extended VLAN CCC and extended
VLAN TCC are not supported.
• Ethernet VLAN VPLS (vlan-vpls)—Ethernet interfaces with VLAN tagging and VPLS
enabled can use Ethernet VLAN VPLS encapsulation. For more information about
VPLS, see the Junos OS VPNs Library for Routing Devices.
the physical interface, VLAN IDs from 1 through 511 are no longer reserved for normal
VLANs.
• PPP—Defined in RFC 1661, The Point-to-Point Protocol (PPP) for the Transmission of
Multiprotocol Datagrams over Point-to-Point Links. PPP is the default encapsulation
type for physical interfaces. E1, E3, SONET/SDH, T1, and T3 interfaces can use PPP
encapsulation.
Encapsulation Capabilities
When you configure a point-to-point encapsulation (such as PPP or Cisco HDLC) on a
physical interface, the physical interface can have only one logical interface (that is, only
one unit statement) associated with it. When you configure a multipoint encapsulation
(such as Frame Relay), the physical interface can have multiple logical units, and the
units can be either point-to-point or multipoint.
Ethernet CCC encapsulation for Ethernet interfaces with standard TPID tagging requires
that the physical interface have only a single logical interface. Ethernet interfaces in VLAN
mode can have multiple logical interfaces.
For Ethernet interfaces in VLAN mode, VLAN IDs are applicable as follows:
• For encapsulation type vlan-ccc, VLAN IDs 1 through 511 are reserved for normal VLANs.
VLAN IDs 512 and above are reserved for VLAN CCCs.
When you configure Ethernet virtual LAN (VLAN) encapsulation on CCC circuits (by
using the encapsulation vlan-ccc statement at the [edit interfaces interface-name]
hierarchy level), you can bind a list of VLAN IDs to the interface by using the vlan-id-list
[ vlan-id-numbers ] statement to configure a CCC for multiple VLANs. Configuring this
statement creates a CCC for:
• Each VLAN in a list and range combination—for example, vlan-id-list [ 50, 100-200,
300 ]
• For encapsulation type vlan-vpls, VLAN IDs 1 through 511 are reserved for normal VLANs,
and VLAN IDs 512 through 4094 are reserved for VPLS VLANs. For 4-port Fast Ethernet
interfaces, you can use VLAN IDs 512 through 1024 for VPLS VLANs.
• For Gigabit Ethernet interfaces and Gigabit Ethernet IQ and IQE PICs with SFPs (except
the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router),
you can configure flexible Ethernet services encapsulation on the physical interface.
For interfaces with flexible-ethernet-services encapsulation, all VLAN IDs are valid.
VLAN IDs from 1 through 511 are not reserved.
• For encapsulation types extended-vlan-ccc and extended-vlan-vpls, all VLAN IDs are
valid.
The upper limits for configurable VLAN IDs vary by interface type.
When you configure a TCC encapsulation, some modifications are needed to handle
VPN connections over unlike Layer 2 and Layer 2.5 links and terminate the Layer 2 and
Layer 2.5 protocol locally.
Configure PPP encapsulation on a SONET/SDH interface. The second and third family
statements allow Intermediate System-to-Intermediate System (IS-IS) and MPLS to
run on the interface.
[edit interfaces]
so-7/0/0 {
encapsulation ppp;
unit 0 {
point-to-point;
family inet {
address 192.168.1.113/32 {
destination 192.168.1.114;
}
}
family iso;
family mpls;
}
}
Configuring MLPPP
ACX Series routers support MLPPP encapsulations. MLPPP enables you to bundle multiple
PPP links into a single multilink bundle. Multilink bundles provide additional bandwidth,
load balancing, and redundancy by aggregating low-speed links, such as T1 and E1 links.
You configure multilink bundles as logical units or channels on the link services interface.
With MLPPP, multilink bundles are configured as logical units on the link service
interface—for example, lsq-0/0/0.0,lsq-0/0/0.1. MLPPP is supported on ACX1000,
ACX2000, ACX2100 routers, and with Channelized OC3/STM1 (Multi-Rate) MICs with
SFP and 16-port Channelized E1/T1 Circuit Emulation MIC on ACX4000 routers.
After creating multilink bundles, you add constituent links to the bundle. The constituent
links are the low-speed physical links that are to be aggregated. The following table
shows the maximum number of multilink bundles you can create on ACX Series routers:
ACX2000 16 16 16
ACX2100
ACX4000 16 16 16
ACX-MIC-16CHE1-T1-CE
ACX4000 50 336 16
ACX-MIC-4COC3-1COC12CE
ACX1000 8 8 8
The following rules apply when you add constituent links to a multilink bundle:
• On each multilink bundle, add only interfaces of the same type. For example, you can
add either T1 or E1, but not both.
• If an interface is a member of an existing bundle and you add it to a new bundle, the
interface is automatically deleted from the existing bundle and added to the new
bundle.
With multilink PPP bundles, you can use PPP Challenge Handshake Authentication
Protocol (CHAP) and Password Authentication Protocol (PAP) for secure transmission
over the PPP interfaces. For link services IQ (lsq) interfaces only, the maximum number
of multilink classes to be negotiated when a link joins the bundle that you can specify by
using the multilink-max-classes statement at the [edit interfaces interface-name unit
logical-unit-number] hierarchy level is limited to 4. Fragmentation size is not specified
under fragmentation map; instead, fragmentation size configured on the bundle is used.
Compressed Real-Time Transport Protocol (RTP) is not supported. HDLC address and
control field compression (ACFC) and PPP protocol field compression (PFC) are not
supported.
Guidelines for Configuring MLPPP With LSQ Interfaces on ACX Series Routers
You can configure MLPPP bundle interfaces with T1/E1 member links. The traffic that is
transmitted over the MLPPP bundle interface is spread over the member links in a
round-robin manner. If the packet size is higher than the fragmentation size configured
on the MLPPP interface, the packet are fragmented. The fragments are also sent over
member links in a round-robin pattern. The PPP control packets received on the interface
are terminated on the router. The fragmentation size is configured at the MLPPP
bundle-level. This fragmentation size is applied to all the packets on the bundle, regardless
of the multilink class.
Multiclass MLPPP segregates the multilink protocol packets in to multiple classes. ACX
routers support up to a maximum of four classes. One queue is associated with each of
the four classes of multiclass MLPPP (MCML). The packets can be classified to be part
of one of the classes. These packets take the queue associated with the class. The
packets inside a queue are served in first-in first-out (FIFO) sequence.
Traditional LSQ interfaces (anchored on PICs) are supported to combine T1/E1 interfaces
in an MLPPP bundle interface. Inline services (si-) interfaces and inline LSQ interfaces
are not supported in MLPPP bundles. On ACX routers, MLPPP bundling is performed on
the TDM MICs and traditional LSQ model is most effective mechanism. You can configure
channelized OC interfaces (t1-x/y/z:n:m, e1-x/y/z:n) as members of an MLPPP bundle
interface. A maximum of 16 member links per bundle is supported. The MPLS, ISO, and
inet address families are supported. The ISO address family is supported only for IS-IS.
You can configure MLPPP bundles on network-to-network interface (NNI) direction of
an Ethernet pseudowire. Interleaving using multiclass MLPPP is supported.
Keep the following points in mind when you configure MLPPP bundles on ACX routers:
• To add a T1 or E1 member link to the MLPPP bundle as link services LSQ interfaces,
include the bundle statement at the [edit interfaces t1-fpc/pic/port unit
logical-unit-number family mlppp] hierarchy level:
• To configure the link services LSQ interface properties, include the following statements
at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:
fragment-threshold bytes;
minimum-links number;
mrru bytes;
short-sequence;
family inet {
address address;
}
You can configure the address family as MPLS for the LSQ interfaces in an MLPPP
bundle.
• PPP control protocol support depends on the processing of the PPP application for
MLPPP bundle interfaces IPv4, Internet Protocol Control Protocol (IPCP), PPP Challenge
Handshake Authentication Protocol (CHAP), and Password Authentication Protocol
(PAP) applications are supported for PPP.
• The member links across MICs cannot be bundled. Only physical interfaces on the
same MIC can be bundled.
• Fractional T1 and E1 interfaces are not supported. CoS is supported only for full T1 and
E1 interfaces. Selective time slots of T1/E1 cannot be used and full T1/E1 interfaces
must be used.
Buffering exceptions:
Packet data buffer overflow 0
Fragment data buffer overflow 0
Assembly exceptions:
Fragment timeout 0
Missing sequence number 0
Out-of-order sequence number 0
Out-of-range sequence number 0
Hardware errors (sticky):
Data memory error 0
Control memory error 0
Logical interface lsq-1/1/0.0 (Index 326) (SNMP ifIndex 599) (Generation 177)
Non-fragments:
Input : 0 0 0 0
Output: 0 0 0 0
Multilink class 2:
Fragments:
Input : 0 0 0 0
Output: 0 0 0 0
Non-fragments:
Input : 0 0 0 0
Output: 0 0 0 0
Multilink class 3:
Fragments:
Input : 0 0 0 0
Output: 0 0 0 0
Non-fragments:
Input : 0 0 0 0
Output: 0 0 0 0
NCP state: inet: Opened, inet6: Not-configured, iso: Opened, mpls: Opened
Protocol inet, MTU: 1500, Generation: 232, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 9.1.9/24, Local: 9.1.9.18, Broadcast: Unspecified,
Generation: 212
Protocol iso, MTU: 1500, Generation: 233, Route table: 0
Flags: Is-Primary
Protocol mpls, MTU: 1488, Maximum labels: 3, Generation: 234, Route table:
0
Flags: Is-Primary
• For modifying the frame checksum (FCS) in the set of T1 options or E1 options on a
MLPPP bundle member link, you must remove the member link out of the bundle by
deactivating the link or unconfiguring it as a bundle member, and add the link back to
the bundle after FCS modification. You must first remove the link from the bundle and
modify FCS. If you are configuring FCS for the first time on the member link, specify
the value before it is added to the bundle.
• IPv6 address family header compression (no address and control field compression
[ACFC] or protocol field compression [PFC])
• Prefix elision as defined in RFC 2686, The Multi-Class Extension to Multi-Link PPP
• A functionality that resembles link fragmentation and interleaving (LFI) can be achieved
using multiclass MLPPP (RFC 2686), which interleaves the high priority packets
between lower priority packets. This methodology ensures that the delay desitive
packets are sent as soon as they arrive. While LFI-classified packets are sent to a
specific member link as PPP packets, the ACX implementation of interleaving contains
multilink PPP (also referred to as PPP Multilink, MLP, and MP) headers and fragments
that are sent on all member links in a round-robin manner.
Related •
Documentation
NOTE: Only MLPPP is supported on ACX Series routers. MLFR is not supported
on ACX Series routers.
Multilink and link services interfaces support the following logical interface encapsulation
types:
• MLPPP
• MLFR end-to-end
By default, the logical interface encapsulation type on multilink interfaces is MLPPP. The
default logical interface encapsulation type on link services interfaces is MLFR end-to-end.
For general information on encapsulation, see the Junos OS Network Interfaces Library
for Routing Devices.
You can also configure physical interface encapsulation on link services interfaces. For
more information, see Configuring Encapsulation for Link Services Physical Interfaces.
encapsulation type;
You must also configure the T1, E1, or DS0 physical interface with the same encapsulation
type.
NOTE: ACX Series routers do not support DS0 physical interface as member
links.
CAUTION: When you configure the first MLFR encapsulated unit or delete
the last MLFR encapsulated unit on a port, it triggers an interface
encapsulation change on the port, which causes an interface flap on the other
units within the port that are configured with generic Frame Relay.
• Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces
• Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces
Configuring the Minimum Number of Active Links on Multilink and Link Services Logical
Interfaces
NOTE: Only MLPPP is supported on ACX Series routers. MLFR is not supported
on ACX Series routers.
You can set the minimum number of links that must be up for the multilink bundle as a
whole to be labeled up. By default, only one link must be up for the bundle to be labeled
up. A member link is considered up when the PPP Link Control Protocol (LCP) phase
transitions to open state.
minimum-links number;
For link services interfaces, you also can configure the minimum number of links at the
physical interface level by including the minimum-links statement at the [edit interfaces
ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
minimum-links number;
The number can be from 1 through 8. The maximum number of links supported in a bundle
is 8. When 8 is specified, all configured links of a bundle must be up.
• Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces
• Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces
• Configuring MRRU on Multilink and Link Services Logical Interfaces on page 516
NOTE: Only MLPPP is supported on ACX Series routers. MLFR is not supported
on ACX Series routers.
mrru bytes;
For link services interfaces, you also can configure a different MRRU at the physical
interface level by including the mrru statement at the [edit interfaces
ls-fpc/pic/port:channel mlfr-uni-nni-bundle-options] hierarchy level:
mrru bytes;
The MRRU size can range from 1500 through 4500 bytes.
NOTE: If you set the MRRU on a bundle to a value larger than the MTU of the
individual links within it, you must enable a fragmentation threshold for that
bundle. Set the threshold to a value no larger than the smallest MTU of any
link included in the bundle.
Determine the appropriate MTU size for the bundle by ensuring that the MTU
size does not exceed the sum of the encapsulation overhead and the MTU
sizes for the links in the bundle.
You can configure separate family mtu values on the following protocol families under
bundle interfaces: inet, inet6, iso, and mpls. If not configured, the default value of 1500
is used on all except for mpls configurations, in which the value 1488 is used.
NOTE: ACX Series routers do not support family inet6 on MLPPP interfaces.
NOTE: The effective family MTU might be different from the MTU value
specified for MLPPP configurations, because it is adjusted downward by the
remote MRRU’s constraints. The remote MRRU configuration is not supported
on M120 routers.
• Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces
• Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces
• Configuring the Minimum Number of Active Links on Multilink and Link Services Logical
Interfaces on page 515
Configuring the Sequence Header Format on Multilink and Link Services Logical
Interfaces
NOTE: Only MLPPP is supported on ACX Series routers. MLFR is not supported
on ACX Series routers.
For MLPPP, the sequence header format is set to 24 bits by default. You can configure
an alternative value of 12 bits, but 24 bits is considered the more robust value for most
networks.
short-sequence;
For MLFR FRF.15, the sequence header format is set to 24 bits by default. This is the only
valid option.
• Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces
• Configuring the Minimum Number of Active Links on Multilink and Link Services Logical
Interfaces on page 515
• Configuring MRRU on Multilink and Link Services Logical Interfaces on page 516
For link services LSQ (lsq-) interfaces with MLPPP encapsulation, you can configure
multiclass MLPPP (MCML). If you do not configure MCML, fragments from different
classes cannot be interleaved. All fragments for a single packet must be sent before the
fragments from another packet are sent. Nonfragmented packets can be interleaved
between fragments of another packet to reduce latency seen by nonfragmented packets.
In effect, latency-sensitive traffic is encapsulated as regular PPP traffic, and bulk traffic
is encapsulated as multilink traffic. This model works as long as there is a single class of
latency-sensitive traffic, and there is no high-priority traffic that takes precedence over
latency-sensitive traffic. This approach to LFI, used on the Link Services PIC, supports
only two levels of traffic priority, which is not sufficient to carry the four-to-eight forwarding
classes that are supported by M Series and T Series routers. For more information about
the Link Services PIC support of LFI, see Configuring Delay-Sensitive Packet Interleaving
on Link Services Logical Interfaces.
For link services LSQ interfaces only, you can configure MCML, as defined in RFC 2686,
The Multi-Class Extension to Multi-Link PPP. MCML makes it possible to have multiple
classes of latency-sensitive traffic that are carried over a single multilink bundle with
bulk traffic. In effect, MCML allows different classes of traffic to have different latency
guarantees. With MCML, you can map each forwarding class into a separate multilink
class, thus preserving priority and latency guarantees.
NOTE: Configuring both LFI and MCML on the same bundle is not necessary,
nor is it supported, because multiclass MLPPP represents a superset of
functionality. When you configure multiclass MLPPP, LFI is automatically
enabled.
MCML greatly simplifies packet ordering issues that occur when multiple links are used.
Without MCML, all voice traffic belonging to a single flow is hashed to a single link to
avoid packet ordering issues. With MCML, you can assign voice traffic to a high-priority
class, and you can use multiple links. For more information about voice services support
on link services IQ interfaces (lsq), see Configuring Services Interfaces for Voice Services.
To configure MCML on a link services IQ interface, you must specify how many multilink
classes should be negotiated when a link joins the bundle, and you must specify the
mapping of a forwarding class into an MCML class.
To specify how many multilink classes should be negotiated when a link joins the bundle,
include the multilink-max-classes statement:
multilink-max-classes number;
The number of multilink classes can be 1 through 8. The number of multilink classes for
each forwarding class must not exceed the number of multilink classes to be negotiated.
To specify the mapping of a forwarding class into a MCML class, include the multilink-class
statement at the [edit class-of-service fragmentation-maps map-name forwarding-class
class-name] hierarchy level:
The multilink class index number can be 0 through 7. The multilink-class statement and
no-fragmentation statements are mutually exclusive.
NOTE: In ACX Series routers, the multilink class index number can be 0
through 3. ACX Series routers do not support the no-fragmentation statement
for fragmentation map.
To view the number of multilink classes negotiated, issue the show interfaces
lsq-fpc/pic/port.logical-unit-number detail command.
• Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on ACX Series
To configure an NxT1 bundle using MLPPP, you aggregate N different T1 links into a bundle.
The NxT1 bundle is called a logical interface, because it can represent, for example, a
routing adjacency. To aggregate T1 links into a an MLPPP bundle, include the bundle
statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp]
hierarchy level:
To configure the LSQ interface properties, include the following statements at the [edit
interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:
The logical link services IQ interface represents the MLPPP bundle. For the MLPPP bundle,
there are four associated queues on M Series routers and eight associated queues on
M320 and T Series routers. A scheduler removes packets from the queues according to
a scheduling policy. Typically, you designate one queue to have strict priority, and the
remaining queues are serviced in proportion to weights you configure.
For MLPPP, assign a single scheduler map to the link services IQ interface (lsq) and to
each constituent link. The default schedulers for M Series and T Series routers, which
assign 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of
queues 0, 1, 2, and 3, are not adequate when you configure LFI or multiclass traffic.
Therefore, for MLPPP, you should configure a single scheduler with nonzero percent
transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to
the link services IQ interface (lsq) and to each constituent link, as shown in “Example:
Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP” on page 523.
NOTE: For M320 and T Series routers, the default scheduler transmission
rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0,
0, and 0 percent.
If the bundle has more than one link, you must include the per-unit-scheduler statement
at the [edit interfaces lsq-fpc/pic/port] hierarchy level:
To configure and apply the scheduling policy, include the following statements at the
[edit class-of-service] hierarchy level:
[edit class-of-service]
interfaces {
t1-fpc/pic/port unit logical-unit-number {
scheduler-map map-name;
}
}
forwarding-classes {
queue queue-number class-name;
}
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder | temporal microseconds);
priority priority-level;
transmit-rate (rate | remainder) <exact>;
}
}
For link services IQ interfaces, a strict-high-priority queue might starve the other three
queues because traffic in a strict-high priority queue is transmitted before any other
queue is serviced. This implementation is unlike the standard Junos CoS implementation
in which a strict-high-priority queue does round-robin with high-priority queues, as
described in the Class of Service Feature Guide for Routing Devices.
After the scheduler removes a packet from a queue, a certain action is taken. The action
depends on whether the packet came from a multilink encapsulated queue (fragmented
and sequenced) or a nonencapsulated queue (hashed with no fragmentation). Each
queue can be designated as either multilink encapsulated or nonencapsulated,
independently of the other. By default, traffic in all forwarding classes is multilink
encapsulated. To configure packet fragmentation handling on a queue, include the
fragmentation-maps statement at the [edit class-of-service] hierarchy level:
fragmentation-maps {
map-name {
forwarding-class class-name {
multilink-class number;
}
}
}
For NxT1 bundles using MLPPP, the byte-wise load balancing used in
multilink-encapsulated queues is superior to the flow-wise load balancing used in
nonencapsulated queues. All other considerations are equal. Therefore, we recommend
that you configure all queues to be multilink encapsulated. You do this by including the
fragment-threshold statement in the configuration. You use the multilink-class statement
to map a forwarding class into a multiclass MLPPP (MCML). For more information about
MCML, see “Configuring Multiclass MLPPP on LSQ Interfaces” on page 518. For more
information about fragmentation maps, see Configuring CoS Fragmentation by Forwarding
Class on LSQ Interfaces.
When a packet is removed from a multilink-encapsulated queue, the software gives the
packet an MLPPP header. The MLPPP header contains a sequence number field, which
is filled with the next available sequence number from a counter. The software then
places the packet on one of the N different T1 links. The link is chosen on a
packet-by-packet basis to balance the load across the various T1 links.
If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold
configured at the [edit class-of-service fragmentation-maps map-name forwarding-class
class-name] hierarchy level, the software splits the packet into two or more fragments,
which are assigned consecutive multilink sequence numbers. The outgoing link for each
fragment is selected independently of all other fragments.
If you do not include the fragment-threshold statement in the fragmentation map, the
fragmentation threshold you set at the [edit interfaces interface-name unit
logical-unit-number] hierarchy level is the default for all forwarding classes. If you do not
set a maximum fragment size anywhere in the configuration, packets are fragmented if
they exceed the smallest MTU of all the links in the bundle.
Even if you do not set a maximum fragment size anywhere in the configuration, you can
configure the maximum received reconstructed unit (MRRU) by including the mrru
statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level.
The MRRU is similar to the MTU, but is specific to link services interfaces. By default the
MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes.
For more information, see “Configuring MRRU on Multilink and Link Services Logical
Interfaces” on page 516.
For UDP and TCP the software computes the hash based on the source and destination
ports, as well as source and destination IP addresses. This guarantees that all packets
belonging to the same TCP/UDP flow always pass through the same T1 link, and therefore
cannot be reordered. However, it does not guarantee that the load on the various T1 links
is balanced. If there are many flows, the load is usually balanced.
The N different T1 interfaces link to another router, which can be from Juniper Networks
or another vendor. The router at the far end gathers packets from all the T1 links. If a
packet has an MLPPP header, the sequence number field is used to put the packet back
into sequence number order. If the packet has a plain PPP header, the software accepts
the packet in the order in which it arrives and makes no attempt to reassemble or reorder
the packet.
}
}
fragmentation-maps {
frag {
forwarding-class {
best-effort {
multilink-class 3;
}
network-control {
multilink-class 0;
}
assured-forwarding {
multilink-class 2;
}
expedited-forwarding {
multilink-class 1;
}
}
}
}
schedulers {
new {
transmit-rate 32k;
shaping-rate 3m;
priority low;
drop-profile-map loss-priority low protocol any drop-profile dp1;
drop-profile-map loss-priority high protocol any drop-profile dp2;
}
new_nc {
transmit-rate 32k;
shaping-rate 3m;
priority strict-high;
}
new_af {
transmit-rate 32k;
shaping-rate 3m;
priority medium-low;
}
new_ef {
transmit-rate 32k;
shaping-rate 3m;
priority medium-high;
}
}
}
The following is a sample for configuring an MLPPP bundle on ACX Series routers:
[edit]
user@host# show interfaces
lsq-1/1/0 {
description LSQ-interface;
per-unit-scheduler;
unit 0 {
encapsulation multilink-ppp;
mrru 2000;
short-sequence;
fragment-threshold 450;
minimum-links 3;
multilink-max-classes 4;
family inet {
address 9.1.9.18/24
}
family iso;
family mpls;
}
}
ct1-1/1/1 {
enable;
no-partition interface-type t1;
}
t1-1/1/1 {
encapsulation ppp;
unit 0 {
family mlppp {
bundle lsq-1/1/0.0;
}
}
}
ct1-1/1/2 {
enable;
no-partition interface-type t1;
}
t1-1/1/2 {
encapsulation ppp;
unit 0 {
family mlppp {
bundle lsq-1/1/0.0;
}
}
}
ct1-1/1/3 {
enable;
no-partition interface-type t1;
}
t1-1/1/3 {
encapsulation ppp;
unit 0 {
family mlppp {
bundle lsq-1/1/0.0;
}
}
}
ct1-1/1/4 {
enable;
no-partition interface-type t1;
}
t1-1/1/4 {
encapsulation ppp;
unit 0 {
family mlppp {
bundle lsq-1/1/0.0;
}
}
}
IPv6 Overview
IP version 6 (IPv6) is the latest version of IP. IP enables numerous nodes on different
networks to interoperate seamlessly. IP version 4 (IPv4) is currently used in intranets
and private networks, as well as the Internet. IPv6 is the successor to IPv4, and is based
for the most part on IPv4.
IPv4 has been widely deployed and used to network the Internet today. With the rapid
growth of the Internet, enhancements to IPv4 are needed to support the influx of new
subscribers, Internet-enabled devices, and applications. IPv6 is designed to enable the
global expansion of the Internet.
• Improved privacy and security—IPv6 supports extensions for authentication and data
integrity, which enhance privacy and security.
This section discusses the following topics that provide background information about
IPv6 headers:
Header Structure
IPv6 packet headers contain many of the fields found in IPv4 packet headers; some of
these fields have been modified from IPv4. The 40-byte IPv6 header consists of the
following 8 fields:
• Flow label—Packet flows requiring a specific class of service. The flow label identifies
all packets belonging to a specific flow, and routers can identify these packets and
handle them in a similar fashion.
• Hop limit—Maximum number of hops allowed. Previously the time-to-live (TTL) field
in IPv4.
• Next header—Next extension header to examine. Previously the protocol field in IPv4.
• Payload length—Length of the IPv6 payload. Previously the total length field in IPv4.
• Version—Version of IP.
Extension Headers
Extension headers are placed between the IPv6 header and the upper layer header in a
packet.
Extension headers are chained together using the next header field in the IPv6 header.
The next header field indicates to the router which extension header to expect next. If
there are no more extension headers, the next header field indicates the upper layer
header (TCP header, User Datagram Protocol [UDP] header, ICMPv6 header, an
encapsulated IP packet, or other items).
IPv6 Addressing
IPv6 uses a 128-bit addressing model. This creates a much larger address space than
IPv4 addresses, which are made up of 32 bits. IPv6 addresses also contain a scope field
that categorizes what types of applications are suitable for the address. IPv6 does not
support broadcast addresses, but instead uses multicast addresses to serve this role. In
addition, IPv6 also defines a new type of address called anycast.
NOTE: You cannot configure a subnet zero IPv6 address because RFC 2461
reserves the subnet-zero address for anycast addresses, and Junos OS
complies with the RFC.
This section discusses the following topics that provide background information about
IPv6 addressing:
Address Representation
aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa
3FFE:0000:0000:0001:0200:F8FF:FE75:50DF
3FFE:0:0:1:200:F8FF:FE75:50DF
You can compress 16-bit groups of zeros to the notation :: (two colons), as shown here,
but only once per address:
3FFE::1:200:F8FF:FE75:50DF
Address Types
• Multicast—For a set of interfaces on the same physical medium. A packet is sent to all
of the interfaces associated with the address.
Address Scope
IPv6 addresses have scope, which identifies the application suitable for the address.
Unicast and multicast addresses support scoping.
Unicast addresses support two types of scope: global scope and local scope. There are
two types of local scope: link-local addresses and site-local addresses. Link-local unicast
addresses are used within a single network link. The first ten bits of the prefix identify the
address as a link-local address. Link-local addresses cannot be used outside a network
link. Site-local unicast addresses are used within a site or intranet. A site consists of
multiple network links, and site-local addresses identify nodes inside the intranet.
Site-local addresses cannot be used outside the site.
Multicast addresses support 16 different types of scope, including node, link, site,
organization, and global scope. A 4-bit field in the prefix identifies the scope.
Address Structure
Unicast addresses identify a single interface. The address consists of n bits for the prefix,
and 128 – n bits for the interface ID.
Multicast addresses identify a set of interfaces. The address is made up of the first 8 bits
of all ones, a 4-bit flags field, a 4-bit scope field, and a 112-bit group ID:
The first octet of ones identifies the address as a multicast address. The flags field
identifies whether the multicast address is a well-known address or a transient multicast
address. The scope field identifies the scope of the multicast address. The 112-bit group
ID identifies the multicast group.
Path MTU Discovery is used by single-source devices to determine the correct size of
fragments. Path MTU Discovery is enabled for IPv6 packets by default.
Routers learn routes through different routing protocols such as OSPF, BGP, or IS-IS.
Learned routes are put in the routing table to enable IPv6 traffic forwarding.
Dual stacking allows a device to run both IPv4 and IPv6 at the same time. End nodes,
routers, and switches run both protocols and use IPv6 as the preferred protocol.
• IPv6 forwarding
The ACX Series port forwarding engine software supports unicast IPv6 routes and next
hops. This includes basic route infrastructure, next-hop support, network infrastructure,
and exception packet processing.
ACX Series Universal Access Routers can interconnect IPv6 islands over an
MPLS-enabled IPv4 network. IPv6 information is sent over the MPLS core using MG-BGP
with IPv4. The BGP Next Hop field conveys the IPv4 address of the router so that MPLS
LSPs can be used without explicit tunnel configuration.
• Neighbor Discovery
ICMP sends error messages and information messages related to IP operations. ICMPv6
defines additional error messages and informational messages specific to IPv6.
• Time Exceeded—A packet cannot be delivered because it has exceeded the hop
count specified in the basic header hop-by-hop field.
ICMPv6 information messages are used for sharing the information required to
implement various test, diagnostic, and support functions that are critical to the
operation of IPv6. There are a total of eight different ICMPv6 informational messages:
• Echo Request—
• Echo Reply—
• Router Advertisement—
• Router Solicitation—
• Neighbor Advertisement—
• Neighbor Solicitation—
• Redirect—
• Router Renumbering—
interfaces {
fe/0/1/0 {
unit 0 {
family inet6 {
address fec0:0:0:3::1/64;
}
}
}
}
routing-options {
rib inet6.0 {
static {
route fec0:0:0:4::/64 next-hop fec0:0:0:3::ffff;
}
}
}
Local
• MPLS Overview for ACX Series Universal Access Routers on page 587
IS-IS Overview
The IS-IS protocol is an interior gateway protocol (IGP) that uses link-state information
to make routing decisions.
IS-IS is a link-state IGP that uses the shortest-path-first (SPF) algorithm to determine
routes. IS-IS evaluates the topology changes and determines whether to perform a full
SPF recalculation or a partial route calculation (PRC). This protocol originally was
developed for routing International Organization for Standardization (ISO) Connectionless
Network Protocol (CLNP) packets.
Like OSPF routing, IS-IS uses hello packets that allow network convergence to occur
quickly when network changes are detected. IS-IS uses the SPF algorithm to determine
routes. Using SPF, IS-IS evaluates network topology changes and determines if a full or
partial route calculation is required.
IS-IS Terminology
An IS-IS network is a single autonomous system (AS), also called a routing domain, that
consists of end systems and intermediate systems. End systems are network entities that
send and receive packets. Intermediate systems send and receive packets and relay
(forward) packets. (Intermediate system is the Open System Interconnection [OSI] term
for a router.) ISO packets are called network PDUs.
In IS-IS, a single AS can be divided into smaller groups called areas. Routing between
areas is organized hierarchically, allowing a domain to be administratively divided into
smaller areas. This organization is accomplished by configuring Level 1 and Level 2
intermediate systems. Level 1 systems route within an area; when the destination is
outside an area, they route toward a Level 2 system. Level 2 intermediate systems route
between areas and toward other ASs. No IS-IS area functions strictly as a backbone.
Level 1 routers share intra-area routing information, and Level 2 routers share interarea
information about IP addresses available within each area. Uniquely, IS-IS routers can
act as both Level 1 and Level 2 routers, sharing intra-area routes with other Level 1 routers
and interarea routes with other Level 2 routers.
The propagation of link-state updates is determined by the level boundaries. All routers
within a level maintain a complete link-state database of all other routers in the same
level. Each router then uses the Dijkstra algorithm to determine the shortest path from
the local router to other routers in the link-state database.
An end system can have multiple NSAP addresses, in which case the addresses differ
only by the last byte (called the n-selector). Each NSAP represents a service that is
available at that node. In addition to having multiple services, a single node can belong
to multiple areas.
Each network entity also has a special network address called a network entity title (NET).
Structurally, an NET is identical to an NSAP address but has an n-selector of 00. Most
end systems and intermediate systems have one NET. Intermediate systems that
participate in multiple areas can have multiple NETs.
49.0001.00a0.c96b.c490.00
49.0001.2081.9716.9018.00
NETs take several forms, depending on your network requirements. NET addresses are
hexadecimal and range from 8 octets to 20 octets in length. Generally, the format consists
of an authority and format Identifier (AFI), a domain ID, an area ID, a system identifier,
and a selector. The simplest format omits the domain ID and is 10 octets long. For
example, the NET address 49.0001.1921.6800.1001.00 consists of the following parts:
• 49—AFI
• 0001—Area ID
• 1921.6800.1001—System identifier
• 00—Selector
The system identifier must be unique within the network. For an IP-only network, we
recommend using the IP address of an interface on the router. Configuring a loopback
NET address with the IP address is helpful when troubleshooting is required on the
network.
The first portion of the address is the area number, which is a variable number from 1
through 13 bytes. The first byte of the area number (49) is the authority and format
indicator (AFI). The next bytes are the assigned domain (area) identifier, which can be
from 0 through 12 bytes. In the examples above, the area identifier is 0001.
The next six bytes form the system identifier. The system identifier can be any six bytes
that are unique throughout the entire domain. The system identifier commonly is the
media access control (MAC) address (as in the first example, 00a0.c96b.c490) or the
IP address expressed in binary-coded decimal (BCD) (as in the second example,
2081.9716.9018, which corresponds to IP address 208.197.169.18). The last byte (00) is
the n-selector.
®
To provide help with IS-IS debugging, the Junos operating system (Junos OS) supports
dynamic mapping of ISO system identifiers to the hostname. Each system can be
configured with a hostname, which allows the system identifier-to-hostname mapping
to be carried in a dynamic hostname type, length, and value (TLV) tuple in IS-IS link-state
PDUs. This enables intermediate systems in the routing domain to learn about the ISO
system identifier of a particular intermediate system.
IS-IS Packets
Each IS-IS PDU shares a common header. IS-IS uses the following PDUs to exchange
protocol information:
• IS-IS hello (IIH) PDUs—Broadcast to discover the identity of neighboring IS-IS systems
and to determine whether the neighbors are Level 1 or Level 2 intermediate systems.
IS-IS hello PDUs establish adjacencies with other routers and have three different
formats: one for point-to-point hello packets, one for Level 1 broadcast links, and one
for Level 2 broadcast links. Level 1 routers must share the same area address to form
an adjacency, while Level 2 routers do not have this limitation. The request for adjacency
is encoded in the Circuit type field of the PDU.
Hello PDUs have a preset length assigned to them. The IS-IS router does not resize
any PDU to match the maximum transmission unit (MTU) on a router interface. Each
interface supports the maximum IS-IS PDU of 1492 bytes, and hello PDUs are padded
to meet the maximum value. When the hello is sent to a neighboring router, the
connecting interface supports the maximum PDU size.
Also included is metric and IS-IS neighbor information. Each link-state PDU must be
refreshed periodically on the network and is acknowledged by information within a
sequence number PDU.
Contained within the CSNP is a link-state PDU identifier, a lifetime, a sequence number,
and a checksum for each entry in the database. Periodically, a CSNP is sent on both
broadcast and point-to-point links to maintain a correct database. Also, the
advertisement of CSNPs occurs when an adjacency is formed with another router. Like
IS-IS hello PDUs, CSNPs come in two types: Level 1 and Level 2.
When a device receives a CSNP, it checks the database entries against its own local
link-state database. If it detects missing information, the device requests specific
link-state PDU details using a partial sequence number PDU (PSNP).
requesting that the missing link-state PDU be transmitted. That routing device, in turn,
forwards the missing link-state PDU to the requesting routing device.
When a device compares a CSNP to its local database and determines that a link-state
PDU is missing, the router issues a PSNP for the missing link-state PDU, which is returned
in a link-state PDU from the router sending the CSNP. The received link-state PDU is
then stored in the local database, and an acknowledgment is sent back to the originating
router.
Installing a Default Route to the Nearest Routing Device That Operates at Both IS-IS Levels
When a routing device that operates as both a Level 1 and Level 2 router (Router B)
determines that it can reach at least one area other than its own (for example, in Area
Y), it sets the ATTACHED bit in its Level 1 link-state PDU. Thereafter, the Level 1 router
(Router A) introduces a default route pointing to the nearest attached routing device
that operates as both a Level 1 and Level 2 router (Router B). See Figure 26 on page 540.
Figure 26: Install Default Route to Nearest Routing Device That Operates
at Both Level 1 and Level 2
IS-IS supports flood-group. This feature limits link-state packet data unit (PDU) flooding
over IS-IS interfaces.
A link-state packet (LSP) that is not self-originated will be flooded only through the
interface belonging to the flood group that has the configured area ID in the LSP. This
helps minimize the routes and topology information, thus ensuring optimal convergence.
You can segregate both Level 1 and Level 2 IS-IS routers into flood groups by using area
IDs as tags to identify a flood group. Configure interfaces with specific area IDs to modify
the flooding behavior as per your requirements. To enable IS-IS flood group, include the
flood-group flood-group-area-ID statement at the [edit protocols isis interface] hierarchy
level.
OSPF Overview
OSPF is an interior gateway protocol (IGP) that routes packets within a single autonomous
system (AS). OSPF uses link-state information to make routing decisions, making route
calculations using the shortest-path-first (SPF) algorithm (also referred to as the Dijkstra
algorithm). Each router running OSPF floods link-state advertisements throughout the
AS or area that contain information about that router’s attached interfaces and routing
metrics. Each router uses the information in these link-state advertisements to calculate
the least cost path to each network and create a routing table for the protocol.
Junos OS supports OSPF version 2 (OSPFv2) and OSPF version 3 (OSPFv3), including
virtual links, stub areas, and for OSPFv2, authentication. Junos OS does not support
type-of-service (ToS) routing.
OSPF was designed for the Transmission Control Protocol/Internet Protocol (TCP/IP)
environment and as a result explicitly supports IP subnetting and the tagging of externally
derived routing information. OSPF also provides for the authentication of routing updates.
OSPF routes IP packets based solely on the destination IP address contained in the IP
packet header. OSPF quickly detects topological changes, such as when router interfaces
become unavailable, and calculates new loop-free routes quickly and with a minimum
of routing overhead traffic.
An OSPF AS can consist of a single area, or it can be subdivided into multiple areas. In a
single-area OSPF network topology, each router maintains a database that describes
the topology of the AS. Link-state information for each router is flooded throughout the
AS. In a multiarea OSPF topology, each router maintains a database that describes the
topology of its area, and link-state information for each router is flooded throughout that
area. All routers maintain summarized topologies of other areas within an AS. Within
each area, OSPF routers have identical topological databases. When the AS or area
topology changes, OSPF ensures that the contents of all routers’ topological databases
converge quickly.
All OSPFv2 protocol exchanges can be authenticated. OSPFv3 relies on IPsec to provide
this functionality. This means that only trusted routers can participate in the AS’s routing.
A variety of authentication schemes can be used. A single authentication scheme is
configured for each area, which enables some areas to use stricter authentication than
others.
Externally derived routing data (for example, routes learned from BGP) is passed
transparently throughout the AS. This externally derived data is kept separate from the
OSPF link-state data. Each external route can be tagged by the advertising router, enabling
the passing of additional information between routers on the boundaries of the AS.
When a routing device starts, it initializes OSPF and waits for indications from lower-level
protocols that the router interfaces are functional. The routing device then uses the OSPF
hello protocol to acquire neighbors, by sending hello packets to its neighbors and receiving
their hello packets.
The routing device then attempts to form adjacencies with some of its newly acquired
neighbors. (On multiaccess networks, only the designated router and backup designated
router form adjacencies with other routing devices.) Adjacencies determine the distribution
of routing protocol packets. Routing protocol packets are sent and received only on
adjacencies, and topological database updates are sent only along adjacencies. When
adjacencies have been established, pairs of adjacent routers synchronize their topological
databases.
A routing device sends LSA packets to advertise its state periodically and when its state
changes. These packets include information about the routing device’s adjacencies,
which allows detection of nonoperational routing devices.
Using a reliable algorithm, the routing device floods LSAs throughout the area, which
ensures that all routing devices in an area have exactly the same topological database.
Each routing device uses the information in its topological database to calculate a
shortest-path tree, with itself as the root. The routing device then uses this tree to route
network traffic.
The description of the SPF algorithm up to this point has explained how the algorithm
works within a single area (intra-area routing). For internal routers to be able to route to
destinations outside the area (interarea routing), the area border routers must inject
additional routing information into the area. Because the area border routers are
connected to the backbone, they have access to complete topological data about the
backbone. The area border routers use this information to calculate paths to all
destinations outside its area and then advertise these paths to the area’s internal routers.
Autonomous system (AS) boundary routers flood information about external autonomous
systems throughout the AS, except to stub areas. Area border routers are responsible
for advertising the paths to all AS boundary routers.
In Figure 27 on page 545, Router A sends hello packets out all its OSPF-enabled interfaces
when it comes online. Router B receives the packet, which establishes that Router B can
receive traffic from Router A. Router B generates a response to Router A to acknowledge
receipt of the hello packet. When Router A receives the response, it establishes that
Router B can receive traffic from Router A. Router A then generates a final response
packet to inform Router B that Router A can receive traffic from Router B. This three-way
handshake ensures bidirectional connectivity.
As new neighbors are added to the network or existing neighbors lose connectivity, the
adjacencies in the topology map are modified accordingly through the exchange (or
absence) of LSAs. These LSAs advertise only the incremental changes in the network,
which helps minimize the amount of OSPF traffic on the network. The adjacencies are
shared and used to create the network topology in the topological database.
OSPF Version 3
OSPFv3 is a modified version of OSPF that supports IP version 6 (IPv6) addressing.
OSPFv3 differs from OSPFv2 in the following ways:
• Router and network link-state advertisements (LSAs) do not carry prefix information.
• Link-local
• Area
• AS
• Link-local addresses are used for all neighbor exchanges except virtual links.
In an OSPF network, a loop free alternate (LFA) is a directly connected neighbor that
provides precomputed backup paths to the destinations reachable through the protected
link on the point of local repair (PLR). A remote LFA is not directly connected to the PLR
and provides precomputed backup paths using dynamically created LDP tunnels to the
remote LFA node. The PLR uses this remote LFA backup path when the primary link fails.
The primary goal of the remote LFA is to increase backup coverage for the OSPF networks
and provide protection for Layer 1 metro-rings.
LFAs do not provide full backup coverage for OSPF networks. This is a major setback for
metro Ethernet networks that are often shaped as ring topologies. To overcome this
setback, Resource Reservation Protocol - Traffic Engineering (RSVP-TE) backup tunnels
are commonly used to extend the backup coverage. However, a majority of network
providers have already implemented LDP as the MPLS tunnel setup protocol and do not
want to implement the RSVP-TE protocol merely for backup coverage. LDP automatically
brings up transport tunnels to all potential destinations in an OSPF network and hence
is the preferred protocol. The existing LDP implemented for the MPLS tunnel setup can
be reused for protection of OSPF networks and subsequent LDP destinations, thereby
eliminating the need for RSVP-TE backup tunnels for backup coverage.
To calculate the remote LFA backup path, the OSPF protocol determines the remote
LFA node in the following manner:
1. Calculates the reverse shortest path first from the adjacent router across the protected
link of a PLR. The reverse shortest path first uses the incoming link metric instead of
the outgoing link metric to reach a neighboring node.
The result is a set of links and nodes, which is the shortest path from each leaf node
to the root node.
2. Calculates the shortest path first (SPF) on the remaining adjacent routers to find the
list of nodes that can be reached without traversing the link being protected.
The result is another set of links and nodes on the shortest path from the root node
to all leaf nodes.
3. Determines the common nodes from the above results. These nodes are the remote
LFAs.
OSPF listens to the advertised labels for the LDP routes. For each advertised LDP route,
OSPF checks whether it contains an LDP supplied next hop. If the corresponding OSPF
route does have a backup next hop, then OSPF runs the backup policy and adds an
additional tracking route with the corresponding LDP label-switched path next hop as
the backup next hop. If there are no backup next hops, LDP builds a dynamic LDP tunnel
to the remote LFA, and LDP establishes a targeted adjacency between the remote LFA
node and the PLR node. This backup route has two LDP labels. The top label is the OSPF
route, which denotes the backup path from the PLR to the remote LFA route. The bottom
label is the LDP MPLS label-switched path that denotes the route for reaching the ultimate
destination from the remote LFA. When an LDP session goes down and a remote tunnel
is no longer available, OSPF changes all the routes that have been using this backup LDP
tunnel.
NOTE: Currently, Junos OS supports only IPv4 transport LSPs. If you need to
reuse IPv4 transport LSPs for IPv6 IGP networks, add an IPv6 explicit NULL
label to the label stack of the tracking route. The system automatically
converts the IPv4 LSP to an IPv6 LSP.
LDP might be vulnerable by an automatically targeted adjacency, and these threats can
be mitigated using all or some of the following mechanisms:
• Remote LFAs that are several hops away use extended hello messages to indicate
willingness to establish a targeted LDP session. A remote LFA can reduce the threat
of spoofed extended hello messages by filtering them and accepting only those
originating at sources permitted by an access or filter list.
• There is a need to authenticate with TCP-MD5 all auto-targeted LDP sessions in the
given IGP/LDP domain using apply groups or LDP global-level authentication.
• As an added security measure, the repair or remote tunnel endpoint routers should be
assigned from a set of addresses that are not reachable from outside of the routing
domain.
Related • Example: Configuring Remote LFA Over LDP Tunnels in OSPF Networks
Documentation
• Configuring Remote LFA Backup over LDP Tunnels in an OSPF Network on page 548
• auto-targeted-session
• no-eligible-remote-backup
• remote-backup-calculation
The primary goal of a remote loop free alternate (LFA) is to increase backup coverage
for OSPF routes and provide protection especially for Layer 1 metro-rings. The existing
LDP implemented for the MPLS tunnel setup can be reused for protection of OSPF
networks and subsequent LDP destinations. The OSPF protocol creates a dynamic LDP
tunnel to reach the remote LFA node from the point of local repair (PLR). The PLR uses
this remote LFA backup path when the primary link fails.
Before you configure remote LFA over LDP tunnels in an OSPF network, you must do the
following:
2. Make sure that remote LFA allows asymmetric remote neighbor discovery—that is, it
must send periodic targeted hello messages to the router that initiated the remote
neighbor for LDP auto-targeted adjacency.
1. Enable remote LFA backup to determine the backup next hop using dynamic LDP
label-switched path.
2. Enable automatically targeted LDP sessions using the loopback addresses between
the PLR and the remote LFA node.
3. Specify a time interval for which the targeted LDP sessions are kept up even after the
remote LFA node goes down.
Related • Remote LFA over LDP Tunnels in OSPF Networks Overview on page 547
Documentation
• Example: Configuring Remote LFA Over LDP Tunnels in OSPF Networks
• auto-targeted-session
• backup-spf-options
• no-eligible-remote-backup
• remote-backup-calculation
Requirements
This example uses the following hardware and software components:
• One ACX5000 router and eight other routers with OSPF protocol and LDP enabled on
the connected interfaces.
Before you configure remote LFA over LDP tunnels in an OSPF networks, make sure of
the following:
• LDP is enabled on the loopback interface. Without a loopback interface, LDP targeted
adjacency cannot be formed. Remote LFA cannot be configured without LDP targeted
adjacency.
• Remote LFA must allow asymmetric remote neighbor discovery—that is, it must send
periodic targeted hello messages to the router that initiated the remote neighbor for
LDP auto targeted adjacency.
• Link protection or node-link protection must be configured on the point of local repair
(PLR).
Overview
The example includes one ACX5000 router and eight other routers in a ring topology.
Configure the OSPF protocol on the directly connected interfaces. Device R0 is the
ACX5000 router and Device R6 is the PLR. This example verifies that Junos OS updates
the routing table of Device R6 with LDP next-hop routes as the backup route.
Topology
In the topology Figure 28 on page 551 shows the remote LFA over LDP tunnels in OSPF
networks is configured on Device R6.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
Configuring Device R6
Step-by-Step The following example requires that you navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
[edit interfaces]
user@R6# set ge-0/0/0 unit 0 family inet address 60.1.1.2/24
user@R6# set ge-0/0/0 unit 0 family mpls
3. Configure the router ID. Apply the policy to the forwarding table of the local router
with the export statement.
[edit routing-options]
user@R6# set router-id 7.7.7.7
4. Enable remote LFA backup, which calculates the backup next hop using dynamic
LDP label-switched path.
5. Configure the traffic engineering and the link protection for the interfaces in the
OSPF area.
6. Specify a time interval for which the targeted LDP sessions are kept up when the
remote LFA goes down, and specify a maximum number of automatically, targeted
LDP sessions to optimize the use of memory.
Results
From configuration mode, confirm your configuration by entering the show interfaces,
show protocols, show policy-options, and show routing-options commands. If the
output does not display the intended configuration, repeat the instructions in this example
to correct the configuration.
family inet {
address 60.1.1.2/24;
}
family mpls;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 70.1.1.1/24;
}
family mpls;
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 80.1.1.2/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 7.7.7.7/32;
}
family mpls;
}
}
ldp {
auto-targeted-session {
teardown-delay 20;
maximum-sessions 60;
}
interface ge-0/0/0.0;
interface ge-0/0/1.0;
interface ge-0/0/2.0;
interface lo0.0;
}
If you are done configuring the device, enter commit from the configuration mode.
Verification
Confirm that the configuration is working properly.
Action On Device R6, from operational mode, run the show route 6.6.6.6/24 command to display
the routes in the routing table.
Meaning The output shows all the routes in the routing table of Device R6.
Action From operational mode, enter the show ldp session auto-targeted detail command.
Purpose Display all the LDP backup routes in the OSPF routing table of Device R6.
Action On Device R6, from operational mode, run the show ospf route command to display the
routes in the OSPF routing table.
Meaning The output shows all the LDP backup routes in the OSPF routing table of Device R6.
Purpose Display the remote LFA next hop determined for a given destination.
Action From operational mode, enter the show ospf backup spf results command.
6.6.6.6
Self to Destination Metric: 1
Parent Node: 60.1.1.2
Primary next-hop: ge-0/0/0.0 via 60.1.1.1
Backup next-hop: LDP->4.4.4.4 via ge-0/0/2.0
Backup Neighbor: 6.6.6.6 via: Direct
Neighbor to Destination Metric: 0, Neighbor to Self Metric: 1
Self to Neighbor Metric: 1, Backup preference: 0x0
Not eligible, Reason: Primary next-hop link fate sharing
Backup Neighbor: 2.2.2.2 via: Direct
Neighbor to Destination Metric: 2, Neighbor to Self Metric: 1
Self to Neighbor Metric: 1, Backup preference: 0x0
Not eligible, Reason: Path loops
Backup Neighbor: 8.8.8.8 via: Direct
Neighbor to Destination Metric: 2, Neighbor to Self Metric: 1
Self to Neighbor Metric: 1, Backup preference: 0x0
Not eligible, Reason: Path loops
Backup Neighbor: 4.4.4.4 via: LDP (LSP endpoint)
Neighbor to Destination Metric: 2, Neighbor to Self Metric: 3
Self to Neighbor Metric: 3, Backup preference: 0x0
Eligible, Reason: Contributes backup next-hop
Meaning The output indicates whether a specific interface or node has been designated as a
remote backup path and why.
Action From operational mode, enter the show ospf backup neighbor command.
Meaning The output displays the backup neighbors available for area 0.0.0.0.
Related • Remote LFA over LDP Tunnels in OSPF Networks Overview on page 547
Documentation
• Configuring Remote LFA Backup over LDP Tunnels in an OSPF Network on page 548
In an IS-IS network, a loop free alternate (LFA) is a directly connected neighbor that
provides precomputed backup paths to the destinations reachable through the protected
link on the point of local repair (PLR). A remote LFA is not directly connected to the PLR
and provides precomputed backup paths using dynamically created LDP tunnels to the
remote LFA node. The PLR uses this remote LFA backup path when the primary link fails.
The primary goal of the remote LFA is to increase backup coverage for the IS-IS networks
and provide protection for Layer 1 metro-rings.
LFAs do not provide full backup coverage for IS-IS networks. This is a major setback for
metro Ethernet networks that are often shaped as ring topologies. To overcome this
setback, Resource Reservation Protocol - Traffic Engineering (RSVP-TE) backup tunnels
are commonly used to extend the backup coverage. However, a majority of network
providers have already implemented LDP as the MPLS tunnel setup protocol and do not
want to implement the RSVP-TE protocol merely for backup coverage. LDP automatically
brings up transport tunnels to all potential destinations in an IS-IS network and hence is
the preferred protocol. The existing LDP implemented for the MPLS tunnel setup can be
reused for protection of IS-IS networks and subsequent LDP destinations, thereby
eliminating the need for RSVP-TE backup tunnels for backup coverage.
To calculate the remote LFA backup path, the IS-IS protocol determines the remote LFA
node in the following manner:
1. Calculates the reverse shortest path first from the adjacent router across the protected
link of a PLR. The reverse shortest path first uses the incoming link metric instead of
the outgoing link metric to reach a neighboring node.
The result is a set of links and nodes, which is the shortest path from each leaf node
to the root node.
2. Calculates the shortest path first (SPF) on the remaining adjacent routers to find the
list of nodes that can be reached without traversing the link being protected.
The result is another set of links and nodes on the shortest path from the root node
to all leaf nodes.
3. Determines the common nodes from the above results, These nodes are the remote
LFAs.
IS-IS listens to the advertised labels for the LDP routes. For each advertised LDP route,
IS-IS checks whether it contains an LDP supplied next hop. If the corresponding IS-IS
route does have a backup next hop, then IS-IS runs the backup policy and adds an
additional tracking route with the corresponding LDP label-switched path next hop as
the backup next hop. If there are no backup next hops, LDP builds a dynamic LDP tunnel
to the remote LFA, and LDP establishes a targeted adjacency between the remote LFA
node and the PLR node. This backup route has two LDP labels. The top label is the IS-IS
route, which denotes the backup path from the PLR to the remote LFA route. The bottom
label is the LDP MPLS label-switched path that denotes the route for reaching the ultimate
destination from the remote LFA. When an LDP session goes down and a remote tunnel
is no longer available, IS-IS changes all the routes that have been using this backup LDP
tunnel.
NOTE: Currently, Junos OS supports only IPv4 transport LSPs. If you need to
reuse IPv4 transport LSPs for IPv6 IGP networks, add an IPv6 explicit NULL
label to the label stack of the tracking route. The system automatically
converts the IPv4 LSP to an IPv6 LSP.
LDP might be vulnerable by an automatically targeted adjacency, and these threats can
be mitigated using all or some of the following mechanisms:
• Remote LFAs that are several hops away use extended hello messages to indicate
willingness to establish a targeted LDP session. A remote LFA can reduce the threat
of spoofed extended hellos by filtering them and accepting only those originating at
sources permitted by an access or filter list.
• There is a need to authenticate with TCP-MD5 all auto-targeted LDP sessions in the
given IGP/LDP domain using apply groups or LDP global-level authentication.
• As an added security measure, the repair or remote tunnel endpoint routers should be
assigned from a set of addresses that are not reachable from outside of the routing
domain.
Related • auto-targeted-session
Documentation
• no-eligible-remote-backup
• remote-backup-calculation
• Configuring Remote LFA Backup over LDP Tunnels in an IS-IS Network on page 566
Starting in Junos OS Release 14.2, the primary goal of a remote loop-free alternate (LFA)
is to increase backup coverage for IS-IS routes and provide protection especially for Layer
1 metro-rings. The existing LDP implemented for the MPLS tunnel setup can be reused
for protection of IS-IS networks and subsequent LDP destinations. The IS-IS protocol
creates a dynamic LDP tunnel to reach the remote LFA node from the point of local repair
(PLR). The PLR uses this remote LFA backup path when the primary link fails.
Before you configure remote LFA over LDP tunnels in an IS-IS network, you must do the
following:
2. Make sure that remote LFA allows asymmetric remote neighbor discovery—that is, it
must send periodic targeted hello messages to the router that initiated the remote
neighbor for LDP auto-targeted adjacency.
1. Enable remote LFA backup to determine the backup next hop using dynamic LDP
label-switched path.
The device uses the configured link protection LFA as the backup for the primary link.
3. Enable automatically targeted LDP sessions using the loopback addresses between
the PLR and the remote LFA node.
4. Specify a time interval for which the targeted LDP sessions are kept up even after the
remote LFA node goes down.
14.2 Starting in Junos OS Release 14.2, the primary goal of a remote loop-free
alternate (LFA) is to increase backup coverage for IS-IS routes and provide
protection especially for Layer 1 metro-rings.
Related • auto-targeted-session
Documentation
• remote-backup-calculation
• no-eligible-remote-backup
• Understanding Remote LFA over LDP Tunnels in IS-IS Networks on page 564
This example shows how to configure remote LFA for LDP tunnels in an IS-IS network
for extending backup protection.
Requirements
This example uses the following hardware and software components:
• One ACX5000 router and five other supporting routers with IS-IS protocol and LDP
enabled on the connected interfaces. If the other supporting routers are also ACX5000
routers, then interfaces should be of type em instead of fxp as shown in this example.
Before you configure remote LFA over LDP tunnels in IS-IS networks, make sure of the
following:
• LDP is enabled on the loopback interface. Without a loopback interface, LDP targeted
adjacency cannot be formed. Remote LFA cannot be configured without LDP targeted
adjacency.
• Remote LFA must allow asymmetric remote neighbor discovery—that is, it must send
periodic targeted hello messages to the router that initiated the remote neighbor for
LDP auto targeted adjacency.
• Link protection or node-link protection must be configured on the point of local repair
(PLR).
Overview
The example includes one ACX5000 router and five other supporting routers in a ring
topology. Configure the IS-IS protocol on the directly connected interfaces. Device R1 is
the ACX5000 router. This example verifies that Junos OS updates the routing table of
Device R1 with LDP next-hop routes as the backup route.
Topology
Figure 29: Configuring Remote LFA over LDP Tunnels in IS-IS Networks
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
Configuring Device R1
Step-by-Step The following example requires that you navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
NOTE: Repeat this procedure except Step 4 and Step 5 for every Juniper
Networks router in the IGP domain, modifying the appropriate interface
names, addresses, and any other parameters.
[edit interfaces]
user@R1# set ge-1/0/0 unit 1 description R1->R2
user@R1# set ge-1/0/0 unit 1 family inet address 1.1.1.1/24
user@R1# set ge-1/0/0 unit 1 family iso
user@R1# set ge-1/0/0 unit 1 family mpls
3. Configure the IS-IS interface for level 2 and the metric value on all the interfaces,
and enable link protection on the protected interface.
4. Enable IS-IS node-link protection, which also automatically extends backup coverage
to all LDP label-switched paths.
5. Enable remote LFA backup, which calculates the backup next hop using dynamic
LDP label-switched path.
6. Configure MPLS to use LDP label-switched paths for all interfaces on the device.
[edit protocols]
user@R1# set mpls interface all
user@R1# set mpls interface em0.0 disable
user@R1# set ldp interface all
user@R1# set ldp interface em0.0 disable
7. Specify a time interval for which the targeted LDP sessions are kept up when the
remote LFA goes down, and specify a maximum number of automatically, targeted
LDP sessions to optimize the use of memory.
9. To enable Packet Forwarding Engine local repair, establish a policy that forces the
routing protocol process to install all the next hops for a given route.
This policy ensures that the backup route is installed in the forwarding table used
by the Packet Forwarding Engine to forward traffic to a given destination.
[edit policy-options]
user@R1# set policy-options policy-statement ecmp term 1
user@R1# set then load-balance per-packet
10. Apply the policy to the forwarding table of the local router with the export statement.
Results
From configuration mode, confirm your configuration by entering the show interfaces,
show protocols, show policy-options, and show routing-options commands. If the
output does not display the intended configuration, repeat the instructions in this example
to correct the configuration.
family inet {
address 10.255.102.128/32;
}
family iso {
address 49.0001.1720.1600.1010.00;
}
}
}
}
}
If you are done configuring the device, enter commit from the configuration mode.
Verification
Confirm that the configuration is working properly.
Action On Device R1, from operational mode, run the show route command to display the routes
in the routing table.
Meaning The output shows all the routes in the routing table of Device R1.
Purpose Display all the LDP backup routes in the IS-IS routing table of Device R1.
Action On Device R1, from operational mode, run the show isis route command to display the
routes in the IS-IS routing table.
lt-1/2/0.1 LSP
LDP->tp3-R4(10.255.102.156)
1.1.5.0/24 1 558 20 int lt-1/2/0.12 IPV4 tp3-R6
lt-1/2/0.1 LSP
LDP->tp3-R4(10.255.102.156)
10.255.102.136/32 1 558 10 int lt-1/2/0.12 IPV4 tp3-R6
lt-1/2/0.1 LSP
LDP->tp3-R4(10.255.102.156)
10.255.102.146/32 1 558 20 int lt-1/2/0.1 IPV4 tp3-R2
lt-1/2/0.1 LSP
LDP->tp3-R4(10.255.102.156)
10.255.102.178/32 1 558 10 int lt-1/2/0.1 IPV4 tp3-R2
Meaning The output shows all the LDP backup routes in the IS-IS routing table of Device R1.
Action From operational mode, enter the show ldp session auto-targeted detail command.
Purpose Display the remote LFA next hop determined for a given destination.
Action From operational mode, enter the show isis backup spf results command.
track-item: R6.00-00
track-item: R4.00-00
Eligible, Backup next-hop: ge-1/0/0, LSP, LDP->R4(10.255.102.156), Prefixes: 2
1 nodes
Meaning The output indicates whether a specific interface or node has been designated as a
remote backup path and why.
Related • Understanding Remote LFA over LDP Tunnels in IS-IS Networks on page 564
Documentation
• auto-targeted-session
• no-eligible-remote-backup
• remote-backup-calculation
Generic routing encapsulation (GRE) provides a private, secure path for transporting
packets through an otherwise public network by encapsulating (or tunneling) the packets.
Overview of GRE
GRE encapsulates data packets and redirects them to a device that de-encapsulates
them and routes them to their final destination. This allows the source and destination
routers to operate as if they have a virtual point-to-point connection with each other
(because the outer header applied by GRE is transparent to the encapsulated payload
packet). For example, GRE tunnels allow routing protocols such as RIP and OSPF to
forward data packets from one router to another router across the Internet. In addition,
GRE tunnels can encapsulate multicast data streams for transmission over the Internet.
GRE is described in RFC 2784 (obsoletes earlier RFCs 1701 and 1702). The routers support
RFC 2784, but not completely. (For a list of limitations, see “Configuration Limitations”
on page 583.)
As a tunnel source router, the router encapsulates a payload packet for transport through
the tunnel to a destination network. The payload packet is first encapsulated in a GRE
packet, and then the GRE packet is encapsulated in a delivery protocol. The router
performing the role of a tunnel remote router extracts the tunneled packet and forwards
the packet to its destination.
NOTE: Service chaining for GRE, NAT, and IPSec services on ACX1100-AC
and ACX500 routers is not supported.
GRE Tunneling
Data is routed by the system to the GRE endpoint over routes established in the route
table. (These routes can be statically configured or dynamically learned by routing
protocols such as RIP or OSPF.) When a data packet is received by the GRE endpoint, it
is de-encapsulated and routed again to its destination address.
GRE tunnels are stateless-–that is, the endpoint of the tunnel contains no information
about the state or availability of the remote tunnel endpoint. Therefore, the router
operating as a tunnel source router cannot change the state of the GRE tunnel interface
to down if the remote endpoint is unreachable.
1. When a router receives a data packet (payload) to be tunneled, it sends the packet
to the tunnel interface.
2. The tunnel interface encapsulates the data in a GRE packet and adds an outer IP
header.
3. The IP packet is forwarded on the basis of the destination address in the outer IP
header.
1. When the destination router receives the IP packet from the tunnel interface, the outer
IP header and GRE header are removed.
ACX routers support as many as 64 GRE tunnels between routers transmitting IPv4 or
IPv6 payload packets over GRE.
Configuration Limitations
Some GRE tunneling features are not currently available on ACX Series routers. Be aware
of the following limitations when you are configuring GRE on an ACX router:
• Unsupported features—GRE on the ACX routers does not support the following features:
• GRE keepalives
• GRE keys, payload packet fragmentation, and sequence numbers for fragmented
packets
[edit]
user@host# show protocols
ospf {
area 0.0.0.0 {
interface all;
interface gr-0/0/10.0 {
disable;
}
}
}
NOTE: This limitation is applicable for all routing protocols (such as OSPF,
ISIS).
Related • Configuring Generic Routing Encapsulation Tunneling on ACX Series on page 584
Documentation
• Configuring Unicast Tunnels on page 585
Tunneling provides a private, secure path for transporting packets through an otherwise
public network by encapsulating packets inside a transport protocol known as an IP
encapsulation protocol. Generic routing encapsulation (GRE) is an IP encapsulation
protocol that is used to transport packets over a network. Information is sent from one
network to the other through a GRE tunnel.
GRE tunneling is accomplished through routable tunnel endpoints that operate on top
of existing physical and other logical endpoints. GRE tunnels connect one endpoint to
another and provide a clear data path between them.
After conversion to a GRE tunnel port, the physical port cannot be used for network traffic.
To configure a GRE tunnel port on an ACX router, you need to create logical tunnel
interfaces and the bandwidth in gigabits per second to reserve for tunnel services. Include
the tunnel-services bandwidth (1g | 10g) statement at the [edit chassis fpc slot-number
pic number] hierarchy level.
To configure a GRE tunnel port on the ACX5000 line of routers, use any unused physical
port on the router to create a logical tunnel interface as shown below:
1. Configure a physical GRE port with a logical interface name and address:
[edit interfaces]
user@host# set gr-fpc/pic/port unit number family inet address
[edit interfaces]
user@host# set gr-fpc/pic/port unit number family inet6 address
[edit interfaces]
user@host# set gr-fpc/pic/port unit number tunnel source source-address
[edit interfaces]
user@host# set gr-fpc/pic/port unit number tunnel destination destination-address
To configure a unicast tunnel, you configure a gr- interface (to use GRE encapsulation)
and include the tunnel and family statements:
gr-fpc/pic/port {
unit logical-unit-number {
tunnel {
destination destination-address;
routing-instance {
destination routing-instance-name;
}
source address;
ttl number;
}
family family {
address address {
destination address;
}
}
}
}
You can configure these statements at the [edit interfaces] hierarchy level.
You can configure multiple logical units for each GRE interface, and you can configure
only one tunnel per unit.
You must specify the tunnel’s destination and source addresses. The remaining
statements are optional.
To set the time-to-live (TTL) field that is included in the encapsulating header, include
the ttl statement. If you explicitly configure a TTL value for the tunnel, you must configure
it to be one larger than the number of hops in the tunnel. For example, if the tunnel has
seven hops, you must configure a TTL value of 8.
A configured tunnel cannot go through Network Address Translation (NAT) at any point
along the way to the destination. For more information, see Examples: Configuring Unicast
Tunnels and the MPLS Applications Feature Guide.
• MPLS Overview for ACX Series Universal Access Routers on page 587
• TTL Processing on Incoming MPLS Packets on page 588
• Pseudowire Overview for ACX Series Universal Access Routers on page 590
• ATM Pseudowire Overview on page 592
• Example: ATM Pseudowire Base Configuration on page 592
• Ethernet Pseudowire Overview on page 596
• Example: Ethernet Pseudowire Base Configuration on page 597
• TDM Pseudowires Overview on page 600
• Example: TDM Pseudowire Base Configuration on page 600
• Redundant Pseudowires for Layer 2 Circuits and VPLS on page 604
• Configuring Redundant Pseudowires for Layer 2 Circuits and VPLS on page 606
• Configuring the Pseudowire Status TLV on page 608
• Example: Configuring the Pseudowire Status TLV on page 609
• Automatic Bandwidth Allocation for LSPs on page 611
• Configuring Automatic Bandwidth Allocation for LSPs on page 611
• Configuring Reporting of Automatic Bandwidth Allocation Statistics for LSPs on page 619
• Understanding Pseudowire Redundancy Mobile Backhaul Scenarios on page 623
• Example: Configuring Pseudowire Redundancy in a Mobile Backhaul Scenario on page 627
• The configuration of an ingress label edge router (LER) where IP packets are
encapsulated within MPLS packets and forwarded to the MPLS domain, and as an
egress LER where MPLS packets are decapsulated and the IP packets contained within
the MPLS packets are forwarded using information in the IP forwarding table.
Configuring MPLS on the LER is the same as configuring an LSR.
• Uniform and pipe mode configuration providing different types of visibility in the MPLS
network. Uniform mode makes all the nodes that a label-switched path (LSP) traverses
visible to nodes outside the LSP tunnel. Uniform mode is the default. Pipe mode makes
only the LSP ingress and egress points visible to nodes outside the LSP tunnel. Pipe
mode acts like a circuit and must be enabled with the global no-propagate-ttl statement
at the [edit protocols mpls] hierarchy level on each router that is in the path of the LSP.
The no-propagate-ttl statement disables time-to-live (TTL) propagation at the router
level and affects all RSVP-signalled or LDP-signalled LSPs. Only the global configuration
of TTL propagation is supported.
• Exception packet handling of IP packets not processed by the normal packet flow
through the Packet Forwarding Engine. The following types of exception packet handling
are supported:
• Router alert
• LSP hot standby for secondary paths configuration to maintain a path in a hot-standby
state enabling swift cut over to the secondary path when downstream routers on the
current active path indicate connectivity problems.
• Redundancy for a label-switched path (LSP) path with the configuration of fast reroute.
The flow chart on Figure 30 on page 590 illustrates TTL processing on incoming MPLS
packets. On a transit LSR or an egress LER, MPLS pops one or more labels and can push
one or more labels. The incoming TTL of the packet is determined by the configured TTL
processing tunnel model.
When all of the following conditions are met, the incoming TTL is set to the TTL value
found in the immediate inner header:
If any of those conditions is not met, then the incoming TTL is set to the TTL value found
in the outermost label. In all cases, the TTL values of any further inner labels are ignored.
When an IP packet is exposed after MPLS pops all the labels that should be popped,
MPLS passes the packet to IP for further processing, including TTL checking. When the
uniform tunnel model for TTL processing is in effect, MPLS sets the TTL value of the IP
packet to the incoming TTL value that was just set. In other words, the TTL value is copied
from the outermost label to the IP packet. When the pipe model for TTL processing is in
effect, the TTL value in the IP header is left unchanged.
If an IP packet is not exposed by the label popping, then MPLS performs the TTL validation.
If the incoming TTL is less than 2, the packet is dropped. If innermost packet is IP, an
ICMP packet is built and sent. If the TTL does not expire and the packet needs to be sent
out, the outgoing TTL is determined by the rules for outgoing MPLS packets.
On the ACX Series routers, Ethernet, Asynchronous Transfer Mode (ATM), and
time-division multiplexing (TDM) pseudowires are supported. The following pseudowire
features are supported:
• Pseudowire transport service carrying Layer 1 and Layer 2 information over an IP and
MPLS network infrastructure. Only similar end points are supported on the ACX
Series—for example, T1 to T1, ATM to ATM, and Ethernet to Ethernet.
• Maintenance of Layer 2 circuit services after certain types of failures with a standby
pseudowire, which backs up the connection between PE routers and CE devices.
• In case of failure, a protect interface, which backs up the primary interface. Network
traffic uses the primary interface only so long as the primary interface functions. If
the primary interface fails, traffic is switched to the protect interface.
• Hot and cold standby enabling swift cut over to the backup or standby pseudowire.
• Ethernet connectivity fault management (CFM), which can be used to monitor the
physical link between two routers. The following major features of CFM for Ethernet
pseudowires only are supported:
• Connection protection using the continuity check protocol for fault monitoring. The
continuity check protocol is a neighbor discovery and health check protocol that
discovers and maintains adjacencies at the VLAN or link level.
• Path protection using the linktrace protocol for path discovery and fault verification.
Similar to IP traceroute, the linktrace protocol maps the path taken to a destination
MAC address through one or more bridged networks between the source and
destination.
• Configuring a CFM Action Profile to Specify CFM Actions for CFM Events
On ACX series routers, you configure an ATM pseudowire with Layer 2 encapsulation for
Inverse Multiplexing for ATM (IMA).
• Pseudowire Overview for ACX Series Universal Access Routers on page 590
Requirements
The following is a list of the hardware and software requirements for this configuration.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step 1. Create an ATM interface on a channelized T1 interface (ct1) and enable full
Procedure channelization with the no-partition statement. On the ATM interface, set the ATM
virtual circuit identifier (VCI), the virtual path identifier (VPI), and set the
encapsulation cell mode.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# set ct1-0/0/0 no-partition interface-type at
user@host# set at-0/0/0 unit 0 vci 0.64
user@host# set at-0/0/0 atm-options vpi 0
user@host# set at-0/0/0 unit 0 encapsulation atm-ccc-cell-relay
2. Create a Gigabit Ethernet interface and enable MPLS on that interface. Create the
loopback (lo0) interface:
[edit interfaces]
user@host# set ge-0/2/0 unit 0 family inet address 20.1.1.2/24
user@host# set ge-0/2/0 unit 0 family mpls
[edit]
user@host# edit protocols
[edit protocols]
user@host# set rsvp interface ge-0/2/0.0
user@host# set mpls interface ge-0/2/0.0
4. Configure LDP. If you configure RSVP for a pseudowire, you must also configure
LDP:
[edit protocols]
user@host# set protocols ldp interface ge-0/2/0.0
user@host# set protocols ldp interface lo0.0
[edit protocols]
user@host# set mpls label-switched-path PE1-to-PE2 to 40.1.1.1
user@host# set mpls no-cspf
[edit protocols]
user@host# set ospf traffic-engineering
user@host# set ospf area 0.0.0.0 interface ge-0/2/0.0
user@host# set ospf area 0.0.0.0 interface lo0.0 passive
[edit protocols]
user@host# set l2circuit neighbor 40.1.1.1 interface at-0/0/0.0 virtual-circuit-id 1
Results
[edit]
user@host# show
interfaces {
at-0/0/0 {
atm-options {
vpi 0;
}
unit 0 {
encapsulation atm-ccc-cell-relay;
vci 0.64;
}
}
ct1-0/0/0 {
Related • Pseudowire Overview for ACX Series Universal Access Routers on page 590
Documentation
• ATM Pseudowire Overview on page 173
Starting in Junos OS Release 14.1X53 and Junos OS Release 16.1, an Ethernet pseudowire
is used to carry Ethernet or 802.3 Protocol Data Units (PDUs) over an MPLS network
enabling service providers to offer emulated Ethernet services over existing MPLS
networks. Ethernet or 802.3 PDUs are encapsulated within the pseudowire to provide a
point-to-point Ethernet service. For the point-to-point Ethernet service, the following
fault management features are supported:
• The IEEE 802.3ah standard for Operation, Administration, and Management (OAM).
You can configure IEEE 802.3ah OAM link-fault management on Ethernet point-to-point
direct links or links across Ethernet repeaters.
Ethernet OAM link-fault management can be used for physical link-level fault detection
and management. It uses a new, optional sublayer in the data link layer of the OSI
model. Ethernet OAM can be implemented on any full-duplex point-to-point or
emulated point-to-point Ethernet link. A system-wide implementation is not required;
OAM can be deployed on particular interfaces of a router. Transmitted Ethernet OAM
messages or OAM PDUs are of standard length, untagged Ethernet frames within the
normal frame length limits in the range 64–1518 bytes.
• Ethernet connectivity fault management (CFM) to monitor the physical link between
two routers.
• Connection protection using the continuity check protocol for fault monitoring . The
continuity check protocol is a neighbor discovery and health check protocol that
discovers and maintains adjacencies at the VLAN or link level.
• Path protection using the linktrace protocol for path discovery and fault verification
. Similar to IP traceroute, the linktrace protocol maps the path taken to a destination
MAC address through one or more bridged networks between the source and
destination.
14.1X53 Starting in Junos OS Release 14.1X53 and Junos OS Release 16.1, an Ethernet
pseudowire is used to carry Ethernet or 802.3 Protocol Data Units (PDUs) over
an MPLS network enabling service providers to offer emulated Ethernet services
over existing MPLS networks.
Requirements
The following is a list of the hardware and software requirements for this configuration.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step 1. Create two Gigabit Ethernet interfaces, set the encapsulation mode on one interface
Procedure and MPLS on the other interface. Create the loopback (lo0) interface:
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# set ge-0/1/1 encapsulation ethernet-ccc
user@host# set ge-0/1/1 unit 0
user@host# set ge-0/2/0 unit 0 family inet address 20.1.1.2/24
user@host# set ge-0/2/0 unit 0 family mpls
user@host# set lo0 unit 0 family inet address 70.1.1.1/32
2. Enable the MPLS and RSVP protocols on the interface configured with
MPLS—ge-0/2/0.0:
[edit]
user@host# edit protocols
[edit protocols]
user@host# set rsvp interface ge-0/2/0.0
user@host# set mpls interface ge-0/2/0.0
3. Configure LDP. If you configure RSVP for a pseudowire, you must also configure
LDP:
[edit protocols]
user@host# set protocols ldp interface ge-0/2/0.0
user@host# set protocols ldp interface lo0.0
[edit protocols]
user@host# set mpls label-switched-path PE1-to-PE2 to 40.1.1.1
user@host# set mpls no-cspf
[edit protocols]
user@host# set ospf traffic-engineering
user@host# set ospf area 0.0.0.0 interface ge-0/2/0.0
user@host# set ospf area 0.0.0.0 interface lo0.0 passive
[edit protocols]
user@host# set l2circuit neighbor 40.1.1.1 interface ge-0/1/1.0 virtual-circuit-id 1
Results
[edit]
user@host# show
interfaces {
ge-0/1/1 {
encapsulation ethernet-ccc;
unit 0;
}
ge-0/2/0 {
unit 0 {
family inet {
address 20.1.1.2/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 70.1.1.1/32;
}
}
}
}
protocols {
rsvp {
interface ge-0/2/0.0;
}
mpls {
no-cspf;
label-switched-path PE1-to-PE2 {
to 40.1.1.1;
}
interface ge-0/2/0.0;
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface ge-0/2/0.0;
interface lo0.0 {
passive;
}
}
}
ldp {
interface ge-0/2/0.0;
interface lo0.0;
}
l2circuit {
neighbor 40.1.1.1 {
interface ge-0/1/1.0 {
virtual-circuit-id 1;
}
}
}
}
Related • Pseudowire Overview for ACX Series Universal Access Routers on page 590
Documentation
• Ethernet Pseudowire Overview on page 596
A TDM pseudowire acts as Layer 2 circuit or service for T1 and E1 circuit signals across an
MPLS packet-switched network. On ACX Series routers, you configure a TDM pseudowire
with Structure-Agnostic Time Division Multiplexing (TDM) over Packet (SAToP) on the
ACX Series built-in channelized T1 and E1 interfaces. When you configure a TDM
pseudowire, the network between the customer edge (CE) routers appears transparent
to the CE routers, making it seem that the CE routers are directly connected. With the
SAToP configuration on the provider edge (PE) router’s T1 and E1 interfaces, the
interworking function (IWF) forms a payload (frame) that contains the CE router’s T1
and E1 Layer 1 data and control word. This data is transported to the remote PE over the
pseudowire. The remote PE removes all the Layer 2 and MPLS headers added in the
network cloud and forwards the control word and the Layer 1 data to the remote IWF,
which in turn forwards the data to the remote CE router.
• Pseudowire Overview for ACX Series Universal Access Routers on page 590
Requirements
The following is a list of the hardware and software requirements for this configuration.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# set ct1-0/0/0 no-partition interface-type t1
user@host# set t1-0/0/0 encapsulation satop
user@host# set t1-0/0/0 unit 0
3. Create a Gigabit Ethernet interface and enable MPLS on that interface. Create the
loopback (lo0) interface:
[edit interfaces]
user@host# set ge-0/2/0 unit 0 family inet address 20.1.1.2/24
user@host# set ge-0/2/0 unit 0 family mpls
user@host# set lo0 unit 0 family inet address 70.1.1.1/32
[edit]
user@host# edit protocols
[edit protocols]
user@host# set rsvp interface ge-0/2/0.0
user@host# set mpls interface ge-0/2/0.0
5. Configure LDP. If you configure RSVP for a pseudowire, you must also configure
LDP:
[edit protocols]
user@host# set ldp interface ge-0/2/0.0
user@host# set ldp interface lo0.0
[edit protocols]
user@host# set mpls label-switched-path PE1-to-PE2 to 40.1.1.1
user@host# set mpls no-cspf
[edit protocols]
user@host# set ospf traffic-engineering
user@host# set ospf area 0.0.0.0 interface ge-0/2/0.0
user@host# set ospf area 0.0.0.0 interface lo0.0 passive
[edit protocols]
user@host# set l2circuit neighbor 40.1.1.1 interface t1-0/0/0.0 virtual-circuit-id 1
Results
[edit]
user@host# show
chassis {
fpc 0 {
pic 0 {
framing t1;
}
}
}
interfaces {
ct1-0/0/0 {
no-partition interface-type t1;
}
t1-0/0/0 {
encapsulation satop;
unit 0;
}
ge-0/2/0 {
unit 0 {
family inet {
address 20.1.1.2/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 70.1.1.1/32;
}
}
}
}
protocols {
rsvp {
interface ge-0/2/0.0;
}
mpls {
no-cspf;
label-switched-path PE1-to-PE2 {
to 40.1.1.1;
}
interface ge-0/2/0.0;
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface ge-0/2/0.0;
interface lo0.0 {
passive;
}
}
}
ldp {
interface ge-0/2/0.0;
interface lo0.0;
}
l2circuit {
neighbor 40.1.1.1 {
interface t1-0/0/0.0 {
virtual-circuit-id 1;
}
}
}
}
Related • Pseudowire Overview for ACX Series Universal Access Routers on page 590
Documentation
• TDM Pseudowires Overview on page 600
When you configure redundant pseudowires to remote PE routers, you configure one to
act as the primary pseudowire over which customer traffic is being transmitted and you
configure another pseudowire to act as a backup in the event the primary fails. You
configure the two pseudowires statically. A separate label is allocated for the primary
and backup neighbors.
The following sections provide an overview of redundant pseudowires for Layer 2 circuits
and VPLS:
• You can configure a single active pseudowire. The PE router configured as the primary
neighbor is given preference and this connection is the one used for customer traffic.
For the LDP signalling, labels are exchanged for both incoming and outgoing traffic
with the primary neighbor. The LDP label advertisement is accepted from the backup
neighbor, but no label advertisement is forwarded to it, leaving the pseudowire in an
incomplete state. The pseudowire to the backup neighbor is completed only when the
primary neighbor fails. The decision to switch between the two pseudowires is made
by the device configured with the redundant pseudowires. The primary remote PE
router is unaware of the redundant configuration, ensuring that traffic is always switched
using just the active pseudowire.
• Alternatively, you can configure two active pseudowires, one to each of the PE routers.
Using this approach, control plane signalling is completed and active pseudowires are
established with both the primary and backup neighbors. However, the data plane
forwarding is done only over a one of the pseudowires (designated as the active
pseudowire by the local device). The other pseudowire is on standby. The active
pseudowire is preferably established with the primary neighbor and can switch to the
backup pseudowire if the primary fails.
The decision to switch between the active and standby pseudowires is controlled by
the local device. The remote PE routers are unaware of the redundant connection, and
so both remote PE routers send traffic to the local device. The local device only accepts
traffic from the active pseudowire and drops the traffic from the standby. In addition,
the local device only sends traffic to the active pseudowire. If the active pseudowire
fails, traffic is immediately switched to the standby pseudowire.
The two configurations available for pseudowire redundancy have the following
limitations:
• For the single active pseudowire configuration, it takes more time (compared to the
two active pseudowire configuration) to switchover to the backup pseudowire when
a failure is detected. This approach requires additional control plane signalling to
complete the pseudowire with the backup neighbor and traffic can be lost during the
switchover from primary to backup.
• If you configure two active pseudowires, bandwidth is lost on the link carrying the
backup pseudowire between the remote PE router and the local device. Traffic is always
duplicated over both the active and standby pseudowires. The single active pseudowire
configuration does not waste bandwidth in this fashion.
• Periodic pseudowire OAM procedure fails (Layer 2 circuit-based MPLS ping to the PE
router fails)
verify data plane connectivity. If the ping fails, traffic is automatically switched to the
redundant pseudowire.
When a failure is detected, traffic is switched from the failed active pseudowire to the
redundant pseudowire. The redundant pseudowire is then designated as the active
pseudowire. The switch is nonreversible, meaning that once the redundant pseudowire
assumes the role of the active pseudowire at the time of a failover, it remains as the
active pseudowire even though the previously active pseudowire comes up again.
For example, a primary pseudowire has failed and traffic has been successfully switched
to the redundant pseudowire. After a period of time, the cause of the failure of the primary
pseudowire has been resolved and it is now possible to reestablish the original connection.
However, traffic is not switched back to the original pseudowire unless a failure is detected
on the currently active pseudowire.
For an overview of how redundant pseudowires work, see “Redundant Pseudowires for
Layer 2 Circuits and VPLS” on page 604.
To configure pseudowire redundancy for Layer 2 circuits and VPLS, complete the
procedures in the following sections:
backup-neighbor {
community name;
psn-tunnel-endpoint address;
standby;
virtual-circuit-id number;
}
For a list of hierarchy levels at which you can include this statement, see the statement
summary for this statement.
switchover-delay milliseconds;
For a list of hierarchy levels at which you can include this statement, see the statement
summary for this statement.
To configure a revert time for redundant pseudowires, specify the time in seconds using
the revert-time statement:
With the maximum option, specify a maximum reversion interval to add after the
revert-time delay. If a revert-time delay is defined but a maximum timer is not defined,
VCs are restored upon the revert-timer's expiration.
To reduce as much as possible the amount of traffic discarded, and potential data-path
asymmetries observed during primary-to-backup transition periods, you can use this
restoration timer. This restoration timer is activated when the backup path is performing
as active, and then the primary path is restored. The goal is to avoid moving traffic back
to the primary path right away, to make sure that the control plane's related tasks (such
as IGP, LDP, RSVP, and internal BGP) have enough time to complete their updating cycle.
By enabling a gradual return of traffic to the primary path, you can ensure that the
relatively-slow control-plane processing and updating does not have a negative impact
on the restoration process.
The maximum option extends the revert timer’s functionality to provide a jittered interval
over which a certain number of circuits can be transitioned back to the primary path. By
making use of this maximum value, you can define a time interval during which circuits
are expected to switch over. As a consequence, circuits’ effective transitions are scattered
during restoration periods.
When making use of revert-time x maximum y statement, you can ensure that the
corresponding circuit that is active is moved to the primary path within a time-slot (t1)
such as that: x <= t1 <= y. In other words, by activating this statement, you can ensure
the following:
• VCs stay in the backup path for at least x seconds after the primary path comes back
up.
• VCs are moved back to the primary path before y seconds have elapsed.
The ideal values for x and y will are conditioned to internal aspects of your network. For
this reason, there are no default values for these settings. If no revert-time is set, the
default behavior is non-revertive. That is, circuits are not returned to the primary path
upon restoration. They are kept on the backup path.
For a list of hierarchy levels at which you can include this statement, see the statement
summary for this statement.
The pseudowire status type length variable (TLV) is used to communicate the status of
a pseudowire back and forth between two provider edge (PE) routers. For Layer 2 circuit
configurations, you can configure the PE router to negotiate the pseudowire with its
neighbor using the pseudowire status TLV. The pseudowire status TLV is configurable
for each pseudowire connection and is disabled by default. The pseudowire status
negotiation process assures that a PE router reverts back to the label withdraw method
for pseudowire status if its remote PE router neighbor does not support the pseudowire
status TLV.
Unlike the control word, a PE router’s ability to support the pseudowire status TLV is
communicated when the initial label mapping message is sent to its remote PE router.
Once the PE router transmits its support for the pseudowire status TLV to its remote PE
router, it includes the pseudowire status TLV in every label mapping message sent to
the remote PE router. If you disable support for the pseudowire status TLV on the PE
router, a label withdraw message is sent to the remote PE router and then a new label
mapping message without the pseudowire status TLV follows.
To configure the pseudowire status TLV for the pseudowire to the neighbor PE router,
include the pseudowire-status-tlv statement at an appropriate hierarchy level.
For a list of the hierarchy levels at which you can include this statement, see the statement
summarysection for this statement.
Requirements
The following is a list of the hardware and software requirements for this configuration.
Overview
The configuration shown here is the base configuration of a pseudowire with
pseudowire-status-tlv enabled. The pseudowire-status-tlv is used to communicate the
status of a pseudowire between PE routers.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step 1. Navigate to the [edit protocols l2circuit] hierarchy level to configure Layer 2 circuits
Procedure over MPLS.
[edit]
user@host# edit protocols l2circuit
2. Set the address for the neighbor provider edge router;, this example uses a fictitious
address, 10.255.64.26.
3. Specify the name of the interface forming the Layer 2 circuit; this example uses
xe-0/0/0.
Results
Related • Pseudowire Overview for ACX Series Universal Access Routers on page 590
Documentation
• Configuring the Pseudowire Status TLV on page 608
You set a sampling interval on an LSP configured with automatic bandwidth allocation.
The average bandwidth is monitored during this interval. At the end of the interval, an
attempt is made to signal a new path for the LSP with the bandwidth allocation set to
the maximum average value for the preceding sampling interval. If the new path is
successfully established and the original path is removed, the LSP is switched over to
the new path. If a new path is not created, the LSP continues to use its current path until
the end of the next sampling interval, when another attempt is made to establish a new
path. Note that you can set minimum and maximum bandwidth values for the LSP.
During the automatic bandwidth allocation interval, the router might receive a steady
increase in traffic (increasing bandwidth utilization) on an LSP, potentially causing
congestion or packet loss. To prevent this, you can define a second trigger to prematurely
expire the automatic bandwidth adjustment timer before the end of the current
adjustment interval.
At the end of the automatic bandwidth allocation time interval, the current maximum
average bandwidth usage is compared with the allocated bandwidth for the LSP. If the
LSP needs more bandwidth, an attempt is made to set up a new path where bandwidth
is equal to the current maximum average usage. If the attempt is successful, the LSP’s
traffic is routed through the new path and the old path is removed. If the attempt fails,
the LSP continues to use its current path.
NOTE: In calculating the value for Max AvgBW (relative to the ingress LSP),
the sample collected during make before break (MBB) is ignored to prevent
inaccurate results. The first sample after a bandwidth adjustment, or after
a change in the LSP ID (regardless of path change), is also ignored.
If you have configured link and node protection for the LSP and traffic has been switched
to the bypass LSP, the automatic bandwidth allocation feature continues to operate and
take bandwidth samples from the bypass LSP. For the first bandwidth adjustment cycle,
the maximum average bandwidth usage taken from the original link and node-protected
LSP is used to resignal the bypass LSP if more bandwidth is needed. (Link and node
protection are not supported on QFX Series switches.)
If you have configured fast-reroute for the LSP, you might not be able to use this feature
to adjust the bandwidth. Because the LSPs use a fixed filter (FF) reservation style, when
a new path is signaled, the bandwidth might be double-counted. Double-counting can
prevent a fast-reroute LSP from ever adjusting its bandwidth when automatic bandwidth
allocation is enabled. (Fast reroute is not supported on QFX Series switches.)
If an LSP has an automatic bandwidth configuration, you can disable automatic bandwidth
adjustments on a particular path (either primary or secondary) by configuring a static
bandwidth value and by disabling the CSPF computation (using the no-cspf statement).
For example:
At the end of the automatic bandwidth allocation interval, the automatic bandwidth
computation and new path setup process is triggered.
To specify the bandwidth reallocation interval in seconds for a specific LSP, include the
adjust-interval statement:
adjust-interval seconds;
You can maintain the LSP’s bandwidth between minimum and maximum bounds by
specifying values for the minimum-bandwidth and maximum-bandwidth statements.
To specify the minimum amount of bandwidth allocated for a specific LSP, include the
minimum-bandwidth statement:
minimum-bandwidth bps;
To specify the maximum amount of bandwidth allocated for a specific LSP, include the
maximum-bandwidth statement:
maximum-bandwidth bps;
Use the adjust-threshold statement to specify the sensitivity of the automatic bandwidth
adjustment of an LSP to changes in bandwidth utilization. You can set the threshold for
when to trigger automatic bandwidth adjustments. When configured, bandwidth demand
for the current interval is determined and compared to the LSP’s current bandwidth
allocation. If the percentage difference in bandwidth is greater than or equal to the
specified adjust-threshold percentage, the LSP’s bandwidth is adjusted to the current
bandwidth demand.
For example, assume that the current bandwidth allocation is 100 megabits per second
(Mbps) and that the percentage configured for the adjust-threshold statement is 15
percent. If the bandwidth demand increases to 110 Mbps, the bandwidth allocation is not
adjusted. However, if the bandwidth demand increases to 120 Mbps (20 percent over
the current allocation) or decreases to 80 Mbps (20 percent under the current allocation),
the bandwidth allocation is increased to 120 Mbps or decreased to 80 Mbps, respectively.
adjust-threshold percent;
The automatic bandwidth adjustment timer is a periodic timer which is triggered every
adjust interval to determine whether any bandwidth adjustments are required on the
LSP's active path. This interval is typically configured as a long period of time, usually
hours. If, at the end of adjust interval, the change in bandwidth is above a certain adjust
threshold, the LSP is resignaled with the new bandwidth.
During the automatic bandwidth adjustment interval, the router might receive a steady
increase in traffic (increasing bandwidth utilization) on an LSP, potentially causing
congestion or packet loss. To prevent this, you can define a second trigger to prematurely
expire the automatic bandwidth adjustment timer before the end of the current
adjustment interval.
Every statistics interval, the router samples the average bandwidth utilization of an LSP
and if this has exceeded the current maximum average bandwidth utilization, the
maximum average bandwidth utilization is updated.
During each sample period, the following conditions are also checked:
• Is the current average bandwidth utilization above the active bandwidth of the path?
• Has the difference between the average bandwidth utilization and the active bandwidth
exceeded the adjust threshold (bandwidth utilization has changed significantly)?
If these conditions are true, it is considered to be one bandwidth overflow sample. Using
the adjust-threshold-overflow-limit statement, you can define a limit on the number of
bandwidth overflow samples such that when the limit is reached, the current automatic
bandwidth adjustment timer is expired and a bandwidth adjustment is triggered. Once
this adjustment is complete, the normal automatic bandwidth adjustment timer is reset
to expire after the periodic adjustment interval.
adjust-threshold-overflow-limit number;
Similarly, if the current average bandwidth utilization is below the active bandwidth of
the path by the configured adjusted threshold (meaning that bandwidth utilization has
gone down significantly), the sample is considered to be an underflow sample. The
adjusted (new signaling) bandwidth after an adjustment due to underflow is the maximum
average bandwidth among the underflow samples. Starting in Junos OS Release 14.1R9,
15.1R7, 16.1R5, 16.2R3, and 17.2R2, all zero value bandwidth samples are considered as
underflow samples, except for the zero value samples that arrive after an LSP comes up
for the first time, and the zero value samples that arrive first after a Routing Engine
switchover.
You can specify a limit on the number of bandwidth underflow samples before triggering
an automatic bandwidth allocation adjustment by configuring the adjust
threshold-underflow-limit statement:
adjust-threshold-underflow-limit number;
• You must configure a nonzero value for the adjust-threshold statement if you configure
the adjust-threshold-overflow-limit or adjust-threshold-underflow-limit statement.
• Any bandwidth increase or decrease below the value configured for the adjust-threshold
statement does not constitute an overflow or underflow condition.
• To prevent unlimited increases in LSP bandwidth (to limit overflow beyond a certain
bandwidth), you must also configure the maximum-bandwidth statement when you
configure the adjust-threshold-overflow-limit statement.
• You cannot configure automatic bandwidth adjustments to occur more often than
every 300 seconds. The adjust-threshold-overflow-limit statement is subject to the
same minimum value with regard to the minimum frequency of adjustment allowed.
Overflow condition based adjustments can occur no sooner than 300 seconds from
the start of the overflow condition. Therefore it is required that:
These values are checked during the commit operation. An error is returned if the value
is less than 300 seconds.
monitor-bandwidth;
If you have configured an LSP with primary and secondary paths, the automatic bandwidth
allocation statistics are carried over to the secondary path if the primary path fails. For
example, consider a primary path whose adjustment interval is half complete and whose
maximum average bandwidth usage is currently calculated as 50 Mbps. If the primary
path suddenly fails, the time remaining for the next adjustment and the maximum average
bandwidth usage are carried over to the secondary path.
• When the LSP is configured for automatic bandwidth allocation in monitor mode (the
monitor-bandwidth statement is included in the configuration as described in
“Configuring Passive Bandwidth Utilization Monitoring” on page 617), and want to initiate
an immediate bandwidth adjustment.
To use the request mpls lsp adjust-autobandwidth command, the following must be true:
• The criteria required to trigger a bandwidth adjustment have been met (the difference
between the adjust bandwidth and the current LSP path bandwidth is greater than
the threshold limit).
A manually triggered bandwidth adjustment operates only on the active LSP path. Also,
if you have enabled periodic automatic bandwidth adjustment, the periodic automatic
bandwidth adjustment parameters (the adjustment interval and the maximum average
bandwidth) are not reset after a manual adjustment.
For example, suppose the periodic adjust interval is 10 hours and there are currently
5 hours remaining before an automatic bandwidth adjustment is triggered. If you initiate
a manual adjustment with the request mpls lsp adjust-autobandwidth command, the
adjust timer is not reset and still has 5 hours remaining.
To manually trigger a bandwidth allocation adjustment, you need to use the request mpls
lsp adjust-autobandwidth command. You can trigger the command for all affected LSPs
on the router, or you can specify a particular LSP:
Once you execute this command, the automatic bandwidth adjustment validation process
is triggered. If all the criteria for adjustment are met, the LSP’s active path bandwidth is
adjusted to the adjusted bandwidth value determined during the validation process.
14.1R9 Starting in Junos OS Release 14.1R9, 15.1R7, 16.1R5, 16.2R3, and 17.2R2, all zero
value bandwidth samples are considered as underflow samples, except for the
zero value samples that arrive after an LSP comes up for the first time, and the
zero value samples that arrive first after a Routing Engine switchover.
statistics {
auto-bandwidth (MPLS Statistics);
file filename <files number> <size size> <world-readable | no-world-readable>;
interval seconds;
no-transit-statistics;
transit-statistics-polling;
}
2. Specify the filename for the files used to store the MPLS trace operation output using
the file option. All files are placed in the directory /var/log. We recommend that you
place MPLS tracing output in the file mpls-log.
3. Specify the maximum number of trace files using the files number option. When a
trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then
trace-file.1, and so on, until the maximum number of trace files is reached. Then the
oldest trace file is overwritten.
4. Specify the interval for calculating the average bandwidth usage by configuring a time
in seconds using the interval option. You can also set the adjustment interval on a
specific LSP by configuring the interval option at the [edit protocols mpls
label-switch-path label-switched-path-name statistics] hierarchy level.
5. To trace automatic bandwidth allocation, include the autobw-state flag for the MPLS
traceoptions statement at the [edit protocols mpls] hierarchy level.
The following configuration enables the MPLS traceoptions for automatic bandwidth
allocation. The trace records are stored in a file called auto-band-trace (the filename
is user configurable):
6. Using the show log command, you can display the automatic bandwidth allocation
statistics file generated when you configure the auto-bandwidth (MPLS Statistics)
statement. The following shows sample log file output taken from an MPLS statistics
file named auto-band-stats on a router configured with an LSP named E-D. The log
file shows that LSP E-D is operating over its reserved bandwidth limit initially. Before
Oct 30 17:14:57, the router triggered an automatic bandwidth adjustment (you might
see two sessions for an LSP undergoing an automatic bandwidth adjustment). By Oct
30 17:16:57, the LSP has been reestablished at a higher bandwidth and is now shown
using less than 100 percent of its Reserved Bw (reserved bandwidth).
decr nh 0x952c308, type 4, flags 0x0, n_gw 1, nhid 0 to refcount 1Oct 30 17:16:57 Total 1 sessions: 1
success, 0 fail, 0 ignored
7. Issue the show mpls lsp autobandwidth command to display current information about
automatic bandwidth allocation. The following shows sample output from the show
mpls lsp autobandwidth command taken at about the same time as the log file shown
previously:
8. Issue the file show command to display the MPLS trace file. You need to specify the
file location and file name (the file is located in /var/log/. The following shows sample
trace file output is taken from an MPLS trace file named auto-band-trace.0.gz on a
router configured with an LSP named E-D. The trace file shows that LSP E-D is
operating over its reserved bandwidth limit initially. At Oct 30 17:15:26, the router
triggers an automatic bandwidth adjustment (you might see two sessions for an LSP
undergoing an automatic bandwidth adjustment). By Oct 30 17:15:57, the LSP has
been reestablished at a higher bandwidth and is now shown using less than 100
percent of its Reserved Bw (reserved bandwidth).
37 Bps
Oct 30 17:15:57.467106 E-D (LSP ID 6, Tunnel ID 6741) 33
pkt 2695 Byte 1 pps 89 Bps Util 87.69% Reserved Bw
101 Bps
Oct 30 17:15:57.467201 LSP E-D (id 6, old id 5); LSP up after autobw adjustment
and active for 30 sec
Oct 30 17:15:57.467398 LSP E-D (id 6) psb bytes 2695 < bytes recorded
22607 total bytes 2695 in 30 sec
Oct 30 17:15:57.467461 First sample of the adjust interval after automatic bw
adjustment
Oct 30 17:15:57.467594 Update curr max avg bw 0bps of LSP E-D with new bw
716.225bps
Oct 30 17:16:27.466830 E-D (LSP ID 5, Tunnel ID 6741) 0
pkt 0 Byte 0 pps 0 Bps Util 0.00% Reserved Bw
37 Bps
Oct 30 17:16:27.467079 E-D (LSP ID 6, Tunnel ID 6741) 65
pkt 5338 Byte 1 pps 88 Bps Util 86.70% Reserved Bw
101 Bps
Oct 30 17:16:27.467171 LSP E-D (id 6, old id 6); sampled bytes 5338 >
bytes recorded 2695
Oct 30 17:16:27.467237 LSP E-D (id 6) new bytes arrived 2643 in 29
sec
Oct 30 17:16:57.466712 E-D (LSP ID 6, Tunnel ID 6741) 97
pkt 7981 Byte 1 pps 88 Bps Util 86.70% Reserved Bw
101 Bps
Oct 30 17:16:57.466870 LSP E-D (id 6, old id 6); sampled bytes 7981 >
bytes recorded 5338
With the rising demand for mobile broadband services, telecommunication providers are
seeing a sharp increase in bandwidth requirements. To keep pace with demand, operators
are deploying packet-based backhaul networks that offer increased capacity at a lower
cost, while providing the necessary service reliability and quality of experience that users
expect.
Most of the legacy backhaul infrastructure has been traditionally built over PDH
microwave, TDM T1/E1, or ATM-over-DSL links. Service providers have traditionally added
subsequent TDM links to their base stations when needed to deal with bandwidth
constraint scenarios. This expansion model has proven to be inefficient for the
unprecedented traffic demands required by 3G and Long Term Evolution (LTE) services.
As a direct consequence, operators are gradually migrating to an Ethernet-based higher
capacity infrastructure in the backhaul portion of 3G and LTE topologies. Modern base
stations now provide Ethernet backhaul connectivity, allowing pseudowire technologies
to transport end-user content to the desired destination. As part of this Ethernet transition,
service providers are increasingly demanding better resiliency mechanisms to cover the
existence gap with those features provided by previous legacy technologies. With that
goal in mind, Junos OS provides efficient pseudowire redundancy capabilities to those
topologies where Layer 2 and Layer 3 segments are interconnected.
Sample Topology
Figure 31 on page 623 shows a sample topology.
An A5
CE2
A1 PE1 PE3
A2 PE2 PE4
A4 CE3
A3
g041420
• Layer 2 and Layer 3 domains are synchronized with regard to the elected data path.
• Node failures
• Control-plane failures
By having the active and standby states being defined by the access routers, Junos OS
mitigates potential primary path collisions, as there is a unique network element dictating
the preferable forwarding path to be elected. As an added value, this allows network
operators to switch forwarding paths on demand, which is quite useful for troubleshooting
and network maintenance purposes.
The active and standby states are communicated to the aggregation routers by making
use of an additional pseudowire state flag.
Table 45: Pseudowire Status Code for the Pseudowire Status TLV
Flag Code
L2CKT_PW_STATUS_PW_FWD 0x00000000
L2CKT_PW_STATUS_PW_NOT_FWD 0x00000001
L2CKT_PW_STATUS_AC_RX_FAULT 0x00000002
L2CKT_PW_STATUS_AC_TX_FAULT 0x00000004
L2CKT_PW_STATUS_PSN_RX_FAULT 0x00000008
L2CKT_PW_STATUS_PSN_TX_FAULT 0x00000010
L2CKT_PW_STATUS_PW_FWD_STDBY 0x00000020
L2CKT_PW_STATUS_SWITCH_OVER 0x00000040
How It Works
The solution uses logical tunnel (lt-) paired interfaces for stitching the Layer 2 and Layer
3 domains.
Figure 32 on page 625 shows a diagram depicting how pseudowire redundancy in a mobile
backhaul scenario works.
CE2
PE1 PE3
10.1.1/24
Metro MPLS L3VPN Core MPLS
A1
ring VRF cloud
PE2 PE4
CE3
A Layer 2 pseudowire terminates on one of the logical tunnel interfaces (x), defined with
the circuit cross-connect (CCC) address family configured. A Layer 3 VPN (RFC 2547)
terminates the second logical tunnel interface (y), defined with the IPv4 (inet) address
family. Logical tunnel interface (x) and (y) are paired. Layer 2 pseudowires established
between each access router and its corresponding aggregation PE devices terminate on
the logical tunnel interface defined within each PE device. This logical tunnel interface
is used to establish a Layer 2 virtual circuit (VC) toward the remote end. In consequence,
the CCC address family needs to be configured on it. The same applies to the remote
end, where an equivalent interface needs to be defined with CCC capabilities.
This CCC logical tunnel interface created in the aggregation PE devices is paired with a
second logical tunnel interface on which the INET address family is enabled. This second
logical tunnel interface is configured within the context of an RFC 2547 Layer 3 VPN.
Within the scope of this document, we refer to the CCC and INET logical tunnel interfaces
as LT(x) and LT(y), respectively.
The Junos OS routing protocol process (rpd) enables the stitching required to interconnect
the Layer 2 VC ending in LT(x) and the associated LT(y).
In the aggregation PE routers, the routing process builds a pseudowire toward access
routers, and this happens regardless of the active or standby state of the pseudowire.
The same occurs in access routers, where the control and forwarding state is
preestablished in both the Routing Engine and the Packet Forwarding Engine to mitigate
traffic disruption during convergence periods.
An attachment circuit (AC) is a physical or virtual circuit (VC) that attaches a CE device
to a PE device. Local preference is used to provide better information than the multiple
exit discriminator (MED) value provides for a packet's path selection. You can configure
the local preference attribute so that it has a higher value for prefixes received from a
router that provides a desired path than prefixes received from a router that provides a
less desirable path. The higher the value, the more preferred the route. The local
preference attribute is the metric most often used in practice to express preferences for
one set of paths over another.
If the Layer 2 circuit is primary, the corresponding PE device advertises the AC’s subnet
with the higher local preference. All aggregation PE devices initially advertise the AC’s
subnet with the same local preference. You can configure a routing policy to allow a
higher local preference value to be advertised if the Layer 2 VC is active.
If a pseudowire is down, LT(x) is tagged with the CCC_Down flag. When this happens,
the corresponding PE device withdraws the AC subnet that was initially advertised. The
LT(y) address is shared between the aggregation PE devices as a virtual instance port
(VIP). No VRRP hello messages are exchanged. Both PE devices assume mastership.
Both primary and standby Layer 2 VCs are kept open to reduce traffic disruption in
backup-to-primary transitions. The hot-standby-vc-on configuration statement allows
manual activation.
Resiliency in the Layer 2 domain is provided through plain pseudowire redundancy for
back-to-back connections. For other topologies, pseudowire virtual circuit connectivity
verification (VCCV) is used.
Resiliency in the Layer 3 domain is provided by MPLS fast reroute and end-to-end service
restoration. A restoration timer prevents having VCs in the secondary path from being
switched back to the primary path immediately after the master PE device is restored.
Access routers can indicate to the aggregation routers which Layer 2 VC is considered to
be active. Upon arrival at LT(x) of a status TLV message communicating a standby state,
the routing process decreases the BGP's local preference value of the direct subnet
represented by the LT(y) IPv4 address. At this point, BGP proceeds to advertise this local
preference change to the rest of the members within the Layer 3 domain, which will then
reelect the designated forwarder PE device by relying on BGP's path selection
mechanisms.
A similar behavior occurs upon arrival of a status TLV message indicating a Layer 2 VC
active state. In this case, the receiving PE device changes the local preference
corresponding to the LT(y)'s subnet. The value to be used to either decrease or increase
the subnet's local preference value is manually configured using a policy.
This example shows how to configure pseudowire redundancy where Layer 2 and Layer
3 segments are interconnected in a mobile backhaul scenario.
Requirements
This example can be configured using the following software and hardware components:
NOTE: The PE routers could also be T Series Core Routers but that is not
typical. Depending on your scaling requirements, the core routers could also
be MX Series 3D Universal Edge Routers or M Series Multiservice Edge Routers.
The customer edge (CE) devices could be other routers or switches from
Juniper Networks or another vendor.
Overview
Device CE1 is a simple edge router with an IPv4 interface and a static route pointing to
the PE devices. Device A1 establishes two virtual circuits (VCs) toward Device PE1 and
Device PE2 by making use of the hot-standby statement. Device PE1 and Device PE2
terminate these VCs and enforce a policy condition over the logical tunnel IPv4 subnet.
Device PE3 performs as a Layer 3 VPN provider edge device by having an IPv4 interface
in a Layer 3 VPN shared with Device PE1 and Device PE2.
“CLI Quick Configuration” on page 628 shows the configuration for all of the devices in
Figure 33 on page 628.
The section “Step-by-Step Procedure” on page 634 describes the steps on Device A1 and
Device PE1.
10.10.0.101 10.31.0.101
PE1
ge-0/1/3 ge-0/1/2
10.21.0.101 ge-0/1/1
lt-1/2/0.600 lt-1/2/0.601
10.41.0.101
CE1 CE2
10.20.0.100 ge-1/3/0 ge-2/0/3 10.32.0.103
lt-1/2/0.601
lo0: lt-1/2/0.600 10.41.0.102
CE1 192.168.0.104
CE2 192.168.0.105 10.21.0.102 ge-0/3/1
A1 192.166.0.100
g041423
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
Device PE1 set interfaces ge-0/1/1 unit 0 family inet address 10.21.0.101/24
set interfaces ge-0/1/1 unit 0 family iso
set interfaces ge-0/1/1 unit 0 family mpls
Device PE2 set interfaces ge-0/3/0 unit 0 family inet address 10.20.0.102/24
set interfaces ge-0/3/0 unit 0 family iso
set interfaces ge-0/3/0 unit 0 family mpls
set interfaces ge-0/3/1 unit 0 family inet address 10.21.0.102/24
set interfaces ge-0/3/1 unit 0 family iso
set interfaces ge-0/3/1 unit 0 family mpls
set interfaces ge-0/3/3 unit 0 family inet address 10.32.0.102/24
set interfaces ge-0/3/3 unit 0 family iso
set interfaces ge-0/3/3 unit 0 family mpls
set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc
set interfaces lt-1/2/0 unit 600 vlan-id 600
set interfaces lt-1/2/0 unit 600 peer-unit 601
set interfaces lt-1/2/0 unit 601 encapsulation vlan
set interfaces lt-1/2/0 unit 601 vlan-id 600
set interfaces lt-1/2/0 unit 601 peer-unit 600
set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet
set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet
set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0
virtual-address 10.41.0.1
set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 accept-data
set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.102/32 except
set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8
set firewall family inet filter icmp_inet term 0 from protocol icmp
set firewall family inet filter icmp_inet term 0 then count icmp_inet
set firewall family inet filter icmp_inet term 0 then log
set firewall family inet filter icmp_inet term 0 then accept
set firewall family inet filter icmp_inet term 1 then accept
set routing-instances l3vpn instance-type vrf
set routing-instances l3vpn interface lt-1/2/0.601
set routing-instances l3vpn interface lo0.1
set routing-instances l3vpn route-distinguisher 192.168.1.102:64511
set routing-instances l3vpn vrf-import l3vpn_import
set routing-instances l3vpn vrf-export l3vpn_export
set routing-instances l3vpn vrf-table-label
set routing-instances l3vpn protocols ospf export ospf_export
set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lt-1/2/0.601
set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1
Device PE3 set interfaces ge-2/0/3 unit 0 family inet address 10.32.0.103/24
set interfaces ge-2/0/3 unit 0 family iso
set interfaces ge-2/0/3 unit 0 family mpls
set interfaces ge-2/0/5 unit 0 family inet address 10.53.0.103/24
set interfaces ge-2/0/5 unit 0 family mpls
set interfaces ge-2/1/8 unit 0 family inet address 10.31.0.103/24
set interfaces ge-2/1/8 unit 0 family iso
set interfaces ge-2/1/8 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.0.103/32 primary
set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0103.00
set interfaces lo0 unit 1 family inet address 192.168.1.103/32
set routing-options router-id 192.168.0.103
set routing-options autonomous-system 64511
set protocols rsvp interface ge-2/0/3.0
set protocols rsvp interface ge-2/1/8.0
set protocols rsvp interface lo0.0
set protocols mpls label-switched-path to_PE1 to 192.168.0.101
set protocols mpls label-switched-path to_PE2 to 192.168.0.102
set protocols mpls interface ge-2/0/3.0
set protocols mpls interface ge-2/1/8.0
set protocols bgp local-address 192.168.0.103
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp peer-as 64511
set protocols bgp group ibgp neighbor 192.168.0.101
set protocols bgp group ibgp neighbor 192.168.0.102
set protocols isis interface ge-2/0/3.0
set protocols isis interface ge-2/1/8.0
set protocols isis interface lo0.0
set protocols ldp interface ge-2/0/3.0
set protocols ldp interface ge-2/1/8.0
set protocols ldp interface lo0.0
set policy-options policy-statement l3vpn_ospf_export term 0 from protocol direct
set policy-options policy-statement l3vpn_ospf_export term 0 then accept
set policy-options policy-statement l3vpn_ospf_import term 0 from protocol bgp
set policy-options policy-statement l3vpn_ospf_import term 0 from community l3vpn
set policy-options policy-statement l3vpn_ospf_import term 0 then accept
set policy-options policy-statement ospf_export term 0 from community l3vpn
Device CE2 set interfaces ge-2/0/8 unit 0 family inet address 10.53.0.105/24
set interfaces lo0 unit 0 family inet address 192.168.0.105/32 primary
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
set protocols ospf area 0.0.0.0 interface lo0.0
set routing-options router-id 192.168.0.105
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
Enable MPLS on the core-facing interfaces. The ISO address family is also enabled,
because IS-IS is used as the interior gateway protocol (IGP) in the provider network.
On the customer-facing interface, you do not need to enable MPLS. On this interface,
enable CCC encapsulation and address family CCC.
[edit interfaces]
user@A1# set ge-1/3/0 unit 0 family inet address 10.20.0.100/24
user@A1# set ge-1/3/0 unit 0 family iso
user@A1# set ge-1/3/0 unit 0 family mpls
2. Configure the RSVP on the core-facing interfaces and on the loopback interface.
6. On the interface that faces the customer edge, configure the Layer 2 circuit.
Configure the hot-standby statement on those routers with both active and standby
virtual circuits (VCs) (Device A1 in our topology). You must include the
pseudowire-status-tlv statement on access routers. Without the status TLV signaling,
the standby flag cannot be advertised to remote provider edge (PE) devices.
The revert-time statement and the maximum option must also be configured on
access routers. Without the revert-time statement, traffic of all the VCs will not be
transitioned to the primary path upon completion of the restoration. If a revert-time
delay is defined but a maximum delay is not, then VCs are restored immediately
upon the revert timer's expiration. The maximum option allows the VCs to be
restored in a scattered fashion rather than all at once.
7. To have the unilist next hop get pushed to other access routers, configure per-packet
load balancing.
[edit routing-options]
user@A1# set router-id 192.168.0.100
user@A1# set autonomous-system 64510
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
[edit interfaces]
user@PE1# set ge-0/1/1 unit 0 family inet address 10.21.0.101/24
user@PE1# set ge-0/1/1 unit 0 family iso
user@PE1# set ge-0/1/1 unit 0 family mpls
2. On Device PE1 and Device PE2, which are aggregation routers, configure a pair of
logical tunnel interfaces to represent LT(x) and LT(y).
The solution uses logical tunnel (lt-) paired interfaces for stitching the Layer 2 and
Layer 3 domains.
[edit interfaces]
user@PE1# set lt-1/2/0 unit 600 encapsulation vlan-ccc
user@PE1# set lt-1/2/0 unit 600 vlan-id 600
3. (Optional) Associate a unique VRRP address with both Device PE1 and Device PE2.
In this case, both Device PE1 and Device PE2 assume the mastership state for the
defined VIP IPv4 address, so no VRRP hello message are exchanged between the
routers.
BGP is a policy-driven protocol, so also configure and apply any needed routing
policies. For example, you might want to export static routes into BGP.
11. Define a pair of conditions to be applied to the egress policy defined within the Layer
3 VPN instance.
In both condition primary and condition standby, the matching route corresponds
to the interface lt-1/2/0.600 (y), as this is the format in which egress routes appear
in routing table mpls.0 to represent any given pseudowire.
The difference between these conditions is in the standby attribute. Upon arrival of
the PW_FWD_STDBY status TLV to Device PE1 or Device PE2, Junos OS matches
condition standby, and in consequence, only term standby within the l3vpn policy
will be executed. On the other hand, if the PW_FWD_STDBY status TLV is not
present, the policy matches only condition primary, which then executes term primary
in the l3vpn policy. Also, for logical tunnel-based CCC services, you must specify
the logical tunnel interface, LT(y), that is associated with the logical tunnel CCC
interface, LT(x). (See “Understanding Pseudowire Redundancy Mobile Backhaul
Scenarios” on page 623.)
Finally, for CCC-based conditions, Junos OS allows only mpls.0 as the matching
routing table. For the address attribute, Junos OS allows only strings with a logical
interface unit format (for example, lt-0/0/0.0).
If the Layer 2 virtual circuit (VC) is primary, the corresponding provider edge (PE)
routing device advertises the attachment circuit’s (AC’s) subnet with the higher
local preference. All aggregation PE devices initially advertise the AC’s subnet with
the same local preference.
This routing policy allows a higher local preference value to be advertised if the
Layer 2 VC is active.
14. Configure the Layer 3 VPN import policy, based on the Layer 3 VPN community.
15. Configure OSPF export policy, based on the Layer 3 VPN community.
16. (Optional) Configure a firewall filter to check the path taken by traffic.
This routing instance is in the Layer 2 domain where Device PE1 and Device PE2 are
interconnected to the metro ring over multiaccess media (Ethernet). You must
include the vrf-table-label statement on Device PE1 and Device PE2 to enable
advertisement of the direct subnet prefix corresponding to the logical tunnel (lt-)
interface toward the Layer 3 domain.
Device PE1 and Device PE2 use OSPF for Layer 3 VPN communication with Device
CE1.
[edit routing-options]
user@PE1# set router-id 192.168.0.101
user@PE1# set autonomous-system 64511
Results From configuration mode, confirm your configuration by entering the show interfaces,
show firewall, show protocols, show policy-options, show routing-options, and show
routing-instances commands. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
}
ge-1/3/2 {
vlan-tagging;
encapsulation vlan-ccc;
unit 600 {
encapsulation vlan-ccc;
vlan-id 600;
family ccc;
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.100/32 {
primary;
}
}
family iso {
address 49.0002.0192.0168.0100.00;
}
}
}
}
address 10.41.0.101/24 {
vrrp-group 0 {
virtual-address 10.41.0.1;
accept-data;
}
}
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.101/32 {
primary;
}
}
family iso {
address 49.0002.0192.0168.0003.00;
}
}
unit 1 {
family inet {
address 192.168.1.101/32;
}
}
}
interface ge-0/1/3.0;
interface lo0.0;
}
mpls {
label-switched-path to_PE3 {
to 192.168.0.103;
}
label-switched-path to_PE2 {
to 192.168.0.102;
}
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
}
bgp {
local-address 192.168.0.101;
group ibgp {
family inet-vpn {
any;
}
peer-as 64511;
neighbor 192.168.0.102;
neighbor 192.168.0.103;
}
}
isis {
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
interface lo0.0;
}
ldp {
interface ge-0/1/1.0;
interface ge-0/1/2.0;
interface ge-0/1/3.0;
interface lo0.0;
}
l2circuit {
neighbor 192.168.0.100 {
interface lt-1/2/0.600 {
virtual-circuit-id 1;
pseudowire-status-tlv hot-standby-vc-on;
}
}
}
term standby {
from condition standby;
then {
local-preference add 30;
community set l3vpn;
accept;
}
}
term default {
then {
community set l3vpn;
accept;
}
}
}
policy-statement l3vpn_import {
term 1 {
from community l3vpn;
then accept;
}
term default {
then reject;
}
}
policy-statement ospf_export {
term 0 {
from community l3vpn;
then accept;
}
}
community l3vpn members target:64511:600;
condition primary {
if-route-exists {
address-family {
ccc {
lt-1/2/0.600;
table mpls.0;
peer-unit 601;
}
}
}
}
condition standby {
if-route-exists {
address-family {
ccc {
lt-1/2/0.600;
table mpls.0;
standby;
peer-unit 601;
}
}
}
}
router-id 192.168.0.101;
autonomous-system 64511;
If you are done configuring the devices, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Purpose Upon Layer 2 virtual circuit (VC) establishment, the output of the show l2circuit
connections command shows the active and the hot-standby VC. In addition, control-plane
details are shown for the hot-standby VC.
Action From operational mode, enter the show l2circuit connections extensive command.
Meaning From the perspective of Device PE1 and Device PE2, a single Layer 2 circuit is established
toward access routers, so there is no standby device information in the CLI output of the
show l2circuit connections command. Note that no timing and flapping information is
provided for the VC acting as the hot-standby. Junos OS allows only these counters to
be tracked for the active VC.
Purpose On the PE devices, verify the state of the different conditions defined as part of the Layer3
VPN's egress policy, where 10.41.0.0/24 corresponds to the logical tunnel (y) subnet.
Action From operational mode, enter the show policy conditions detail command.
Configured conditions:
Condition primary (static), event: Existence of a route in a specific routing
table
Dependent routes:
10.41.0.0/24, generation 8
192.168.0.104/32, generation 8
Condition tables:
Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary
(static) standby (static)
Table l3vpn.inet.0, generation 12, dependencies 2
Condition tables:
Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary
(static) standby (static)
Table l3vpn.inet.0, generation 367, dependencies 2
For Ethernet, Fast Ethernet, Gigabit Ethernet, 10-Gigabit Ethernet, and logical interfaces,
you can configure Virtual Router Redundancy Protocol (VRRP). VRRP enables hosts on
a LAN to make use of redundant routers on that LAN without requiring more than the
static configuration of a single default route on the hosts. The routers running VRRP share
the IP address corresponding to the default route configured on the hosts. At any time,
one of the routers running VRRP is the master (active) and the others are backups. If the
master fails, one of the backup routers becomes the new master router, providing a virtual
default router and enabling traffic on the LAN to be routed without relying on a single
router. Using VRRP, a backup router can take over a failed default router within a few
seconds. This is done with minimum VRRP traffic and without any interaction with the
hosts.
NOTE: You can configure VRRP on Integrated Routing and Bridging (IRB)
interfaces.
Routers running VRRP dynamically elect master and backup routers. You can also force
assignment of master and backup routers using priorities from 1 through 255, with 255
being the highest priority. In VRRP operation, the default master router sends
advertisements to backup routers at regular intervals. The default interval is 1 second. If
a backup router does not receive an advertisement for a set period, the backup router
with the next highest priority takes over as master and begins forwarding packets.
NOTE: To minimize network traffic, VRRP is designed in such a way that only
the router that is acting as the master sends out VRRP advertisements at
any given point in time. The backup routers do not send any advertisement
until they take over mastership.
Figure 34 on page 652 illustrates a basic VRRP topology for IPv4 family. In this example,
Routers A, B, and C are running VRRP and together they make up a virtual router. The IP
address of this virtual router is 10.10.0.1 (the same address as the physical interface of
Router A).
Because the virtual router uses the IP address of the physical interface of Router A, Router
A is the master VRRP router, while Routers B and C function as backup VRRP routers.
Clients 1 through 3 are configured with the default gateway IP address of 10.10.0.1. As the
master router, Router A forwards packets sent to its IP address. If the master virtual router
fails, the backup router configured with the higher priority becomes the master virtual
router and provides uninterrupted service for the LAN hosts. When Router A recovers, it
becomes the master virtual router again.
NOTE: ACX Series routers support VRRP version 3 for IPv6 addresses.
ACX routers can support up to 64 VRRP group entries. These can be a combination of
IPv4 or IPv6 families. If either of the family (IPv4 or IPv6) is solely configured for VRRP,
then 64 unique VRRP group identifiers are supported. If both IPv4 and IPv6 families share
the same VRRP group, then only 32 unique VRRP identifiers are supported.
An interface can be a member of one or more VRRP groups. To configure basic VRRP
support, configure VRRP groups on interfaces by including the vrrp-group statement:
vrrp-group group-id {
priority number;
virtual-address [ addresses ];
}
Within a VRRP group, the master virtual router and the backup virtual router must be
configured on two different routers.
• Address of one or more virtual routers that are members of the VRRP group—Normally,
you configure only one virtual IP address per group. However, you can configure up to
eight addresses. Do not include a prefix length in a virtual IP address. The following
considerations apply to configuring a virtual IP address:
• The virtual router IP address must be the same for all routers in the VRRP group.
• If you configure a virtual IP address to be the same as the physical interface’s address,
the interface becomes the master virtual router for the group. In this case, you must
configure the priority to be 255, and you must configure preemption by including the
preempt statement.
• If the virtual IP address you choose is not the same as the physical interface’s address,
you must ensure that the virtual IP address does not appear anywhere else in the
router’s configuration. Verify that you do not use this address for other interfaces,
for the IP address of a tunnel, or for the IP address of static ARP entries.
• You cannot configure the same virtual IP address on interfaces that belong to the
same logical system and routing instance combination. However, you can configure
the same virtual IP address on interfaces that belong to different logical system and
routing instance combinations.
• Priority for a router to become the master virtual router—Configure the value used to
elect the master virtual router in the VRRP group. It can be a number from 1 through
255. The default value for backup routers is 100. A larger value indicates a higher priority.
The router with the highest priority within the group becomes the master router.
NOTE: If there are two or more backup routers with the same priority, the
router that has the highest primary address becomes the master.
NOTE: Mixed tagging (configuring two logical interfaces on the same Ethernet
port, one with single-tag framing and one with dual-tag framing) is supported
only for interfaces on Gigabit Ethernet IQ2 and IQ PICs. If you include the
flexible-vlan-tagging statement at the [edit interfaces interface-name] hierarchy
level for a VRRP-enabled interface on a PIC that does not support mixed
tagging, VRRP on that interface is disabled. In the output of the show vrrp
summary command, the interface status is listed as Down.
NOTE: If you enable MAC source address filtering on an interface, you must
include the virtual MAC address in the list of source MAC addresses that you
specify in the source-address-filter statement at the [edit interfaces
interface-name] hierarchy level. MAC addresses ranging from 00:00:5e:00:01:01
through 00:00:5e:00:01:ff are reserved for VRRP, as defined in RFC 2378. For
IPv6, the MAC addresses range from 00:00:5e:00:02:01 through
00:00:5e:00:02:ff. The VRRP group number must be the decimal equivalent
of the last hexadecimal byte of the virtual MAC address.
By default, the master router sends VRRP advertisement packets every second to all
members of the VRRP group. These packets indicate that the master router is still
operational. If the master router fails or becomes unreachable, the backup router with
the highest priority value becomes the new master router.
You can modify the advertisement interval in seconds or in milliseconds. The interval
must be the same for all routers in the VRRP group.
advertise-interval seconds;
fast-interval milliseconds;
preempt;
no-preempt;
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
The hold time is the maximum number of seconds that can elapse before a higher-priority
backup router preempts the master router. You might want to configure a hold time so
that all Junos OS components converge before preemption.
By default, the hold-time value is 0 seconds. A value of 0 means that preemption can
occur immediately after the backup router comes online.
NOTE: The hold time is counted from the time the backup router comes
online. The hold time is only valid when the VRRP router is just coming online.
hold-time seconds;
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
The asymmetric-hold-time statement at the [edit protocols vrrp] hierarchy level enables
you to configure a VRRP master router to switch over to the backup router
immediately—that is, without waiting for the priority hold time to expire—when a tracked
interface or route goes down or when the bandwidth of a tracked interface decreases.
Such events can cause an immediate reduction in the priority based on the configured
priority cost for the event, and trigger a mastership election.
However, when the tracked route or interface comes up again, or when the bandwidth
for a tracked interface increases, the backup (original master) router waits for the hold
time to expire before it updates the priority and initiates the switchover if the priority is
higher than the priority for the VRRP master (original backup) router.
If the asymmetric-hold-time statement is not configured, the VRRP master waits for the
hold time to expire before it initiates a switchover when a tracked route goes down.
[edit]
user@host# set protocols vrrp asymmetric-hold-time
[edit]
user@host# show protocols vrrp
asymmetric-hold-time;
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
In VRRP implementations where the router acting as the master router is not the IP
address owner—the IP address owner is the router that has the interface whose actual
IP address is used as the virtual router’s IP address (virtual IP address)—the master router
accepts only the Address Resolution Protocol (ARP) packets from the packets that are
sent to the virtual IP address. Junos OS enables you to override this limitation with the
help of the accept-data configuration. When the accept-data statement is included in
the configuration, the master router accepts all packets sent to the virtual IP address
even when the master router is not the IP address owner.
NOTE: If the master router is the IP address owner or has its priority set to
255, the master router, by default, accepts all packets addressed to the virtual
IP address. In such cases, the accept-data configuration is not required.
To configure an interface to accept all packets sent to the virtual IP address, include the
accept-data statement:
accept-data;
To prevent a master router that is the IP address owner or has its priority set to 255 from
accepting packets other than the ARP packets addressed to the virtual IP address, include
the no-accept-data statement:
no-accept-data;
NOTE:
• If you want to restrict the incoming IP packets to ICMP packets only, you
must configure firewall filters to accept only ICMP packets.
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
VRRP can track whether a logical interface is up, down, or not present, and can also
dynamically change the priority of the VRRP group based on the state of the tracked
logical interface, triggering a new master router election. VRRP can also track the
operational speed of a logical interface and dynamically update the priority of the VRRP
group when the speed crosses a configured threshold.
When interface tracking is enabled, you cannot configure a priority of 255 (a priority of
255 designates the master router). For each VRRP group, you can track up to 10 logical
interfaces.
track {
interface interface-name {
bandwidth-threshold bits-per-second priority-cost priority;
priority-cost priority;
}
priority-hold-time seconds;
}
The interface specified is the interface to be tracked for the VRRP group. The priority hold
time is the minimum length of time that must elapse between dynamic priority changes.
A tracking event, such as an interface state change (up or down) or a change in bandwidth,
triggers one of the following responses:
• The first tracking event initiates the priority hold timer, and also initializes the pending
priority based on the current priority and the priority cost. However, the current priority
remains unchanged.
• A tracking event or a manual configuration change that occurs while the priority hold
timer is on triggers a pending priority update. However, the current priority remains
unchanged.
This ensures that Junos OS does not initiate mastership elections every time a tracked
interface flaps.
When the priority hold time expires, the current priority inherits the value from the pending
priority, and the pending priority ceases.
NOTE: If you have configured asymmetric-hold-time, VRRP does not wait for
the priority hold time to expire before initiating mastership elections if a
tracked interface fails (state changes from up to down), or if the available
bandwidth for a tracked interface decreases. For more information about
asymmetric-hold-time, see Configuring the Asymmetric Hold Time for VRRP
Routers.
The bandwidth threshold specifies a threshold for the tracked interface. When the
bandwidth of the tracked interface drops below the configured bandwidth threshold
value, the VRRP group uses the bandwidth threshold priority cost. You can track up to
five bandwidth threshold statements for each tracked interface.
The priority cost is the value to be subtracted from the configured VRRP priority when
the tracked logical interface goes down, forcing a new master router election. The value
can be from 1 through 254. The sum of the costs for all tracked logical interfaces or routes
must be less than or equal to the configured priority of the VRRP group.
If you are tracking more than one interface, the router applies the sum of the priority costs
for the tracked interfaces (at most, only one priority cost for each tracked interface) to
the VRRP group priority. However, the interface priority cost and bandwidth threshold
priority cost values for each VRRP group are not cumulative. The router uses only one
priority cost to a tracked interface as indicated in Table 46 on page 661:
Not down; media speed below one or more Priority-cost of the lowest applicable bandwidth
bandwidth thresholds threshold
You must configure an interface priority cost only if you have configured no bandwidth
thresholds. If you have not configured an interface priority cost value, and the interface
is down, the interface uses the bandwidth threshold priority cost value of the lowest
bandwidth threshold.
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
VRRP can track whether a route is reachable (that is, the route exists in the routing table
of the routing instance included in the configuration) and dynamically change the priority
of the VRRP group based on the reachability of the tracked route, triggering a new master
router election.
track {
priority-hold-time seconds;
route prefix/prefix-length routing-instance instance-name priority-cost priority;
}
The route prefix specified is the route to be tracked for the VRRP group. The priority hold
time is the minimum length of time that must elapse between dynamic priority changes.
A route tracking event, such as adding a route to or removing a route from the routing
table, might trigger one or more of the following:
• The first tracking event initiates the priority hold timer, and also initializes the pending
priority based on the current priority and the priority cost. However, the current priority
remains unchanged.
• A tracking event or a manual configuration change that occurs while the priority hold
timer is on triggers a pending priority update. However, the current priority remains
unchanged.
When the priority hold time expires, the current priority inherits the value from the pending
priority, and the pending priority ceases. This ensures that Junos OS does not initiate
mastership elections every time a tracked route flaps.
NOTE: If you have configured asymmetric-hold-time, VRRP does not wait for
the priority hold time to expire before initiating mastership elections if a
tracked route is removed from the routing table. For more information about
asymmetric-hold-time, see Configuring the Asymmetric Hold Time for VRRP
Routers.
The routing instance is the routing instance in which the route is to be tracked. If the route
is in the default, or global, routing instance, specify the instance name as default.
The priority cost is the value to be subtracted from the configured VRRP priority when
the tracked route goes down, forcing a new master router election. The value can be
from 1 through 254. The sum of the costs for all tracked logical interfaces or routes must
be less than or equal to the configured priority of the VRRP group.
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
The silent period starts when the interface state is changed from down to up. During this
period, the Master Down Event is ignored. Configure the silent period interval to avoid
alarms caused by the delay or interruption of the incoming VRRP advertisement packets
during the interface startup phase.
To configure the silent period interval that the Master Down Event timer ignores, include
the startup-silent-period statement at the [edit protocols vrrp] hierarchy level:
NOTE: During the silent startup period, the show vrrp detail command output
shows a value of 0 for Master priority and your IP address for Master router.
These values indicate that the selection of the master router is not completed
yet, and these values can be ignored.
When you have configured startup-silent-period, the Master Down Event is ignored until
the startup-silent-period expires.
For example, configure a VRRP group, vrrp-group1, with an advertise interval of 1 second,
startup silent period of 10 seconds, and an interface interface1 with a priority less than
255.
• The vrrp-group1 group moves to the backup state, and starts the Master Down Event
timer (3 seconds; three times the value of the advertise interval, which is 1 second in
this case).
• If no VRRP PDU is received during the 3-second period, the startup-silent-period (10
seconds in this case) is checked, and if the startup silent period has not expired, the
Master Down Event timer is restarted. This is repeated until the startup-silent-period
expires. In this example, the Master Down Event timer runs four times (12 seconds) by
the time the 10-second startup silent period expires.
• If no VRRP PDU is received by the end of the fourth 3-second cycle, vrrp-group1 takes
over mastership.
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
To trace VRRP operations, include the traceoptions statement at the [edit protocols vrrp]
hierarchy level.
By default, VRRP logs the error, data carrier detect (DCD) configuration, and routing
socket events in a file in the /var/log directory. By default, this file is named /var/log/vrrpd.
The default file size is 1 megabyte (MB), and three files are created before the first one
gets overwritten.
To change the configuration of the logging file, include the traceoptions statement at the
[edit protocols vrrp] hierarchy level:
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
Configure one master (Router A) and one backup (Router B) router running VRRP. The
address configured in the virtual-address statements differs from the addresses configured
in the address statements. When you configure multiple VRRP groups on an interface,
you configure one to be the master virtual router for that group.
priority 200;
}
}
}
}
}
Configuring VRRP and The VRRP group number is the decimal equivalent of the last byte of the virtual MAC
MAC Source Address address.
Filtering
[edit interfaces]
ge-5/2/0 {
gigether-options {
source-filtering;
source-address-filter {
00:00:5e:00:01:0a; # Virtual MAC address
}
}
unit 0 {
family inet {
address 192.168.1.10/24 {
vrrp-group 10; # VRRP group number
virtual-address 192.168.1.10;
priority 255;
preempt;
}
}
}
}
• Configuring the Advertisement Interval for the VRRP Master Router on page 655
Configure VRRP properties for IPv6 in one master (Router A) and one backup (Router B).
[edit protocols]
router-advertisement {
interface ge-1/0/0.0 {
prefix fec0::/64;
max-advertisement-interval 4;
}
}
}
}
}
}
[edit protocols]
router-advertisement {
interface ge-1/0/0.0 {
prefix fec0::/64;
max-advertisement-interval 4;
}
}
The Multicast Listener Discovery (MLD) Protocol manages the membership of hosts and
routers in multicast groups. IP version 6 (IPv6) multicast routers use MLD to learn, for
each of their attached physical networks, which groups have interested listeners. Each
router maintains a list of host multicast addresses that have listeners. The router provides
addresses to the multicast routing protocol, which ensures that multicast packets are
delivered to interested listeners. In this way, MLD is used as the transport for the Protocol
Independent Multicast (PIM) Protocol.
MLD is an integral part of IPv6 and must be enabled on all IPv6 routers and hosts that
need to receive IP multicast traffic. The Junos OS supports MLD versions 1 and 2. Version
2 is supported for source-specific multicast (SSM) include and exclude modes.
In include mode, the receiver specifies the source or sources it is interested in receiving
the multicast group traffic from. Exclude mode works the opposite of include mode. It
allows the receiver to specify the source or sources it is not interested in receiving the
multicast group traffic from.
For each attached network, a multicast router can be either a querier or a nonquerier. A
querier router, usually one per subnet, solicits group membership information by
transmitting MLD queries. When a host reports to the querier router that it has interested
listeners, the querier router forwards the membership information to the rendezvous
point (RP) router by means of the receiver's (host's) designated router (DR). This builds
the rendezvous-point tree (RPT) connecting the host with interested listeners to the RP
router. The RPT is the initial path used by the sender to transmit information to the
interested listeners. Nonquerier routers do not transmit MLD queries on a subnet but can
do so if the querier router fails.
To configure MLD version 1, include the mld statement at the [edit protocols] hierarchy
level as shown below:
[edit protocols]
mld {
interface <interface-name> {
}
}
To configure MLD version 2, include the mld statement at the [edit protocols] hierarchy
level as shown below:
[edit protocols]
mld {
interface <interface-name> {
version 2;
}
}
Enabling MLD
MLD specifies different behaviors for multicast listeners and for routers. When a router
is also a listener, the router responds to its own messages. If a router has more than one
interface to the same link, it needs to perform the router behavior over only one of those
interfaces. Listeners, on the other hand, must perform the listener behavior on all interfaces
connected to potential receivers of multicast traffic.
If MLD is not running on an interface—either because PIM and DVMRP are not configured
on the interface or because MLD is explicitly disabled on the interface—you can explicitly
enable MLD.
1. If PIM and DVMRP are not running on the interface, explicitly enable MLD by including
the interface name.
2. Check to see if MLD is disabled on any interfaces. In the following example, MLD is
disabled on a Gigabit Ethernet interface.
interface fe-0/0/0.0;
interface ge-0/0/0.0 {
disable;
}
interface fe-0/0/0.0;
interface ge-0/0/0.0;
5. Verify the operation of MLD by checking the output of the show mld interface command.
PIM Overview
The predominant multicast routing protocol in use on the Internet today is Protocol
Independent Multicast, or PIM. The type of PIM used on the Internet is PIM sparse mode.
PIM sparse mode is so accepted that when the simple term “PIM” is used in an Internet
context, some form of sparse mode operation is assumed.
Starting in Junos OS Release 15.2, only PIM version 2 is supported. In the CLI, the command
for specifying a version (1 or 2) is removed.
PIMv1 and PIMv2 can coexist on the same routing device and even on the same interface.
The main difference between PIMv1 and PIMv2 is the packet format. PIMv1 messages
use Internet Group Management Protocol (IGMP) packets, whereas PIMv2 has its own
IP protocol number (103) and packet structure. All routing devices connecting to an IP
subnet such as a LAN must use the same PIM version. Some PIM implementations can
recognize PIMv1 packets and automatically switch the routing device interface to PIMv1.
Because the difference between PIMv1 and PIMv2 involves the message format, but not
the meaning of the message or how the routing device processes the PIM message, a
routing device can easily mix PIMv1 and PIMv2 interfaces.
PIM is used for efficient routing to multicast groups that might span wide-area and
interdomain internetworks. It is called “protocol independent” because it does not depend
on a particular unicast routing protocol. Junos OS supports bidirectional mode, sparse
mode, dense mode, and sparse-dense mode.
NOTE: ACX Series routers supports only sparse mode. Dense mode on ACX
series is supported only for control multicast groups for auto-discovery of
rendezvous point (auto-RP).
PIM operates in several modes: bidirectional mode, sparse mode, dense mode, and
sparse-dense mode. In sparse-dense mode, some multicast groups are configured as
dense mode (flood-and-prune, [S,G] state) and others are configured as sparse mode
(explicit join to rendezvous point [RP], [*,G] state).
PIM drafts also establish a mode known as PIM source-specific mode, or PIM SSM. In
PIM SSM there is only one specific source for the content of a multicast group within a
given domain.
Because the PIM mode you choose determines the PIM configuration properties, you first
must decide whether PIM operates in bidirectional, sparse, dense, or sparse-dense mode
in your network. Each mode has distinct operating advantages in different network
environments.
• In sparse mode, routing devices must join and leave multicast groups explicitly.
Upstream routing devices do not forward multicast traffic to a downstream routing
device unless the downstream routing device has sent an explicit request (by means
of a join message) to the rendezvous point (RP) routing device to receive this traffic.
The RP serves as the root of the shared multicast delivery tree and is responsible for
forwarding multicast data from different sources to the receivers.
Sparse mode is well suited to the Internet, where frequent interdomain join messages
and prune messages are common.
• Bidirectional PIM is similar to sparse mode, and is especially suited to applications that
must scale to support a large number of dispersed sources and receivers. In bidirectional
PIM, routing devices build shared bidirectional trees and do not switch to a source-based
tree. Bidirectional PIM scales well because it needs no source-specific (S,G) state.
Instead, it builds only group-specific (*,G) state.
• Unlike sparse mode and bidirectional mode, in which data is forwarded only to routing
devices sending an explicit PIM join request, dense mode implements a flood-and-prune
mechanism, similar to the Distance Vector Multicast Routing Protocol (DVMRP). In
dense mode, a routing device receives the multicast data on the incoming interface,
then forwards the traffic to the outgoing interface list. Flooding occurs periodically and
is used to refresh state information, such as the source IP address and multicast group
pair. If the routing device has no interested receivers for the data, and the outgoing
interface list becomes empty, the routing device sends a PIM prune message upstream.
Dense mode works best in networks where few or no prunes occur. In such instances,
dense mode is actually more efficient than sparse mode.
• Sparse-dense mode, as the name implies, allows the interface to operate on a per-group
basis in either sparse or dense mode. A group specified as “dense” is not mapped to
an RP. Instead, data packets destined for that group are forwarded by means of PIM
dense mode rules. A group specified as “sparse” is mapped to an RP, and data packets
are forwarded by means of PIM sparse-mode rules. Sparse-dense mode is useful in
networks implementing auto-RP for PIM sparse mode.
NOTE: On SRX Series devices, PIM does not support upstream and
downstream interfaces across different virtual routers in flow mode.
PIM sparse mode is more complicated and requires the establishment of special routing
devices called rendezvous points (RPs) in the network core. These routing devices are
where upstream join messages from interested receivers meet downstream traffic from
the source of the multicast group content. A network can have many RPs, but PIM sparse
mode allows only one RP to be active for any multicast group.
If there is only one RP in a routing domain, the RP and adjacent links might become
congested and form a single point of failure for all multicast traffic. Thus, multiple RPs
are the rule, but the issue then becomes how other multicast routing devices find the RP
that is the source of the multicast group the receiver is trying to join. This RP-to-group
mapping is controlled by a special bootstrap router (BSR) running the PIM BSR mechanism.
There can be more than one bootstrap router as well, also for single-point-of-failure
reasons.
The bootstrap router does not have to be an RP itself, although this is a common
implementation. The bootstrap router's main function is to manage the collection of RPs
and allow interested receivers to find the source of their group's multicast traffic. PIM
bootstrap messages are sourced from the loopback address, which is always up. The
loopback address must be routable. If it is not routable, then the bootstrap router is
unable to send bootstrap messages to update the RP domain members. The show pim
bootstrap command displays only those bootstrap routers that have routable loopback
addresses.
PIM SSM can be seen as a subset of a special case of PIM sparse mode and requires no
specialized equipment other than that used for PIM sparse mode (and IGMP version 3).
Bidirectional PIM RPs, unlike RPs for PIM sparse mode, do not need to perform PIM
Register tunneling or other specific protocol action. Bidirectional PIM RPs implement no
specific functionality. RP addresses are simply a location in the network to rendezvous
toward. In fact, for bidirectional PIM, RP addresses need not be loopback interface
addresses or even be addresses configured on any routing device, as long as they are
covered by a subnet that is connected to a bidirectional PIM-capable routing device and
advertised to the network.
15.2 Starting in Junos OS Release 15.2, only PIM version 2 is supported. In the
CLI, the command for specifying a version (1 or 2) is removed.
Designated Router
In a PIM sparse mode (PIM-SM) domain, there are two types of designated routers to
consider:
• The receiver DR sends PIM join and PIM prune messages from the receiver network
toward the RP.
• The source DR sends PIM register messages from the source network to the RP.
Neighboring PIM routers multicast periodic PIM hello messages to each other every
30 seconds (the default). The PIM hello message usually includes a holdtime value for
the neighbor to use, but this is not a requirement. If the PIM hello message does not
include a holdtime value, a default timeout value (in Junos OS, 105 seconds) is used. On
receipt of a PIM hello message, a router stores the IP address and priority for that neighbor.
If the DR priorities match, the router with the highest IP address is selected as the DR.
If a DR fails, a new one is selected using the same process of comparing IP addresses.
this message is actually called a join/prune message, but for clarity in this description, it
is called either join or prune, depending on its context.) The join message is multicast
hop by hop upstream to the ALL-PIM-ROUTERS group (224.0.0.13) by means of each
router’s RPF interface until it reaches the RP. The RP router receives the (*,G) PIM join
message and adds the interface on which it was received to the outgoing interface list
(OIL) of the rendezvous-point tree (RPT) forwarding state entry. This builds the RPT
connecting the receiver with the RP. The RPT remains in effect, even if no active sources
generate traffic.
When a source becomes active, the source DR encapsulates multicast data packets into
a PIM register message and sends them by means of unicast to the RP router.
If the RP router has interested receivers in the PIM sparse-mode domain, it sends a PIM
join message toward the source to build a shortest-path tree (SPT) back to the source.
The source sends multicast packets out on the LAN, and the source DR encapsulates
the packets in a PIM register message and forwards the message toward the RP router
by means of unicast. The RP router receives PIM register messages back from the source,
and thus adds a new source to the distribution tree, keeping track of sources in a PIM
table. Once an RP router receives packets natively (with S,G), it sends a register stop
message to stop receiving the register messages by means of unicast.
In actual application, many receivers with multiple SPTs are involved in a multicast traffic
flow. To illustrate the process, we track the multicast traffic from the RP router to one
receiver. In such a case, the RP router begins sending multicast packets down the RPT
toward the receiver’s DR for delivery to the interested receivers. When the receiver’s DR
receives the first packet from the RPT, the DR sends a PIM join message toward the
source DR to start building an SPT back to the source. When the source DR receives the
PIM join message from the receiver’s DR, it starts sending traffic down all SPTs. When
the first multicast packet is received by the receiver’s DR, the receiver’s DR sends a PIM
prune message to the RP router to stop duplicate packets from being sent through the
RPT. In turn, the RP router stops sending multicast packets to the receiver’s DR, and
sends a PIM prune message for this source over the RPT toward the source DR to halt
multicast packet delivery to the RP router from that particular source.
If the RP router receives a PIM register message from an active source but has no
interested receivers in the PIM sparse-mode domain, it still adds the active source into
the PIM table. However, after adding the active source into the PIM table, the RP router
sends a register stop message. The RP router discovers the active source’s existence and
no longer needs to receive advertisement of the source (which utilizes resources).
NOTE: If the number of PIM join messages exceeds the configured MTU, the
messages are fragmented in IPv6 PIM sparse mode. To avoid the
fragmentation of PIM join messages, the multicast traffic receives the
interface MTU instead of the path MTU.
• Routers with downstream receivers join a PIM sparse-mode tree through an explicit
join message.
• PIM sparse-mode RPs are the routers where receivers meet sources.
• Senders announce their existence to one or more RPs, and receivers query RPs to find
multicast sessions.
• Once receivers get content from sources through the RP, the last-hop router (the router
closest to the receiver) can optionally remove the RP from the shared distribution tree
(*,G) if the new source-based tree (S,G) is shorter. Receivers can then get content
directly from the source.
The transitional aspect of PIM sparse mode from shared to source-based tree is one
of the major features of PIM, because it prevents overloading the RP or surrounding
core links.
There are related issues regarding source, RPs, and receivers when sparse mode multicast
is used:
• Receivers initially need to know only one RP (they later learn about others).
• Receivers that never transition to a source-based tree are effectively running Core
Based Trees (CBT).
PIM sparse mode has standard features for all of these issues.
Rendezvous Point
The RP router serves as the information exchange point for the other routers. All routers
in a PIM domain must provide mapping to an RP router. It is the only router that needs
to know the active sources for a domain—the other routers just need to know how to
reach the RP. In this way, the RP matches receivers with sources.
The RP router is downstream from the source and forms one end of the shortest-path
tree. As shown in Figure 35 on page 678, the RP router is upstream from the receiver and
thus forms one end of the rendezvous-point tree.
The benefit of using the RP as the information exchange point is that it reduces the
amount of state in non-RP routers. No network flooding is required to provide non-RP
routers information about active sources.
RP Mapping Options
RPs can be learned by one of the following mechanisms:
• Static configuration
• Anycast RP
• Auto-RP
• Bootstrap router
We recommend a static RP mapping with anycast RP and a bootstrap router (BSR) with
auto-RP configuration, because static mapping provides all the benefits of a bootstrap
router and auto-RP without the complexity of the full BSR and auto-RP mechanisms.
pim {
disable;
default-vpn-source {
interface-name interface-name;
}
assert-timeout seconds;
dense-groups {
addresses;
}
dr-election-on-p2p;
export;
graceful-restart {
disable;
no-bidirectional-mode;
restart-duration seconds;
}
idle-standby-path-switchover-delay seconds;
import [ policy-names ];
interface interface-name {
family (inet | inet6) {
bfd-liveness-detection {
authentication {
algorithm algorithm-name;
key-chain key-chain-name;
loose-check;
}
detection-time {
threshold milliseconds;
}
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
disable;
}
import;
hello-interval seconds;
mode ( sparse | sparse-dense);
neighbor-policy [ policy-names ];
override-interval milliseconds;
priority number;
propagation-delay milliseconds;
reset-tracking-bit;
version version;
}
join-prune-timeout;
nonstop-routing {
disable;
}
override-interval milliseconds;
propagation-delay milliseconds;
reset-tracking-bit;
rp {
auto-rp {
(discovery | mapping);
(mapping-agent-election | no-mapping-agent-election);
}
bootstrap {
family (inet | inet6) {
export [ policy-names ];
import [ policy-names ];
priority number;
}
}
bootstrap-export [ policy-names ];
bootstrap-import [ policy-names ];
bootstrap-priority number;
dr-register-policy [ policy-names ];
static {
address address {
override;
version version;
group-ranges {
destination-ip-prefix</prefix-length>;
}
spt-threshold {
infinity [ policy-names ];
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>;
flag flag <flag-modifier> <disable>;
}
}
}
}
}
• [edit protocols]
NOTE: You cannot configure PIM within a nonforwarding instance. If you try
to do so, the router displays a commit check error and does not complete the
configuration commit process.
NOTE: You can configure PIM on Integrated Routing and Bridging (IRB)
interfaces.
Starting in Junos OS Release 15.2, it is no longer necessary to configure the PIM version.
Support for PIM version 1 has been removed and the remaining, default, version is PIM 2.
PIM version 2 is the default for both rendezvous point (RP) mode (at the [edit protocols
pim rp static address address] hierarchy level) and for interface mode (at the [edit protocols
pim interface interface-name] hierarchy level).
Routing devices send hello messages at a fixed interval on all PIM-enabled interfaces.
By using hello messages, routing devices advertise their existence as PIM routing devices
on the subnet. With all PIM-enabled routing devices advertised, a single designated router
for the subnet is established.
When a routing device is configured for PIM, it sends a hello message at a 30-second
default interval. The interval range is from 0 through 255. When the interval counts down
to 0, the routing device sends another hello message, and the timer is reset. A routing
device that receives no response from a neighbor in 3.5 times the interval value drops
the neighbor. In the case of a 30-second interval, the amount of time a routing device
waits for a response is 105 seconds.
If a PIM hello message contains the hold-time option, the neighbor timeout is set to the
hold-time sent in the message. If a PIM hello message does not contain the hold-time
option, the neighbor timeout is set to the default hello hold time.
To modify how often the routing device sends hello messages out of an interface:
1. This example shows the configuration for the routing instance. Configure the interface
globally or in the routing instance.
2. Verify the configuration by checking the Hello Option Holdtime field in the output of
the show pim neighbors detail command.
Interface: lo0.0
Address: 10.255.245.91, IPv4, PIM v2, Mode: Sparse
Hello Option Holdtime: 255 seconds
Hello Option DR Priority: 1
Hello Option LAN Prune Delay: delay 500 ms override 2000 ms
Join Suppression supported
Interface: pd-6/0/0.32768
Address: 0.0.0.0, IPv4, PIM v2, Mode: Sparse
Hello Option Holdtime: 255 seconds
Hello Option DR Priority: 0
Hello Option LAN Prune Delay: delay 500 ms override 2000 ms
Join Suppression supported
You can configure several Protocol Independent Multicast (PIM) features on an interface
regardless of its PIM mode (bidirectional, sparse, dense, or sparse-dense mode).
NOTE: ACX Series routers supports only sparse mode. Dense mode on ACX
series is supported only for control multicast groups for auto-discovery of
rendezvous point (auto-RP).
If you configure PIM on an aggregated (ae- or as-) interface, each of the interfaces in the
aggregate is included in the multicast output interface list and carries the single stream
of replicated packets in a load-sharing fashion. The multicast aggregate interface is
“expanded” into its constituent interfaces in the next-hop database.
In PIM sparse mode (PIM-SM), the assumption is that very few of the possible receivers
want packets from a source, so the network establishes and sends packets only on
branches that have at least one leaf indicating (by message) a desire for the traffic.
WANs are appropriate networks for sparse-mode operation.
Starting in Junos OS Release 16.1, PIM is disabled by default. When you enable PIM, it
operates in sparse mode by default. You do not need to configure Internet Group
Management Protocol (IGMP) version 2 for a sparse mode configuration. After you enable
PIM, by default, IGMP version 2 is also enabled.
Junos OS uses PIM version 2 for both rendezvous point (RP) mode (at the [edit protocols
pim rp static address address] hierarchy level) and interface mode (at the [edit protocols
pim interface interface-name] hierarchy level).
You can configure PIM sparse mode globally or for a routing instance. This example
shows how to configure PIM sparse mode globally on all interfaces. It also shows how
to configure a static RP router and how to configure the non-RP routers.
2. Configure the RP router interfaces. When configuring all interfaces, exclude the fxp0.0
management interface by including the disable statement for that interface.
3. Configure the non-RP routers. Include the following configuration on all of the non-RP
routers.
16.1 Starting in Junos OS Release 16.1, PIM is disabled by default. When you
enable PIM, it operates in sparse mode by default.
The Bidirectional Forwarding Detection (BFD) Protocol is a simple hello mechanism that
detects failures in a network. BFD works with a wide variety of network environments
and topologies. A pair of routing devices exchanges BFD packets. Hello packets are sent
at a specified, regular interval. A neighbor failure is detected when the routing device
stops receiving a reply after a specified interval. The BFD failure detection timers have
shorter time limits than the Protocol Independent Multicast (PIM) hello hold time, so
they provide faster detection.
The BFD failure detection timers are adaptive and can be adjusted to be faster or slower.
The lower the BFD failure detection timer value, the faster the failure detection and vice
versa. For example, the timers can adapt to a higher value if the adjacency fails (that is,
the timer detects failures more slowly). Or a neighbor can negotiate a higher value for a
timer than the configured value. The timers adapt to a higher value when a BFD session
flap occurs more than three times in a span of 15 seconds. A back-off algorithm increases
the receive (Rx) interval by two if the local BFD instance is the reason for the session
flap. The transmission (Tx) interval is increased by two if the remote BFD instance is the
reason for the session flap. You can use the clear bfd adaptation command to return BFD
interval timers to their configured values. The clear bfd adaptation command is hitless,
meaning that the command does not affect traffic flow on the routing device.
You must specify the minimum transmit and minimum receive intervals to enable BFD
on PIM.
This is the minimum interval after which the routing device transmits hello packets
to a neighbor with which it has established a BFD session. Specifying an interval smaller
than 300 ms can cause undesired BFD flapping.
3. Configure the minimum interval after which the routing device expects to receive a
reply from a neighbor with which it has established a BFD session.
Specifying an interval smaller than 300 ms can cause undesired BFD flapping.
5. Configure the threshold for the adaptation of the BFD session detection time.
When the detection time adapts to a value equal to or greater than the threshold, a
single trap and a single system log message are sent.
6. Configure the number of hello packets not received by a neighbor that causes the
originating interface to be declared down.
8. Specify that BFD sessions should not adapt to changing network conditions.
We recommend that you not disable BFD adaptation unless it is preferable not to
have BFD adaptation enabled in your network.
9. Verify the configuration by checking the output of the show bfd session command.
Tracing operations record detailed messages about the operation of routing protocols,
such as the various types of routing protocol packets sent and received, and routing policy
actions. You can specify which trace operations are logged by including specific tracing
flags. The following table describes the flags that you can include.
Flag Description
Flag Description
join Trace join messages, which are sent to join a branch onto
the multicast distribution tree.
In the following example, tracing is enabled for all routing protocol packets. Then tracing
is narrowed to focus only on PIM packets of a particular type.
1. (Optional) Configure tracing at the [routing-options hierarchy level to trace all protocol
packets.
Disabling PIM
By default, when you enable the PIM protocol it applies to the specified interface only.
To enable PIM for all interfaces, include the all parameter (for example, set protocol pim
interface all). You can disable PIM at the protocol, interface, or family hierarchy levels.
The hierarchy in which you configure PIM is critical. In general, the most specific
configuration takes precedence. However, if PIM is disabled at the protocol level, then
any disable statements with respect to an interface or family are ignored.
For example, the order of precedence for disabling PIM on a particular interface family
is:
1. If PIM is disabled at the [edit protocols pim interface interface-name family] hierarchy
level, then PIM is disabled for that interface family.
2. If PIM is not configured at the [edit protocols pim interface interface-name family]
hierarchy level, but is disabled at the [edit protocols pim interface interface-name]
hierarchy level, then PIM is disabled for all families on the specified interface.
3. If PIM is not configured at either the [edit protocols pim interface interface-name family]
hierarchy level or the [edit protocols pim interface interface-name] hierarchy level, but
is disabled at the [edit protocols pim] hierarchy level, then the PIM protocol is disabled
globally for all interfaces and all families.
The following sections describe how to disable PIM at the various hierarchy levels.
[edit protocols]
pim {
disable;
}
2. (Optional) Verify your configuration settings before committing them by using the
show protocols pim command.
[edit protocols]
pim {
interface interface-name {
disable;
}
}
2. (Optional) Verify your configuration settings before committing them by using the
show protocols pim command.
[edit protocols]
pim {
family inet {
disable;
}
family inet6 {
disable;
}
}
2. (Optional) Verify your configuration settings before committing them by using the
show protocols pim command.
[edit protocols]
pim {
rp {
local {
family inet {
disable;
}
family inet6 {
disable;
}
}
}
}
2. (Optional) Verify your configuration settings before committing them by using the
show protocols pim command.
PCEP Overview
PCEP Overview
A Path Computation Element (PCE) is an entity (component, application, or network
node) that is capable of computing a network path or route based on a network graph
and applying computational constraints. A Path Computation Client (PCC) is any client
application requesting a path computation to be performed by a PCE. The Path
Computation Element Protocol (PCEP) enables communications between a PCC and
a PCE, or between two PCEs (defined in RFC 5440).
PCEP is a TCP-based protocol defined by the IETF PCE Working Group, and defines a
set of messages and objects used to manage PCEP sessions and to request and send
paths for multidomain traffic engineered LSPs (TE LSPs). It provides a mechanism for
a PCE to perform path computation for a PCC’s external LSPs. The PCEP interactions
include LSP status reports sent by the PCC to the PCE, and PCE updates for the external
LSPs.
Figure 36 on page 692 illustrates the role of PCEP in the client-side implementation of a
stateful PCE architecture in an MPLS RSVP-TE enabled network.
PCE
PCEP
PCEP
RSVP-TE
PCEP Network
g040939
PCC
A TCP-based PCEP session connects a PCC to an external PCE. The PCC initiates the
PCEP session and stays connected to the PCE for the duration of the PCEP session.
During the PCEP session, the PCC requests LSP parameters from the stateful PCE. On
receiving one or more LSP parameters from the PCE, the PCC re-signals the TE LSP.
When the PCEP session is terminated, the underlying TCP connection is closed
immediately, and the PCC attempts to re-establish the PCEP session.
• LSP tunnel state synchronization between a PCC and a stateful PCE—When an active
stateful PCE connection is detected, a PCC tries to delegate all LSPs to this PCE in a
procedure called LSP state synchronization. PCEP enables synchronization of the PCC
LSP state to the PCE.
• Delegation of control over LSP tunnels to a stateful PCE—An active stateful PCE
controls one or more LSP attributes for computing paths, such as bandwidth, path
(ERO), and priority (setup and hold). PCEP enables such delegation of LSPs for path
computation.
• Stateful PCE control of timing and sequence of path computations within and across
PCEP sessions–An active stateful PCE modifies one or more LSP attributes, such as
bandwidth, path (ERO), and priority (setup and hold). PCEP communicates these new
LSP attributes from the PCE to the PCC, after which the PCC re-signals the LSP in the
specified path.
Related • Support of the Path Computation Element Protocol for RSVP-TE Overview on page 692
Documentation
For traffic engineering in large, dense networks, MPLS capabilities can be implemented
because they potentially provide most of the functionality available from an overlay
model, in an integrated manner, and at a lower cost than the currently competing
alternatives. The primary reason for implementing MPLS traffic engineering is to control
paths along which traffic flows through a network. The main advantage of implementing
MPLS traffic engineering is that it provides a combination of the traffic engineering
capabilities of ATM, along with the class-of-service (CoS) differentiation of IP.
In an MPLS network, data plane information is forwarded using label switching. A packet
arriving on a provider edge (PE) router from the customer edge (CE) router has labels
applied to it, and it is then forwarded to the egress PE router. The labels are removed at
the egress router and it is then forwarded out to the appropriate destination as an IP
packet. The label-switching routers (LSRs) in the MPLS domain use label distribution
protocols to communicate the meaning of labels used to forward traffic between and
through the LSRs. RSVP-TE is one such label distribution protocol that enables an LSR
peer to learn about the label mappings of other peers.
When both MPLS and RSVP are enabled on a router, MPLS becomes a client of RSVP.
The primary purpose of the Junos OS RSVP software is to support dynamic signaling
within label-switched paths (LSPs). RSVP reserves resources, such as for IP unicast and
multicast flows, and requests quality-of-service (QoS) parameters for applications. The
protocol is extended in MPLS traffic engineering to enable RSVP to set up LSPs that can
be used for traffic engineering in MPLS networks.
When MPLS and RSVP are combined, labels are associated with RSVP flows. Once an
LSP is established, the traffic through the path is defined by the label applied at the
ingress node of the LSP. The mapping of label to traffic is accomplished using different
criteria. The set of packets that are assigned the same label value by a specific node
belong to the same forwarding equivalence class (FEC), and effectively define the RSVP
flow. When traffic is mapped onto an LSP in this way, the LSP is called an LSP tunnel.
LSP tunnels are a way to establish unidirectional label-switched paths. RSVP-TE builds
on the RSVP core protocol by defining new objects and modifying existing objects used
in the PATH and RESV objects for LSP establishment. The new objects—LABEL-REQUEST
object (LRO), RECORD-ROUTE object (RRO), LABEL object, and EXPLICIT-ROUTE object
(ERO)—are optional with respect to the RSVP protocol, except for the LRO and LABEL
objects, which are both mandatory for establishing LSP tunnels.
In general, RSVP-TE establishes a label-switched path that ensures frame delivery from
ingress to egress router. However, with the new traffic engineering capabilities, the
following functions are supported in an MPLS domain:
• Possibility to establish a label-switched path using either a full or partial explicit route
(RFC 3209).
• Endpoint control, which is associated with establishing and managing LSP tunnels at
the ingress and egress routers.
• MPLS fast reroute (FRR), which manages the LSPs that need protection and assigns
backup tunnel information to these LSPs.
Although the RSVP extensions for traffic engineering enable better network utilization
and meet requirements of classes of traffic, today’s MPLS RSVP-TE protocol suite has
several issues inherent to its distributed nature. This causes a number of issues during
contention for bisection capacity, especially within an LSP priority class where a subset
of LSPs share common setup and hold priority values. The limitations of RSVP-TE include:
demands based on the order of arrival. Because the ingress routers do not have a global
view of the bandwidth demand on the network, using the order of preference to
establish LSPs can cause traffic to be dropped or LSPs not being established at all
when there is an excess of bandwidth demand.
As an example, Figure 37 on page 695 is configured with MPLS RSVP-TE, in which A and
G are the label edge routers (LERs). These ingress routers establish LSPs independently
based on the order of demands and have no knowledge or control over each other’s LSPs.
Routers B, C, and D are intermediate or transit routers that connect to the egress routers
E and F.
The ingress routers establish LSPs based on the order in which the demands arrive. If
Router G receives two demands of capacity 5 each for G-F, then G signals two LSPs –
LSP1 and LSP2 – through G-B-D-F. In the same way, when Router A receives the third
demand of capacity 10 for A-E, then it signals an LSP, LSP3, through A-B-C-E. However,
if the demand on the A-E LSP increases from 10 to 15, Router A cannot signal LSP3 using
the same (A-B-C-E) path, because the B-C link has a lower capacity.
Router A should have signaled the increased demand on LSP3 using the A-B-D-C-E path.
Since LSP1 and LSP2 have utilized the B-D link based on the order of demands received,
LSP3 is not signaled.
Thus, although adequate max-flow bandwidth is available for all the LSPs, LSP3 is subject
to potentially prolonged service degradation. This is due to Router A’s lack of global
demand visibility and the lack of systemic coordination in demand placement by the
ingress routers A and G.
As a solution to the current limitations found in the MPLS RSVP-TE path computation,
an external path computing entity with a global view of per-LSP, per-device demand in
the network independent of available capacity is required.
Currently, only online and real-time constraint-based routing path computation is provided
in an MPLS RSVP-TE network. Each router performs constraint-based routing calculations
independent of the other routers in the network. These calculations are based on currently
available topology information—information that is usually recent, but not completely
accurate. LSP placements are locally optimized, based on current network status. The
MPLS RSVP-TE tunnels are set up using the CLI. An operator configures the TE LSP,
which is then signaled by the ingress router.
In addition to the existing traffic engineering capabilities, the MPLS RSVP-TE functionality
is extended to include an external path computing entity, called the Path Computation
Element (PCE). The PCE computes the path for the TE LSPs of ingress routers that have
been configured for external control. The ingress router that connects to a PCE is called
a Path Computation Client (PCC). The PCC is configured with the Path Computation
Client Protocol (PCEP) to facilitate external path computing by a PCE.
For more information, see “Components of External Path Computing” on page 696.
To enable external path computing for a PCC’s TE LSPs, include the lsp-external-controller
pccd statement at the [edit mpls] and [edit mpls lsp lsp-name] hierarchy levels.
• Stateful PCE—A stateful PCE maintains strict synchronization between the PCE and
network states (in terms of topology and resource information), along with the set of
computed paths and reserved resources in use in the network. In other words, a stateful
PCE utilizes information from the traffic engineering database as well as information
about existing paths (for example, TE LSPs) in the network when processing new
requests from the PCC.
• Passive stateful PCE—Maintains synchronization with the PCC and learns the PCC
LSP states to better optimize path calculations, but does not have control over them.
• Active stateful PCE—Actively modifies the PCC LSPs, in addition to learning about
the PCC LSP states.
• Modifies other LSP attributes on the router, such as ERO, setup priority, and hold
priority.
A PCE has a global view of the bandwidth demand in the network and maintains a
traffic-engineered database to perform path computations. It performs statistics
collection from all the routers in the MPLS domain using SNMP and NETCONF. This
provides a mechanism for offline control of the PCC’s TE LSPs. Although an offline
LSP path computation system can be embedded in a network controller, the PCE acts
like a full-fledged network controller that provides control over the PCC’s TE LSPs, in
addition to computing paths.
Although a stateful PCE allows for optimal path computation and increased path
computation success, it requires reliable state synchronization mechanisms, with
potentially significant control plane overhead and the maintenance of a large amount
of data in terms of states, as in the case of a full mesh of TE LSPs.
• Stateless PCE—A stateless PCE does not remember any computed path, and each
set of requests is processed independently of each other (RFC 5440).
A Path Computation Client (PCC) is any client application requesting a path computation
to be performed by a PCE.
A PCC can connect to a maximum of 10 PCEs at one time. The PCC to PCE connection
can be a configured static route or a TCP connection that establishes reachability. The
PCC assigns each connected PCE a priority number. It sends a message to all the
connected PCEs with information about its current LSPs, in a process called LSP state
synchronization. For the TE LSPs that have external control enabled, the PCC delegates
those LSPs to the main PCE. The PCC elects, as the main PCE, a PCE with the lowest
priority number, or the PCE that it connects to first in the absence of a priority number.
The PCC re-signals an LSP based on the computed path it receives from a PCE. When
the PCEP session with the main PCE is terminated, the PCC elects a new main PCE, and
all delegated LSPs to the previously main PCE are delegated to the newly available main
PCE.
The Path Computation Element Protocol (PCEP) is used for communication between
PCC and PCE (as well as between two PCEs) (RFC 5440). PCEP is a TCP-based protocol
defined by the IETF PCE Working Group, and defines a set of messages and objects used
to manage PCEP sessions and to request and send paths for multidomain TE LSPs. The
PCEP interactions include PCC messages, as well as notifications of specific states
related to the use of a PCE in the context of MPLS RSVP-TE. When PCEP is used for
PCE-to-PCE communication, the requesting PCE assumes the role of a PCC.
Figure 38 on page 698 illustrates the relationship between a PCE, PCC, and the role of
PCEP in the context of MPLS RSVP-TE.
The PCE to PCC communication is enabled by the TCP-based PCEP. The PCC initiates
the PCEP session and stays connected to a PCE for the duration of the PCEP session.
NOTE: Starting with Junos OS Release 16.1, you can secure a PCEP session
using TCP-MD5 authentication as per RFC 5440. To enable the MD5 security
mechanism for a PCEP session, it is recommended that you define and bind
the MD5 authentication key at the [edit protocols pcep pce pce-id] hierarchy
level for a PCEP session. You can, however, also use a predefined keychain
from the [edit security authentication-key-chains key-chain] hierarchy level to
secure a PCEP session. In this case, you should bind the predefined keychain
into the PCEP session at the [edit protocols pcep pce pce-id] hierarchy level.
The PCE and PCC use the same key to verify the authenticity of each segment
sent on the TCP connection of the PCEP session, thereby securing the PCEP
communication between the devices, which might be subject to attacks and
can disrupt services on the network.
Once the PCEP session is established, the PCC performs the following tasks:
1. LSP state synchronization—The PCC sends information about all the LSPs (local and
external) to all connected PCEs. For external LSPs, the PCC sends information about
any configuration change, RRO change, state change, and so on, to the PCE.
For PCE-initiated LSPs, there is no LSP configuration present on the PCC. The PCE
initiating the LSP sends the LSP parameters to the PCC that has indicated its capability
of supporting PCE-initiated LSPs.
2. LSP delegation—After the LSP state information is synchronized, the PCC then
delegates the external LSPs to one PCE, which is the main active stateful PCE. Only
the main PCE can set parameters for the external LSP. The parameters that the main
PCE modifies include bandwidth, path (ERO), and priority (setup and hold). The
parameters specified in the local configuration are overridden by the parameters that
are set by the main PCE.
NOTE: When the PCEP session with the main PCE is terminated, the PCC
elects a new main PCE, and all delegated LSPs to the previously main PCE
are delegated to the newly available main PCE.
In the case of PCE-initiated LSPs, the PCC creates the LSP using the parameters
received from the PCE. The PCC assigns the PCE-initiated LSP a unique LSP-ID, and
automatically delegates the LSP to the PCE. A PCC cannot revoke the delegation for
the PCE-initiated LSPs for an active PCEP session.
When a PCEP session terminates, the PCC starts two timers without immediately
deleting the PCE-initiated LSPs – delegation cleanup timeout and lsp cleanup timer –
to avoid disruption of services. During this time, an active stateful PCE can acquire
control of the LSPs provisioned by the failed PCE, by sending a create request for the
LSP.
Control over PCE-initiated LSPs reverts to the PCC at the expiration of the delegation
cleanup timeout. When the delegation cleanup timeout expires, and no other PCE has
acquired control over the LSP from the failed PCE, the PCC takes local control of the
non-delegated PCE-initiated LSP. Later, when the original or a new active stateful
PCE wishes to acquire control of the locally controlled PCE-initiated LSPs, the PCC
delegates these LSPs to the PCE and the lsp cleanup timer timer is stopped.
A PCE may return the delegation of the PCE-initiated LSP to the PCC to allow LSP
transfer between PCEs. This triggers the lsp cleanup timer for the PCE-initiated LSP.
The PCC waits for the LSP cleanup timer to expire before removing the non-delegated
PCE-initiated LSPs from the failed PCE.
When the lsp cleanup timer expires, and no other PCE has acquired control over the
LSPs from the failed PCE, the PCC deletes all the LSPs provisioned by the failed PCE.
3. LSP signaling—On receiving one or more LSP parameters from the main active stateful
PCE, the PCC re-signals the TE LSP based on the PCE provided path. If the PCC fails
to set up the LSP, it notifies the PCE of the setup failure and waits for the main PCE
to provide new parameters for that LSP, and then re-signals it.
When the PCE specifies a path that is incomplete or has loose hops where only the
path endpoints are specified, the PCC does not perform local constraint-based routing
to find out the complete set of hops. Instead, the PCC provides RSVP with the PCE
provided path, as it is, for signaling, and the path gets set up using IGP hop-by-hop
routing.
Considering the topology used in Figure 37 on page 695, Figure 39 on page 701 illustrates
the partial client-side PCE implementation in the MPLS RSVP-TE enabled network. The
ingress routers A and G are the PCCs that are configured to connect to the external
stateful PCE through a TCP connection.
The PCE has a global view of the bandwidth demand in the network and performs external
path computations after looking up the traffic engineering database. The active stateful
PCE then modifies one or more LSP attributes and sends an update to the PCC. The PCC
uses the parameters it receives from the PCE to re-signal the LSP.
This way, the stateful PCE provides a cooperative operation of distributed functionality
used to address specific challenges of a shortest interdomain constrained path
computation. It eliminates congestion scenarios in which traffic streams are inefficiently
mapped onto available resources, causing overutilization of some subsets of network
resources, while other resources remain underutilized.
LSP Types
The PCC informs the PCE about the configured parameters of a PCE-controlled LSP,
such as bandwidth, ERO, and priorities. It also informs the PCE about the actual values
used for these parameters to set up the LSP including the RRO, when available.
The PCC sends such LSP status reports to the PCE only when a reconfiguration has
occurred or when there is a change in the ERO, RRO, or status of the PCE-controlled
LSPs under external control.
There are two types of parameters that come from the CLI configuration of an LSP for
a PCE:
• Parameters that are not overridden by a PCE, and that are applied immediately.
The CLI-controlled LSPs, PCE-controlled LSPs, and PCE-initiated LSPs can coexist on
a PCC.
In a client-side PCE implementation, there are two types of control modes for a
PCC-controlled LSP:
• External—By default, all PCE-controlled LSPs are under external control. When an LSP
is under external control, the PCC uses the PCE-provided parameters to set up the
LSP.
• Local—A PCE-controlled LSP can come under local control. When the LSP switches
from external control to local control, path computation is done using the CLI-configured
parameters and constraint-based routing. Such a switchover happens only when there
is a trigger to re-signal the LSP. Until then, the PCC uses the PCE-provided parameters
to signal the PCE-controlled LSP, although the LSP remains under local control.
A PCE-controlled LSP switches to local control from its default external control mode
in cases such as no connectivity to a PCE or when a PCE returns delegation of LSPs back
to the PCC.
For more information about CLI-controlled LSPs and PCE-controlled LSPs, see “LSP
Types” on page 701.
Table 47 on page 703 lists the MPLS and existing LSP configuration statements that apply
to a PCE-controlled LSP.
The rest of the LSP configuration statements are applicable in the same way as for
existing LSPs. On configuring any of the above configuration statements for a
PCE-controlled LSP, an MPLS log message is generated to indicate when the configured
parameters take effect.
The protection paths, including fast reroute and bypass LSPs, are locally computed by
the PCC using constraint-based routing. A stateful PCE specifies the primary path (ERO)
only. A PCE can also trigger a non-standby secondary path, even if the local configuration
does not have a non-standby secondary path for LSP protection.
For PCE-controlled LSPs (PCC-delegated LSPs and PCE-initated LSPs), only a full-blown
Explicit Route Object (ERO) object has to be sent from the PCE to the PCC; otherwise
the PCC rejects the PCUpdate or PCCreate message for that PCEP session.
Starting in Junos OS Release 17.2, in addition to external cspf, two new path computation
types are introduced for the PCE-controlled LSPs: local cspf and no cspf.
• local cspf—A PCC uses the local cspf computation type only when the PCE sends in a
Juniper Vendor TLV (enterprise number: 0x0a4c) of type 5.
• no cspf—Neither the PCE nor the PCC performs a constrained path calculation. The
endpoints and constraints are given to the RSVP module for setting up the LSP with
the IGP path.
• When the PCE sends local cspf TLV, and when the Junos OS configuration or matching
template for this LSP included no-cspf in the PCC-delegated LSP.
• When the PCE sends local cspf TLV, and when the Junos OS configuration template
for this LSP included no-cspf in the PCE-initiated LSP.
• When the PCE does not send local cspf TLV with an empty ERO or loose ERO (with
loose bit set in the ERO object).
With these new computation types, a PCC can accept an ERO object either as a loose
ERO, or as an empty ERO. An external path computing entity that is not capable of
computing a path can modify parameters such as bandwidth and color, based on the
analytics. In such cases, an empty ERO object or loose ERO is used and the path to be
taken is decided by the PCC.
After a PCEP session is established between a PCE and a PCC, the PCC reports all the
LSPs in the system to the PCE for LSP state synchronization. This includes PCC-controlled,
PCE-delegated, and PCE-initiated point-to-point LSPs. Starting with Junos OS Release
15.1F6 and 16.1R1, this capability is extended to report point-to-multipoint LSPs as well.
For a PCE, the point-to-multipoint LSP is similar to that of RSVP point-to-multipoint
LSP, where the point-to-multipoint LSP is treated as collection of point-to-point LSPs
grouped under a point-to-multipoint identifier.
• Auto-bandwidth
• TE++
A stateful PCE server automates the creation of traffic engineering paths across the
network, increasing network utilization and enabling a customized programmable
networking experience with the use of PCEP communication with a PCC. A PCC sends
LSP reports to a PCE server, and the PCE updates or provisions LSPs back to the PCC.
The data sent over a PCEP session is crucial for a PCE server to perform external path
computing. As a result, an attack on the PCEP communication can disrupt network
services. If altered PCEP messages are sent to a PCC, inappropriate LSPs can be set up.
Similarly, if altered PCEP messages are sent to a PCE, an incorrect view of the network
is learned by the PCE.
Considering the significance of the PCEP communication between a PCE and PCC in
executing the PCE functionalities effectively, Junos OS Release 16.1 introduces the feature
of securing a PCEP session using TCP-MD5 authentication as per RFC 5440. This feature
protects the communication between a PCE and PCC over a PCEP session, which might
be subject to an attack, and can disrupt network services.
To enable the MD5 security mechanism for a PCEP session, it is recommended that you
define and bind the MD5 authentication key at the [edit protocols pcep pce pce-id]
hierarchy level for a PCEP session. You can, however, also use a predefined keychain
from the [edit security authentication-key-chains key-chain] hierarchy level to secure a
PCEP session. In this case, you should bind the predefined keychain into the PCEP session
at the [edit protocols pcep pce pce-id] hierarchy level.
The following configuration is executed on the PCC to establish a secure PCEP session
with a PCE:
For secure PCEP sessions to be established successfully, the MD5 authentication should
be configured with the pre-shared authentication key on both the PCE server and the
PCC. The PCE and PCC use the same key to verify the authenticity of each segment sent
on the TCP connection of the PCEP session.
NOTE:
• Junos OS Release 16.1 supports only TCP-MD5 authentication for PCEP
sessions, without extending support for TLS and TCP-AO, such as protection
against eavesdropping, tampering, and message forgery.
• This feature does not provide support for any session authentication
mechanism.
• To view the authentication keychain used by the PCEP session, use the
show path-computation-client status and show protocols pcep command
outputs.
• Use the show system statistics tcp | match auth command to view the
number of packets that get dropped by TCP because of authentication
errors.
• Operation of the keychain can be verified by using the show security keychain
detail command output.
• Path calculations incorporating total network state is highly complex, even if the PCE
has detailed information on all paths, priorities, and layers.
In spite of the above concerns, the partial client-side implementation of the stateful PCE
is extremely effective in large traffic engineering systems. It provides rapid convergence
and significant benefits in terms of optimal resource usage, by providing the requirement
for global visibility of a TE LSP state and for ordered control of path reservations across
devices within the system being controlled.
17.2R1 Starting in Junos OS Release 17.2, in addition to external cspf, two new path
computation types are introduced for the PCE-controlled LSPs: local cspf and
no cspf.
16.1 Starting with Junos OS Release 16.1, you can secure a PCEP session using
TCP-MD5 authentication as per RFC 5440.
16.1 Junos OS Release 16.1 introduces the feature of securing a PCEP session using
TCP-MD5 authentication as per RFC 5440.
Related • Example: Configuring the Path Computation Element Protocol for MPLS RSVP-TE on
Documentation page 707
• Example: Configuring Path Computation Element Protocol for MPLS RSVP-TE with
Support of PCE-Initiated LSPs on page 721
• Example: Configuring Path Computation Element Protocol for MPLS RSVP-TE with
Support for PCE-Controlled Point-to-Multipoint LSPs on page 735
Configuring PCEP
Example: Configuring the Path Computation Element Protocol for MPLS RSVP-TE
This example shows how to enable external path computing by a Path Computation
Element (PCE) for traffic engineered label-switched paths (TE LSPs) on a Path
Computation Client (PCC). It also shows how to configure the Path Computation Element
Protocol (PCEP) on the PCC to enable PCE to PCC communication.
Requirements
• Three routers that can be a combination of ACX Series routers, M Series Multiservice
Edge Routers, MX Series 3D Universal Edge Routers, T Series Core Routers, or PTX
Series Transport Router, one of which is configured as a PCC.
• Junos OS Release 12.3 or later running on the PCC along with the JSDN add-on package.
NOTE: The JSDN add-on package is required to be installed along with the
core Junos OS installation package.
Overview
Starting with Junos OS Release 12.3, the MPLS RSVP-TE functionality is extended to
provide a partial client-side implementation of the stateful PCE architecture
(draft-ietf-pce-stateful-pce) on a PCC.
lsp-external-controller pccd;
To enable PCE to PCC communication, configure PCEP on the PCC at the [edit protocols]
hierarchy level.
pcep { ... }
• The JSDN add-on package is required to be installed along with the core Junos OS
installation package.
• A PCC can connect to a maximum of 10 stateful PCEs. At any given point in time, there
can be only one main PCE (the PCE with the lowest priority value, or the PCE that
connects to the PCC first in the absence of a PCE priority) to which the PCC delegates
LSPs for path computation.
• For Junos OS Release 12.3, the PCC always initiates the PCEP sessions. PCEP sessions
initiated by remote PCEs are not accepted by the PCC.
• Existing LSP features, such as LSP protection and make-before-break, work for
PCE-controlled LSPs.
• The auto-bandwidth option is turned off for PCE-controlled LSPs, although LSPs under
the control of auto-bandwdith and constraint-based routing can coexist with
PCE-controlled LSPs.
• Setup time and convergence time (reroute, MBB) for exisiting LSPs is the same as in
previous releases, in the absence of PCE-controlled LSPs. However, a small impact is
seen in the presence of PCE-controlled LSPs.
Topology
In this example, PCC is the ingress router that connects to the external active stateful
PCE.
1. Router PCC receives the LSP tunnel configuration that was set up using the CLI.
Assuming that the received configuration is enabled with external path computing,
Router PCC becomes aware that some of the LSP attributes – bandwidth, path, and
priority – are under the control of the stateful PCE and delegates the LSP to the PCE.
In this example, the external LSP is called PCC-to-R2 and it is being set up from Router
PCC to Router R2 . The CLI-configured ERO for PCC-to-R2 is PCC-R0-R1-R2. The
bandwidth for PCC-to-R2 is 10m, and both the setup and hold priority values are 4.
2. Router PCC tries to retrieve the PCE-controlled LSP attributes. To do this, Router PCC
sends out a PCRpt message to the stateful PCE stating that the LSP has been
configured. The PCRpt message communicates the status of the LSP and contains
the local configuration parameters of the LSP.
3. The stateful PCE modifies one or more of the delegated LSP attributes and sends the
new LSP parameters to Router PCC through the PCUpd message.
4. On receiving the new LSP parameters, Router PCC sets up a new LSP and re-signals
it using the PCE-provided path.
In this example, the PCE-provided ERO for PCC-to-R2 is PCC-R3-R2. The bandwidth
for PCC-to-R2 is 8m, and both the setup and hold priority values are 3.
5. Router PCC sends a PCRpt with the new RRO to the stateful PCE.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode.
NOTE: Repeat this procedure for every Juniper Networks ingress router in the
MPLS domain, after modifying the appropriate interface names, addresses,
and any other parameters for each router.
To enable MPLS, include the protocol family on the interface so that the interface
does not discard incoming MPLS traffic.
[edit interfaces]
user@PCC# set ge-1/0/1 unit 0 family inet address 20.31.4.1/24
user@PCC# set ge-1/0/1 unit 0 family iso
user@PCC# set ge-1/0/1 unit 0 family mpls
2. Enable RSVP on all interfaces of Router PCC, excluding the management interface.
[edit protocols]
user@PCC# set rsvp interface all
user@PCC# set rsvp interface fxp0.0 disable
3. Configure the label-switched path (LSP) from Router PCC to Router R2 and enable
external control of LSPs by the PCE.
[edit protocols]
user@PCC# set mpls lsp-external-controller pccd
user@PCC# set mpls label-switched-path PCC-to-R2 to 10.255.179.98/32
user@PCC# set mpls label-switched-path PCC-to-R2 bandwidth 10m
user@PCC# set protocols mpls label-switched-path PCC-to-R2 priority 4 4
user@PCC# set protocols mpls label-switched-path PCC-to-R2 primary to-R2-path
user@PCC# set protocols mpls label-switched-path PCC-to-R2
lsp-external-controller pccd
4. Configure the LSP from Router PCC to Router R2, which has local control and is
overridden by the PCE-provided LSP parameters.
[edit protocols]
user@PCC# set mpls path to-R2-path 20.31.1.2/30 strict
user@PCC# set mpls path to-R2-path 20.31.2.2/30 strict
5. Enable MPLS on all interfaces of Router PCC, excluding the management interface.
[edit protocols]
user@PCC# set mpls interface all
user@PCC# set mpls interface fxp0.0 disable
6. Configure IS-IS on all interfaces of Router PCC, excluding the management interface.
[edit protocols]
user@PCC# set isis level 1 disable
user@PCC# set isis interface all
user@PCC# set isis interface fxp0.0 disable
user@PCC# set isis interface lo0.0
7. Define the PCE that Router PCC connects to, and configure the IP address of the
PCE.
[edit protocols]
user@PCC# set pcep pce pce1 destination-ipv4-address 10.209.57.166
8. Configure the destination port for Router PCC that connects to a PCE using the
TCP-based PCEP.
[edit protocols]
user@PCC# set pcep pce pce1 destination-port 4189
[edit protocols]
user@PCC# set pcep pce pce1 pce-type active
user@PCC# set pcep pce pce1 pce-type stateful
Results
From configuration mode, confirm your configuration by entering the show interfaces and
show protocols commands. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 10.255.179.95/32;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Purpose Verify the PCEP session status between the PCE and Router PCC when the PCE status
is up.
Action From operational mode, run the show path-computation-client active-pce command.
Counters
PCReqs Total: 0 last 5min: 0 last hour: 0
Timers
Local Keepalive timer: 30 [s] Dead timer: 120 [s]
Errors
PCErr-recv
PCErr-sent
PCE-PCC-NTFS
PCC-PCE-NTFS
Meaning The output displays information about the current active stateful PCE that Router PCC
is connected to. The PCE status output field indicates the current status of the PCEP
session between the PCE and Router PCC.
For pce1, the status of the PCEP session is PCE_STATE_UP, which indicates that the PCEP
session has been established between the PCEP peers.
The statistics of PCRpts indicate the number of messages sent by Router PCC to the PCE
to report the current status of LSPs. The PCUpdates statistics indicate the number of
messages received by Router PCC from the PCE. The PCUpdates messages include the
PCE modified parameters for the PCE-controlled LSPs.
Purpose Verify the status of the PCE-controlled LSP from Router PCC to Router R2 when the LSP
is under external control.
Action From operational mode, run the show mpls lsp name PCC-to-R2 extensive command.
10.255.179.98
From: 10.255.183.59, State: Up, ActiveRoute: 0, LSPname: PCC-to-R2
ActivePath: to-R2-path (primary)
LSPtype: Externally controlled, Penultimate hop popping
LSP Control Status: Externally controlled
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary to-R2-path State: Up
Priorities: 3 3
Bandwidth: 8Mbps
SmartOptimizeTimer: 180
No computed ERO.
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
20.31.4.2 20.31.5.2
21 Mar 11 05:00:56.736 EXTCTRL LSP: Sent Path computation request and LSP
status
20 Mar 11 05:00:56.736 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
19 Mar 11 05:00:56.735 Selected as active path
18 Mar 11 05:00:56.734 EXTCTRL LSP: Sent Path computation request and LSP
status
17 Mar 11 05:00:56.734 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
16 Mar 11 05:00:56.734 Record Route: 20.31.4.2 20.31.5.2
15 Mar 11 05:00:56.734 Up
14 Mar 11 05:00:56.713 EXTCTRL LSP: Sent Path computation request and LSP
status
13 Mar 11 05:00:56.713 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
12 Mar 11 05:00:56.712 Originate Call
11 Mar 11 05:00:56.712 EXTCTRL_LSP: Received setup parameters : 20.31.4.2
20.31.5.2
10 Mar 11 05:00:49.283 EXTCTRL LSP: Sent Path computation request and LSP
status
9 Mar 11 05:00:49.283 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
8 Mar 11 05:00:20.581 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
7 Mar 11 05:00:20.581 EXTCTRL LSP: Sent Path computation request and LSP
status
6 Mar 11 05:00:20.581 EXTCTRL_LSP: Computation request/lsp status contains:
Meaning In the output, the LSPtype and LSP Control Status output fields show that the LSP is
externally controlled. The output also shows a log of the PCEP messages sent between
Router PCC and the PCE.
The PCEP session between the PCE and Router PCC is up, and Router PCC receives the
following PCE-controlled LSP parameters:
• Bandwidth—8Mbps
Purpose Verify the status of the PCE-controlled LSP from Router PCC to Router R2 when the LSP
control becomes local.
Action From operational mode, run the show mpls lsp name PCC-to-R2 extensive command.
10.255.179.98
From: 10.255.183.59, State: Up, ActiveRoute: 0, LSPname: PCC-to-R2
ActivePath: to-R2-path (primary)
LSPtype: Externally controlled, Penultimate hop popping
LSP Control Status: Locally controlled
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary to-R2-path State: Up
Priorities: 4 4 (ActualPriorities 3 3)
Bandwidth: 10Mbps (ActualBandwidth: 8Mbps)
SmartOptimizeTimer: 180
No computed ERO.
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
20.31.4.2 20.31.5.2
Meaning In the output, the LSP Control Status output field shows that the LSP is under local control.
Although the PCE-controlled LSP is under local control, Router PCC continues to use the
PCE-provided parameters, until the next opportunity to re-signal the LSP.
The output now displays the LSP parameters that were configured using the CLI along
with the PCE-provided parameters used to establish the LSP as the actual values in use.
• Priorities—4 4 (ActualPriorities 3 3)
On the trigger to re-signal the LSP, Router PCC uses the local configuration parameters
to establish the PCE-controlled LSP.
10.255.179.98
From: 10.255.183.59, State: Up, ActiveRoute: 0, LSPname: PCC-to-R2
ActivePath: to-R2-path (primary)
LSPtype: Externally controlled, Penultimate hop popping
LSP Control Status: Locally controlled
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary to-R2-path State: Up
Priorities: 4 4
Bandwidth: 10Mbps
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 30)
20.31.1.2 S 20.31.2.2 S 20.31.8.2 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
20.31.1.2 20.31.2.2 20.31.8.2
28 Mar 11 05:02:51.787 Record Route: 20.31.1.2 20.31.2.2 20.31.8.2
27 Mar 11 05:02:51.787 Up
26 Mar 11 05:02:51.697 EXTCTRL_LSP: Applying local parameters with this
signalling attempt
25 Mar 11 05:02:51.697 Originate Call
24 Mar 11 05:02:51.696 Clear Call
23 Mar 11 05:02:51.696 CSPF: computation result accepted 20.31.1.2 20.31.2.2
20.31.8.2
22 Mar 11 05:02:09.618 EXTCTRL_LSP: Control status became local
21 Mar 11 05:00:56.736 EXTCTRL LSP: Sent Path computation request and LSP
status
20 Mar 11 05:00:56.736 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
19 Mar 11 05:00:56.735 Selected as active path
18 Mar 11 05:00:56.734 EXTCTRL LSP: Sent Path computation request and LSP
status
17 Mar 11 05:00:56.734 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
16 Mar 11 05:00:56.734 Record Route: 20.31.4.2 20.31.5.2
15 Mar 11 05:00:56.734 Up
14 Mar 11 05:00:56.713 EXTCTRL LSP: Sent Path computation request and LSP
status
13 Mar 11 05:00:56.713 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
12 Mar 11 05:00:56.712 Originate Call
11 Mar 11 05:00:56.712 EXTCTRL_LSP: Received setup parameters : 20.31.4.2
20.31.5.2
10 Mar 11 05:00:49.283 EXTCTRL LSP: Sent Path computation request and LSP
status
9 Mar 11 05:00:49.283 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
8 Mar 11 05:00:20.581 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
7 Mar 11 05:00:20.581 EXTCTRL LSP: Sent Path computation request and LSP
status
6 Mar 11 05:00:20.581 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
5 Mar 11 05:00:20.580 EXTCTRL_LSP: Control status became external
4 Mar 11 05:00:03.716 EXTCTRL_LSP: Control status became local
3 Mar 11 05:00:03.714 EXTCTRL LSP: Sent Path computation request and LSP
status
2 Mar 11 05:00:03.714 EXTCTRL_LSP: Computation request/lsp status contains:
bandwidth 10000000 priority - setup 4 hold 4 hops: 20.31.1.2 20.31.2.2
1 Mar 11 05:00:00.279 EXTCTRL LSP: Awaiting external controller connection
Created: Mon Mar 11 05:00:00 2013
Total 1 displayed, Up 1, Down 0
The Computed ERO is 20.31.1.2, 20.31.2.2, and 20.31.8.2. The PCE-controlled LSP is
established using the local configuration parameters.
Related • Support of the Path Computation Element Protocol for RSVP-TE Overview on page 692
Documentation
Example: Configuring Path Computation Element Protocol for MPLS RSVP-TE with Support
of PCE-Initiated LSPs
This example shows how to configure the Path Computation Client (PCC) with the
capability of supporting Path Computation Element (PCE)-initiated traffic-engineered
label-switched paths (LSPs).
Requirements
• Three routers that can be a combination of ACX Series, M Series, MX Series, or T Series
routers.
• A TCP connection to two external stateful PCEs from the ingress router (PCC).
Overview
Starting with Junos OS Release 16.1, the PCEP functionality is extended to allow a stateful
PCE to initiate and provision traffic engineering LSPs through a PCC. Earlier, the LSPs
were configured on the PCC and the PCC delegated control over the external LSPs to a
PCE. The ownership of the LSP state was maintained by the PCC. With the introduction
of the PCE-initiated LSPs, a PCE can initiate and provision a traffic engineering LSP
dynamically without the need for a locally configured LSP on the PCC. On receiving a
PCCreate message from a PCE, the PCC creates the PCE-initiated LSP and automatically
delegates the LSP to the PCE.
By default, a PCC rejects the request for provisioning PCE-initiated LSPs from a PCE. To
enable support of PCE-initated LSPs on the PCC, include the lsp-provisioning statement
at the [edit protocols pcep pce pce-id] or [edit protocols pcep pce-group group-id] hierarchy
levels.
A PCC indicates its capability of supporting PCE-initiated LSPs while establishing the
Path Computation Element Protocol (PCEP) session with the PCE. A PCE selects a PCC
with this capability to initiate an LSP. The PCE provides the PCC with the PCE-initiated
LSP parameters. On receiving the PCE-initiated LSP parameters, the PCC sets up the
LSP, assigns an LSP ID, and automatically delegates the LSP to the PCE.
When the PCE initiating the LSP does not provide the PCE-initiated LSP parameters, the
PCC uses the default parameters. An optional LSP template may also be configured to
specify values for the PCE-initiated LSP when the LSP parameters are not provided by
the PCE. To configure an LSP template for PCE-initiated LSPs on the PCC, include the
label-switched-path-template statement at the [edit protocols mpls lsp-external-controller
lsp-external-controller] hierarchy level.
When a PCEP session terminates, the PCC starts two timers without immediately deleting
the PCE-initiatedLSPs—delegation cleanup timeout and lsp cleanup timer—to avoid
disruption of services. During this time, an active stateful PCE can acquire control of the
LSPs provisioned by the failed PCE.
A PCE may return the delegation of the PCE-initiated LSP to the PCC to allow LSP transfer
between PCEs. Control over PCE-initiated LSPs reverts to the PCC at the expiration of
the delegation cleanup timeout. When the delegation cleanup timeout expires, and no
other PCE has acquired control over the LSP from the failed PCE, the PCC takes local
control of the non-delegated PCE-initiated LSP. Later, when the original or a new active
stateful PCE wishes to acquire control of the locally controlled PCE-initiated LSPs, the
PCC delegates these LSPs to the PCE and the LSP cleanup timer is stopped.
The PCC waits for the LSP cleanup timer to expire before deleting the non-delegated
PCE-initiated LSPs from the failed PCE. When the LSP cleanup timer expires, and no
other PCE has acquired control over the LSPs from the failed PCE, the PCC deletes all
the LSPs provisioned by the failed PCE.
When configuring the support of PCE-initiated LSPs for a PCC, be aware of the following
considerations:
• For Junos OS Release 13.3, the PCC always initiates the PCEP sessions. PCEP sessions
initiated by remote PCEs are not accepted by the PCC.
• Existing LSP features, such as LSP protection and make-before-break, work for
PCE-initiated LSPs.
• RSVP-TE for unnumbered links is not supported. PCE-initiated LSPs support only
numbered links.
Topology
g043463
PCE2
lo0=192.168.70.65
In this example, PCC is the ingress router that connects to two external stateful PCEs:
PCE1 and PCE2.
When there is a new demand, the active stateful PCE dynamically initiates an LSP to
meet the requirement. Since PCC is configured with the capability of supporting the
PCE-initiated LSP, path computation on PCC is performed as follows:
1. A PCE sends a PCCreate message to the PCC to initiate and provision an LSP. The
PCC sets up the PCE-initiated LSP using the parameters received from the PCE, and
automatically delegates the PCE-initiated LSP to the PCE that initiated it.
In this example, PCE1 is the active stateful PCE that initiates and provisions the
PCE-initiated LSP on PCC. On receiving the PCE-initiated LSP parameters, PCC sets
up the LSP and automatically delegates the PCE-initiated LSP to PCE1.
2. When the PCEP session between PCC and PCE1 is terminated, PCC starts two timers
for the PCE1-initiated LSP: delgation cleanup timeout and the LSP cleanup timer.
During this time, PCE1 or PCE2 can acquire control of the PCE-initiated LSP.
3. If PCE2 acquires control over the PCE-initiated LSP before the expiration of the LSP
cleanup timer, PCC delegates the PCE-initiated LSP to PCE2, and the LSP cleanup
timer and the delegation cleanup timeout are stopped.
4. If the delegation cleanup timeout expired, and neither PCE1 nor PCE2 acquired control
over the PCE-initiated LSP, PCC takes local control of the non-delegated PCE-initiated
LSP until the expiration of the LSP cleanup timer.
5. After the expiration of the LSP cleanup timer, PCC deletes the PCE-initiated LSP
provisioned by PCE1.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode.
NOTE: Repeat this procedure for every Juniper Networks ingress router in the
MPLS domain, after modifying the appropriate interface names, addresses,
and any other parameters for each router.
To enable MPLS, include the protocol family on the interface so that the interface
does not discard incoming MPLS traffic.
[edit interfaces]
user@PCC# set ge-0/1/1 unit 0 family inet address 10.0.102.9/24
user@PCC# set ge-0/1/1 unit 0 family iso
user@PCC# set ge-0/1/1 unit 0 family mpls
2. Enable RSVP on all interfaces of the PCC, excluding the management interface.
[edit protocols]
user@PCC# set rsvp interface all
user@PCC# set rsvp interface fxp0.0 disable
[edit protocols]
user@PCC# set mpls lsp-external-controller pccd
4. Enable MPLS on all interfaces of the PCC, excluding the management interface.
[edit protocols]
user@PCC# set mpls interface all
user@PCC# set mpls interface fxp0.0 disable
5. Configure OSPF on all interfaces of the PCC, excluding the management interface.
[edit protocols]
user@PCC# set ospf traffic-engineering
user@PCC# set ospf area 0.0.0.0 interface all
user@PCC# set ospf area 0.0.0.0 interface fxp0.0 disable
user@PCC# set ospf interface lo0.0
6. Define the PCE group and enable support of PCE-initiated LSPs for the PCE group.
[edit protocols]
user@PCC# set protocols pcep pce-group PCEGROUP pce-type active
user@PCC# set protocols pcep pce-group PCEGROUP pce-type stateful
user@PCC# set protocols pcep pce-group PCEGROUP lsp-provisioning
user@PCC# set protocols pcep pce-group PCEGROUP lsp-cleanup-timer 30
[edit protocols]
user@PCC# set pcep pce PCE1 destination-ipv4-address 192.168.69.58
user@PCC# set pcep pce PCE1 destination-port 4189
user@PCC# set pcep pce PCE1 pce-group PCEGROUP
Results
From configuration mode, confirm your configuration by entering the show interfaces and
show protocols commands. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
}
family iso;
family mpls;
}
}
ge-0/1/3 {
unit 0 {
family inet {
address 10.0.112.14/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.168.12.1/32;
}
}
}
pce PCE2 {
destination-ipv4-address 192.168.70.65;
destination-port 4189;
pce-group PCEGROUP;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Purpose Verify the PCEP session status and LSP summary between the PCC and the connected
PCEs.
Action From operational mode, run the show path-computation-client status command.
LSP Summary
Total number of LSPs : 1
Static LSPs : 0
Externally controlled LSPs : 0
Externally provisioned LSPs : 1/16000 (current/limit)
Orphaned LSPs : 0
PCE1 (main)
Delegated : 1
Externally provisioned : 1
PCE2
Delegated : 0
Externally provisioned : 0
Meaning The output displays the status of the PCEP session between the active stateful PCEs
and the PCC. It also displays information about the different types of LSPs on the PCC,
and the number of LSPs provisioned by the connected PCEs and delegated to them.
PCE1 is the main active PCE and has one PCE-initiated LSP that has been automatically
delegated to it by the PCC.
Action From operational mode, run the show path-computation-client active-pce detail command.
Counters
PCReqs Total: 0 last 5min: 0 last hour: 0
Timers
Local Keepalive timer: 30 [s] Dead timer: 120 [s] LSP cleanup timer:
30 [s]
Remote Keepalive timer: 0 [s] Dead timer: 0 [s] LSP cleanup timer:
- [s]
Errors
PCErr-recv
PCErr-sent
PCE-PCC-NTFS
PCC-PCE-NTFS
Meaning The output displays information about the current active stateful PCE to which the PCC
is connected. The PCE status output field indicates the current status of the PCEP session
between a PCE and PCC.
For PCE1, the status of the PCEP session is PCE_STATE_UP, which indicates that the
PCEP session has been established with the PCC.
Verifying the PCE-Initiated LSP Status When the LSP Is Externally Provisioned
Action From operational mode, run the show mpls lsp externally-provisioned detail command.
10.0.101.10
From: 10.0.102.9, State: Up, ActiveRoute: 0, LSPname: lsp15
ActivePath: path1 (primary)
Link protection desired
LSPtype: Externally Provisioned, Penultimate hop popping
LSP Control Status: Externally controlled
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary path1 State: Up
Priorities: 7 0
Bandwidth: 8Mbps
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 3)
10.0.102.10 S 10.0.101.9 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
10=SoftPreempt 20=Node-ID):
10.0.102.10 S 10.0.101.9 S
Meaning In the output, the LSPtype output field shows that the LSP is externally provisioned.
The PCEP session between PCC and PCE1 is up, and the PCC receives the following
PCE-initiated LSP parameters:
• Bandwidth—8 Mbps
Related • Support of the Path Computation Element Protocol for RSVP-TE Overview on page 692
Documentation
• Example: Configuring the Path Computation Element Protocol for MPLS RSVP-TE on
page 707
• Configuring Path Computation Element Protocol for MPLS RSVP-TE with Support of
PCE-Initiated LSPs on page 732
Configuring Path Computation Element Protocol for MPLS RSVP-TE with Support of
PCE-Initiated LSPs
You can configure a Path Computation Client (PCC) with the capability of supporting
dynamically created label switched paths (LSPs) from a centralized external path
computing entity. A stateful Path Computaiton Element (PCE) can be used to perform
external path computation and generate dynamic LSPs when there is an increase in
demand.
A PCC creates the PCE-initiated LSP using the PCE-provided LSP parameters, or
parameters from a pre-configured LSP template when the PCE does not provision the
LSP, and automatically delegates the PCE-initiated LSP to the respective PCE. As a
result, for PCE-initiated LSPs, there is no need for a locally configured LSP on the PCC.
A CLI-controlled LSP, PCE-controlled LSP, and PCE-initiated LSP can coexist with each
other on a PCC.
[edit]
user@PCC# edit protocols pcep
2. Specify the number of messages per minute that the PCC can receive at maximum.
3. Specify the number of externally provisioned label switched paths (LSPs) over all
connected PCEs that the PCC can accept at maximum.
4. Specify the unique user defined ID for the connected PCE to configure the PCE
parameters.
5. Specify the amount of time (in seconds) that the PCC must wait before returning
control of LSPs to the routing protocol process after a PCEP session is disconnected.
The value can range from 1 through 65535 and the default value is 4189.
8. Specify the amount of time (in seconds) that the PCC must wait before deleting any
non-delegated PCE-initiated LSPs from the failed PCE after a PCEP session terminates.
9. Configure the PCC to accept SPs that are externally provisioned by connected PCEs.
By default, the PCC rejects PCE-initiated LSPs.
10. Specify the number of unknown messages per minute that the PCC can receive at
maximum after which the PCEP session is closed.
The value can range from 1 through 16384, and the default value is 0 (disabled or no
limit).
11. Specify the number of unknown requests per minute that the PCC can receive at
maximum after which the PCEP session is terminated.
The value can range from 0 through 16384, and the default value is 5. A value of 0
disables this statement.
13. Specify the amount of time (in seconds) that the PCC must wait for a reply before
resending a request.
user@PCC# show
user@PCC# commit
Sample Output
[edit]
user@PCC# edit protocols pcep
Related • Support of the Path Computation Element Protocol for RSVP-TE Overview on page 692
Documentation
• Example: Configuring Path Computation Element Protocol for MPLS RSVP-TE with
Support of PCE-Initiated LSPs on page 721
Example: Configuring Path Computation Element Protocol for MPLS RSVP-TE with Support
for PCE-Controlled Point-to-Multipoint LSPs
This example shows how to configure the Path Computation Client (PCC) with the
capability of reporting point-to-multipoint traffic engineered label-switched paths (TE
LSPs) to a Path Computation Element (PCE).
Requirements
• Three routers that can be a combination of ACX Series, M Series, MX Series, or T Series
routers.
• One virtual machine configured with Virtual Route Reflector (VRR) feature.
Overview
After a PCEP session is established between a PCE and a PCC, the PCC reports all the
LSPs in the system to the PCE for LSP state synchronization. This includes PCC-controlled,
PCE-delegated, and PCE-initiated point-to-point LSPs. Starting with Junos OS Release
15.1F6 and 16.1R1, this capability is extended to report point-to-multipoint LSPs as well.
Topology
.1 .2 .1 .2
ge-0 / 0/0 1.2.4.0/30 ge-0 / 0/2 ge-0 / 0/0 2.3.4.0/30 ge-0 / 0/3
4.5.0.1/30 ge-0 / 0/1 1.2.3.0/30 ge-0 / 0/5 ge-0 / 0/4 2.3.1.0/30 ge-0 / 0/1
em1 1.4.0.1/30 PCC R1 R2
ge-0/0/4 ge-0 / 0/2 1.2.2.0/30 ge-0 / 0/3 ge-0 / 0/8 2.3.5.0/30 ge-0 / 0/2
em2 ge-0 / 0/3 1.2.5.0/30 ge-0 / 0/6 ge-0 / 0/9 2.3.2.0/30 ge-0 / 0/4
1.4.0.2/30
R3 ge-0 / 0/5 1.2.1.0/30 ge-0 / 0/7 ge-0 / 1/0 2.3.3.0/30 ge-0 / 0/5
(VRR)
ge-0 / 0/6 1.2.0.0/30 ge-0 / 0/1 ge-0 / 1/1 2.3.0.0/30 ge-0 / 0/0
g043463
lo0= lo0= lo0=
128.102.180.228/32 128.102.180.202/32 128.102.177.16/32
In this example, PCC is the ingress router, Router R1 is the transit router, and Router R2
is the egress router. PCC is connected to a Virtual Route Reflector (VRR) that is connected
to a PCE. There are many point-to-multipoint interfaces between PCC, Router R1, and
Router R2.
5. Once all the LSPs are reported to the PCE, LSP state is synchronized between the
PCE and PCC.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode.
1. Configure the interfaces of Router PCC. To enable MPLS, include the protocol family
on the interface so that the interface does not discard incoming MPLS traffic.
[edit interfaces]
user@PCC# set ge-0/0/0 unit 0 family inet address 1.2.4.1/30
user@PCC# set ge-0/0/0 unit 0 family mpls
[edit routing-options]
user@PCC# set autonomous-system 100
3. Enable RSVP on all interfaces of Router PCC, excluding the management interface.
[edit protocols]
user@PCC# set rsvp interface all
user@PCC# set rsvp interface fxp0.0 disable
4. Enable MPLS on all the interfaces of Router PCC, excluding the management
interface.
[edit protocols]
user@PCC# set mpls interface all
user@PCC# set mpls interface fxp0.0 disable
5. Configure a dynamic LSP and disable automatic path computation for the LSP.
[edit protocols]
user@PCC# set mpls label-switched-path lsp_template_no_cspf template
user@PCC# set mpls label-switched-path lsp_template_no_cspf no-cspf
6. Configure point-to-multipoint LSPs and define external path computing entity for
the LSP.
[edit protocols]
user@PCC# set mpls label-switched-path lsp1-pcc to 128.102.177.16
user@PCC# set mpls label-switched-path lsp2-pcc to 128.102.177.16
user@PCC# set mpls label-switched-path lsp2-pcc lsp-external-controller pccd
7. Enable external path computing for the MPLS LSPs and assign a template for
externally provisioned LSPs.
[edit protocols]
user@PCC# set mpls lsp-external-controller pccd pce-controlled-lsp
pcc_delegated_no_cspf_* label-switched-path-template lsp_template_no_cspf
user@PCC# set mpls lsp-external-controller pccd pce-controlled-lsp
pce_initiated_no_ero_no_cspf_* label-switched-path-template
lsp_template_no_cspf
user@PCC# set mpls lsp-external-controller pccd pce-controlled-lsp
pce_initiated_loose_ero_no_cspf_* label-switched-path-template
lsp_template_no_cspf
8. Configure the LSPs that have local control and are overridden by the PCE-provided
LSP parameters.
[edit protocols]
user@PCC# set mpls path loose-path 1.2.3.2 loose
user@PCC# set mpls path strict-path 1.2.3.2 strict
user@PCC# set mpls path strict-path 2.3.3.2 strict
user@PCC# set mpls path path-B
user@PCC# set mpls path path-C
[edit protocols]
user@PCC# set mpls admin-groups violet 1
user@PCC# set mpls admin-groups indigo 2
user@PCC# set mpls admin-groups blue 3
user@PCC# set mpls admin-groups green 4
user@PCC# set mpls admin-groups yellow 5
user@PCC# set mpls admin-groups orange 6
10. Assign the configured administrative group policies to Router PCC interfaces.
[edit protocols]
user@PCC# set mpls interface ge-0/0/6.0 admin-group violet
user@PCC# set mpls interface ge-0/0/5.0 admin-group indigo
user@PCC# set mpls interface ge-0/0/2.0 admin-group blue
user@PCC# set mpls interface ge-0/0/1.0 admin-group green
user@PCC# set mpls interface ge-0/0/0.0 admin-group yellow
user@PCC# set mpls interface ge-0/0/3.0 admin-group orange
[edit protocols]
user@PCC# set mpls traffic-engineering database import policy TE
[edit protocols]
user@PCC# set bgp group northstar type internal
user@PCC# set bgp group northstar local-address 128.102.180.228
user@PCC# set bgp group northstar neighbor 128.102.180.215
13. Configure traffic engineering for BGP and assign the export policy.
[edit protocols]
user@PCC# set bgp group northstar family traffic-engineering unicast
user@PCC# set bgp group northstar export TE
14. Configure OSPF area 0 on all the point-to-multipoint interfaces of Router PCC.
[edit protocols]
user@PCC# set ospf area 0.0.0.0 interface lo0.0
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/6.0
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/5.0
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/2.0
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/1.0
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/0.0
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/3.0
[edit protocols]
user@PCC# set ospf area 0.0.0.0 interface ge-0/0/4.0 interface-type p2p
[edit protocols]
user@PCC# set ospf traffic-engineering
17. Define the PCE that Router PCC connects to, and configure the the PCE parameters.
[edit protocols]
user@PCC# set pcep pce pce1 local-address 10.102.180.228
user@PCC# set pcep pce pce1 destination-ipv4-address 10.102.180.246
user@PCC# set pcep pce pce1 destination-port 4189
user@PCC# set pcep pce pce1 pce-type active
user@PCC# set pcep pce pce1 pce-type stateful
user@PCC# set pcep pce pce1 lsp-provisioning
user@PCC# set pcep pce pce1 lsp-cleanup-timer 0
user@PCC# set pcep pce pce1 delegation-cleanup-timeout 60
18. Configure Router PCC to enable point-to-multipoint LSP capability for external
path computing.
[edit protocols]
set pcep pce pce1 p2mp-lsp-report-capability
[edit policy-options]
user@PCC# set policy-statement TE term 1 from family traffic-engineering
user@PCC# set policy-statement TE term 1 then accept
Results
From configuration mode, confirm your configuration by entering the show interfaces and
show protocols commands. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
family inet {
address 1.2.2.1/30;
}
family mpls;
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 1.2.5.1/30;
}
family mpls;
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 1.4.0.1/30;
}
family mpls;
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 1.2.1.1/30;
}
family mpls;
}
}
ge-0/0/6 {
unit 0 {
family inet {
address 1.2.0.1/30;
}
family mpls;
}
}
}
}
pce-controlled-lsp pce_initiated_loose_ero_no_cspf_* {
label-switched-path-template {
lsp_template_no_cspf;
}
}
}
traffic-engineering {
database {
import {
policy TE;
}
}
}
admin-groups {
violet 1;
indigo 2;
blue 3;
green 4;
yellow 5;
orange 6;
}
label-switched-path lsp_template_no_cspf {
template;
no-cspf;
}
label-switched-path lsp1-pcc {
to 128.102.177.16;
}
label-switched-path lsp2-pcc {
to 128.102.177.16;
lsp-external-controller pccd;
}
path loose-path {
1.2.3.2 loose;
}
path strict-path {
1.2.3.2 strict;
2.3.3.2 strict;
}
path path-B;
path path-C;
interface all;
interface ge-0/0/6.0 {
admin-group violet;
}
interface ge-0/0/5.0 {
admin-group indigo;
}
interface ge-0/0/2.0 {
admin-group blue;
}
interface ge-0/0/1.0 {
admin-group green;
}
interface ge-0/0/0.0 {
admin-group yellow;
}
interface ge-0/0/3.0 {
admin-group orange;
}
interface fxp0.0 {
disable;
}
}
bgp {
group northstar {
type internal;
local-address 128.102.180.228;
family traffic-engineering {
unicast;
}
export TE;
neighbor 128.102.180.215;
}
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/6.0;
interface ge-0/0/5.0;
interface ge-0/0/2.0;
interface ge-0/0/1.0;
interface ge-0/0/0.0;
interface ge-0/0/3.0;
interface ge-0/0/4.0 {
interface-type p2p;
}
}
}
pcep {
pce pce1 {
local-address 10.102.180.228;
destination-ipv4-address 10.102.180.246;
destination-port 4189;
pce-type active stateful;
lsp-provisioning;
lsp-cleanup-timer 0;
delegation-cleanup-timeout 60;
p2mp-lsp-report-capability;
}
}
Verification
Purpose Verify the LSP type and running state of the point-to-multipoint LSP.
Action From operational mode, run the show mpls lsp extensive command.
128.102.177.16
From: 128.102.180.228, State: Up, ActiveRoute: 0, LSPname: lsp1-pcc
ActivePath: (primary)
LSPtype: Static Configured, Penultimate hop popping
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2)
1.2.1.2 S 2.3.0.2 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
1.2.1.2 2.3.0.2
6 Jul 12 14:44:10.620 Selected as active path
5 Jul 12 14:44:10.617 Record Route: 1.2.1.2 2.3.0.2
4 Jul 12 14:44:10.615 Up
3 Jul 12 14:44:10.175 Originate Call
2 Jul 12 14:44:10.174 CSPF: computation result accepted 1.2.1.2 2.3.0.2
1 Jul 12 14:43:41.442 CSPF failed: no route toward 128.102.177.16[2 times]
Created: Tue Jul 12 14:42:43 2016
128.102.177.16
From: 128.102.180.228, State: Up, ActiveRoute: 0, LSPname: lsp2-pcc
ActivePath: (primary)
LSPtype: Externally controlled - static configured, Penultimate hop popping
LSP Control Status: Externally controlled
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
External Path CSPF Status: external
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
1.2.4.2 2.3.0.2
50 Jul 12 14:50:14.699 EXTCTRL LSP: Sent Path computation request and LSP
status
49 Jul 12 14:50:14.698 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
48 Jul 12 14:49:27.859 EXTCTRL LSP: Sent Path computation request and LSP
status
47 Jul 12 14:49:27.859 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
46 Jul 12 14:49:27.858 EXTCTRL LSP: Sent Path computation request and LSP
status
45 Jul 12 14:49:27.858 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
44 Jul 12 14:49:27.858 EXTCTRL_LSP: Control status became external
43 Jul 12 14:49:03.746 EXTCTRL_LSP: Control status became local
42 Jul 12 14:46:52.367 EXTCTRL LSP: Sent Path computation request and LSP
status
status
10 Jul 12 14:42:43.343 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
9 Jul 12 14:42:43.343 EXTCTRL LSP: Sent Path computation request and LSP
status
8 Jul 12 14:42:43.343 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
7 Jul 12 14:42:43.342 EXTCTRL LSP: Sent Path computation request and LSP
status
6 Jul 12 14:42:43.342 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
5 Jul 12 14:42:43.341 EXTCTRL_LSP: Control status became external
4 Jul 12 14:42:43.337 EXTCTRL_LSP: Control status became local
3 Jul 12 14:42:43.323 EXTCTRL LSP: Sent Path computation request and LSP
status
2 Jul 12 14:42:43.323 EXTCTRL_LSP: Computation request/lsp status contains:
signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0)
priority setup 7 hold 0
1 Jul 12 14:42:43.258 EXTCTRL LSP: Awaiting external controller connection
Created: Tue Jul 12 14:42:43 2016
Total 2 displayed, Up 2, Down 0
Meaning The output displays the lsp2-pcc LSP as the PCE-controlled LSP.
Action From operational mode, run the show path-computation-client active-pce command.
Counters
PCReqs Total: 0 last 5min: 0 last hour: 0
Timers
Local Keepalive timer: 30 [s] Dead timer: 120 [s] LSP cleanup timer:
0 [s]
Remote Keepalive timer: 30 [s] Dead timer: 120 [s] LSP cleanup timer:
0 [s]
Errors
PCErr-recv
PCErr-sent
Type: 1 Value: 2 Count: 1
PCE-PCC-NTFS
PCC-PCE-NTFS
Meaning The output displays the active PCE that Router PCC is connected to, and the pce1 PCE
parameters and state.
Related • Support of the Path Computation Element Protocol for RSVP-TE Overview on page 692
Documentation
A bridge domain is a set of logical interfaces that share the same flooding or broadcast
characteristics. Layer 2 logical interfaces are created by defining one or more logical units
on a physical interface with encapsulation as ethernet-bridge or vlan-bridge. All the
member ports of the bridge domain participate in Layer 2 learning and forwarding. You
can configure one or more bridge domains on ACX Series routers to perform Layer 2
bridging. The Layer 2 bridging functions of ACX Series routers include integrated routing
and bridging (IRB) support for Layer 2 bridging and Layer 3 IP routing on the same
interface. IRB enables you to route packets to another routed interface or to another
bridge domain that has a Layer 3 protocol configured
NOTE: ACX Series routers do not support the creation of bridge domains by
using access and trunk ports.
You can configure E-LAN and E-LINE services by using bridge domains.
On ACX Series routers, you can configure bridge domains by using the following methods:
NOTE: The Layer 2 CLI configurations and show commands for ACX5048
and ACX5096 routers differ compared to other ACX Series routers. For more
information, see “Understanding Layer 2 Next Generation Mode on ACX5048
and ACX5096 Routers” on page 1167.
When you configure E-LAN and E-LINE services using a bridge domain without a vlan-id
number statement, the bridge domain should explicitly be normalized to a service VLAN
ID and TPID by configuring an input VLAN map under a logical interface. Explicit
normalization is required when a logical interface’s outer VLAN ID and TPID is not the
same as the service VLAN ID and TPID of the service being configured using a bridge
domain.
The following input VLAN map functions are supported in ACX Series routers:
• pop—Remove a VLAN tag from the top of the VLAN tag stack.
• swap-swap—Replace both the outer and inner VLAN tags of the frame.
NOTE: push-push does not work on ACX Series routers if the incoming
packet already has a VLAN tag.
The following VLAN map functions are not supported in ACX Series routers:
• swap-push—Replace the outer VLAN tag of the frame and add a new VLAN tag to the
top of the VLAN stack.
• pop-swap—Remove the outer VLAN tag of the frame and replace the inner VLAN tag
of the frame.
• pop-pop—Remove both the outer and inner VLAN tags of the frame.
A bridge domain can also be created by using aggregated Ethernet interfaces. Aggregated
Ethernet interfaces are considered as logical interfaces in a bridge domain.
The following steps outline the process for bridging a packet received over a Layer 2
logical interface:
1. When a packet is received on a physical port, it is accepted only if the VLAN identifier
of the packet matches the VLAN identifier of one of the logical interfaces configured
on that port.
2. If the bridge domain is configured without a vlan-id number statement, then the VLAN
tags are rewritten based on the input VLAN map configured on the logical interface
and normalized to a service VLAN ID.
3. If the bridge domain is configured with a normalizing VLAN identifier by using the
vlan-id number statement, the VLAN tags of the received packet are compared with
the normalizing VLAN identifier. If the VLAN tags of the packet are different from the
normalizing VLAN identifier, the VLAN tags are rewritten as described in
Table 48 on page 758.
4. If the source MAC address of the received packet is not present in the source MAC
table, it is learned based on the normalizing VLAN identifier.
5. The packet is then forwarded toward one or more outbound Layer 2 logical interfaces
based on the destination MAC address. A packet with a known unicast destination
MAC address is forwarded only to one outbound logical interface.
6. If the bridge domain is configured without a vlan-id number statement, then for each
outbound Layer 2 logical interface, the VLAN tags are rewritten based on the output
VLAN map configured on that logical interface.
7. If the bridge domain is configured with a normalizing VLAN identifier by using the
vlan-id number statement, for each outbound Layer 2 logical interface, the normalizing
VLAN identifier configured for the bridge domain is compared with the VLAN tags
configured on that logical interface. If the VLAN tags associated with an outbound
logical interface do not match the normalizing VLAN identifier configured for the bridge
domain, the VLAN tags are rewritten as described in Table 49 on page 758.
Table 48 on page 758 shows specific examples of how the VLAN tags of packets sent to
the bridge domain are processed and translated, depending on your configuration. “–”
means that the statement is not supported for the specified logical interface VLAN
identifier. “No operation” means that the VLAN tags of the received packet are not
translated for the specified input logical interface.
Table 48: Statement Usage and Input Rewrite Operations for VLAN Identifiers for a Bridge
Domain
VLAN Configurations for Bridge Domain
VLAN Identifier of
Logical Interface vlan-id none vlan-id 200
vlan-tags outer 2000 pop 2000, pop 300 pop 2000, swap 300
inner 300 to 200
vlan-tags outer 100 pop 100, pop 400 pop 100, swap 400
inner 400 to 200
vlan-id-range 10-100 – –
Table 49 on page 758 shows specific examples of how the VLAN tags for packets sent
from the bridge domain are processed and translated, depending on your configuration.
“–” means that the statement is not supported for the specified logical interface VLAN
identifier. “No operation” means that the VLAN tags of the outbound packet are not
translated for the specified output logical interface.
Table 49: Statement Usage and Output Rewrite Operations for VLAN Identifiers for a Bridge
Domain
VLAN Configurations for Bridge Domain
VLAN Identifier of
Logical Interface vlan-id none vlan-id 200
vlan-tags outer 2000 push 2000, push 300 swap 200 to 300,
inner 300 push 2000
vlan-tags outer 100 inner 400 push 100, push 400 swap 200 to 400,
push 100
vlan-id-range 10-100 – –
Limitations on Layer 2 bridging—The following Layer 2 bridging limitations apply for ACX
Series Universal Access Routers:
• A bridge domain cannot have two or more logical interfaces that belong to the same
physical interface.
• The maximum number of supported input VLAN maps with TPID swap is 64.
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
When you configure a bridge domain, Layer 2 address learning is enabled by default. The
bridge domain learns unicast media access control (MAC) addresses to avoid flooding
the packets to all the ports in the bridge domain. Each bridge domain creates a source
MAC entry in its source and destination MAC tables for each source MAC address learned
from packets received on the ports that belong to the bridge domain.
NOTE: Traffic is not flooded back onto the interface on which it was received.
You can optionally disable MAC learning either for the entire router or for a specific bridge
domain. You can also configure the following Layer 2 learning and forwarding properties:
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
A bridge domain must include a set of logical interfaces that participate in Layer 2 learning
and forwarding.
[edit]
bridge-domains {
bridge-domain-name {
interface interface-name;
vlan-id (none | number);
vlan-id-list [ vlan-id-numbers ];
}
}
You cannot use the slash (/) character in bridge domain names. If you do, the configuration
does not commit and an error is generated.
For the vlan-id statement, you can specify either a valid VLAN identifier or none.
To include one or more logical interfaces in the bridge domain, specify an interface name
for an Ethernet interface you configured at the [edit bridge-domains bridge-domain-name]
hierarchy level.
To configure a layer 2 logical interface to be included in a bridge domain, you can either
include the encapsulation vlan-bridge statement under the logical interface, or the
encapsulation ethernet-bridge statement under the physical interface.
• Layer 2 Learning and Forwarding for Bridge Domains Overview on page 759
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
Integrated routing and bridging (IRB) provides simultaneous support for Layer 2 bridging
and Layer 3 routing on the same interface. IRB enables you to route packets to another
routed interface or to another bridge domain that has an IRB interface configured. You
configure a logical routing interface by including the irb statement at the [edit interfaces]
hierarchy level and include that interface in the bridge domain. For more information
about how to configure a routing interface, see the Junos OS Network Interfaces Library
for Routing Devices.
NOTE: You can include only one routing interface in a bridge domain.
• Routing protocols supported on an IRB interface are BGP, ISIS, OSPF, RIP, IGMP, and
PIM.
• Firewall filters (multifield filter) can be used to assign forwarding class and loss
priority. You should define a family inet or inet6 filter and apply it as the input filter
on an IRB logical interface under family inet.
• [edit protocols (bgp | isis | ospf | rip | igmp | pim) interface irb.unit] hierarchy level
In ACX5048 and ACX5096 routers, you can configure IRB at the [edit vlans vlan-name]
l3-interface irb.unit; level.
NOTE: The Layer 2 CLI configurations and show commands for ACX5048
and ACX5096 routers differ compared to other ACX Series routers. For more
information, see “Understanding Layer 2 Next Generation Mode on ACX5048
and ACX5096 Routers” on page 1167.
To configure a bridge domain with IRB support, include the following statements:
[edit]
bridge-domains {
bridge-domain-name {
domain-type bridge;
interface interface-name;
routing-interface routing-interface-name;
vlan-id (none | number);
vlan-tags outer number inner number;
}
}
For each bridge domain that you configure, specify a bridge-domain-name. You must also
specify the value bridge for the domain-type statement.
For the vlan-id statement, you can specify either a valid VLAN identifier or the none option.
The vlan-tags statement enables you to specify a pair of VLAN identifiers; an outer tag
and an inner tag.
NOTE: For a single bridge domain, you can include either the vlan-id statement
or the vlan-tags statement, but not both.
To include one or more logical interfaces in the bridge domain, specify the interface-name
for each Ethernet interface to include that you configured at the [edit interfaces] hierarchy
level.
In Junos OS Release 9.0 and later, IRB interfaces are supported for multicast snooping.
For more information about multicast snooping, see the Multicast Protocols Feature Guide.
NOTE: When you configure multiple IRB logical interfaces, all the IRB logical
interfaces share the same MAC address.
[edit]
interfaces {
ge-1/0/0 {
encapsulation flexible-ethernet-services;
flexible-vlan-tagging;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
}
ge-1/0/1 {
encapsulation flexible-ethernet-services;
flexible-vlan-tagging;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
}
irb {
unit 0 {
family inet {
address 10.0.1.2/24 {
}
}
}
}
bridge-domains {
bd {
domain-type bridge;
vlan-id none;
interface ge-1/0/0.0;
interface ge-1/0/1.0;
routing-interface irb.0;
}
}
Related
Documentation
You can configure VLAN identifiers for a bridge domain for normalization in the following
ways:
• Configure an implicit normalizing VLAN identifier under the bridge domain by using the
vlan-id statement at the [edit bridge-domains bridge-domain-name] hierarchy level.
NOTE: You cannot configure VLAN mapping by using the input-vlan-map and
output-vlan-map statements if you configure a normalizing VLAN identifier
for a bridge domain by using the vlan-id statement.
You can use the vlan-id-list [ vlan-id-numbers ] statement to configure bridging for multiple
VLANs. Configuring this statement creates a bridge domain for:
• Each VLAN in a list and range combination—for example, vlan-id-list [ 50, 100-200,
300 ]
• Layer 2 Learning and Forwarding for Bridge Domains Overview on page 759
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
You can disable MAC learning in a bridge domain. Disabling dynamic MAC learning
prevents the bridge domain from learning source MAC addresses.
[edit]
bridge-domains {
bridge-domain-name {
bridge-options {
no-mac-learning;
}
}
}
NOTE: When you disable MAC learning, source MAC addresses are not
dynamically learned, and any packets sent to these source addresses are
flooded into the bridge domain.
• Layer 2 Learning and Forwarding for Bridge Domains Overview on page 759
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series
You can manually add static MAC entries for the logical interfaces in a bridge domain.
You can specify one or more static MAC addresses for each logical interface.
To add a static MAC address for a logical interface in a bridge domain, include the
static-mac mac-address statement at the [edit bridge-domains bridge-domain-name
bridge-options interface interface-name] hierarchy level.
[edit]
bridge-domains {
bridge-domain-name {
bridge-options {
interface interface-name {
static-mac mac-address {
}
}
}
}
}
• Layer 2 Learning and Forwarding for Bridge Domains Overview on page 759
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series
You can modify the size of the MAC address table for each bridge domain. The default
table size is 5120 addresses per bridge domain. The minimum you can configure is 1
address, and the maximum is 32,000 addresses.
If the MAC table limit is reached, new addresses can no longer be added to the table.
NOTE: Unused MAC addresses are removed from the MAC address table
automatically. This frees space in the table thereby allowing new entries to
be added.
To modify the size of the MAC table, include the mac-table-size limit statement at the
[edit bridge-domains bridge-domain-name bridge-options] hierarchy level:
[edit]
bridge-domains {
bridge-domain-name {
bridge-options {
mac-table-size limit {
packet-action drop;
}
}
}
}
• Layer 2 Learning and Forwarding for Bridge Domains Overview on page 759
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
You can configure a limit on the number of MAC addresses learned from a specific logical
interface. This feature allows the MAC address table space to be distributed among
different logical interfaces thereby avoiding congestion. The MAC address limit can be
applied for both VLAN and VPLS routing instances and by default the MAC limit depends
on the profile configured. You can limit MAC addresses for a bridge domain and a logical
interface at the same time.
[edit protocols]
l2-learning {
global-no-hw-mac-learning;
}
The following is an example to configure a limit for the number of MAC addresses learned
on a logical interface in a VLAN:
[edit vlans]
vlan10 {
interface ge-0/0/3.1;
interface ge-0/0/1.5;
switch-options {
interface-mac-limit {
10;
}
}
interface ge-0/0/1.5 {
interface-mac-limit {
20;
}
}
}
The following is an example to configure a limit for the number of MAC addresses learned
on a logical interface in VPLS routing instance:
[routing-instance]
v1 {
protocols {
vpls {
interface-mac-limit {
10;
}
interface ge-0/0/1.3 {
interface-mac-limit {
20;
}
}
}
}
}
If you have configured interface MAC address limit for the logical interface in a bridge
domain and global MAC address limit for a bridge domain, then the interface MAC address
limit is considered. The following example shows two MAC address limits configured on
the interface ge-0/0/3.5 with global value as 50 and local as 30. In this case, the MAC
address limit of 30 is considered for the interface ge-0/0/3.5 in the bridge domain.
vlan20 {
interface ge-0/0/1.5;
interface ge-0/0/3.5;
switch-options {
interface-mac-limit {
50;
}
interface ge-0/0/1.5;
interface ge-0/0/3.5 {
interface-mac-limit {
30;
}
}
}
}
VPLS routing instance. This limit is applied to all logical interfaces belonging to the
VPLS for which the separate interface MAC address limit is not configured.
Related
Documentation
In a bridge domain, when a frame is received from a CE interface, it is flooded to the other
CE interfaces and all of the provider edge (PE) interfaces if the destination MAC address
is not learned or if the frame is either broadcast or multicast. If the destination MAC
address is learned on another CE device, such a frame is unicasted to the CE interface
on which the MAC address is learned. This might not be desirable if the service provider
does not want CE devices to communicate with each other directly.
For the no-local-switching option , integrated routing and bridging (IRB) configured on a
bridge domain with this option enabled is not treated as a designated CE or PE interface.
Traffic arriving from a CE or PE interface can navigate towards IRB and traffic that reaches
in the input direction to the IRB can pass out of a CE or PE interface. The disabling of
local switching achieves the functionality of split-horizon in a bridge domain. If
no-local-switching is configured in a bridge domain, , then traffic cannot flow between
CE and CE interfaces. This stoppage of trafic flow includes known unicast and multicast,
unknown unicast and multicast, and broadcast traffic. However, traffic continues to be
transmitted between CE and PE interfaces, and PE and PE interfaces..
Q-in-Q tunneling allows service providers to create a Layer 2 Ethernet connection between
two customer sites. Providers can segregate different customers’ VLAN traffic on a link
(for example, if the customers use overlapping VLAN IDs) or bundle different customer
VLANs into a single service VLAN. Service providers can use Q-in-Q tunneling to isolate
customer traffic within a single site or to enable customer traffic flows across geographic
locations.
Q-in-Q tunneling adds a service VLAN tag before the customer’s 802.1Q VLAN tags. The
Juniper Networks Junos operating system implementation of Q-in-Q tunneling supports
the IEEE 802.1ad standard.
In ACX Series routers, you can configure Q-in-Q tunneling by explicitly configuring an
input VLAN map with push function on customer facing interfaces in a bridge domain.
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
To configure Q-in-Q tunneling, you need to configure the logical interface connected to
the customer network (user-to-network interfaces (UNI)) and the logical interface
connected to the service provider network (network-to-network interface (NNI)).
[edit]
interface ge-1/0/1 {
flxible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
encapsulation vlan-bridge;
vlan-id-list 10-20;
input-vlan-map {
push;
vlan-id 500;
}
output-vlan-map pop;
}
}
[edit]
interface ge-1/0/2; {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
encapsulation vlan-bridge;
vlan-id 500;
}
}
[edit]
bridge-domains {
qnq-stag-500{
interface ge-1/0/1;
interface ge-1/0/2;
}
}
You can configure Q-in-Q tunneling on aggregated Ethernet interface connected to the
customer network (UNI) and the logical interface connected to the service provider
network (NNI).
• Layer 2 Learning and Forwarding for Bridge Domains Overview on page 759
• Configuring VLAN Identifiers for Bridge Domains in ACX Series on page 764
• Disabling MAC Learning for Bridge Domains on ACX Series on page 765
• Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain in ACX
Series on page 766
• Configuring the Size of the MAC Address Table for Bridge Domains in ACX Series on
page 766
The Junos OS implementation of Layer 2 circuits supports only the remote form of a
Layer 2 circuit; that is, a connection from a local customer edge (CE) router to a remote
CE router.
Related • Configuring the Address for the Neighbor of the Layer 2 Circuit on page 774
Documentation
• Configuring the Neighbor Interface for the Layer 2 Circuit on page 774
• Configuring the Interface Encapsulation Type for Layer 2 Circuits on page 779
All the Layer 2 circuits using a particular remote PE router designated for remote CE
routers are listed under the neighbor statement (“neighbor” designates the PE router).
Each neighbor is identified by its IP address and is usually the end-point destination for
the label-switched path (LSP) tunnel transporting the Layer 2 circuit.
To configure a PE router as a neighbor for a Layer 2 circuit, specify the neighbor address
using the neighbor statement:
neighbor address {
...
}
• Configuring the Interface Encapsulation Type for Layer 2 Circuits on page 779
Each Layer 2 circuit is represented by the logical interface connecting the local provider
edge (PE) router to the local customer edge (CE) router. This interface is tied to the
Layer 2 circuit neighbor configured in “Configuring the Address for the Neighbor of the
Layer 2 Circuit” on page 774.
To configure the interface for a Layer 2 circuit neighbor, include the interface statement:
interface interface-name {
bandwidth (bandwidth | ctnumber bandwidth);
community community-name;
(control-word | no-control-word);
description text;
encapsulation-type type;
ignore-encapsulation-mismatch;
ignore-mtu-mismatch;
mtu mtu-number;
no-revert;
protect-interface interface-name;
pseudowire-status-tlv;
psn-tunnel-endpoint address;
virtual-circuit-id identifier;
}
• Configuring the Encapsulation Type for the Layer 2 Circuit Neighbor Interface on page 777
community community-name;
To emulate the virtual circuit (VC) encapsulation for Layer 2 circuits, a 4-byte control
word is added between the Layer 2 protocol data unit (PDU) being transported and the
VC label that is used for demultiplexing. For most protocols, a null control word consisting
of all zeroes is sent between Layer 2 circuit neighbors.
However, individual bits are available in a control word that can carry Layer 2 protocol
control information. The control information is mapped into the control word, which
allows the header of a Layer 2 protocol to be stripped from the frame. The remaining
data and control word can be sent over the Layer 2 circuit, and the frame can be
reassembled with the proper control information at the egress point of the circuit.
The following Layer 2 protocols map Layer 2 control information into special bit fields in
the control word:
• Frame Relay—The control word supports the transport of discard eligible (DE), forward
explicit congestion notification (FECN), and backward explicit congestion notification
(BECN) information.
• ATM AAL5 mode—The control word supports the transport of sequence number
processing, ATM cell loss priority (CLP), and explicit forward congestion indication
(EFCI) information. When you configure an AAL5 mode Layer 2 circuit, the control
information is carried by default and no additional configuration is needed.
• ATM cell-relay mode—The control word supports sequence number processing only.
When you configure a cell-relay mode Layer 2 circuit, the sequence number information
is carried by default and no additional configuration is needed.
The Junos OS implementation of sequence number processing for ATM cell-relay mode
and AAL5 mode is not the same as that described in Sec. 3.1.2 of the IETF draft
Encapsulation Methods for Transport of Layer 2 Frames Over IP and MPLS Networks. The
differences are as follows:
• A packet that does not have the next incremental sequence number is considered out
of sequence.
• When out-of-sequence packets arrive, the sequence number in the Layer 2 circuit
control word increments by one and becomes the expected sequence number for the
neighbor.
The Junos OS can typically determine whether a neighboring router supports the control
word. However, if you want to explicitly disable its use on a specific interface, include the
no-control-word statement in the configuration.
Related • Configuring the Neighbor Interface for the Layer 2 Circuit on page 774
Documentation
• Configuring the Encapsulation Type for the Layer 2 Circuit Neighbor Interface on page 777
Configuring the Encapsulation Type for the Layer 2 Circuit Neighbor Interface
You can specify the Layer 2 circuit encapsulation type for the interface receiving traffic
from a Layer 2 circuit neighbor. The encapsulation type is carried in the LDP-signaling
messages exchanged between Layer 2 circuit neighbors when pseudowires are created.
The encapsulation type you configure for each Layer 2 circuit neighbor varies depending
on the type of networking equipment or the type of Layer 2 protocol you have deployed
in your network. If you do not specify an encapsulation type for the Layer 2 circuit, the
encapsulation of the CE device interface is used by default.
Specify the encapsulation type for the Layer 2 circuit neighbor interface by including the
encapsulation-type statement:
You can include this statement at the [edit protocols l2circuit neighbor address interface
interface-name] hierarchy levels:
Related • Enabling the Layer 2 Circuit When the Encapsulation Does Not Match on page 780
Documentation
• Enabling the Layer 2 Circuit When the MTU Does Not Match on page 780
By default, the MTU used to advertise a Layer 2 circuit is determined by taking the interface
MTU for the associated physical interface and subtracting the encapsulation overhead
for sending IP packets based on the encapsulation.
However, encapsulations that support multiple logical interfaces (and multiple Layer 2
circuits) rely on the same interface MTU (since they are all associated with the same
physical interface). This can prove to be a limitation for VLAN Layer 2 circuits using the
same Ethernet interface or for Layer 2 circuit DLCIs using the same Frame Relay interface.
This can also affect multivendor environments. For example, if you have three PE devices
supplied by different vendors and one of the devices only supports an MTU of 1500, even
if the other devices support larger MTUs you must to configure the MTU as 1500 (the
smallest MTU of the three PE devices).
You can explicitly configure which MTU is advertised for a Layer 2 circuit, even if the
Layer 2 circuit is sharing a physical interface with other Layer 2 circuits. When you explicitly
configure an MTU for a Layer 2 circuit, be aware of the following:
• An explicitly configured MTU is signaled to the remote PE device. The configured MTU
is also compared to the MTU received from the remote PE device. If there is a conflict,
the Layer 2 circuit is taken down.
• If you configure an MTU for an ATM cell relay interface on an ATM II PIC, the configured
MTU is used to compute the cell bundle size advertised for that Layer 2 circuit, instead
of the default interface MTU.
• A configured MTU is used only in the control plane. It is not enforced in the data plane.
You need to ensure that the CE device for a given Layer 2 circuit uses the correct MTU
for data transmission.
To configure the MTU for a Layer 2 circuit, include the mtu statement at the [edit protocols
l2circuit neighbor address interface interface-name] hierarchy level.
mtu mtu-number;
You can configure a protect interface for the logical interface linking a virtual circuit to
its destination, whether the destination is remote or local. A protect interface provides
a backup for the protected interface in case of failure. Network traffic uses the primary
interface only so long as the primary interface functions. If the primary interface fails,
traffic is switched to the protect interface. The protect interface is optional.
protect-interface interface-name;
For a list of hierarchy levels at which you can include this statement, see the statement
summary section for this statement.
You configure a virtual circuit ID on each interface. Each virtual circuit ID uniquely identifies
the Layer 2 circuit among all the Layer 2 circuits to a specific neighbor. The key to
identifying a particular Layer 2 circuit on a PE router is the neighbor address and the virtual
circuit ID. An LDP-FEC-to-label binding is associated with a Layer 2 circuit based on the
virtual circuit ID in the FEC and the neighbor that sent this binding. The LDP-FEC-to-label
binding enables the dissemination of the VPN label used for sending traffic on that Layer 2
circuit to the remote CE device. When an LDP peer sends a Label Withdraw message for
a Layer 2 circuit FEC with a non zero group ID, the Junos OS software sends the Label
Release message with the group ID for the Layer 2 circuit associated with the FEC.
You also configure a virtual circuit ID for each redundant pseudowire. A redundant
pseudowire is identified by the backup neighbor address and the virtual circuit ID.
virtual-circuit-id identifier;
For a list of hierarchy levels at which you can include this statement, see the statement
summary section for this statement.
The Layer 2 encapsulation type is carried in the LDP forwarding equivalence class (FEC).
You can configure either circuit cross-connect (CCC) or translational cross-connect
(TCC) encapsulation types for Layer 2 circuits. For more information, see the Junos OS
Network Interfaces Library for Routing Devices.
To configure the interface encapsulation for a Layer 2 circuit, include the encapsulation
statement:
encapsulation encapsulation;
You can configure two Layer 2 circuits between the same two routers, and have one
Layer 2 circuit traverse an RSVP LSP and the other traverse an LDP LSP. To accomplish
this, you need to configure two loopback addresses on the local router. You configure
one of the loopback address for the Layer 2 circuit traversing the RSVP LSP. You configure
the other loopback address to handle the Layer 2 circuit traversing the LDP LSP.
You also need to configure a packet switched network (PSN) tunnel endpoint for one of
the Layer 2 circuits. It can be either the Layer 2 circuit traversing the RSVP LSP or the one
traversing the LDP LSP. The PSN tunnel endpoint address is the destination address for
the LSP on the remote router.
To configure the address for the PSN tunnel endpoint, include the psn-tunnel-endpoint
statement:
psn-tunnel-endpoint address;
By default, the PSN tunnel endpoint for a Layer 2 circuit is identical to the neighbor
address, which is also the same as the LDP neighbor address.
The tunnel endpoints on the remote router do not need to be loopback addresses.
The following example illustrates how you might configure a PSN tunnel endpoint:
The Layer 2 circuit configured for the t1-0/2/2.0 interface resolves in the inet3 routing
table to 20.20.20.20. This could be either an RSVP route or a static route with an LSP
next hop.
Related • Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs
Documentation
Enabling the Layer 2 Circuit When the MTU Does Not Match
You can configure the Junos OS to allow a Layer 2 circuit to be established even though
the MTU configured on the PE router does not match the MTU configured on the remote
PE router by including the ignore-mtu-mismatch statement at the [edit protocols l2circuit
neighbor address interface interface-name] hierarchy level.
Related • Configuring the MTU Advertised for a Layer 2 Circuit on page 777
Documentation
• Configuring the Media MTU
Enabling the Layer 2 Circuit When the Encapsulation Does Not Match
You can configure the Junos OS to allow a Layer 2 circuit to be established even though
the encapsulation configured on the CE device interface does not match the encapsulation
configured on the Layer 2 circuit interface by including the ignore-encapsulation-mismatch
statement. You can configure the ignore-encapsulation-mismatch statement for the
connection to the remote connection by including the statement at the [edit protocols
l2circuit neighbor address interface interface-name] hierarchy level or for the local
connection by including this statement at the [edit protocols l2circuit local-switching
interface interface-name] hierarchy level.
ignore-encapsulation-mismatch;
For a list of hierarchy levels at which you can include this statement, see the statement
summary section for this statement.
Related • Configuring the Encapsulation Type for the Layer 2 Circuit Neighbor Interface on page 777
Documentation
You can configure a virtual circuit entirely on the local router, terminating the circuit on
a local interface. Possible uses for this feature include being able to enable switching
between Frame Relay DLCIs.
local-switching {
interface interface-name {
description text;
end-interface {
interface interface-name;
no-revert;
protect-interface interface-name;
}
ignore-mtu-mismatch;
no-revert;
protect-interface interface-name;
}
}
• Configuring the Interfaces for the Local Interface Switch on page 781
• Enabling Local Interface Switching When the MTU Does Not Match on page 782
You can also configure virtual circuit interface protection for each local interface:
For more information about how to configure protect interfaces, see Configuring Interfaces
for Layer 2 Circuits.
Typically, when the primary interface goes down, the pseudowire starts using the protect
interface. By default, when the primary interface comes back online, the interface is
switched-over back from the protect interface to the primary interface. To prevent the
switchover back to the primary interface, unless the primary interface goes down, include
the no-revert statement. This prevents loss of traffic during the switchover.
You can configure the no-revert statement both for the starting interface and the ending
interface.
Enabling Local Interface Switching When the MTU Does Not Match
You can configure a local switching interface to ignore the MTU configuration set for the
associated physical interface. This enables you to bring up a circuit between two logical
interfaces that are defined on physical interfaces with different MTU values.
To configure the local switching interface to ignore the MTU configured for the physical
interface, include the ignore-mtu-mismatch statement:
ignore-mtu-mismatch;
Unlike Layer 2 circuit protect interfaces (see Example: Configuring Layer 2 Circuit Protect
Interfaces), which provide traffic protection for paths configured between the PE routers
and CE routers, Layer 2 circuit switching protection provides traffic protection for the
paths configured between the PE routers. In the event the path used by a Layer 2 circuit
fails, traffic can be switched to an alternate path (or protection path). Switching protection
is supported for locally switched Layer 2 circuits and provides 1 to 1 protection for each
Layer 2 circuit interface.
When you enable Layer 2 circuit switching protection, each Layer 2 circuit interface
requires the following paths:
• Protection path—Used by the Layer 2 circuit when the working path fails.
Requirements
This example uses the following hardware and software components:
Overview
Each working path can be configured using a pseudowire configured through an
intermediate PE router (as shown in Figure 43 on page 784). The protection path provides
failure protection for the traffic flowing between the PE routers. Failures are detected
through the link down trap.
Topology
In Figure 43 on page 784, there are two paths running between Router PE1 and Router PE2.
One is the working path between Router PE1 and Router PE2. The other is the protection
path between Router PE1 and Router PE3 to Router PE2.
Configuration
The following section describes how to configure Layer 2 circuit connection protection:
Step-by-Step To configure Layer 2 Circuit switching protection as shown in Figure 43 on page 784 on
Procedure Router PE1:
[edit policy-options]
user@PE1# set policy-statement load-balance then load-balance per-packet
user@PE1# set policy-statement protection-policy term protect from community
example
user@PE1# set policy-statement protection-policy term protect then install-nexthop
lsp-regex lsp-protect-*
[edit routing-options]
user@PE1# set forwarding-table export load-balance
Results From configuration mode on Router PE1, confirm your configuration by entering the show
protocols l2circuit, show policy-options, show routing-options commands. If the output
does not display the intended configuration, repeat the configuration instructions in this
example to correct it.
Accepting Route Updates with Unique Inner VPN Labels in Layer 3 VPNs
For Layer 3 VPNs configured on Juniper Networks routers, Junos OS normally allocates
one inner VPN label for each customer edge (CE)-facing virtual routing and forwarding
(VRF) interface of a provider edge (PE) router. However, other vendors allocate one VPN
label for each route learned over the CE-facing interfaces of a PE router. This practice
increases the number of VPN labels exponentially, which leads to slow system processing
and slow convergence time.
number of routes with unique inner VPN labels that can be processed by a Juniper
Networks router is increased substantially. Common route update elements associated
with Layer 3 VPNs are combined, reducing the number of route updates and individual
states the Juniper Networks router must maintain, and leading to enhanced scaling and
convergence performance.
You can configure the router based on the number of VPN labels you want to manage
and on whether or not you want to create chained composite next hops for IPv6 labeled
routes:
Because using this statement can also enhance the Layer 3 VPN performance
of Juniper Networks routers in networks where only Juniper Networks routers
are deployed, we recommend configuring the statements in these networks
as well.
• MX Series routers
• M120 routers
To accept up to one million Layer 3 VPN route updates with unique inner VPN labels,
configure the l3vpn statement. This statement is supported on indirectly connected PE
routers only. Configuring this statement on a router that is directly connected to a PE
router provides no benefit. You can configure the l3vpn statement on a router with a mix
of links to both directly connected and indirectly connected PE routers.
To configure the router to accept up to one million Layer 3 VPN route updates with unique
inner VPN labels:
NOTE: The vpn-label statement does not provide any functional changes
when used on the MX Series routers. You can omit the configuration of
this statement on MX Series routers.
For more information about configuring more memory for Layer 3 VPN labels, see the
Junos OS Administration Library.
After you have configured the l3vpn statement, you can determine whether or not a Layer
3 VPN route is a part of a composite next hop by examining the display output of the
following commands:
Because using this statements can also enhance the Layer 3 VPN performance
of Juniper Networks routers in networks where only Juniper Networks routers
are deployed, we recommend configuring the statement in these networks
as well.
Using the extended-space statement can double the number of routes with unique inner
VPN labels that can be processed by a Juniper Networks router. However, when configuring
such very large-scale Layer 3 VPN scenarios, keep the following guidelines in mind:
• The chassis must be configured to use the enhanced-ip option in network services
mode.
For more information about configuring chassis network services, see the Junos OS
Administration Library.
• Ensure that you configure per-packet load balancing for associated policies.
For more information about configuring policies, see the Routing Policies, Firewall Filters,
and Traffic Policers Feature Guide.
To configure the router to accept more than one million Layer 3 VPN route updates with
unique inner VPN labels:
[edit chassis]
user@host>set network-services enhanced-ip
After you have completed the configuration, you can determine whether or not a Layer
3 VPN route is a part of a composite next hop by examining the display output of the
following commands:
Enabling Chained Composite Next Hops for IPv6 Labeled Unicast Routes
You can enable chained composite next hops for IPv6 labeled unicast routes by
configuring the labeled-bgp and inet6 statements:
• To enable chained composite next hops for inet6 labeled unicast routes, include the
inet6 statement at the [edit routing-options forwarding-table
chained-composite-next-hop ingress labeled-bgp] hierarchy level. This statement is
disabled by default.
Related • Chained Composite Next Hops for Transit Devices for VPNs
Documentation
• Configuring the Junos OS to Allocate More Memory for Routing Tables, Firewall Filters,
and Layer 3 VPN Labels
By default, when there are multiple equal-cost paths to the same destination for the
active route, Junos OS uses a hash algorithm to choose one of the next-hop addresses
to install in the forwarding table. Whenever the set of next hops for a destination changes
in any way, the next-hop address is rechosen using the hash algorithm.
You can configure Junos OS so that, for the active route, all next-hop addresses for a
destination are installed in the forwarding table. This feature is called per-packet load
balancing. You can use load balancing to spread traffic across multiple paths between
routers.
Figure 44 on page 790 shows a simple load balancing scenario. Device R1 is in AS 65000
and is connected to both Device R2 and Device R3, which are in AS 65001. Device R1 can
be configured to load balance traffic across the two links.
AS 6 4 501
R2
10.0 .1.1
R1 10.0 .1.2
10.0.0 .1
10.0 .2.1
10.0.0 .2
R3
g040 87 5
Starting in Junos OS 13.3R3, for MX Series 3D Universal Edge routers with modular port
concentrators (MPCs) only, you can configure consistent load balancing, which prevents
the reordering of all flows to active paths in an equal-cost multipath (ECMP) group when
one or more next-hop paths fail. Only flows for paths that are inactive are redirected to
another active next-hop path. Flows mapped to servers that remain active are maintained.
This feature applies only to external BGP peers.
To complete the configuration you must apply the routing policy to routes exported from
the routing table to the forwarding table, by including the policy name in the list specified
by the export statement:
export [ policy-names ];
By default, the software ignores port data when determining flows. To enable per-flow
load balancing, you must set the load-balance per-packet action in the routing policy
configuration.
To include port data in the flow determination, include the family inet statement at the
[edit forwarding-options hash-key] hierarchy level:
If you include both the layer-3 and layer-4 statements, the router uses the following
Layer 3 and Layer 4 information to load-balance:
• Source IP address
• Destination IP address
• Protocol
• IP type of service
The router recognizes packets in which all of these layer-3 and layer-4 parameters are
identical, and ensures that these packets are sent out through the same interface. This
prevents problems that might otherwise occur with packets arriving at their destination
out of their original sequence.
This is appropriate behavior for Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP) packets. For Internet Control Message Protocol (ICMP) packets, the field
location offset is the checksum field, which makes each ping packet a separate “flow.”
There are other protocols that can be encapsulated in IP that may have a varying value
in the 32-bit offset. This may also be problematic because these protocols are seen as
a separate flow.
With M Series (with the exception of the M120 router) and T Series routers, the first
fragment is mapped to the same load-balanced destination as the unfragmented packets.
The other fragments can be mapped to other load-balanced destinations.
For the M120 router only, all fragments are mapped to the same load-balanced
destination. This destination is not necessarily the same as that for unfragmented packets.
By default, or if you include only the layer-3 statement, the router uses the incoming
interface index as well as the following Layer 3 information in the packet header to load
balance traffic:
• Source IP address
• Destination IP address
• Protocol
• Source IP address
• Destination IP address
• Protocol
• Traffic class
[edit]
policy-options {
policy-statement load-balancing-policy {
then {
load-balance per-packet;
}
}
}
routing-options {
forwarding-table {
export load-balancing-policy;
}
}
[edit]
policy-options {
policy-statement load-balancing-policy {
from {
route-filter 192.168.10/24 orlonger;
route-filter 10.114/16 orlonger;
}
then {
load-balance per-packet;
}
}
}
routing-options {
forwarding-table {
export load-balancing-policy;
}
}
ACX Series routers can load-balance on a per-packet basis in MPLS. Load balancing can
be performed on information in both the IP header and on up to three MPLS labels,
providing a more uniform distribution of MPLS traffic to next hops. This feature is enabled
on supported platforms by default and requires no configuration.
Load balancing is used to evenly distribute traffic when there is a single next hop over
an aggregated interface or a LAG bundle. Load balancing using MPLS labels is supported
only for LAG interfaces and not for equal-cost multipath (ECMP) links.
By default, when load balancing is used to help distribute traffic, Junos OS employs a
hash algorithm to select a next-hop address to install into the forwarding table. Whenever
the set of next hops for a destination changes in any way, the next-hop address is
reselected by means of the hash algorithm. You can configure how the hash algorithm
is used to load-balance traffic across interfaces in an aggregated Ethernet (ae) interface.
An LSP tends to load-balance its placement by randomly selecting one of the interfaces
in an ae- interface bundle and using it exclusively. The random selection is made
independently at each transit router, which compares Interior Gateway Protocol (IGP)
metrics alone. No consideration is given to bandwidth or congestion levels.
To load-balance based on the MPLS label information, configure the family mpls
statement:
payload {
ether-pseudowire;
ip {
layer-3-only;
port-data {
destination-lsb;
destination-msb;
source-lsb;
source-msb;
}
}
}
}
You can include this statement at the [edit forwarding-options hash-key] hierarchy level.
For Layer 2 VPN/pseudowire tunnel termination, upto two labels are used for hashing
and payload MAC destination and source addresses can be optionally selected. These
controls can be used to support ether-pseudowire knob in family mpls under hash-key
configuration shown above. However, since ACX2000 and ACX4000 also support TDM
pseudowires, the ether-pseudowire knobs needs to be used only when TDM pseudowires
are not being used.
For Layer 3 VPN tunnel termination, upto two labels are used for hasing and payload IP
source and destination addresses and Layer 4 source and destination ports can be
optionally selected. These controls can be used for supporting ip port-data knobs in
family mpls under hash-key configuration shown above. However, since Layer 4 port
MSB and LSB cannot be individually selected, one of destination-lsb or destination-msb
knobs or one of source-lsb or source-msb knobs would select Layer 4 destination or
source ports, respectively.
For LSR case, upto three labels are used for hashing. If a BOS is seen when parsing the
first three labels, BCM examines the first nibble of payload - if the nibble is 4, the payload
is treated as IPv4 and if the first nibble is 6, the payload is treated as IPv6 and in such
cases payload source and destination IP addresses can be speculatively used for hashing.
These controls can be used for supporting ip port-data knobs in family mpls under
hash-key configuration. However, Layer 4 ports cannot be used for hashing in LSR case,
and only layer-3-only knob is applicable. BCM does not claim support for hashing on
fields beyond the three MPLS labels. Load Balancing for a single pseudowire session
does not take place in case of LSR as all the traffic specific to that session will carry the
same set of MPLS labels.
Load balancing on LSR AE interfaces can be achieved for a higher number of MPLS
sessions, that is minimum of 10 sessions. This is applicable for CCC/VPLS/L3VPN. In
case of Layer 3 VPN, the traffic may not be equally distributed across the member links
as the layer 3 addresses also get accounted for (along with the labels) for the hash input
function.
For LER scenarios, in case of ACX5048 and ACX5096, hashing based on Layer 3 and
Layer 4 fields is possible by configuring the payload option under the “family mpls”
hierarchy. Hashing on the LER is not be based on Labels. For Layer 3 service, it is mandatory
to mention the payload as “layer-3-only” and specify “port-data” in case of Layer 4 service.
You can also mention the label count while configuring hash-keys on LER routers.
Table 50 on page 795 provides detailed information about all of the possible MPLS LSP
load-balancing options.
label-l Include the first label in the hash key. Use this option for single label packets.
label-2 Include the second label in the hash key. You must also configure the label-1 option. The entire first label and
the first 16 bits of the second label are used in the hash key.
label-3 Include the third label in the hash key. You must also configure the label-1 option and the label-2 option.
payload Allows you to configure which parts of the IP packet payload to include in the hash key. For the PTX Series
Packet Transport Switch, this value is set by default.
ip Include the IPv4 or IPv6 address in the hash key. You must also configure either label-l or no-labels.
layer-3-only Include only the Layer 3 IP information in the hash key. Excludes all of the port-data bytes from the hash key.
port-data Include the source and destination port field information. By default, the most significant byte and least
significant byte of the source and destination port fields are used in the hash key. To select specific bytes to
use in the hash key, include one or more of the source-msb, source-lsb, destination-msb, and destination-lsb
options at the [edit forwarding-options hash-key family mpls payload ip port-data] hierarchy level. To prevent
all four bytes from being hashed, include the layer-3-only statement at the [edit forwarding-options hash-key
family mpls payload ip] hierarchy level.
destination-lsb Include the least significant byte of the destination port in the hash key. Can be combined with any of the
other port-data options.
destination-msb Include the most significant byte of the destination port in the hash key. Can be combined with any of the
other port-data options.
source-lsb Include the least significant byte of the source port in the hash key. Can be combined with any of the other
port-data options.
source-msb Include the most significant byte of the source port in the hash key. Can be combined with any of the other
port-data options.
To include the IP address as well as the first label in the hash key, configure the label-1
statement and the ip option for the payload statement at the [edit forwarding-options
hash-key family mpls] hierarchy level:
To include the IP address as well as both the first and second labels in the hash key,
configure the label-1 and label-2 options and the ip option for the payload statement at
the [edit forwarding-options hash-key family mpls] hierarchy level:
Ensure proper load balancing by including the label-1, label-2, and label-3 options at the
[edit forwarding-options hash-key family mpls] hierarchy level:
You can configure load balancing for IPv4 traffic over Layer 2 Ethernet pseudowires. You
can also configure load balancing for Ethernet pseudowires based on IP information. The
option to include IP information in the hash key provides support for Ethernet circuit
cross-connect (CCC) connections.
NOTE: This feature is supported only on M120, M320, MX Series, and T Series
routers.
To configure load balancing for IPv4 traffic over Layer 2 Ethernet pseudowires, include
the ether-pseudowire statement at the [edit forwarding-options hash-key family mpls
payload] hierarchy level:
[edit forwarding-options]
hash-key {
family mpls {
(label-1 | no-labels);
payload {
ether-pseudowire;
}
}
}
NOTE: You must also configure either the label-1 or the no-labels statement
at the [edit forwarding-options hash-key family mpls] hierarchy level.
You can also configure load balancing for Ethernet pseudowires based on IP information.
This functionality provides support for load balancing for Ethernet cross-circuit connect
(CCC) connections. To include IP information in the hash key, include the ip statement
at the [edit forwarding-options hash-key family mpls payload] hierarchy level:
[edit forwarding-options]
hash-key {
family mpls {
(label-1 | no-labels);
payload {
ip;
}
}
}
NOTE: You must also configure either the label-1 or no-labels statement at
the [edit forwarding-options hash-key family mpls] hierarchy level.
You can configure load balancing for IPv4 traffic over Ethernet pseudowires to include
only Layer 3 IP information in the hash key. To include only Layer 3 IP information, include
the layer-3-only option at the [edit forwarding-options family mpls hash-key payload ip]
hierarchy level:
[edit forwarding-options]
hash-key {
family mpls {
(label-1 | no-labels);
payload {
ip {
layer-3-only;
}
}
}
}
NOTE: You must also configure either the label-1 or no-labels statement at
the [edit forwarding-options hash-key family mpls] hierarchy level.
The hash key mechanism for load-balancing uses Layer 2 media access control (MAC)
information such as frame source and destination address. To load-balance traffic based
on Layer 2 MAC information, include the family multiservice statement at the
[edit forwarding-options hash-key] hierarchy level:
family multiservice {
destination-mac;
source-mac;
}
To include the destination-address MAC information in the hash key, include the
destination-mac option. To include the source-address MAC information in the hash key,
include the source-mac option.
NOTE: Any packets that have the same source and destination address will
be sent over the same path.
NOTE: You can configure per-packet load balancing to optimize VPLS traffic
flows across multiple paths.
NOTE: Aggregated Ethernet member links will now use the physical MAC
address as the source MAC address in 802.3ah OAM packets.
An equal-cost multipath (ECMP) set is formed when the routing table contains multiple
next-hop addresses for the same destination with equal cost. (Routes of equal cost have
the same preference and metric values.) If there is an ECMP set for the active route, the
Junos OS software uses a hash algorithm to choose one of the next-hop addresses in
the ECMP set to install in the forwarding table.
You can configure the Junos OS so that multiple next-hop entries in an ECMP set are
installed in the forwarding table. On ACX Series routers, per-flow load balancing can be
performed to spread traffic across multiple paths between routing devices. ECMP
flow-based forwarding is supported for IPv4, IPv6, and MPLS packets on aggregated
Ethernet (ae) interfaces.
Load balancing is used to evenly distribute traffic when there are multiple equal-cost
next hops over different interfaces or a single next hop over an aggregated interface. By
default, when load balancing is used to help distribute traffic, Junos OS employs a hash
algorithm to select a next-hop address to install into the forwarding table.
If a next-hop address is no longer part of the ECMP set or if it is removed from the routing
table because of a route change, a flow that uses the next hop is rerouted and the session
is not affected. Rerouting of the flow also occurs if there is a configuration change that
takes away the next-hop address or if an administrator takes down the next-hop interface
without deleting it. If a next-hop address is removed from the routing table because the
interface is deleted or the session is intentionally cleared, the session is killed without
being rerouted.
To select which packet header data to use for per-flow load balancing, include the
hash-key statement at the [edit forwarding-options] hierarchy level. To load-balance
IPv4 traffic by using the port data into the hash key, include the family-inet statement at
the [edit forwarding-options hash-key] hierarchy level. You can incorporate either the
Layer 3 IP port data, or the Layer 4 TCP or UDP port data into the hash key. To
load-balance based on the MPLS label information, configure the family mpls statement
at the [edit forwarding-options hash-key] hierarchy level.
To view the details of the ECMP next hops and to obtain information for debugging any
problem with the ECMP functionality, issue the show route or the show route summary
command.
The maximum number of next-hop addresses in an ECMP set that can be installed in
the forwarding table of ACX Series routers is 16. A maximum of 2047 ECMP next-hops
are supported.
Hierarchical LDP-based VPLS requires a full mesh of tunnel LSPs between all the PE
routers that participate in the VPLS service. For each VPLS service, n*(n-1)/2 pseudowires
must be set up between the PE routers. Although the full mesh requirement creates
signaling overhead, the larger negative impact to large-scale deployment is the packet
replication requirements for each provisioned pseudowire on a PE router. Using hierarchical
connectivity reduces signaling and replication overhead to facilitate large-scale
deployments. .
In a typical IPTV solution, IPTV sources are in the public domain and the subscribers are
in the private VPN domain. The objective is to deliver the multicast streams originated
from the IPTV source to the set-top boxes or subscribers in the private domain. Generally,
for an efficient delivery of multicast data from the IP Sources to the access devices (ACX
in this case), P2MP LSPs and mVPN is used. The subscriber devices could then be
connected to a VPLS or a Layer 3 VPN domain in Access router and they could be
configured to import the multicast routes from an MVPN instance. Because VPLS and
MVPN are not supported on ACX routers, an alternative approach can be used to achieve
H-VPLS capabilities. The support for PIM snooping in Layer 3 interfaces, IGMP snooping
in Layer 2 networks, IRB interfaces, and logical tunnel interfaces enables HVLS support.
An ACX router receives the multicast data on the default VRP context and the data gets
forwarded on to the BD through IRB and gets replicated on the BD ports based on the
membership detected through IGMP snooping. Unicast control traffic between Subscriber
devices and the IPTV subscriber management server goes through the private VPN
domain. Aggregation routers have VPLS full-mesh connectivity between each other and
ACX works as H-VPLS MTU. There is a PW setup between ACX and the aggregation
router. LT interface does the stitching of the Bridge domain with the PW
pseudowire. ACX2 is connected to two MX Series routers, MX2 and MX3. Connection to
ACX2 to MX2 is through an active pseudowire. ACX2 is linked to MX3 using a standby
pseudowire. MX2 and MX3 are connected to MX1, which is the root of the LSP. MX1 is
linked to an IPTV source.
Point-to-multipoint (P2MP) traffic engineering (TE) LSP is setup from the MX router
(MX-1 is connected to the IPTV source) to the aggregation MX routers (MX-2 & MX-3).
MX-1 is the root of the LSP. MX-2 and MX-3 are the leaves. Leaves cannot be configured
statically or dynamically.
• PIM can be enabled between MX-1 and IPTV Source and MX-1 is the DR for the Multicast
source.
• mVPN is configured on the default VRF routing instance. Selective tree can be used
for optimal routing.
• PIM-SM is running in the Access network between access routers (ACX-1 and ACX-2)
and aggregation routers (MX-1 and MX-2).
• RPF check is disabled for the multicast groups in aggregation routers for it to accept
the data from remote source.
ACX has a bridge-domain and subscriber devices are connected to the BD ports. This
enables the subscribers to be on the same IP subnet. (This method of configuration
suits a topology in which you want all the subscribers connected to the ACXs in a single
access ring to be on the same subnet. This makes the DHCP server pool allocation
policy easier). No local switching is enabled on the bridge domain, to ensure that
subscriber to subscriber communication does not occur locally through the bridge
domain.
• Bridge domain has the IRB configuration providing connectivity to the default VRF
router instance. IGMP is enabled on the IRB interface. This enables the IGMP join
messages send by the subscriber devices to be processed by the routing module and
in turn triggers a PIM join towards RP in the default routing instance.
• IGMP snooping is enabled on the bridge domain for an optimal forwarding of multicast
data at the BD level.
• ACX router receives the multicast data on the default VRP context and the data gets
forwarded on to the BD through IRB and gets replicated on the BD ports based on the
membership detected through IGMP snooping.
• Unicast control traffic between Subscriber devices and the IPTV subscriber
management server goes through the private VPN domain.
• Aggregation routers have VPLS full-mesh connectivity between each other and ACX
works as H-VPLS MTU.
• There is a PW set up between ACX and the aggregation router. LT interface does the
stitching of the Bridge domain with the PW.
• An active and a standby pseudowire are set up between ACX and aggregation routers
to support redundancy for the control traffic.
• PW terminates into the VPLS instance in the aggregation router. PWs from multiple
ACX routers are terminated to the same VPLS instance as all the subscribers across
all ACX boxes connected to a same aggregation router are in the same subnet.
• VPLS instance in the aggregation router is connected to the L3VPN instance through
IRB interface which has IP address from the same subnet as the subscribers. Subscriber
management station that is controlling the subscribers belong to a particular customer
is connected to this Layer 3 VPN domain.
• Control traffic is limited to 1G or 10G bandwidth based on the logical tunnel (lt-)
interface limitation.
• Multicast data delivery is based on PIM on the access network. Therefore, the
convergence time is directly related to the convergence time of the IGP protocol
configured on the access network.
• Two versions of multicast solutions must be implemented in the provider network for
the end-to-end solution to work. Also, you must set up PIM- based solution on the
access network and MVPN-based solution on the aggregation or core network. This
topology is considered a configuration overhead.
• You can implement an IPTV framework without the MVPN and VPLS support on ACX
routers.
• IGMP snooping is supported to ensure that the multicast data is not forwarded to the
subscribers that are not registered for that data.
• An IRB interface is used for only multicast data delivery from the default VRF context.
Observe the following guidelines while configuring unicast RPF on ACX Series routers:
• The RPF check to be used when routing is asymmetrical is not supported because the
unicast-reverse-path (active-paths | feasible-paths) statement at the [edit
routing-instances routing-instance-name instance-type name routing-options
forwarding-table] hierarchy level is not supported.
• Even if uRPF checking is enabled, the reverse path checking is not performed if the
following conditions apply:
• The destination IP address is not a unicast address. This applies for both IPV4 and
IPV6 packets.
• The source IP address is IPV6 and the address is a link local address (FE80::/10)
• If you enable/disable unicast RPF on live traffic, some packets are dropped while the
packet forwarding components are updating. This behavior occurs because route
reinstallation is initiated while you enable or disable uRPF.
• uRPF is supported at the logical interface level. Due to hardware limitations, support
is available only at the logical interface level.
• Strict mode on ECMP routes is not supported in ACX. This condition occurs because
the hardware treats ECMP routes as Loose Mode although the port is configured as
Strict mode. Because ECMP uses multiple physical paths for the route the reverse path
check results in utilizing many paths (routes) and the source port validation method
is not used in case of Strict mode. As a result, such a network scenario operates in the
same manner as loose mode.
• When the strict mode is enabled on the interface, if the packet is coming with an SIP
address which ARP resolution is pending will be dropped as it points to RESOLVE_NH.
• uRPF fail filter can be configured for family <inet | inet6> in ACX.
NOTE: The uRPF fail filter cannot match packets failed at ingress port
check (strict mode).
The uRPF fail filter can match packets failing source IP lookup but cannot
match packets failing the input interface check (strict mode).
The uRPF fail filter applies only to interface-specific instances of the firewall
filter.
The uRPF fail filters do not support reject and routing-instance actions.
• uRPF can be configured for family <inet | inet6> on IRB interfaces in ACX.
• uRPF implementation in ACX does not consider all feasible paths for reverse path
verification and only active path based verification is supported.
• You can use either the show interfaces extensive command or the show interfaces detail
command to verify that unicast RPF is enabled and working on the interface. In the
Flags section of the output, if unicast reverse-path forwarding (RPF) is explicitly
configured on the specified interface, the uRPF flag is displayed. If unicast RPF was
configured on a different interface (and therefore is enabled on all switch interfaces)
but was not explicitly configured on the specified interface, the uRPF flag is not
displayed even though unicast RPF is enabled.
• The uRPF detail in the Flags section of the output of the show interfaces (detail |
extensive) commands is displayed only for logical interfaces on which uRPF is
configured. Otherwise, this information is not shown.
Related •
Documentation
NOTE: If you want to configure unicast RPF, your router must be equipped
with the Internet Processor II application-specific integrated circuit (ASIC).
If you enable unicast RPF on live traffic, some packets are dropped while the
packet forwarding components are updating.
For transit packets exiting the router through the tunnel, forwarding path
features, such as RPF, forwarding table filtering, source class usage, and
destination class usage are not supported on the interfaces you configure as
the output interface for tunnel traffic. For firewall filtering, you must allow
the output tunnel packets through the firewall filter applied to input traffic
on the interface that is the next-hop interface towards the tunnel destination.
• Unicast RPF with default routes—unicast RPF check will not consider the default route
for its reverse path checking. That means packet will be accepted only if at least route
prefix is present in the routing table.(Loose Mode)
• Unicast RPF with filter-based forwarding—unicast RPF is applied in the Layer 3 lookup
stage in which all the filters are already applied and the corresponding VRF is identified.
So it always uses the route table with respect to the VRF it belongs to. The reverse
path check fails even it has valid route in other VRF table also.
• Unicast RPF with virtual router or VRF—unicast RPF is applied in the Layer 3 lookup
stage in which the corresponding VRF/VR is identified. So it always uses the route table
with respect to the VRF or virtual router it belongs to. The reverse path check fails even
it has a valid route in other VRF table.
• Unicast RPF with IPV6—unicast RPF is performed for IPV6 global unicast and unique
local address only. For the link local IPV6 address, unicast RPF is not performed.
If the incoming packet fails the unicast RPF check, the packet is not accepted on the
interface. When a packet is not accepted on an interface, unicast RPF counts the packet
and sends it to an optional fail filter. If the fail filter is not configured, the default action
is to silently discard the packet.
The optional fail filter allows you to apply a filter to packets that fail the unicast RPF
check. You can define the fail filter to perform any filter operation, including accepting,
rejecting, logging, sampling, or policing.
When unicast RPF is enabled on an interface, Bootstrap Protocol (BOOTP) packets and
Dynamic Host Configuration Protocol (DHCP) packets are not accepted on the interface.
To allow the interface to accept BOOTP packets and DHCP packets, you must apply a
fail filter that accepts all packets with a source address of 0.0.0.0 and a destination
address of 255.255.255.255.
For more information about unicast RPF, see the Junos OS Routing Protocols Library. For
more information about defining fail filters, see the Routing Policies, Firewall Filters, and
Traffic Policers Feature Guide.
rpf-check;
You can include this statement at the [edit interfaces interface-name unit
logical-unit-number family (inet | inet6)] hierarchy level.
mode loose;
You can include this statement at the [edit interfaces interface-name unit
logical-unit-number family (inet | inet6) rpf-check] hierarchy level.
To determine whether the default route uses an interface, enter the show route command:
address is the next-hop address of the configured default route. The default route uses
the interfaces shown in the output of the show route command.
The following sections describe how unicast RPF behaves when a default route uses an
interface and when a default route does not use an interface:
If you configure a default route that uses an interface configured with unicast RPF, unicast
RPF behaves as follows:
• Loose mode—All packets are automatically accepted. For this reason, we recommend
that you not configure unicast RPF loose mode on interfaces that the default route
uses.
• The source address of the packet matches any of the routes (either default or
learned) that can be originated from the interface. Note that routes can have multiple
destinations associated with them; therefore, if one of the destinations matches the
incoming interface of the packet, the packet is accepted.
• The source address of the packet does not match any of the routes.
• The source address of the packet does not match a prefix in the routing table.
• The interface does not expect to receive a packet with this source address prefix.
If you do not configure a default route, or if the default route does not use an interface
configured with unicast RPF, unicast RPF behaves as described in “Configuring Unicast
RPF Strict Mode” on page 805 and “Configuring Unicast RPF Loose Mode” on page 806. To
summarize, unicast RPF without a default route behaves as follows:
• Strict mode—The packet is not accepted when either of the following is true:
• The packet has a source address that does not match a prefix in the routing table.
• The interface does not expect to receive a packet with this source address prefix.
• Loose mode—The packet is not accepted when the packet has a source address that
does not match a prefix in the routing table.
You can configure unicast RPF only on the interfaces you specify in the routing instance.
This means the following:
• For virtual-router routing instances, unicast RPF is supported on all interfaces you
specify in the routing instance.
• If an input filter forwards packets anywhere other than the routing instance the input
interface is configured for, the unicast RPF check is not performed.
For more information about VPNs and virtual-router routing instances, see the Junos OS
VPNs Library for Routing Devices. For more information about FBF, see the Junos OS
Routing Protocols Library.
[edit interfaces]
so-0/0/0 {
unit 0 {
family inet {
rpf-check;
}
}
}
[edit routing-instance]
VPN-A {
interface so-0/0/0.0;
}
For more information about unicast RPF, see the Junos OS Routing Protocols Library. For
more information about defining fail filters, see the Routing Policies, Firewall Filters, and
Traffic Policers Feature Guide.
For information about configuring a firewall filters, see “Guidelines for Configuring Firewall
Filters” on page 1044.
To configure unicast RPF fail filter, include the fail-filter statement at the [edit interfaces
interface-name unit logical-unit-number family (inet | inet6) rpf-check] hierarchy level.
Purpose Verify that unicast reverse-path forwarding (RPF) is enabled and is working on the
interface.
Action Use one of the show interfaces interface-name commands with either the extensive or
detail options to verify that unicast RPF is enabled and working on the switch. The example
below displays output from the show interfaces ge- extensive command.
0 best-effort 0 0 0
1 assured-forw 0 0 0
5 expedited-fo 0 0 0
7 network-cont 0 0 0
Jabber frames 0
Fragment frames 0
VLAN tagged frames 0
Code violations 0
Filter statistics:
Input packet count 0
Input packet rejects 0
Input DA rejects 0
Input SA rejects 0
Output packet count 0
Output packet pad count 0
Output packet error count 0
CAM destination filters: 0, CAM source filters: 0
Autonegotiation information:
Negotiation status: Incomplete
Packet Forwarding Engine configuration:
Destination slot: 1
Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135)
Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
Traffic statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
IPv6 transit statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Local statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Transit statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
IPv6 transit statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Protocol inet, Generation: 144, Route table: 0
Flags: uRPF
Addresses, Flags: Is-Preferred Is-Primary
Meaning The show interfaces ge-1/0/10 extensive command (and the show interfaces ge-1/0/10
detail command) displays in-depth information about the interface. The Flags: output
field near the bottom of the display reports the unicast RPF status. If unicast RPF has
not been enabled, the uRPF flag is not displayed.
On EX3200 and EX4200 switches, unicast RPF is implicitly enabled on all switch
interfaces, including aggregated Ethernet interfaces (also referred to as link aggregation
groups or LAGs) and routed VLAN interfaces (RVIs) when you enable unicast RPF on a
single interface. However, the unicast RPF status is shown as enabled only on interfaces
for which you have explicitly configured unicast RPF. Thus, the uRPF flag is not displayed
on interfaces for which you have not explicitly configured unicast RPF even though unicast
RPF is implicitly enabled on all interfaces on EX3200 and EX4200 switches.
In Junos OS, Layer 3 VPNs are based on RFC 4364. RFC 4364 defines a mechanism by
which service providers can use their IP backbones to provide VPN services to their
customers. A Layer 3 VPN is a set of sites that share common routing information and
whose connectivity is controlled by a collection of policies. The sites that make up a
Layer 3 VPN are connected over a provider’s existing public Internet backbone.
RFC 4364 VPNs are also known as BGP/MPLS VPNs because BGP is used to distribute
VPN routing information across the provider’s backbone, and MPLS is used to forward
VPN traffic across the backbone to remote VPN sites.
Customer networks, because they are private, can use either public addresses or private
addresses, as defined in RFC 1918, Address Allocation for Private Internets. When customer
networks that use private addresses connect to the public Internet infrastructure, the
private addresses might overlap with the same private addresses used by other network
users. MPLS/BGP VPNs solve this problem by adding a VPN identifier prefix to each
address from a particular VPN site, thereby creating an address that is unique both within
the VPN and within the public Internet. In addition, each VPN has its own VPN-specific
routing table that contains the routing information for that VPN only.
Route distribution within a VPN is controlled through BGP extended community attributes.
RFC 4364 defines the following three attributes used by VPNs:
• Target VPN—Identifies a set of sites within a VPN to which a provider edge (PE) router
distributes routes. This attribute is also called the route target. The route target is used
by the egress PE router to determine whether a received route is destined for a VPN
that the router services.
Figure 45 on page 815 illustrates the function of the route target. PE Router PE1 adds
the route target “VPN B” to routes received from the customer edge (CE) router at
Site 1 in VPN B. When it receives the route, the egress router PE2 examines the route
target, determines that the route is for a VPN that it services, and accepts the route.
When the egress router PE3 receives the same route, it does not accept the route
because it does not service any CE routers in VPN B.
• VPN of origin—Identifies a set of sites and the corresponding route as having come
from one of the sites in that set.
• Site of origin—Uniquely identifies the set of routes that a PE router learned from a
particular site. This attribute ensures that a route learned from a particular site through
a particular PE-CE connection is not distributed back to the site through a different
PE-CE connection. It is particularly useful if you are using BGP as the routing protocol
between the PE and CE routers and if different sites in the VPN have been assigned
the same autonomous system (AS) numbers.
Because Layer 3 VPNs connect private networks—which can use either public addresses
or private addresses, as defined in RFC 1918 (Address Allocation for Private Internets)—over
the public Internet infrastructure, when the private networks use private addresses, the
addresses might overlap with the addresses of another private network.
Figure 46 on page 816 illustrates how private addresses of different private networks can
overlap. Here, sites within VPN A and VPN B use the address spaces 10.1.0.0/16,
10.2.0.0/16, and 10.3.0.0/16 for their private networks.
To avoid overlapping private addresses, you can configure the network devices to use
public addresses instead of private addresses. However, this is a large and complex
undertaking. The solution provided in RFC 4364 uses the existing private network numbers
to create a new address that is unambiguous. The new address is part of the VPN-IPv4
address family, which is a BGP address family added as an extension to the BGP protocol.
In VPN-IPv4 addresses, a value that identifies the VPN, called a route distinguisher, is
prefixed to the private IPv4 address, providing an address that uniquely identifies a private
IPv4 address.
Only the PE routers need to support the VPN-IPv4 address extension to BGP. When an
ingress PE router receives an IPv4 route from a device within a VPN, it converts it into a
VPN-IPv4 route by adding the route distinguisher prefix to the route. The VPN-IPv4
addresses are used only for routes exchanged between PE routers. When an egress PE
router receives a VPN-IPv4 route, it converts the VPN-IPv4 route back to an IPv4 route
by removing the route distinguisher before announcing the route to its connected CE
routers.
• Route distinguisher is a 6-byte value that you can specify in one of the following formats:
nonprivate AS number, preferably the Internet service provider’s (ISP’s) own or the
customer’s own AS number.
Figure 46 on page 816 illustrates how the AS number can be used in the route distinguisher.
Suppose that VPN A is in AS 65535 and that VPN B is in AS 666 (both these AS numbers
belong to the ISP), and suppose that the route distinguisher for Site 2 in VPN A is 65535:02
and that the route distinguisher for Site 2 in VPN B is 666:02. When Router PE2 receives
a route from the CE router in VPN A, it converts it from its IP address of 10.2.0.0 to a
VPN-IPv4 address of 65535:02:10.2.0.0. When the PE router receives a route from VPN
B, which uses the same address space as VPN A, it converts it to a VPN-IPv4 address of
666:02:10.2.0.0.
If the IP address is used in the route distinguisher, suppose Router PE2’s IP address is
172.168.0.1. When the PE router receives a route from VPN A, it converts it to a
VPN-IPv4 address of 172.168.0.1:0:10.2.0.0/16, and it converts a route from VPN B to
172.168.0.0:1:10.2.0.0/16.
Route distinguishers are used only among PE routers to IPv4 addresses from different
VPNs. The ingress PE router creates a route distinguisher and converts IPv4 routes received
from CE routers into VPN-IPv4 addresses. The egress PE routers convert VPN-IPv4 routes
into IPv4 routes before announcing them to the CE router.
Because VPN-IPv4 addresses are a type of BGP address, you must configure IBGP sessions
between pairs of PE routers so that the PE routers can distribute VPN-IPv4 routes within
the provider’s core network. (All PE routers are assumed to be within the same AS.)
You define BGP communities to constrain the distribution of routes among the PE routers.
Defining BGP communities does not, by itself, distinguish IPv4 addresses.
Figure 47 on page 818 illustrates how Router PE1 adds the route distinguisher
10458:22:10.1/16 to routes received from the CE router at Site 1 in VPN A and forwards
these routes to the other two PE routers. Similarly, Router PE1 adds the route distinguisher
10458:23:10.2/16 to routes received by the CE router at Site 1 in VPN B and forwards these
routes to the other PE routers.
To separate a VPN’s routes from routes in the public Internet or those in other VPNs, the
PE router creates a separate routing table for each VPN, called a VPN routing and
forwarding (VRF) table. The PE router creates one VRF table for each VPN that has a
connection to a CE router. Any customer or site that belongs to the VPN can access only
the routes in the VRF tables for that VPN.
Figure 48 on page 819 illustrates the VRF tables that are created on the PE routers. The
three PE routers have connections to CE routers that are in two different VPNs, so each
PE router creates two VRF tables, one for each VPN.
Each VRF table is populated from routes received from directly connected CE sites
associated with that VRF routing instance and from routes received from other PE routers
that passed BGP community filtering and are in the same VPN.
Each PE router also maintains one global routing table (inet.0) to reach other routers in
and outside the provider’s core network.
Each customer connection (that is, each logical interface) is associated with one VRF
table. Only the VRF table associated with a customer site is consulted for packets from
that site.
You can configure the router so that if a next hop to a destination is not found in the
VRF table, the router performs a lookup in the global routing table, which is used for
Internet access.
• bgp.l3vpn.0—Stores all VPN-IPv4 unicast routes received from other PE routers. (This
table does not store routes received from directly connected CE routers.) This table is
present only on PE routers.
When a PE router receives a route from another PE router, it places the route into its
bgp.l3vpn.0 routing table. The route is resolved using the information in the inet.3 routing
table. The resultant route is converted into IPv4 format and redistributed to all
routing-instance-name.inet.0 routing tables on the PE router if it matches the VRF import
policy.
The bgp.l3vpn.0 table is also used to resolve routes over the MPLS tunnels that connect
the PE routers. These routes are stored in the inet.3 routing table. PE-to-PE router
connectivity must exist in inet.3 (not just in inet.0) for VPN routes to be resolved properly.
When a router is advertising non-local VPN-IPv4 unicast routes and the router is a
route reflector or is performing external peering, the VPN-IPv4 unicast routes are
automatically exported into the VPN routing table (bgp.l3vpn.0). This enables the
router to perform path selection and advertise from the bgp.l3vpn.0 routing table.
To determine whether to add a route to the bgp.l3vpn.0 routing table, the Junos OS
checks it against the VRF instance import policies for all the VPNs configured on the
PE router. If the VPN-IPv4 route matches one of the policies, it is added to the
bgp.l3vpn.0 routing table. To display the routes in the bgp.l3vpn.0 routing table, use
the show route table bgp.l3vpn.0 command.
When a CE router advertises to a PE router, the PE router places the route into the
corresponding routing-instance-name.inet.0 routing table and advertises the route to
other PE routers if it passes a VRF export policy. Among other things, this policy tags
the route with the route distinguisher (route target) that corresponds to the VPN site
to which the CE belongs. A label is also allocated and distributed with the route. The
bgp.l3vpn.0 routing table is not involved in this process.
To display the routes in the routing-instance-name.inet.0 table, use the show route table
routing-instance-name.inet.0 command.
• inet.3—Stores all MPLS routes learned from LDP and RSVP signaling done for VPN
traffic. The routing table stores the MPLS routes only if the traffic-engineering bgp-igp
option is not enabled.
For VPN routes to be resolved properly, the inet.3 table must contain routes to all the
PE routers in the VPN.
To display the routes in the inet.3 table, use the show route table inet.3 command.
• inet.0—Stores routes learned by the IBGP sessions between the PE routers. To provide
Internet access to the VPN sites, configure the routing-instance-name.inet.0 routing
table to contain a default route to the inet.0 routing table.
To display the routes in the inet.0 table, use the show route table inet.0 command.
The following routing policies, which are defined in VRF import and export statements,
are specific to VRF tables.
VPN route processing differs from normal BGP route processing in one way. In BGP, routes
are accepted if they are not explicitly rejected by import policy. However, because many
more VPN routes are expected, the Junos OS does not accept (and hence store) VPN
routes unless the route matches at least one VRF import policy. If no VRF import policy
explicitly accepts the route, it is discarded and not even stored in the bgp.l3vpn.0 table.
As a result, if a VPN change occurs on a PE router—such as adding a new VRF table or
changing a VRF import policy—the PE router sends a BGP route refresh message to the
other PE routers (or to the route reflector if this is part of the VPN topology) to retrieve
all VPN routes so they can be reevaluated to determine whether they should be kept or
discarded.
Within a VPN, the distribution of VPN-IPv4 routes occurs between the PE and CE routers
and between the PE routers (see Figure 49 on page 822).
The connection between the CE and PE routers can be a remote connection (a WAN
connection) or a direct connection (such as a Frame Relay or Ethernet connection).
• OSPF
• RIP
• BGP
• Static route
Figure 50 on page 823 illustrates how routes are distributed from CE routers to PE routers.
Router PE1 is connected to two CE routers that are in different VPNs. Therefore, it creates
two VRF tables, one for each VPN. The CE routers announce IPv4 routes. The PE router
installs these routes into two different VRF tables, one for each VPN. Similarly, Router
PE2 creates two VRF tables into which routes are installed from the two directly connected
CE routers. Router PE3 creates one VRF table because it is directly connected to only
one VPN.
VPN A site 2
CE CE
P P PE2
PE1 P
CE P PE3 CE
g017159
VPN B site 1 VPN A site 3
The remote PE router places the route into its bgp.l3vpn.0 table if the route passes the
import policy on the IBGP session between the PE routers. At the same time, it checks
the route against the VRF import policy for the VPN. If it matches, the route distinguisher
is removed from the route, and it is placed into the VRF table (the
routing-instance-name.inet.0 table) in IPv4 format.
Figure 51 on page 824 illustrates how Router PE1 distributes routes to the other PE routers
in the provider’s core network. Router PE2 and Router PE3 each have VRF import policies
that they use to determine whether to accept routes received over the IBGP sessions
and install them in their VRF tables.
When a PE router receives routes advertised from a directly connected CE router (Router
PE1 in Figure 51 on page 824), it uses the following procedure to examine the route, convert
it to a VPN route, and distribute it to the remote PE routers:
1. The PE router checks the received route using the VRF export policy for that VPN.
2. If the received route matches the export policy, the route is processed as follows:
a. The route is converted to VPN-IPv4 format—that is, the 8-byte route distinguisher
is prepended to the 4-byte VPN prefix to form the 12-byte VPN-IPv4 address.
c. The PE router advertises the route in VPN-IPv4 format to the remote PE routers.
The routes are distributed using IBGP sessions, which are configured in the provider’s
core network.
3. If the route does not match the export policy, it is not exported to the remote PE
routers, but can still be used locally for routing—for example,if two CE routers in the
same VPN are directly connected to the same PE router.
When the remote PE router receives routes advertised from another PE router (Routers
PE2 and PE3 in Figure 51 on page 824), it uses the following procedure to process the route:
1. If the route is accepted by the import policy on the IBGP session between the PE
routers, the remote PE router places the route into its bgp.l3vpn.0 table.
2. The remote PE router checks the route’s route target community against the VRF
import policy for the VPN.
3. If it matches, the route distinguisher is removed from the route, and it is placed into
the VRF table (the routing-instance-name.inet.0 table) in IPv4 format.
PE routers can communicate with CE routers using one of the following routing protocols:
• OSPF
• RIP
• BGP
• Static route
Figure 52 on page 826 illustrates how the three PE routers announce their routes to their
connected CE routers.
The PE routers in the provider’s core network are the only routers that are configured to
support VPNs and hence are the only routers to have information about the VPNs. From
the point of view of VPN functionality, the provider (P) routers in the core—those P routers
that are not directly connected to CE routers—are merely routers along the tunnel between
the ingress and egress PE routers.
The tunnels can be either LDP or MPLS. Any P routers along the tunnel must support the
protocol used for the tunnel, either LDP or MPLS.
• Outer label—Label assigned to the address of the BGP next hop by the IGP next hop
• Inner label—Label that the BGP next hop assigned for the packet’s destination address
Figure 54 on page 827 illustrates how the labels are assigned and removed:
2. Router PE1 then identifies the IGP route to the BGP next hop and assigns a second
label that corresponds to the LSP of the BGP next hop. This label is the outer label.
3. The inner label remains the same as the packet traverses the LSP tunnel. The outer
label is swapped at each hop along the LSP and is then popped by the penultimate
hop router (the third P router).
4. Router PE2 pops the inner label from the route and forwards the packet to Router Y.
To implement Layer 3 VPNs in the JUNOS Software, you configure one routing instance
for each VPN. You configure the routing instances on PE routers only. Each VPN routing
instance consists of the following components:
• VRF table—On each PE router, you configure one VRF table for each VPN.
• Set of interfaces that use the VRF table—The logical interface to each directly
connected CE router must be associated with a VRF table. You can associate more
than one interface with the same VRF table if more than one CE router in a VPN is
directly connected to the PE router.
• Policy rules—These control the import of routes into and the export of routes from the
VRF table.
• One or more routing protocols that install routes from CE routers into the VRF
table—You can use the BGP, OSPF, and RIP routing protocols, and you can use static
routes.
You can configure a VPN tunnel to facilitate VRF table lookup based on MPLS labels.
You might want to enable this functionality to forward traffic on a PE-router-to-CE-device
interface in a shared medium, where the CE device is a Layer 2 switch without IP
capabilities (for example, a metro Ethernet switch), or to perform egress filtering at the
egress PE router.
To configure Layer 3 virtual private network (VPN) functionality, you must enable VPN
support on the provider edge (PE) router. You must also configure any provider (P) routers
that service the VPN, and you must configure the customer edge (CE) routers so that
their routes are distributed into the VPN.
description text;
instance-type vrf;
interface interface-name;
protocols {
bgp {
group group-name {
peer-as as-number;
neighbor ip-address;
}
multihop ttl-value;
}
(ospf | ospf3) {
area area {
interface interface-name;
}
domain-id domain-id;
domain-vpn-tag number;
sham-link {
local address;
}
sham-link-remote address <metric number>;
}
rip {
rip-configuration;
}
}
route destination-prefix {
policy [ policy-names ];
static-options;
}
}
vrf-advertise-selective {
family {
inet-mvpn;
inet6-mvpn;
}
}
vrf-export [ policy-names ];
vrf-import [ policy-names ];
vrf-target (community | export community-name | import community-name);
vrf-table-label;
For Layer 3 VPNs, only some of the statements in the [edit routing-instances] hierarchy
are valid. For the full hierarchy, see Junos OS Routing Protocols Library.
In addition to these statements, you must enable a signaling protocol, IBGP sessions
between the PE routers, and an interior gateway protocol (IGP) on the PE and P routers.
Many of the configuration procedures for Layer 3 VPNs are common to all types of VPNs.
For the PE router to distribute VPN-related routes to and from connected CE routers, you
must configure routing within the VPN routing instance. You can configure a routing
protocol—BGP, OSPF, or RIP—or you can configure static routing. For the connection to
each CE router, you can configure only one type of routing.
The following sections explain how to configure VPN routing between the PE and CE
routers:
bgp {
group group-name {
peer-as as-number;
neighbor ip-address;
}
}
Please be aware of the following limitations regarding configuring BGP for routing
instances:
• In a VRF routing instance, do not configure the local autonomous system (AS) number
using an AS number that is already in use by a remote BGP peer in a separate VRF
routing instance. Doing so creates an autonomous system loop where all the routes
received from this remote BGP peer are hidden.
You configure the local AS number using either the autonomous-system statement
at the [edit routing-instances routing-instance-name routing-options] hierarchy level
or the local-as statement at any of the following hierarchy levels:
You configure the AS number for a BGP peer using the peer-as statement at the [edit
routing-instances routing-instance-name protocols bgp group group-name] hierarchy
level.
The following sections describe how to configure OSPF as a routing protocol between
the PE and the CE routers:
To configure OSPF version 2 as the routing protocol between a PE and CE router, include
the ospf statement:
ospf {
area area {
interface interface-name;
}
}
To configure OSPF version 3 as the routing protocol between a PE and CE router, include
the ospf3 statement:
ospf3 {
area area {
interface interface-name;
}
}
The following sections describe OSPF sham links and how to configure them:
Figure 55 on page 833 provides an illustration of when you might configure an OSPF sham
link. Router CE1 and Router CE2 are located in the same OSPF area. These CE routers are
linked together by a Layer 3 VPN over Router PE1 and Router PE2. In addition, Router CE1
and Router CE2 are connected by an intra-area link used as a backup.
OSPF treats the link through the Layer 3 VPN as an interarea link. By default, OSPF prefers
intra-area links to interarea links, so OSPF selects the backup intra-area link as the active
path. This is not acceptable in configurations where the intra-area link is not the expected
primary path for traffic between the CE routers.
An OSPF sham link is also an intra-area link, except that it is configured between the PE
routers as shown in Figure 55 on page 833. You can configure the metric for the sham link
to ensure that the path over the Layer 3 VPN is preferred to a backup path over an
intra-area link connecting the CE routers.
You should configure an OSPF sham link under the following circumstances:
If there is no intra-area link between the CE routers, you do not need to configure an OSPF
sham link.
For more information about OSPF sham links, see the Internet draft
draft-ietf-l3vpn-ospf-2547-01.txt, OSPF as the PE/CE Protocol in BGP/MPLS VPNs.
The sham link is an unnumbered point-to-point intra-area link and is advertised by means
of a type 1 link-state advertisement (LSA). Sham links are valid only for routing instances
and OSPF version 2.
Each sham link is identified by a combination of the local and remote sham link end-point
address and the OSPF area to which it belongs. Sham links must be configured manually.
You configure the sham link between two PE routers, both of which are within the same
VRF routing instance.
You need to specify the address for the local end point of the sham link. This address is
used as the source for the sham link packets and is also used by the remote PE router as
the sham link remote end-point.
The OSPF sham link’s local address must be specified with a loopback address for the
local VPN. The route to this address must be propagated by BGP. Specify the address
for the local end point using the local option of the sham-link statement:
sham-link {
local address;
}
The OSPF sham link’s remote address must be specified with a loopback address for
the remote VPN. The route to this address must be propagated by BGP. To specify the
address for the remote end point, include the sham-link-remote statement:
Optionally, you can include the metric option to set a metric value for the remote end
point. The metric value specifies the cost of using the link. Routes with lower total path
metrics are preferred over those with higher path metrics.
You can configure a value from 1 through 65,535. The default value is 1.
The following is the loopback interface configuration on the PE router. The address
configured is for the local end point of the OSPF sham link:
[edit]
interfaces {
lo0 {
unit 1 {
family inet {
address 10.1.1.1/32;
}
}
}
}
The following is the routing instance configuration on the PE router, including the
configuration for the OSPF sham link. The sham-link local statement is configured with
the address for the local loopback interface:
[edit]
routing-instances {
example-sham-links {
instance-type vrf;
interface e1-1/0/2.0;
interface lo0.1;
route-distinguisher 3:4;
vrf-import vpn-red-import;
vrf-export vpn-red-export;
protocols {
ospf {
sham-link local 10.1.1.1;
area 0.0.0.0 {
sham-link-remote 10.2.2.2 metric 1;
interface e1-1/0/2.0 metric 1;
}
}
}
}
}
(VRF) table in a PE router associated with an OSPF instance is configured with the same
OSPF domain ID. The default OSPF domain ID is the null value 0.0.0.0. As shown in
Table 51 on page 836, a route with a null domain ID is handled differently from a route
without any domain ID at all.
You can configure an OSPF domain ID for both version 2 and version 3 of OSPF. The only
difference in the configuration is that you include statements at the [edit routing-instances
routing-instance-name protocols ospf] hierarchy level for OSPF version 2 and at the
[edit routing-instances routing-instance-name protocols ospf3] hierarchy level for OSPF
version 3. The configuration descriptions that follow present the OSPF version 2 statement
only. However, the substatements are also valid for OSPF version 3.
domain-id domain-Id;
You can set a VPN tag for the OSPF external routes generated by the PE router to prevent
looping. By default, this tag is automatically calculated and needs no configuration.
However, you can configure the domain VPN tag for Type 5 LSAs explicitly by including
the domain-vpn-tag statement:
no-domain-vpn-tag number;
32
The range is 1 through 4,294,967,295 (2 – 1). If you set VPN tags manually, you must
set the same value for all PE routers in the VPN.
For an example of this type of configuration, see Configuring an OSPF Domain ID for a
Layer 3 VPN.
The default behavior of an OSPF domain ID causes some problems for hub-and-spoke
Layer 3 VPNs configured with OSPF between the hub PE router and the hub CE router
when the routes are not aggregated. A hub-and-spoke configuration has a hub PE router
with direct links to a hub CE router. The hub PE router receives Layer 3 BGP updates from
the other remote spoke PE routers, and these are imported into the spoke routing instance.
From the spoke routing instance, the OSPF LSAs are originated and sent to the hub CE
router.
The hub CE router typically aggregates these routes, and then sends these newly
originated LSAs back to the hub PE router. The hub PE router exports the BGP updates
to the remote spoke PE routers containing the aggregated prefixes. However, if there are
nonaggregated Type 3 summary LSAs or external LSAs, two issues arise with regard to
how the hub PE router originates and sends LSAs to the hub CE router, and how the hub
PE router processes LSAs received from the hub CE router:
• By default, all LSAs originated by the hub PE router in the spoke routing instance have
the DN bit set. Also, all externally originated LSAs have the VPN route tag set. These
settings help prevent routing loops. For Type 3 summary LSAs, routing loops are not
a concern because the hub CE router, as an area border router (ABR), reoriginates the
LSAs with the DN bit clear and sends them back to the hub PE router. However, the
hub CE router does not reoriginate external LSAs, because they have an AS flooding
scope.
You can originate the external LSAs (before sending them to the hub CE router) with
the DN bit clear and the VPN route tag set to 0 by altering the hub PE router’s routing
instance configuration. To clear the DN bit and set the VPN route tag to zero on external
LSAs originated by a PE router, configure 0 for the domain-vpn-tag statement at the
[edit routing-instances routing-instance-name protocols ospf] hierarchy level. You should
include this configuration in the routing instance on the hub PE router facing the hub
CE router where the LSAs are sent. When the hub CE router receives external LSAs
from the hub PE router and then forwards them back to the hub PE router, the hub PE
router can use the LSAs in its OSPF route calculation.
• When LSAs flooded by the hub CE router arrive at the hub PE router’s routing instance,
the hub PE router, acting as an ABR, does not consider these LSAs in its OSPF route
calculations, even though the LSAs do not have the DN bits set and the external LSAs
do not have a VPN route tag set. The LSAs are assumed to be from a disjoint backbone
area.
You can change the configuration of the PE router’s routing instance to cause the PE
router to act as a non-ABR by including the disable statement at the [edit
routing-instances routing-instance-name protocols ospf domain-id] hierarchy level. You
make this configuration change to the hub PE router that receives the LSAs from the
hub CE router.
By making this configuration change, the PE router’s routing instance acts as a non-ABR.
The PE router then considers the LSAs arriving from the hub CE router as if they were
coming from a contiguous nonbackbone area.
To configure RIP as the routing protocol between the PE and the CE router, include the
rip statement:
rip {
group group-name {
export policy-names;
neighbor interface-name;
}
}
By default, RIP does not advertise the routes it receives. To advertise routes from a PE
router to a CE router, you need to configure an export policy on the PE router for RIP. For
information about how to define policies for RIP, see Example: Applying Policies to RIP
Routes Imported from Neighbors.
export [ policy-names ];
You can include this statement for RIP at the following hierarchy levels:
To install routes learned from a RIP routing instance into multiple routing tables, include
the rib-group and group statements:
• [edit protocols]
rib-groups group-name;
• [edit routing-options]
To add a routing table to a routing table group, include the import-rib statement. The
first routing table name specified under the import-rib statement must be the name of
the routing table you are configuring. For more information about how to configure routing
tables and routing table groups, see Junos OS Routing Protocols Library.
import-rib [ group-names ];
RIP instances are supported only for VRF instance types. You can configure multiple
instances of RIP for VPN support only. You can use RIP in the customer edge-provider
edge (CE-PE) environment to learn routes from the CE router and to propagate the PE
router’s instance routes in the CE router.
RIP routes learned from neighbors configured under any instance hierarchy are added to
the instance’s routing table, instance-name.inet.0.
RIP does not support routing table groups; therefore, it cannot import routes into multiple
tables as the OSPF or OSPFv3 protocol does.
To configure a static route between the PE and the CE routers, include the static
statement:
static {
route destination-prefix {
next-hop [ next-hops ];
static-options;
}
}
For more information about configuring routing protocols and static routes, see Junos
OS Routing Protocols Library.
Limiting the Number of Paths and Prefixes Accepted from CE Routers in Layer 3 VPNs
You can configure a maximum limit on the number of prefixes and paths that can be
installed into the routing tables. Using prefix and path limits, you can curtail the number
of prefixes and paths received from a CE router in a VPN. Prefix and path limits apply
only to dynamic routing protocols, and are not applicable to static or interface routes.
To limit the number of paths accepted by a PE router from a CE router, include the
maximum-paths statement:
For a list of hierarchy levels at which you can configure this statement, see the statement
summary section for this statement.
Specify the log-only option to generate warning messages only (an advisory limit). Specify
the threshold option to generate warnings before the limit is reached. Specify the
log-interval option to configure the minimum time interval between log messages.
There are two modes for route limits: advisory and mandatory. An advisory limit triggers
warnings. A mandatory limit rejects additional routes after the limit is reached.
To limit the number of prefixes accepted by a PE router from a CE router, include the
maximum-prefixes statement:
For a list of hierarchy levels at which you can configure this statement, see the statement
summary section for this statement.
There are two modes for route limits: advisory and mandatory. An advisory limit triggers
warnings. A mandatory limit rejects additional routes after the limit is reached.
A mandatory path or prefix limit, in addition to triggering a warning message, rejects any
additional paths or prefixes once the limit is reached.
You can also configure the following options for both the maximum-paths and
maximum-prefixes statements:
• log-interval—Specify the interval at which log messages are sent. This option generates
warning messages only (an advisory limit).
Specify the log-interval option to configure the minimum time interval between log
messages.
The interfaces between the PE and CE routers of a Layer 3 VPN can be configured to
carry IP version 6 (IPv6) traffic. IP allows numerous nodes on different networks to
interoperate seamlessly. IPv4 is currently used in intranets and private networks, as well
as the Internet. IPv6 is the successor to IPv4, and is based for the most part on IPv4.
IPv6 for Layer 3 VPNs is supported for BGP and for static routes.
IPv6 over Layer 3 VPNs is described in RFC 4659, BGP-MPLS IP Virtual Private Network
(VPN) Extension for IPv6 VPN.
Related • Routing Policies, Firewall Filters, and Traffic Policers Feature Guide
Documentation
• Junos OS Routing Protocols Library
A Layer 3 virtual private network (VPN) routing instance is a collection of routing tables,
interfaces, and routing protocol parameters. The interfaces belong to the routing tables,
and the routing protocol parameters control the information in the routing tables. In the
case of MPLS VPNs, each VPN has a VPN routing and forwarding (VRF) routing instance.
A VRF routing instance consists of one or more routing tables, a derived forwarding table,
the interfaces that use the forwarding table, and the policies and routing protocols that
determine what goes into the forwarding table. Because each instance is configured for
a particular VPN, each VPN has separate tables, rules, and policies that control its
operation. A separate VRF table is created for each VPN that has a connection to a
customer edge (CE) router. The VRF table is populated with routes received from directly
connected CE sites associated with the VRF routing instance, and with routes received
from other provider edge (PE) routers in the same VPN.
The standard or the global instance is called as the default routing instance. By default,
all interfaces are associated with the default routing instance and default routing
information base (RIB) (inet0). Routing options and routing policies supported on the
default routing instance are also applicable to other routing instances.
A VRF routing instance is a BGP and MPLS VPN environment in which BGP is used to
exchange IP VPN routes and discover the remote site, and in which VPN traffic traverses
an MPLS tunnel in an IP and MPLS backbone. You can enable an ACX Series router to
function as a PE router by configuring VRF routing instances.
You can configure routing instances on ACX Series routers at the [edit routing-instances
routing-instance-name protocols] hierarchy level for unicast IPv4, multicast IPv4, unicast
IPv6, and multicast IPv6 address families. If you do not explicitly specify the address
family in an IPv4 or an IPv6 environment, the router is configured to exchange unicast
IPv4 or unicast IPv6 addresses by default. You can also configure the router to exchange
unicast IPv4 and unicast IPv6 routes in a specified VRF routing instance. If you specify
the multicast IPv4 or multicast IPv6 address family in the configuration, you can use BGP
to exchange routing information about how packets reach a multicast source, instead
of a unicast destination, for transmission to endpoints.
NOTE: Only the forwarding and virtual router routing instances support
unicast IPv6 and multicast IPv6 address families. Unicast IPv6 and multicast
IPv6 address families are not supported for VRF routing instances.
You can configure the following types of Layer 3 routing instances on ACX Series routers:
• Virtual router—A virtual router routing instance is similar to a VRF instance type, but is
used for non-VPN-related applications. There are no VRF import, VRF export, VRF
target, or route distinguisher requirements for this instance type. For this instance type,
there is a one-to-one mapping between an interface and a routing instance. This routing
instance type is used for routing and forwarding virtualization without VPNs (which is
achieved by using the VRF-Lite application).
• VRF—Use the VRF routing instance type for Layer 3 VPN implementations. This routing
instance type has a VPN routing table as well as a corresponding VPN forwarding table.
For this instance type, there is a one-to-one mapping between an interface and a
routing instance. Each VRF routing instance corresponds with a forwarding table. The
routes for each interface are installed in the forwarding table that is associated with
the VRF routing instance. This routing instance type is used to implement BGP or MPLS
VPNs in service provider networks or in big enterprise topologies.
Consider a sample VRF configuration scenario in which you want to configure two virtual
routers, one to transmit voice and data traffic and another to carry management traffic.
With such a configuration, the user and management networks are virtually separated,
although the physical infrastructure is unified and cohesive. Virtual router routing instances
enable you to isolate traffic without using multiple devices to segment your networks.
The virtual routers do not create IP, MPLS, or GRE tunnels, and automatic discovery of
remote sites that belong to the same network is not available. You must configure
interfaces that are part of a virtual network in a streamlined manner to suit your topology
requirements.
The following limitations apply to VRF routing instances that you configure on ACX Series
routers:
• You cannot establish a communication between two virtual routing instances that are
connected by external loopback.
In the Layer 3 lookup, up to 128 VRF tables are supported. Virtual routers without routing
protocols enabled (based on static routes) support 64 VRF tables and virtual routers
with all functions enabled within the routing instances support 16 VRF tables. When you
enable VRF table labels and you do not explicitly apply a classifier configuration to the
routing instance, the default MPLS EXP classifier is applied to the routing instance. You
can override the default MPLS EXP classifier and apply a custom classifier to the routing
instance. To perform this operation, you can filter the packets based on the IP header,
choose the VRF, and based on the selected VRF, create an EXP classifier and associate
it with the routing instance.
You can configure IP version 6 (IPv6) between the PE and CE routers of a Layer 3 VPN.
The PE router must have the PE router to PE router BGP session configured with the
family inet6-vpn statement. The CE router must be capable of receiving IPv6 traffic. You
can configure BGP or static routes between the PE and CE routers.
The following sections explains how to configure IPv6 VPNs between the PE routers:
family inet6-vpn {
(any | multicast | unicast) {
aggregate-label community community-name;
prefix-limit maximum prefix-limit;
rib-group rib-group-name;
}
}
For a list of hierarchy levels at which you can configure this statement, see the statement
summary section for this statement.
ipv6-tunneling;
For more information about IPv6, see Junos OS Routing Protocols Library.
The following sections explain how to configure BGP and static routes:
To configure BGP in the Layer 3 VPN routing instance to handle IPv6 routes, include the
bgp statement:
bgp {
group group-name {
local-address IPv6-address;
family inet6 {
unicast;
}
peer-as as-number;
neighbor IPv6-address;
}
}
To configure BGP in the Layer 3 VPN routing instance to handle both IPv4 and IPv6 routes,
include the bgp statement:
bgp {
group group-name {
local-address IPv4-address;
family inet {
unicast;
}
family inet6 {
unicast;
}
peer-as as-number;
neighbor address;
}
}
To configure OSPF version 3 in the Layer 3 VPN routing instance to handle IPv6 routes,
include the ospf3 statement:
ospf3 {
area area-id {
interface interface-name;
}
}
For complete configuration guidelines for this statement, see the Junos OS Routing
Protocols Library.
To configure a static route to the CE router in the Layer 3 VPN routing instance, include
the routing-options statement:
routing-options {
rib routing-table.inet6.0 {
static {
defaults {
static-options;
}
}
}
}
To configure the interface to handle IPv6 routes, include the family inet6 statement:
family inet6 {
address ipv6-address;
}
If you have configured the Layer 3 VPN to handle both IPv4 and IPv6 routes, configure
the interface to handle both IPv4 and IPv6 routes by including the unit statement:
unit unit-number {
family inet {
address ipv4-address;
}
family inet6 {
address ipv6-address;
}
}
You can configure an EBGP or IBGP multihop session between the PE and CE routers of
a Layer 3 VPN. This allows you to have one or more routers between the PE and CE
routers. Using IBGP between PE and CE routers does not require the configuration of any
additional statements. However, using EBGP between the PE and CE routers requires
the configuration of the multihop statement.
To configure an external BGP multihop session for the connection between the PE and
CE routers, include the multihop statement on the PE router. To help prevent routing
loops, you have to configure a time-to-live (TTL) value for the multihop session:
multihop ttl-value;
For the list of hierarchy levels at which you can configure this statement, see the summary
section for this statement.
Configuring an independent domain allows you to keep the AS paths of the independent
domain from being shared with the AS path and AS path attributes of other domains,
including the master routing instance domain.
If you are using BGP on the router, you must configure an AS number.
When you configure BGP as the routing protocol between a PE router and a CE router in
a Layer 3 VPN, you typically configure external peering sessions between the Layer 3 VPN
service provider and the customer network ASs.
If the customer network has several sites advertising routes through an external BGP
session to the service provider network and if the same AS is used by all the customer
sites, the CE routers reject routes from the other CE routers. They detect a loop in the
BGP AS path attribute.
To prevent the CE routers from rejecting each other’s routes, you could configure the
following:
• PE routers advertising routes received from remote PE routers can remap the customer
network AS number to its own AS number.
• The customer network can be configured with different AS numbers at each site.
These types of configurations can work when there are no BGP routing exchanges between
the customer network and other networks. However, they do have limitations for customer
networks that use BGP internally for purposes other than carrying traffic between the
CE routers and the PE routers. When those routes are advertised outside the customer
network, the service provider ASs are present in the AS path.
To improve the transparency of Layer 3 VPN services for customer networks, you can
configure the routing instance for the Layer 3 VPN to isolate the customer’s network
attributes from the service provider’s network attributes.
When you include the independent-domain statement in the Layer 3 VPN routing instance
configuration, BGP attributes received from the customer network (from the CE router)
are stored in a BGP attribute (ATTRSET) that functions like a stack. When that route is
advertised from the remote PE router to the remote CE router, the original BGP attributes
are restored. This is the default behavior for BGP routes that are advertised to Layer 3
VPNs located in different domains.
independent-domain;
The independent domain uses the transitive path attribute 128 (attribute set) to tunnel
the independent domain’s BGP attributes through the Internal BGP (IBGP) core. In Junos
OS Release 10.3 and later, if BGP receives attribute 128 and you have not configured an
independent domain in any routing instance, BGP treats the received attribute 128 as an
unknown attribute.
Related • Example: Tunneling Layer 3 VPN IPv6 Islands over an IPv4 Core Using IBGP and
Documentation Independent Domains
• Disabling Attribute Set Messages on Independent AS Domains for BGP Loop Detection
You can control label-advertisements on MPLS ingress and AS border routers (ASBRs).
Labels can be assigned on a per–next-hop (by default) or on a per-table basis (by
configuring the vrf-table-label statement). This choice affects all routes of a given routing
instance. You can also configure a policy to generate labels on a per-route basis by
specifying a label allocation policy.
To specify a label allocation policy for the routing instance, configure the label statement
and specify a label allocation policy using the allocation option:
label {
allocation label-allocation-policy;
}
To configure the label allocation policy, include the label-allocation statement at the
[edit policy-options policy-statement policy-statement-name term term-name then]
hierarchy level. You can configure the label allocation mode as either per-nexthop or
per-table.
For a VPN option B ASBR, labels for transit routes are substituted for a local virtual tunnel
label or vrf-table-label label. When a VRF table is configured on the ASBR (this type of
configuration is uncommon for the option B model), the ASBR does not generate MPLS
swap or swap and push state for transit routes. Instead, the ASBR re-advertises a local
virtual-tunnel or vrf-table-label label and forwards that transit traffic based on IP
forwarding tables. The label substitution helps to conserve labels on Juniper Networks
routers.
However, this type of label substitution effectively breaks the MPLS forwarding path,
which becomes visible when using an MPLS OAM command such as LSP ping. You can
configure the way in which labels are substituted on a per-route basis by specifying a
label substitution policy.
To specify a label substitution policy for the routing instance, configure the label statement
and specify a label substitution policy using the substitution option:
label {
substitution label-substitution-policy;
}
The label substitution policy is used to determine whether or not a label should be
substituted on an ASBR router. The results of the policy operation are either accept (label
substitution is performed) or reject (label substitution is not performed). The default
behavior is accept. The following set command example illustrates how you can configure
Protocol-independent load balancing for Layer 3 VPNs allows the forwarding next hops
of both the active route and alternative paths to be used for load balancing.
Protocol-independent load balancing works in conjunction with Layer 3 VPNs. It supports
the load balancing of VPN routes independently of the assigned route distinguisher. When
protocol-independent load balancing is enabled, both routes to other PE routers and
routes to directly connected CE routers are load-balanced.
When load-balancing information is created for a given route, the active path is marked
as Routing Use Only in the output of the show route table command.
• IPv4—You only need to configure the multipath statement at either the [edit
routing-instances routing-instance-name routing-options] hierarchy level or the [edit
routing-instances routing-instance-name routing-options rib routing-table-name] hierarchy
level.
• IPv6—You need to configure the multipath statement at both the [edit routing-instances
routing-instance-name routing-options] hierarchy level and the [edit routing-instances
routing-instance-name routing-options rib routing-table-name] hierarchy level.
To configure protocol-independent load balancing for Layer 3 VPNs, include the multipath
statement:
multipath {
vpn-unequal-cost equal-external-internal;
}
When you include the multipath statement at the following hierarchy levels,
protocol-independent load balancing is applied to the default routing table for that
routing instance (routing-instance-name.inet.0):
When you include the multipath statement at the following hierarchy levels,
protocol-independent load balancing is applied to the specified routing table:
• When you include it, protocol-independent load balancing is applied to VPN routes
that are equal until the IGP metric with regard to route selection.
• When you do not include it, protocol-independent load balancing is applied to VPN
routes that are equal until the router identifier with regard to route selection.
For example, a PE router has the following VRF routing instance configured:
[edit routing-instances]
load-balance-example {
instance-type vrf;
interface fe-0/1/1.0;
interface fe-0/1/1.1;
route-distinguisher 2222:2;
vrf-target target:2222:2;
routing-options {
multipath;
}
protocols {
bgp {
group group-example {
import import-policy;
family inet {
unicast;
}
export export-policy;
peer-as 4444;
local-as 3333;
multipath;
as-override;
neighbor 10.12.33.22;
}
}
}
}
When you include the multipath statement in the VRF routing instance configuration, the
paths are no longer marked as BGP paths but are instead marked as multipath paths.
Packets from the PE router are not load-balanced.
To ensure that VPN load-balancing functions as expected, do not include the from
protocol statement in the policy statement configuration. The policy statement should
be configured as follows:
For more information about how to configure per-packet load balancing, see the Routing
Policies, Firewall Filters, and Traffic Policers Feature Guide.
Configuring the Algorithm That Determines the Active Route to Evaluate AS Numbers
in AS Paths for VPN Routes
By default, the third step of the algorithm that determines the active route evaluates the
length of the AS path but not the contents of the AS path. In some VPN scenarios with
BGP multiple path routes, it can also be useful to compare the AS numbers of the AS
paths and to have the algorithm select the route whose AS numbers match.
To configure the algorithm that selects the active path to evaluate the AS numbers in
AS paths for VPN routes:
Accepting Route Updates with Unique Inner VPN Labels in Layer 3 VPNs
For Layer 3 VPNs configured on Juniper Networks routers, Junos OS normally allocates
one inner VPN label for each customer edge (CE)-facing virtual routing and forwarding
(VRF) interface of a provider edge (PE) router. However, other vendors allocate one VPN
label for each route learned over the CE-facing interfaces of a PE router. This practice
increases the number of VPN labels exponentially, which leads to slow system processing
and slow convergence time.
You can configure the router based on the number of VPN labels you want to manage
and on whether or not you want to create chained composite next hops for IPv6 labeled
routes:
Because using this statement can also enhance the Layer 3 VPN performance
of Juniper Networks routers in networks where only Juniper Networks routers
are deployed, we recommend configuring the statements in these networks
as well.
• MX Series routers
• M120 routers
To accept up to one million Layer 3 VPN route updates with unique inner VPN labels,
configure the l3vpn statement. This statement is supported on indirectly connected PE
routers only. Configuring this statement on a router that is directly connected to a PE
router provides no benefit. You can configure the l3vpn statement on a router with a mix
of links to both directly connected and indirectly connected PE routers.
To configure the router to accept up to one million Layer 3 VPN route updates with unique
inner VPN labels:
NOTE: The vpn-label statement does not provide any functional changes
when used on the MX Series routers. You can omit the configuration of
this statement on MX Series routers.
For more information about configuring more memory for Layer 3 VPN labels, see the
Junos OS Administration Library.
After you have configured the l3vpn statement, you can determine whether or not a Layer
3 VPN route is a part of a composite next hop by examining the display output of the
following commands:
Because using this statements can also enhance the Layer 3 VPN performance
of Juniper Networks routers in networks where only Juniper Networks routers
are deployed, we recommend configuring the statement in these networks
as well.
Using the extended-space statement can double the number of routes with unique inner
VPN labels that can be processed by a Juniper Networks router. However, when configuring
such very large-scale Layer 3 VPN scenarios, keep the following guidelines in mind:
• The chassis must be configured to use the enhanced-ip option in network services
mode.
For more information about configuring chassis network services, see the Junos OS
Administration Library.
• Ensure that you configure per-packet load balancing for associated policies.
For more information about configuring policies, see the Routing Policies, Firewall Filters,
and Traffic Policers Feature Guide.
To configure the router to accept more than one million Layer 3 VPN route updates with
unique inner VPN labels:
[edit chassis]
user@host>set network-services enhanced-ip
After you have completed the configuration, you can determine whether or not a Layer
3 VPN route is a part of a composite next hop by examining the display output of the
following commands:
Enabling Chained Composite Next Hops for IPv6 Labeled Unicast Routes
You can enable chained composite next hops for IPv6 labeled unicast routes by
configuring the labeled-bgp and inet6 statements:
• To enable chained composite next hops for inet6 labeled unicast routes, include the
inet6 statement at the [edit routing-options forwarding-table
chained-composite-next-hop ingress labeled-bgp] hierarchy level. This statement is
disabled by default.
Related • Chained Composite Next Hops for Transit Devices for VPNs
Documentation
• Configuring the Junos OS to Allocate More Memory for Routing Tables, Firewall Filters,
and Layer 3 VPN Labels
• CoS on ACX Series Universal Access Routers Features Overview on page 864
• Understanding CoS CLI Configuration Statements on ACX Series Universal Access
Routers on page 865
• Configuring CoS on ACX Series Universal Access Routers on page 866
• Classifiers and Rewrite Rules at the Global, Physical and Logical Interface Levels
Overview on page 871
• Configuring Classifiers and Rewrite Rules at the Global and Physical Interface
Levels on page 872
• Understanding Schedulers Overview on page 874
• Configuring Shared and Dedicated Buffer Memory Pools on page 876
• CoS for PPP and MLPPP Interfaces on ACX Series Routers on page 877
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring the IEEE 802.1p Field for CoS Host Outbound Traffic in ACX
Series on page 889
• Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in ACX
Series on page 889
• Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host Outbound
Traffic on the Interface in ACX Series on page 890
• Overview of Assigning Service Levels to Packets Based on Multiple Packet Header
Fields on page 891
• Configuring Multifield Classifiers on page 892
• Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
• Configuring Fixed Classification on an ATM IMA Pseudowire on page 897
• Example: Configuring Fixed Classification on an ATM IMA Pseudowire on page 898
• Configuring Shaping on an ATM IMA Pseudowire on page 901
• Example: Configuring Shaping on an ATM IMA Pseudowire on page 902
• Understanding RED Drop Profiles Overview on page 907
• Configuring RED Drop Profiles on page 907
• Controlling Network Access Using Traffic Policing Overview on page 908
• Configuring Policing on an ATM IMA Pseudowire on page 912
The following key CoS features are supported on ACX Series Universal Access Routers:
• Fixed classification for all ingress packets traversing a logical interface to a single
forwarding class. Fixed classification is supported on all interface types.
• EXP bits located in each MPLS label and used to encode the CoS value of a packet as
it traverses a label-switched path (LSP). To configure global EXP bits, include the exp
statement at the [edit class-of-service system-defaults classifiers] hierarchy level.
• Rewrite rules at the physical and logical interface levels including the following: IP
type-of-service (ToS), DSCP, MPLS EXP bit value, and IEEE 802.1p bit value.
• Attachment of the following rewrite rules to the physical interface at the [edit
class-of-service interfaces interface-name rewrite-rules] hierarchy level: IP ToS, DSCP,
and IEEE 802.1p bit value.
• Rewrite rules for MPLS EXP bits on the logical interface at the [edit class-of-service
interfaces interface-name unit unit-number rewrite-rule] hierarchy level.
NOTE: Fine-grained rewrite is not possible, even when you use multifield
filters, because of the application-specific integrated circuit (ASIC)
limitation.
• Three weighted random early detection (WRED) curves for TCP and one WRED curve
for non-TCP. There are two fill levels and two drop probabilities per WRED curve; the
drop probability corresponding to the first fill must be zero.
• Per-queue committed information rate (CIR) and peak information rate (PIR).
• Per-physical-port shaping.
• Per-egress-queue enqueue statistics in packets, bytes, packets per second (pps), and
bits per second (bps).
Related •
Documentation • Understanding CoS CLI Configuration Statements on ACX Series Universal Access
Routers on page 865
ACX Series Universal Access Routers have some statements or statement options
supported on other platforms that are not supported or may not have effect on ACX
Series devices.
The following CLI options are not applicable to ACX Series Universal Access Routers:
At the [edit class-of-service classifiers type classifier-name] hierarchy level, the dscp-ipv6
and ieee-802.1ad classifier types are not supported. For the dscp classifier type, only the
outer tag is supported.
The following CLI stanza is not applicable to ACX Series Universal Access Routers.
The following CLI statements are not applicable to ACX Series Universal Access Routers.
Related • CoS on ACX Series Universal Access Routers Features Overview on page 864
Documentation
• Configuring CoS on ACX Series Universal Access Routers on page 866
encode the CoS value of a packet as it traverses an LSP. To configure global EXP bits,
include the exp statement at the [edit class-of-service system-defaults classifiers]
hierarchy level.
[edit]
user@host# edit class-of-service
[edit class-of-service]
user@host# edit rewrite-rules (dscp | inet-precedence) rewrite-name
user@host# edit forwarding-class class-name
user@host# set loss-priority low class-name code-points (alias | bits)
[edit class-of-service]
user@host# edit classifiers (dscp | inet-precedence) classifier-name
user@host# edit forwarding-classes class-name
user@host# set loss-priority class-name code-points (alias | bits)
[edit class-of-service]
user@host# edit forwarding-classes class queue-number queue-number
[edit class-of-service]
user@host# edit forwarding-class class-name
user@host# set loss-priority low class-name code-points (alias | bits)
[edit ]
user@host# edit class-of-service system-defaults classifiers exp classifier-name
• Diffserv code point (DSCP)-based BA classification and rewrites on NNI ports for IP
control traffic at port level.
• EXP-based global behavior aggregate (BA) classification and rewrites on NNI ports
for customer traffic from F1 to F2 by using pseudowire.
[edit]
class-of-service {
classifiers {
dscp dscp-classf-core {
forwarding-class be {
loss-priority low code-points 011101;
}
forwarding-class be1 {
loss-priority high code-points 010101;
}
forwarding-class ef {
loss-priority low code-points 001101;
}
forwarding-class ef2 {
loss-priority high code-points 000101;
}
forwarding-class af {
loss-priority low code-points 011001;
}
forwarding-class af1 {
loss-priority high code-points 010001;
}
forwarding-class nc {
loss-priority low code-points 001001;
}
forwarding-class nc3 {
loss-priority high code-points 000001;
}
}
exp exp-rewrite-core {
forwarding-class be {
loss-priority low code-point 111;
}
forwarding-class be1 {
loss-priority high code-point 110;
}
forwarding-class ef {
loss-priority low code-point 101;
}
forwarding-class ef2 {
loss-priority high code-point 100;
}
forwarding-class af {
loss-priority low code-point 011;
}
forwarding-class af1 {
loss-priority high code-point 010;
}
forwarding-class nc {
loss-priority low code-point 001;
}
forwarding-class nc3 {
loss-priority high code-point 000;
}
}
}
forwarding-classes {
class be queue-num 0;
class ef queue-num 1;
class af queue-num 2;
class nc queue-num 3;
class be1 queue-num 4;
class ef1 queue-num 5;
class af1 queue-num 6;
class nc1 queue-num 7;
class be2 queue-num 0;
class ef2 queue-num 1;
class af2 queue-num 2;
class nc2 queue-num 3;
class be3 queue-num 4;
class ef3 queue-num 5;
class af3 queue-num 6;
class nc3 queue-num 7;
}
rewrite-rules {
dscp dscp-rewrite-core {
forwarding-class be {
loss-priority low code-point 100000;
}
forwarding-class be1 {
loss-priority high code-point 100001;
}
forwarding-class ef {
loss-priority low code-point 100010;
}
forwarding-class ef2 {
loss-priority high code-point 100011;
}
forwarding-class af {
loss-priority low code-point 100100;
}
forwarding-class af1 {
loss-priority high code-point 100101;
}
forwarding-class nc {
loss-priority low code-point 100110;
}
forwarding-class nc3 {
loss-priority high code-point 100111;
}
exp exp-rewrite-core {
forwarding-class be {
loss-priority low code-point 111;
}
forwarding-class be1 {
loss-priority high code-point 110;
}
forwarding-class ef {
loss-priority low code-point 101;
}
forwarding-class ef2 {
loss-priority high code-point 100;
}
forwarding-class af {
loss-priority low code-point 011;
}
forwarding-class af1 {
loss-priority high code-point 010;
}
forwarding-class nc {
loss-priority low code-point 001;
}
forwarding-class nc3 {
loss-priority high code-point 000;
}
}
}
class-of-service {
interfaces {
ge-1/0/1 {
unit 0 {
forwarding-class be;
}
}
ge-1/0/2 {
classifiers {
dscp dscp-classf-core;
}
rewrite-rules {
dscp dscp-rewrite-core;
}
unit 0 {
rewrite-rules {
exp exp-rewrite-core;
}
}
}
}
system-defaults {
classifiers {
exp exp-classf-core;
}
}
}
class-of-service {
interfaces {
ge-1/0/4 {
unit 0 {
forwarding-class be;
}
}
ge-1/0/3 {
classifiers {
dscp dscp-classf-core;
}
rewrite-rules {
dscp dscp-rewrite-core;
}
unit 0 {
rewrite-rules {
exp exp-rewrite-core;
}
}
}
}
system-defaults {
classifiers {
exp exp-classf-core;
}
}
}
Related • CoS on ACX Series Universal Access Routers Features Overview on page 864
Documentation
• Understanding CoS CLI Configuration Statements on ACX Series Universal Access
Routers on page 865
Classifiers and Rewrite Rules at the Global, Physical and Logical Interface Levels
Overview
On ACX Series Universal Access Routers and EX Series switches, CoS supports
classification and rewrite at the global level and physical interface levels.
The IEEE 802.1ad classifier uses IEEE 802.1p and DEI bits together.
NOTE: You cannot configure both IEEE 802.1p and IEEE 802.1ad classifiers
together at the physical interface level.
At a logical interface level, you can define the fixed classification and EXP rewrites.
To configure global EXP classifiers, include the classfiers exp classifier-name statement
at the [edit class-of-service system-defaults] hierarchy level.
To configure classifiers or rewrite rules at the physical interface, include either the
classifiers statement or the rewrite-rules statement at the [edit class-of-service]
interfaces interface-name ] hierarchy level.
To configure fixed classifiers at the logical interface, include the [edit class-of-service
interfaces interface-name unit number forwarding-class fc] or the rewrite-rules
statement at the [edit class-of-service interfaces interface-name ] hierarchy level.
To configure EXP rewrite at the logical interface, include the [edit class-of-service
interfaces interface-name unit number rewrite-rules exp rewrite-rule] statement.
To display classifiers and rewrite rules bound to physical interfaces, enter the show
class-of-service interfaces interface-name command.
Related • Configuring Classifiers and Rewrite Rules at the Global and Physical Interface Levels
Documentation on page 872
Configuring Classifiers and Rewrite Rules at the Global and Physical Interface Levels
On ACX Series Universal Access Routers and EX Series switches, CoS supports
classification and rewrite at the global and physical interface levels.
To configure the global EXP classifier, include the following statements at the [edit
class-of-service] system-defaults hierarchy level.
[edit class-of-service]
{
system-defaults
{
classifiers exp classifier-name
}
}
CoS supports one global system default classifier of the EXP type, as shown in the
following example:
[edit class-of-service]
{
system-defaults {
classifiers {
exp exp-classf-core;
}
}
}
To configure classifiers and rewrite rules at the physical interface level, include the
following statements at the [edit class-of-service] interfaces hierarchy level.
[edit class-of-service]
interfaces {
interface-name
classifiers dscp classifier-name
classifiers inet-precedence classifier-name
classifiers ieee-802.1 [vlan-tag (outer | inner)] classifier-name
rewrite-rules dscp rewrite-name
rewrite-rules inet-prec rewrite-name
rewrite-rules ieee-802.1 rewrite-name
}
The following example shows classifiers and rewrite rules configured on physical
interfaces:
ge-0/1/0 {
unit 0 {
rewrite-rules {
exp custom-exp;
}
}
classifiers {
dscp d1;
ieee-802.1 ci;
}
rewrite-rules {
dscp default;
}
}
ge-0/1/2 {
classifiers {
ieee-802.1 ci;
}
rewrite-rules {
ieee-802.1 ri;
}
}
ge-0/1/3 {
unit 0 {
rewrite-rules {
exp custom-exp2;
}
}
}
ge-0/1/7 {
classifiers {
dscp d1;
}
}
ge-0/1/8 {
classifiers {
dscp d1;
}
}
Related • Classifiers and Rewrite Rules at the Global, Physical and Logical Interface Levels
Documentation Overview on page 871
You use schedulers to define the properties of output queues. These properties include
the amount of interface bandwidth assigned to the queue, the size of the memory buffer
allocated for storing packets, the priority of the queue, and the random early detection
(RED) drop profiles associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps. You
can then associate each scheduler map with an interface, thereby configuring the
hardware queues, packet schedulers, and RED processes that operate according to this
mapping.
[edit class-of-service]
interfaces {
interface-name {
scheduler-map map-name;
shaping-rate rate;
}
}
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
drop-profiles {
drop profile-name {
fill-level percentage drop-probability percentage;
fill-level percentage drop-probability percentage;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder | temporal microseconds | buffer-partition
multicast percent percentage );
In ACX Series routers, you can configure more than one strict-priority queues per port.
The hardware services the queues in the descending order of queue numbers marked as
strict priority. All the strict-priority queues are given preferential treatment by the scheduler
as long as their shaping rates (or peak information rates) are not met. Unlike MX Series
routers, the ACX Series routers configured with queues as strict-high at the [edit
class-of-service schedulers scheduler-name priority strict-high] statement hierarchy, the
service is based on queue number and not based on sharing the strict-high queues. Unlike
other ACX Series routers, ACX5048 and ACX5096 router supports CIR among
strict-priority queues. There is no implicit queue number-based priority among the
strict-priority queues. Unlike other ACX Series routers, ACX5048 and ACX5096 router
supports configuring drop profiles for loss-priority low, medium-high, and high for non-TCP
protocols as well.
The ACX5048 and ACX5096 router has 12 megabytes of Packet Forwarding Engine (PFE)
wide common packet buffer memory that is used to store packets on interface queues.
The buffer memory is divided into two pools, shared buffers and dedicated buffers or
reserved buffers.
Shared buffers are a global memory pool that the router allocates dynamically to ports
as needed, so the buffers are shared among the ports. To configure a maximum amount
of shared buffer that the multicast packets can consume, include the multicast percentage
CLI statement at the [edit class-of-service schedulers scheduler-name shared-buffer
maximum] hierarchy level. The value that you can specify for multicast percentage CLI
command can be from 0 through 100 percent. If the multicast percentage CLI statement
is not added, then the value defined by the shared-buffer maximum percent percentage
is used for multicast packets as well.
Dedicated buffers or reserved buffers are a memory pool divided equally among the
router ports. Each port receives a minimum guaranteed amount of buffer space, dedicated
to each port, not shared among ports. To configure a dedicated buffer for multicast
packets, include the buffer-partition multicast percentage CLI statement at the [edit
class-of-service schedulers scheduler-name buffer-size] hierarchy level. The value that
you can specify for buffer-partition multicast percentage CLI command can be from 0
through 100 percent. If the buffer-partition multicast percentage CLI statement is not
configured, then a default value of 25% is reserved for multicast packets.
NOTE: The total amount of actual queue buffer is defined using the buffer-size
CLI command.
To configure shared and dedicated buffers, include the multicast percentage and
buffer-partition multicast percentage CLI statements at the [edit class-of-service] hierarchy
level:
[edit class-of-service]
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder | temporal microseconds | buffer-partition
multicast percent percentage );
shared-buffer maximum (percent percentage | multicast percentage);
}
}
The following is a sample configuration for shared and dedicated buffers in ACX5048
and ACX5096 routers:
[edit class-of-service]
schedulers schd1{
buffer-size percent 80;
buffer-partition {
multicast {
percent 30;
}
}
shared-buffer {
maximum {
20;
multicast {
10;
}
}
}
}
The port gets 50 microseconds worth of reserved buffer. For a 10 Gigabyte port without
any shaper, this translates to 62500 Bytes.
In the above sample configuration, the total buffer size allotted for the queue is 80
percent.
Under buffer-partition, the multicast packets get 30 percent of the total buffer-size,
which translates to about 24 percent of port-buffer. The unicast packets get the remaining
70 percent of 80 percent of the port buffer, which translates to 56 percent of port buffer.
Under shared-buffer, the multicast packets get up to 10 percent of the total shared buffer.
Unicast packets use up to 20 percent of the total shared buffer.
Junos CoS enables you to divide traffic into classes and offer various levels of throughput
and packet loss when congestion occurs. This functionality allows packet loss to happen
according to rules that you configure. The Junos CoS features provide a set of mechanisms
that you can use to provide differentiated services when best-effort traffic delivery is
insufficient.
CoS functionalities are supported on PPP and MLPPP interfaces. Up to four forwarding
classes and four queues are supported per logical interface for PPP and MLPPP packets.
NOTE: CoS for PPP and MLPPP Interfaces is not applicable on ACX5048
and ACX5096 routers.
The Junos OS CoS features provide a set of mechanisms that you can use to provide
differentiated services when best-effort traffic delivery is insufficient. In designing CoS
applications, you must give careful consideration to your service needs, and you must
thoroughly plan and design your CoS configuration to ensure consistency across all
routing devices in a CoS domain. You must also consider all the routing devices and other
networking equipment in the CoS domain to ensure interoperability among all equipment.
Limitations That are Common for CoS on PPP and MLPPP Interfaces
The following restrictions apply for configuring CoS on PPP and MLPPP interfaces on
ACX Series routers:
• For interfaces with PPP encapsulation, you can configure interfaces to support the
IPv4, Internet Protocol Control Protocol (IPCP), PPP Challenge Handshake
Authentication Protocol (CHAP), and Password Authentication Protocol (PAP)
applications.
• Drop timeout, which defines a recovery method for any packets dropped by the member
links in a link services or multilink bundle, is not applicable for ACX routers.
• Loss of traffic occurs during a change of CoS configuration; you cannot modify
scheduling attributes instantaneously. The link moves to the down state for PPP, and
the protocol is denoted as down for MLPPP interfaces.
• Scheduling and shaping capabilities are based on the CIR-EIR model and are not in
accordance with the weighed fair queuing mode. The minimum transmit speed is 32
Kbps, and the minimum difference that can be supported between the transmit rate
and shaping rate is also 32 Kbps.
• Buffer size is calculated in terms of packets using 256 bytes as the average packet
size. For example, if you configure a 10 percent buffer size for TI interfaces, the buffer
allocated as 1.536 Mbps * (10/100) * (0.1 sec) = 15360 bits. The following formula
computes the configured queue length:
Because there are no shared buffers, the usage of "buffer-size" and "buffer-size exact"
attributes result in the same behavior.
• Only two loss priority levels, namely low and high, are supported. Traffic that arrives
from the Packet Forwarding Engine with a medium-high priority is treated as high
priority traffic. Although you can configure the medium-high loss priority type when
you configure the action for a firewall term, it is considered by the system as high priority
traffic.
• A fixed, in-built mapping between forwarding class and queue number as follows is
performed: Best-effort is queue 0, expedited-forwarding is queue 1, assured-forwarding
is queue 2, and network-control is queue 3
• For WRED configurations, the difference between maximum fill-level and minimum-fill
level is a number raised to the power of 2 in terms of number of packets (x^2).
Otherwise, the lower fill-level is tuned to turn the difference into a value raised to the
power of 2. For example, queues contain a size of 64 packets. If the following
configuration is performed:
fill-level 50 drop-probability 0;
fill-level 100 drop-probability 100;
• For the lower fill level, the minimum number of packets is 32. However, if you specify
the fill-level to be 45 instead of 50, the lower fill level is 28. Because 64 - 28, which
• The distribution of excess rate between 2 or more queues that contain the same priority
occurs on a first-come, first-served basis. For example, consider two Queues configured
as follows:
• The excess rate distribution between Q1 and Q2 does not follow the same ratio but
packets in these queues are served in first-come, first-served manner. The shaping
rate continues to be honored in such a scenario.
• You can configure only the any option with the protocol statement at the [edit
class-of-service schedulers scheduler-name drop-profile-map] hierarchy level to specify
the protocol type for the specified scheduler. You cannot specify the TCP or non-TCP
protocol types.
• CoS functionalities for fractional T1 and E1 interfaces are not supported. CoS is
supported only for full T1 and E1 interfaces.
• Weighted fair queuing (WFQ) shaping and scheduling model is not supported. Instead
of WFQ, CIR-EIR model is supported to handle shaping and scheduling requirements.
• Percentage-based rate configuration is not supported for MLPPP LSQ interfaces; only
absolute rate configration in bps is supported.
• Auto-adjustment of shaping and scheduling rates with the addition or deletion of T1/E1
links is not supported. All the limitations applicable for CoS on ACX routers apply for
PPP interfaces.
• All the policer limitations on ACX routers for Gigabit Ethernet interfaces are valid for
PPP interfaces. This restriction includes ingress and egress policers. Because these
limitations are chassis-wide, they are also effective for PPP interfaces.
• All valid configurations specified for MLPPP interfaces with inet address families are
also valid for MLPPP interfaces with MPLS address families. For example, EXP classifier
as a global classifier is supported for ingress classification and EXP rewrite rule is
supported for egress logical interfaces.
• Support for oversubscription and priority is not available, which might cause inefficient
bandwidth utilization. For example, consider a default scheduler map, with the
best-effort queue configured with a rate that is equal to 16*T1*(.95) transmit-rate
exact.
Traffic that arrives as only best-effort type of traffic is provided with complete
bandwidth capacity if no traffic is distributed to any other queue. Traffic that arrives
on the only network-control queue is limited to a bandwidth of 1.2288 Mbps, even if
no traffic is present on any other queue. When traffic arrives on both the best-effort
and network-control queues, an equal division of traffic is done on both the queues
because both the queues are within their minimum guarantee rate. Queues other than
Best-Effort and Network-Control receive 32 Kbps of exact transmit bandwidth.
Queues other than best-effort and network-control are assigned 32 Kbps of exact
transmit bandwidth.
Consider another example of a default scheduler map, and an MLPPP bundle with two
T1 links. In such a scenario, the following behavior is observed for MLPPP bundle with
two T1 links:
Traffic that arrives on only the best-effort queue obtains the entire bandwidth capacity
if there is no traffic on any other queue. Traffic that arrives on only the network-control
queue is limited to 1.2288 Mbps, even when no traffic is passing through any other queue.
When traffic arrives on both the queues, it is marked at 1.2288 Mbps for the
network-control queue and at 1.843200 Mbps for best-effort queue.
For a default scheduler-map with an MLPPP bundle that contains 16 T1 links, the traffic
that arrives as only best-effort traffic receives a bandwidth that is equal to (0.95 * 16 *
T1) capacity if there is no traffic on any other queue. Traffic that arrives as only
network-control traffic is limited to 1.2288 Mbps even if no traffic on any other queue is
observed. When traffic arrives on both the queues, it is tagged as 1.2288 Mbps for
network-control and (0.95 * 16 * T1) Mbps for best-effort queues. If you configure a
scheduler-map with a fragmentation map, two or more classes when configured with
same priority receive only the transmit-rate served for them and function as the traffic
defined for exact transmit-rate functionality.
Support for oversubscription between two multi-classes on the same priority is not
provided. The queue corresponding to which there is no-multiclass entry is moved to the
disabled state. Only one-to-one mapping between forwarding-class to multi-class is
supported. One forwarding class can send traffic corresponding to only one multi-class.
• To configure the global EXP classifier, include the following statements at the [edit
class-of-service system-defaults] hierarchy level.
[edit class-of-service]
{
system-defaults
{
classifiers exp classifier-name
}
}
CoS supports one global system default classifier of the EXP type, as shown in the
following example:
[edit class-of-service]
{
system-defaults {
classifiers {
exp exp-classf-core;
}
}
}
• All packets that are received on a logical interface in the ingress direction can be
classified to a single forwarding class using fixed classification.
• IPv4 - inet-precedence
• DSCP
• WRED
• The four priorities supported for logical interface-level queuing are strict-high,
medium-high, medium-low, or low. The transmit rate per queue (CIR) is the minimum
committed rate can be specified for each queue. The shaping rate per queue (PIR) is
the maximum transmit rate can be specified for each queue. For WRED, the default
behavior is to enable tail drops. The drop profile configuration enables WRED and
enables different drop behavior based on the drop precedence to be entered. Loss
priority settings help determine which packets are dropped from the network during
periods of congestion. The software supports multiple packet loss priority (PLP)
designations: low and high
• Buffer-size can be specific in percentage and temporal configuration. This size is turned
into the number of packets per queue, with 256 bytes treated as the average packet
size. The following settings can be configured at the queue level:
• Drop profile
• Buffer size
[edit class-of-service]
schedulers scheduler_name {
transmit-rate (percent number | rate);
shaping-rate (percent number | rate);
buffer-size (percent | temporal)
drop-profile-map map_name;
}
Only 4 forwarding classes and only 4 queues per logical interface are supported. Also,
logical interface-based shaping is not supported.
• Packet and byte counters for transmitted and dropped packets are available per queue.
These statistical details are displayed using the show interfaces queue command.
Aggregation to provide port-level statistics, if needed, is also supported by the system.
The logical interface-level statistics are correctly available for egress direction and are
displayed in the output, but the statistics pertaining to dropped packets are not
considered because of hardware limitations. The following configuration stanza defines
the rewrite rules:
[edit class-of-service]
rewrite-rules {
(inet-precedence | dscp | exp) rewrite-name
{
forwarding-class class-name loss-priority [low | high]
code-point value;
}
}
Each of the rewrite rules can be attached to an interface by using the following
configuration syntax:
All of the firewall features supported on ACX routers are applicable for PPP interfaces
for IPv4 packets.
• For rewrite rules, IPv4 or inet precedence and EXP rules are supported. EXP rewrite
rules apply only to logical interfaces. You cannot apply EXP rewrite rules to physical
interfaces. There are no default EXP rewrite rules. If you want to rewrite the EXP value
in MPLS packets, you must configure EXP rewrite rules and apply them to logical
interfaces. If no rewrite rules are applied, all MPLS labels that are pushed have a value
of zero (0). The EXP value remains unchanged on MPLS labels that are swapped.
• Fixed classification using forwarding classes and BA classification using IPv4 precedence
value are supported.
• WRED
• Forwarding classes
• Forwarding class to multilink class mapping. You use the multilink-class statement to
map a forwarding class into a multiclass MLPPP (MCML).
• All of the firewall features supported on ACX routers are applicable for MLPPP interfaces
for IPv4 packets
The following CoS capabilities are supported on MLPPP interfaces for MPLS packets:
• WRED
• Forwarding classes
• Forwarding class to multilink class mapping. You use the multilink-class statement to
map a forwarding class into a multiclass MLPPP (MCML).
• All of the firewall features supported on ACX routers are applicable for MLPPP interfaces
for IPv4 packets
[edit]
class-of-service {
classifiers {
inet-precedence all-traffic-inet {
forwarding-class assured-forwarding {
loss-priority low code-points 101;
}
forwarding-class expedited-forwarding {
loss-priority low code-points 000;
}
}
}
drop-profiles {
plp-low-red {
fill-level 50 drop-probability 0;
fill-level 100 drop-probability 100;
}
plp-high-red {
fill-level 25 drop-probability 0;
fill-level 50 drop-probability 100;
}
}
forwarding-classes {
queue 0 best-effort;
queue 1 assured-forwarding;
queue 2 expedited-forwarding;
queue 3 network-control;
}
schedulers {
evdo-mlppp-best-effort {
transmit-rate 1M;
buffer-size percent 80;
priority medium-high;
}
evdo-mlppp-assured-forwarding {
transmit-rate 500000;
buffer-size percent 10;
drop-profile-map loss-priority low protocol any drop-profile
plp-low-red;
drop-profile-map loss-priority high protocol any drop-profile
plp-high-red;
priority medium-low;
}
evdo-mlppp-expedited-forwarding {
transmit-rate 300000;
buffer-size percent 5;
priority low;
}
evdo-mlppp-network-control {
transmit-rate 200000;
buffer-size percent 5;
priority strict-high;
}
}
scheduler-maps {
evdo-mlppp-cos-map {
forwarding-class best-effort scheduler evdo-mlppp-best-effort;
forwarding-class {
assured-forwarding {
multilink-class 2;
}
expedited-forwarding {
multilink-class 3;
}
best-effort {
multilink-class 1;
}
network-control {
multilink-class 0;
}
}
}
}
interfaces {
lsq-0/* {
unit * {
scheduler-map evdo-mlppp-cos-map;
fragmentation-map frag-mlppp;
}
}
}
NOTE: In ACX Series routers, the forwarding class and queue mapping is
fixed for PPP and MLPPP interfaces.
[edit]
firewall {
filter classify-evdo-traffic-mlppp {
interface-specific;
term signalling {
from {
dscp ef;
}
then {
count signalling-counter;
forwarding-class network-control;
accept;
}
}
term user-speech {
from {
dscp af31;
}
then {
policer user-speech-rate-limit;
count user-speech-counter;
forwarding-class network-control;
accept;
}
}
term ptt-mcs {
from {
dscp af11;
}
then {
count ptt-mcs-counter;
forwarding-class network-control;
accept;
}
}
term user-video {
from {
dscp af21;
}
then {
count user-video-counter;
loss-priority low;
forwarding-class assured-forwarding;
accept;
}
}
term user-cmcs {
from {
dscp af12;
}
then {
count user-cmcs-counter;
loss-priority low;
forwarding-class assured-forwarding;
accept;
}
}
term ran-rlp-retransmission {
from {
dscp af41;
}
then {
count rlp-retransmit-counter;
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term user-best-effort {
then {
count user-be-counter;
forwarding-class best-effort;
accept;
}
}
}
}
For packets that go through NAT services, the classification is done when the packet
enters the router, and the resulting forwarding class and the packet loss priority are
preserved when the packet goes through the inline services interface. When the packet
exits the router through a physical interface, the queuing, scheduling, and rewrite rules
configured on the egress physical interface are applied on the basis of the forwarding
class and packet loss priority derived during ingress.
NOTE: CoS for NAT services is not applicable on ACX5048 and ACX5096
routers.
Queuing and scheduling are supported on the inline services interface to handle congestion
at the inline services interface. Congestion at inline services interface is possible when
the interface is oversubscribed. In this case, you would need to selectively drop packets
based on the packet's forwarding class and packet loss priority. To drop packets based
on the packet's forwarding class and packet loss priority, scheduler map configurations
are supported on the inline services interface.
NOTE: In ACX Series routers, you cannot configure classification and rewrite
policies on the inline services interface.
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
Configuring the IEEE 802.1p Field for CoS Host Outbound Traffic in ACX Series
This topic provides a summary of the configuration for setting the IEEE 802.1p field in the
Ethernet frame header for host outbound traffic (control plane traffic). You can set a
global value for the priority code point that applies to all host outbound traffic.
Additionally, or alternatively, you can specify that rewrite rules are applied to all host
outbound traffic on egress logical interfaces. These are rules that have been previously
configured to set the IEEE 802.1p field for data traffic on those interfaces.
1. (Optional) Specify a global default value for the IEEE 802.1p field for all host outbound
traffic.
See “Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in
ACX Series” on page 889.
2. (Optional) Specify that the IEEE 802.1p rewrite rules for the egress logical interfaces
are applied to all host outbound traffic on those interfaces.
See “Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host
Outbound Traffic on the Interface in ACX Series” on page 890.
Related • Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in ACX
Documentation Series on page 889
• Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host Outbound
Traffic on the Interface in ACX Series on page 890
Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in ACX
Series
This topic describes how to configure a global default value for the IEEE 802.1p field for
all host outbound traffic on ACX Series routers.
For example, specify that a value of 010 is applied to all host outbound traffic:
Related • Configuring the IEEE 802.1p Field for CoS Host Outbound Traffic in ACX Series on
Documentation page 889
• Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host Outbound
Traffic on the Interface in ACX Series on page 890
Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host Outbound
Traffic on the Interface in ACX Series
This topic describes how to apply rewrite rules for egress logical interfaces to the IEEE
802.1p field for all host outbound traffic on those interfaces on ACX Series routers.
This task requires separately configured rewrite rules that map packet loss priority
information to the code point value in the 802.1p field for data traffic on egress logical
interfaces. See Rewriting Packet Header Information Overview in the Junos OS Class of
Service Configuration Guide.
1. Configure the CoS rewrite rules to map the forwarding class to the desired value for
the 802.1p field.
3. (Optional) Configure the forwarding class for host outbound traffic. Do not configure
this forwarding class if you want to use the default forwarding class assignment (input
classification).
To configure the rewrite rules to apply to the host outbound traffic IEEE 802.1p field:
[edit class-of-service]
rewrite-rules {
ieee-802.1 rewrite_foo {
forwarding-class network-control {
loss-priority low code-point 101;
}
}
}
interfaces {
ge-1/0/0 {
unit 100 {
rewrite-rules {
ieee-802.1 rewrite_foo vlan-tag outer-and-inner;
}
}
}
}
host-outbound-traffic {
forwarding-class network-control;
}
host-outbound-traffic {
ieee-802.1 {
rewrite-rules;
}
}
Related • Configuring the IEEE 802.1p Field for CoS Host Outbound Traffic in ACX Series on
Documentation page 889
• Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in ACX
Series on page 889
In an edge router, a multifield classifier provides the filtering functionality that scans
through a variety of packet header fields to determine the forwarding class for a packet.
Typically, a classifier performs matching operations on the selected fields against a
configured value. A multifield classifier can examine multiple fields in the packet header:
destination address, source address, IP protocol, source port, destination port, and DSCP
value. Multifield classifiers are used when a simple BA classifier is insufficient to classify
a packet.
In Junos OS, you configure a multifield classifier with a firewall filter and its associated
match conditions. This enables you to use any filter match criteria to locate packets that
require classification. From a CoS perspective, multifield classifiers (or firewall filter rules)
provide the following services:
• Classify packets to a forwarding class and loss priority. The forwarding class determines
the output queue. The loss priority is used by schedulers in conjunction with the random
early discard (RED) algorithm to control packet discard during periods of congestion.
• Police traffic to a specific bandwidth and burst size. Packets exceeding the policer
limits can be discarded, or can be assigned to a different forwarding class, to a different
loss priority, or to both.
Related • Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic on page 950
Documentation
• Configuring Multifield Classifiers on page 892
Multifield classifiers classify packets to a forwarding class and loss priority based on the
filter match criteria. Multifield classification is usually done at the edge of the network
for packets that do not have valid or trusted behavior aggregate code points.
If you configure both a behavior aggregate (BA) classifier and a multifield classifier, BA
classification is performed first; then multifield classification is performed. If they conflict,
any BA classification result is overridden by the multifield classifier.
NOTE: For a specified interface, you can configure both a multifield classifier
and a BA classifier without conflicts. Because the classifiers are always
applied in sequential order, the BA classifier followed by the multifield
classifier, any BA classification result is overridden by a multifield classifier
if they conflict.
NOTE: For MX Series routers and EX Series switches, if you configure a firewall
filter with a DSCP action or traffic-class action on a DPC, the commit does
not fail, but a warning displays and an entry is made in the syslog.
For an L2TP LNS on MX Series routers, you can attach firewall for static LNS
sessions by configuring these at logical interfaces directly on the inline services
device (si-fpc/pic/port). RADIUS-configured firewall attachments are not
supported.
1. Defining the filter—Configure either a firewall filter or a simple filter. Simple filters
filter IPv4 traffic (family inet) only. Firewall filters enable you to filter additional protocol
families and more complex filters. The following sections describe both procedures.
1. Under the firewall statement, specify the protocol family for which you want to filter
traffic and specify a name for the filter.
edit
user@host# edit firewall family family-name filter filter-name
2. Specify the term name and match criteria you want to look for in incoming packets.
3. Specify the action you want to take when a packet matches the conditions.
• Set the forwarding class of incoming packets. The forwarding class determines the
output queue.
• Set the loss priority of incoming packets. The loss priority is used by schedulers in
conjunction with the random early discard (RED) algorithm to control packet discard
during periods of congestion.
2. Specify the term name and match criteria you want to look for in incoming packets.
3. Specify the action you want to take when a packet matches the conditions.
For multifield classifiers, you can perform the following actions for a simple filter:
To apply the firewall filter to the appropriate logical interfaces as an input filter.
1. Specify the physical and logical interface on which you want to apply the firewall filter.
edit
user@host# edit interfaces interface-name unit unit-number
Repeat this step for the family protocol filter and the simple filter.
[edit]
user@host# commit
Related • Overview of Assigning Service Levels to Packets Based on Multiple Packet Header
Documentation Fields on page 891
ACX Series routers configured with Asynchronous Transfer Mode (ATM) inverse
multiplexing for ATM (IMA) pseudowire interfaces support class of service (CoS) features
for ingress and egress traffic. Policing is performed by monitoring the configured
parameters on incoming traffic to conserve resources by dropping traffic that might not
meet those configured parameters. Egress shaping uses queuing and scheduling to
control the bandwidth used. Fixed classification is provided per interface.
NOTE: ACX5048 and ACX5096 routers do not support ATM IMA pseudowire
configurations.
• atm-ccc-cell-relay
• atm-ccc-vc-mux
On ACX Series routers, policing is cell based and configured in the ingress path of the
ATM IMA pseudowire interface at the [edit firewall] hierarchy level. The following ATM
policing features are supported:
• Traffic classes—Constant bit rate (cbr), real-time variable bit rate (rtvbr), non-real-time
variable bit rate (nrtvbr), and unspecified bit rate (ubr). All traffic classes must include
the peak-rate and cdvt statements for the configuration to work. With the peak-rate
statement, you can limit the maximum traffic allowed by specifying the largest number
of cells per second that the policer processes before it drops packets. The cdvt
statement ensures that the configuration functions correctly.
• For nonconforming cells, the discard, discard-tag, and count actions at the [edit firewall
atm-policer policer-name] hierarchy level. The discard-tag action is applicable to variable
bit-rate—nrtvbr and rtvbr—traffic classes.
• Prioritized bit rate—Constant bit rate (cbr) is the highest priority, followed by variable
bit rate—nrtvbr and rtvbr. Unspecified bit rate (ubr) is similar to the best-effort service
for Ethernet traffic.
• Constant bit rate shaping—Constant bit rate (cbr) shaping uses the peak cell rate to
limit the number of cells per second that the shaper processes before it drops packets.
• Variable bit rate shaping—Variable bit rate shaping (nrtvbr and rtvbr) uses peak-rate
and sustained-rate.
• Unspecified bit rate—Unspecified bit rate (ubr) uses peak-rate with the lowest transmit
priority.
The default shaping parameter is unspecified bit rate, which is similar to the best-effort
service for Ethernet traffic.
Fixed Classification
Fixed classifiers map all traffic on an interface to the forwarding class and loss priority.
The forwarding class determines the output queue. A scheduler uses the loss priority to
control packet discard during periods of congestion by associating different drop profiles
with different loss priorities. On ACX Series routers, the fixed classifier is associated with
the ingress interface. Packets are assigned on the basis of the type of fixed classification
associated with the logical interface. To configure a fixed classifier, include the
You configure fixed classification on the ATM IMA pseudowire logical interface (unit) by
specifying a forwarding class, which is applied to all packets received by the logical
interface. To complete this configuration, you can define a forwarding class at the [edit
class-of-service forwarding-classes] hierarchy level. If you do not define a forwarding
class, the default class is used.
The following steps require you to navigate various levels in the configuration hierarchy.
For information about navigating the CLI, see Using the CLI Editor in Configuration Mode
in the CLI User Guide.
1. Define the ATM IMA pseudowire. For information about defining the ATM IMA
pseudowire, see “Configuring Inverse Multiplexing for ATM (IMA)” on page 185.
[edit]
user@host# edit class-of-service
3. Define the forwarding class to apply to the input logical interface, if the default
forwarding class is not used:
[edit class-of-service]
user@host# set forwarding-classes class class-name queue-num queue-num
4. Specify the ATM IMA interface on which to include the forwarding class:
[edit class-of-service]
user@host# edit interfaces at-fpc/pic/port
After you have configured fixed classification, enter the commit command in configuration
mode.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Example: Configuring Fixed Classification on an ATM IMA Pseudowire on page 898
This example shows the configuration of fixed classification on an ATM IMA pseudowire.
Fixed classification is configured on the logical interface (unit) of the ATM IMA pseudowire.
The software assigns the fixed classification to packets on the basis of the fixed
classification parameters associated with the logical interface on which the ATM cells
are received.
Requirements
This example uses the following hardware and software components:
• A previously configured ATM IMA pseudowire. For steps to configure an ATM IMA
pseudowire, see “Configuring Inverse Multiplexing for ATM (IMA)” on page 185.
Overview
In this example, the configured forwarding class fc-1 is applied to all packets received on
the ingress logical interface at-0/0/16 unit 0. The fixed classification classifies all traffic
on the logical interface unit zero (0) to queue-num 1.
Configuration
The following example requires you to navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step To define a forwarding class, which is applied to the ingress logical interface:
Procedure
1. In configuration mode, go to the following hierarchy level:
[edit]
user@host# edit class-of-service forwarding-classes
Step-by-Step To apply the forwarding class to the logical ATM IMA pseudowire:
Procedure
1. Specify the ATM IMA interface on which to include the forwarding class:
[edit class-of-service]
user@host# edit interfaces at-0/0/16
Results
From configuration mode, confirm your configuration by entering the show command. If
the output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
In the following example, all packets coming into the router from the at-0/0/16 unit 0
interface are assigned to the fc-1 forwarding class:
[edit class-of-service]
user@host# show
forwarding-classes {
class fc-1 queue-num 1;
}
interfaces {
at-0/0/16 {
unit 0 {
forwarding-class fc-1;
}
}
}
After you have completed the configuration, enter the commit command from
configuration mode.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Configuring Fixed Classification on an ATM IMA Pseudowire on page 897
On ACX Series routers, ATM shaping is applied in the egress direction only. Only cell-based
shaping is supported. A traffic control profile, which defines the ATM scheduling
parameters, is configured at the [edit class-of-service] hierarchy level. The traffic control
profile is then applied to the ATM logical interface configured at the [edit class-of-service]
hierarchy level.
NOTE: The configuration of ATM shaping requires the inclusion of the per-unit
scheduler statement at the [edit interfaces interface-name] hierarchy level.
The following steps require you to navigate various levels in the configuration hierarchy.
For information about navigating the CLI, see Using the CLI Editor in Configuration Mode
in the CLI User Guide.
1. Define the ATM IMA pseudowire. For information about defining the ATM IMA
pseudowire, see “Configuring Inverse Multiplexing for ATM (IMA)” on page 185.
[edit]
user@host# edit class-of-service
[edit class-of-service]
user@host# edit traffic-control-profiles profile-name
The following steps describe the traffic control profile options that you can configure.
The options include atm-service, delay-buffer-rate, max-burst-size, peak-rate, and
sustained-rate.
4. (Optional) Specify the service category that determines the traffic-shaping parameter
for the ATM queue at the ATM IMA pseudowire:
Select one of the following service traffic categories, depending on the needs of your
network: constant bit rate (cbr), non-real-time variable bit rate (nrtvbr), or real-time
variable bit rate (rtvbr). All service traffic categories must include the peak-rate and
cdvt statements for the configuration to work. The peak-rate statement limits the
maximum traffic allowed and the cdvt statement ensures that the configuration
functions correctly.
The delay-buffer calculation can be specified as cells per second—1000 cells per
second (cps) through 160,000,000,000 cps.
6. (Optional) Define the maximum number of cells that a burst of traffic can contain,
from 1 through 4000 cells:
7. Define the largest number of cells per second that the shaper processes before it
drops packets, from 61 cps through 38,641 cps:
The maximum peak rate value depends on the number of links in the IMA bundle—the
more the number of links, the higher the possible peak rate.
8. (Optional) Define the normal traffic rate averaged over time, from 61 cps through
38,641 cps:
After you have configured shaping on the ATM IMA interface, enter the commit command
from configuration mode.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Example: Configuring Shaping on an ATM IMA Pseudowire on page 902
The following example shows the configuration of shaping on an ATM IMA pseudowire.
On ACX Series routers, the ATM shaper is applied on the egress logical (unit) interface.
Requirements
This example uses the following hardware and software components:
• A previously configured ATM IMA pseudowire. For steps to configure an ATM IMA
pseudowire, see “Configuring Inverse Multiplexing for ATM (IMA)” on page 185.
Overview
In this example, an ATM IMA pseudowire logical interfaces (unit 0) is configured with
two egress ATM shapers—profile-1 and profile-2. The ATM shaping profiles are configured
with the following parameters:
• atm-service—ATM service category used to define the bit rate at which traffic is policed.
• peak-rate—Top rate at which traffic can burst. This is a mandatory statement that
must be included for the configuration to work correctly.
Configuration
To configure shaping on an ATM IMA pseudowire, perform these tasks:
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step The following steps require you to navigate various levels in the configuration hierarchy.
Procedure For information about navigating the CLI, see Using the CLI Editor in Configuration Mode
in the CLI User Guide.
[edit]
user@host# edit class-of-service
[edit class-of-service]
user@host# edit traffic-control-profiles profile-1
3. Specify the ATM real-time variable bit rate rtvbr service traffic category:
4. Define the largest number of cells per second that the shaper processes before it
drops packets:
5. Define the normal traffic rate averaged over time, from 61 cps through 38,641 cps:
6. Define the maximum number of cells that a burst of traffic can contain, from 1
through 4000 cells:
8. Specify the ATM constant bit rate cbr service traffic category:
9. Define the largest number of cells per second that the shaper processes before it
drops packets:
10. Define the largest number of cells per second that the shaper processes before it
drops packets:
11. Apply the first shaping traffic profile to the ATM IMA pseudowire logical interface:
[edit class-of-service]
user@host# edit interfaces at-0/0/16 unit 101 output-traffic-control-profile profile-1
[edit]
user@host# edit class of service traceoptions
Results
From configuration mode, confirm your configuration by entering the show command. If
the output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit class-of-service]
user@host# show
traffic-control-profiles {
profile-1 {
atm-service rtvbr;
peak-rate 5k;
sustained-rate 3k;
max-burst-size 400;
}
profile-2 {
atm-service cbr;
peak-rate 1k;
}
}
interfaces {
at-0/0/16 {
unit 101 {
output-traffic-control-profile profile-1;
}
}
}
traceoptions {
file cos size 1000000000;
flag all;
}
[edit interfaces]
user@host# show
at-0/0/16 {
per-unit-scheduler;
}
}
After you have completed the configuration, enter the commit command from
configuration mode.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Configuring Shaping on an ATM IMA Pseudowire on page 901
You can configure two parameters to control congestion at the output stage. The first
parameter defines the delay-buffer bandwidth, which provides packet buffer space to
absorb burst traffic up to the specified duration of delay. When the specified delay buffer
becomes full, packets with 100 percent drop probability are dropped from the head of
the buffer.
The second parameter defines the drop probabilities across the range of delay-buffer
occupancy, supporting the random early detection (RED) process. When the number of
packets queued is greater than the ability of the router to empty a queue, the queue
requires a method for determining which packets to drop from the network. To address
this, Junos OS provides the option of enabling RED on individual queues.
Depending on the drop probabilities, RED might drop many packets long before the buffer
becomes full, or it might drop only a few packets even if the buffer is almost full.
A drop profile is a mechanism of RED that defines parameters that allow packets to be
dropped from the network. Drop profiles define the meanings of the loss priorities.
When you configure drop profiles, there are two important values: the queue fullness
and the drop probability. The queue fullness represents a percentage of the memory used
to store packets in relation to the total amount that has been allocated for that specific
queue. Similarly, the drop probability is a percentage value that correlates to the likelihood
that an individual packet is dropped from the network.
You specify drop probabilities at the [edit class-of-service drop-profiles drop profile-name
fill-level percentage drop-probability percentage;] class-of-service (COS) configuration
hierarchy and reference them in each scheduler configuration. For each scheduler, you
can configure four drop profiles as high-tcp, medium-high-tcp, low-tcp, non-tcp. Two fill
levels can be specified in each drop-profile map. The drop probability associated with
the least fill level must be set as zero, otherwise the CLI command will be rejected during
commit check.
You enable RED by applying a drop profile to a scheduler. When RED is operational on
an interface, the queue no longer drops packets from the tail of the queue. Rather, packets
are dropped after they reach the head of the queue.
[edit class-of-service]
drop-profiles {
profile-name {
After you configure a drop profile, you must assign the drop profile to a drop-profile map,
and assign the drop-profile map to a scheduler, as discussed in Determining Packet Drop
Behavior by Configuring Drop Profile Maps for Schedulers.
With the exception of policers configured to rate-limit aggregate traffic (all protocol
families and logical interfaces configured on a physical interface), you can apply a policer
to all IP packets in a Layer 2 or Layer 3 traffic flow at a logical interface.
With the exception of policers configured to rate-limit based on physical interface media
rate, you can apply a policer to specific IP packets in a Layer 3 traffic flow at a logical
interface by using a stateless firewall filter.
You can apply a policer to inbound or outbound interface traffic. Policers applied to
inbound traffic help to conserve resources by dropping traffic that does not need to be
routed through a network. Dropping inbound traffic also helps to thwart denial-of-service
(DoS) attacks. Policers applied to outbound traffic control the bandwidth used.
Traffic Limits
Junos OS policers use a token bucket algorithm to enforce a limit on an average transmit
or receive rate of traffic at an interface while allowing bursts of traffic up to a maximum
value based on the configured bandwidth limit and configured burst size. The token
bucket algorithm offers more flexibility than a leaky bucket algorithm in that you can
allow a specified traffic burst before starting to discard packets or apply a penalty such
as packet output-queuing priority or packet-drop priority.
In the token-bucket model, the bucket represents the rate-limiting function of the policer.
Tokens are added to the bucket at a fixed rate, but once the specified depth of the bucket
is reached, tokens allocated after cannot be stored and used. Each token represents a
“credit” for some number of bits, and tokens in the bucket are “cashed in” for the ability
to transmit or receive traffic at the interface. When sufficient tokens are present in the
bucket, a traffic flow continues unrestricted. Otherwise, packets might be dropped or
else re-marked with a lower forwarding class, a higher packet loss priority (PLP) level,
or both.
• The rate at which tokens are added to the bucket represents the highest average
transmit or receive rate in bits per second allowed for a given service level. You specify
this highest average traffic rate as the bandwidth limit of the policer. If the traffic arrival
rate (or fixed bits-per-second) is so high that at some point insufficient tokens are
present in the bucket, then the traffic flow is no longer conforming to the traffic limit.
During periods of relatively low traffic (traffic that arrives at or departs from the interface
at average rates below the token arrival rate), unused tokens accumulate in the bucket.
• The depth of the bucket in bytes controls the amount of back-to-back bursting allowed.
You specify this factor as the burst-size limit of the policer. This second limit affects
the average transmit or receive rate by limiting the number of bytes permitted in a
transmission burst for a given interval of time. Bursts exceeding the current burst-size
limit are dropped until there are sufficient tokens available to permit the burst to
proceed.
As shown in the figure above, a UPC bar code is a good facsimile of what traffic looks
like on the line; an interface is either transmitting (bursting at full rate) or it is not. The
black lines represent periods of data transmission and the white space represents
periods of silence when the token bucket can replenish.
Depending on the type of policer used, packets in a policed traffic flow that surpasses
the defined limits might be implicitly set to a higher PLP level, assigned to a configured
forwarding class or set to a configured PLP level (or both), or simply discarded. If packets
encounter downstream congestion, packets with a low PLP level are less likely to be
discarded than those with a medium-low, medium-high, or high PLP level.
• Single-rate two-color—A two-color marking policer (or “policer” when used without
qualification) meters the traffic stream and classifies packets into two categories of
packet loss priority (PLP) according to a configured bandwidth and burst-size limit.
You can mark packets that exceed the bandwidth and burst-size limit in some way, or
simply discard them.
A policer is most useful for metering traffic at the port (physical interface) level.
• Single-rate three-color—This type of policer is defined in RFC 2697, A Single Rate Three
Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB)
classification system for a Differentiated Services (DiffServ) environment. This type
of policer meters traffic based on the configured committed information rate (CIR),
committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as
belonging to one of three categories (green, yellow, or red) based on whether the
packets arriving are below the CBS (green), exceed the CBS (yellow) but not the EBS,
or exceed the EBS (red).
• Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three
Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB)
classification system for a Differentiated Services (DiffServ) environment. This type
of policer meters traffic based on the configured CIR and peak information rate (PIR),
along with their associated burst sizes, the CBS and peak burst size (PBS). Traffic is
marked as belonging to one of three categories (green, yellow, or red) based on whether
the packets arriving are below the CIR (green), exceed the CIR (yellow) but not the
PIR, or exceed the PIR (red).
Policer actions are implicit or explicit and vary by policer type. The term Implicit means
that Junos assigns the loss-priority automatically. Table 52 on page 911 describes the
policer actions.
Based on CoS configurations, packets of a given forwarding class are transmitted through
a specific output queue, and each output queue is associated with a transmission service
level defined in a scheduler.
• You can configure a standard stateless firewall filter that specifies the
policer policer-name nonterminating action or the three-color-policer (single-rate |
two-rate) policer-name nonterminating action. When you apply the standard filter to
the input or output at a logical interface, the policer is applied to all packets of the
filter-specific protocol family that match the conditions specified in the filter
configuration.
With this method of applying a policer, you can define specific classes of traffic on an
interface and apply traffic rate-limiting to each class.
• You can apply a policer directly to an interface so that traffic rate-limiting applies to
all traffic on that interface, regardless of protocol family or any match conditions.
You can configure policers at the queue, logical interface, or Layer 2 (MAC) level. Only a
single policer is applied to a packet at the egress queue, and the search for policers occurs
in this order:
• Queue level
On ACX Series routers, the ATM policer is attached to the ingress path of the ATM IMA
interface, making it an input policer configured at the [edit firewall] hierarchy level. This
input policer is then applied to an ATM IMA logical interface. The ATM IMA logical interface
must have circuit cross-connect (CCC) family encapsulation configured for the
configuration to work.
The following steps require you to navigate various levels in the configuration hierarchy.
For information about navigating the CLI, see Using the CLI Editor in Configuration Mode
in the CLI User Guide.
1. Define the ATM IMA pseudowire. For information about defining the ATM IMA
pseudowire, see “Configuring Inverse Multiplexing for ATM (IMA)” on page 185.
[edit]
user@host# edit firewall
[edit firewall]
user@host# edit atm-policer atm-policer-name
The following steps describe the ATM policer options that you can configure. The
options include: atm-service, cdvt, logical-interface-policer, max-burst-size, peak-rate,
policing-action, and sustained-rate.
Select one of the following service categories, depending on the policing needs of
your network: constant bit rate (cbr), nonreal-time variable bit rate (nrtvbr), real-time
variable bit rate (rtvbr), and unspecified bit rate ubr. All service categories must include
the peak-rate and cdvt statements for the configuration to work. The peak-rate
statement limits the maximum traffic allowed and the cdvt statement ensures that
the configuration functions correctly.
5. Apply limits to the traffic flow by configuring the cell delay variation tolerance (cdvt),
from 1 microsecond through 1,800,000,000 microseconds:
The logical interface policer is associated with the interface on which the policer is
applied. To configure the policer on multiple interfaces, you must apply this policer
on each interface explicitly.
7. (Optional) Define the maximum number of cells that a burst of traffic can contain,
from 1 through 4000 cells:
8. Apply limits to the traffic flow by specifying the largest number of cells per second
that the policer processes before it drops packets, from 61 cells per second (cps)
through 38,641 cps:
The maximum peak rate value depends on the number of links in the IMA bundle—the
more links, the higher the possible peak rate.
9. Define the policing-action parameter to set a consequence for the packets that exceed
the traffic limits:
10. Define the normal traffic rate averaged over time, from 61 cps through 38,641 cps):
After you have configured policing, enter the commit command from configuration mode.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# edit at-fpc/pic/port
After you have configured the ATM IMA interface, enter the commit command in
configuration mode.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Example: Configuring Policing on an ATM IMA Pseudowire on page 915
This example shows the configuration of policing on an ATM IMA pseudowire. On ACX
Series routers, the ATM policer is an input policer that is applied to the ATM IMA logical
interface. The ATM IMA logical interface must have the circuit cross-connect (CCC)
encapsulation family configured for the configuration to work.
Requirements
This example uses the following hardware and software components:
• A previously configured ATM IMA pseudowire. For steps to configure an ATM IMA
pseudowire, see “Configuring Inverse Multiplexing for ATM (IMA)” on page 185.
Overview
In this example, the ATM IMA pseudowire logical interfaces (unit 0, unit 1 and unit 2) are
configured with three input ATM policers—policer-1, policer-2, and policer-3. The ATM
policers are configured with the following parameters:
• atm-service—The ATM service category used to define the bit rate at which traffic is
policed.
• peak-rate—The peak rate is the top rate at which traffic can burst. This is a mandatory
statement that must be included for the configuration to work correctly.
• sustained-rate—The sustained rate is the normal traffic rate averaged over time.
• policing-action—The specified policing action used when the traffic exceeds the limits
set for the policer.
Configuration
The following steps require you to navigate various levels in the configuration hierarchy.
For information about navigating the CLI, see Using the CLI Editor in Configuration Mode
in the CLI User Guide.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Step-by-Step To configure the ATM policer, which is applied to the logical ATM IMA pseudowire:
Procedure
1. Define the policer:
[edit]
user@host# edit firewall atm-policer policer-1
After you have configured the ATM policers, enter the commit command from
configuration mode.
Step-by-Step To create the ATM IMA logical interface on which to apply the ATM policers:
Procedure
1. Define the ATM interface:
[edit interfaces]
user@host# edit interfaces at-0/0/16
2. Specify the ATM interface unit and apply the first input policer:
4. Specify the ATM interface unit and apply the second input policer:
6. Specify the ATM interface unit and apply the third input policer:
Results
From configuration mode, confirm your configuration by entering the show command. If
the output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit firewall]
user@host# show
atm-policer policer-1 {
logical-interface-policer;
atm-service rtvbr;
peak-rate 2k;
sustained-rate 1800;
max-burst-size 400;
cdvt 900001;
policing-action discard-tag;
}
atm-policer policer-2 {
logical-interface-policer;
atm-service nrtvbr;
peak-rate 1800;
sustained-rate 1500;
max-burst-size 300;
cdvt 999991;
policing-action discard;
}
atm-policer policer-3 {
logical-interface-policer;
atm-service cbr;
peak-rate 2k;
cdvt 800001;
policing-action count;
}
[edit interfaces]
user@host# show
at-0/0/16 {
unit 0 {
atm-policer {
input-atm-policer policer-1;
}
family ccc;
}
unit 1 {
atm-policer {
input-atm-policer policer-2;
}
family ccc;
}
unit 2 {
atm-policer {
input-atm-policer policer-3;
}
family ccc;
}
}
After you have completed the configuration, enter the commit command from
configuration mode.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Configuring Policing on an ATM IMA Pseudowire on page 912
Hierarchical policers control the sharing of an aggregate traffic rate across multiple
micro-flows, which constitute the aggregate flow or the macro-flow. Micro-flows are
defined and matched using firewall filter rules and the action of these rules point to a
macro-policer. This macro- policer or aggregate policer determines the amount of
aggregate bandwidth that can be used by the micro-flows that are associated with it.
You can control the bandwidth to be utilized among the micro-flows in different ways.
Policers are used to enforce bandwidth profiles on the transmitted traffic. A bandwidth
profile is configured for each user based on the service level agreement (SLA) and the
subscription plan that has been requested by the user from the service or enterprise
provider. A bandwidth profile is defined using the following parameters:
• Color mode (CM) can contain only one of two possible values, color-blind or
color-aware. In color-aware mode, the local router can assign a higher packet loss
priority, but cannot assign a lower packet loss priority. In color-blind mode, the local
router ignores the preclassification of packets and can assign a higher or lower packet
loss priority.
A policer is then used to enforce the bandwidth profile and perform different actions,
depending on whether a certain packet confirms to the attributes in the bandwidth profile
or does not satisfy the values in the configured bandwidth profile. Hierarchical policers
can be considered to be an alternative technique for hierarchical queuing and shaping.
However, a few differences exist between the operations that a hierarchical policer
performs when matched against the processes that a hierarchical scheduler performs.
ACX routers do not support hierarchical queuing and shaping. Ingress hierarchical policers
can work in conjunction with ingress, egress, or both ingress and egress hierarchical
queues. For example, a two-level ingress hierarchical policer combined with a two-level
egress queuing framework results in a four-level CoS capability.
Related • Guidelines for Configuring Hierarchical Policers on ACX Routers on page 921
Documentation
• Hierarchical Policer Modes on page 923
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
Keep the following points in mind when you configure hierarchical or aggregate policers:
• You cannot specify the same policer as both a child policer and a parent policer.
• The child policers of a hierarchical policer use the same resources as normal policers.
Therefore, the maximum number of child policers and normal policers in the system
for bridge domains and IPv4 services is as follows:
• Family Bridge
Along with 62 policers, you can configure up to 62 family-bridge filters without the
count action for the firewall filter.
• Family inet
A maximum of about 125 policers when no other family-inet filters with the count
action.
Along with 125 policers, you can define up to 62 family-inet filters without the count
action.
• The hierarchical policer supports the same policer ranger and burst size behavior as
normal policers.
• You must configure the same hierarchical policer mode for all child policers that refer
or link with the same parent policer instance.
• You cannot use the same policer template as both a normal policer and a child policer.
• You cannot use the same base policer settings as both a normal policer and an
aggregate or hierarchical policer.
• You cannot use the filter-specific statement at the [edit firewall policer policer-name]
hierarchy level to instantiate an aggregate policer. Instead, the instantiation of the
policer is performed by including the aggregate statement at the [edit firewall policer
policer-name] hierarchy level.
• All the child policers of a certain aggregate policer must contain the same definitions
of settings or attributes.
• All the policer instantiation formats are supported for the aggregate policer.
• All the supported match conditions for filters used with normal policers are supported
with micro-flow policers.
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
The method in which the micro-flow policer determines and manages the share of the
aggregate bandwidth for the micro-flow is defined by the hierarchical policer mode. ACX
routers support the following three hierarchical policer modes. You can configure the
mode or type of the policer for each hierarchical policer instance.
This topic contains the following sections that describe the three different modes of
operation of heirarchical policers:
Guarantee Mode
This mode, also called bandwidth-guarantee mode, is used when the micro-flow policer
is used to specify that a portion of the aggregate parent policer bandwidth is guaranteed
for its micro-flow. When this micro-flow contains no traffic, then amount allocated for
this micro-flow out of the aggregate bandwidth is used by the other micro-flows that
are transmitting traffic with a size-limit or bandwidth that is higher than their respective
guaranteed bandwidth rates.
Consider a sample scenario in which the maximum allowed rate or peak information rate
(PIR) for a user is 140 Mbps. A total of four services or applications called expedited
forwarding (EF), Gold, Silver and Bronze are defined for the guaranteed bandwidth mode
of policer with a CIR of 50 Mbps, 40 Mbps, 30 Mbps, and 20 Mbps respectively. For
example, if 140 Mbps of trafic is received for each of the four services, then the permitted
traffic rates are 50, 40, 30 and 20 Mbps respectively. If 150 Mbps of Gold traffic is received,
only 140 Mbps is permitted for Gold traffic.
All the child policers must be of single-rate, single-bucket, and two-color modes for
bandwidth guarantee mode of hiearchical policer. This combination of attributes is also
called floor mode. The micro-flow policer value specifies the minimum guaranteed
bandwidth (CIR) for the micro-flow. The macro-flow policer value specifies the maximum
allowed bandwidth (PIR) for all the flows. The sum or the cumulative value of all CIR
values of the configured micro-flows must be less than or equal to the macro-flow PIR.
The burst size of macro-flow must be greater than the sum of the aggregate of the burst
size of all the child policers and the largest MTU of the physical interface among all the
physical interfaces of the logical interfaces or interface families to which the child policers
are attached.
Consider a sample configuration that has two child policers aggregated by a parent PIR
in bandwidth-guarantee mode. PIRs for the children policers and the parent policer are
configured. When two flows, flow 1 and flow 2, transmit traffic at a rate that exceeds the
configured PIR values, then the share of the parent PIR is adjusted to permit traffic for
the child policers based on their priorities defined for the flows, while the bandwidth is
maintained.
Policers use a token bucket algorithm to enforce a limit on an average transmit or receive
rate of traffic at an interface while allowing bursts of traffic up to a maximum value based
on the configured bandwidth limit and configured burst size. The token bucket algorithm
offers more flexibility than a leaky bucket algorithm in that you can allow a specified
traffic burst before starting to discard packets or apply a penalty such as packet
output-queuing priority or packet-drop priority. Following are the main components of
the token bucket algorithm:
• The bucket represents a rate-limiting function of the policer on the interface input or
output traffic.
• Each token in the bucket represents a “credit” for some number of bits, and tokens in
the bucket are “cashed in” for the ability to receive or transmit traffic that conforms to
a rate limit configured for the policer.
• The token arrival rate is a periodic allocation of tokens into the token bucket that is
calculated from the configured bandwidth limit.
• The token bucket depth defines the capacity of the bucket in bytes. Tokens that are
allocated after the bucket reaches capacity are not able to be stored and used.
An arriving packet complies with the bandwidth-guarantee mode if tokens are present
in the peak burst size (PBS) of either the parent policer or the committed burst size (CBS)
of the child policer. If sufficient tokens are not present in the PBS or CBS of either of the
parent or child policers respectively, the packet does not conform to the guarantee mode
of the hierarchical policer working. In such a case, the child policer rate is guaranteed for
the member flows. The following table describes the different scenarios of color-coding
for micro-flow and macro-flow policers and the resultant color or priority that is assigned:
Peak Mode
This mode, also called bandwidth-protection mode, is used when the micro-flow policer
is used to specify the maximum amount of the aggregate parent policer bandwidth that
the micro-flow can use. This mode is used to protect a given micro-flow from starving
the other flows. Even when the other micro-flows contain no traffic (the available
aggregate bandwidth rate is greater than the rate of the particular micro-flow, the
micro-flow cannot use more than the rate configured on its micro-flow policer.
Consider a sample scenario in which the total maximum allowed rate (PIR) for a user is
100 Mbps. A total of four services or applications called expedited forwarding (EF), Gold,
Silver and Bronze are defined for the peak or bandwidth-restriction mode of the policer
with PIR values of 50 Mbps, 40 Mbps, 30 Mbps, and 20 Mbps respectively. Such a setting
is used in topologies in which you want to prevent a certain subscriber or user from utilizing
an increased share ofthe macro-flow or the parent CIR for real-time applications, such
as video-on-demand (VoD) or voice over IP (VoIP). For example, if only 100 Mbps of EF
packets are received, the permitted bandwidth rate for the traffic is 50 Mbps. When 100
Mbps of traffic is received for each of the four services, then the aggregate allowed traffic
is 100 Mbps, in which the rates are as follows for the different services:
All the child policers must be of single-rate, single-bucket, and two-color types for
bandwidth-protection or peak mode of the hierarchical policer. The micro-flow policer
value specifies the maximum allowed bandwidth (PIR) for the micro-flow. The macro-flow
policer value specifies the maximum allowed bandwidth (PIR) for all the flows. The sum
of the PIR values of the micro-flows must be greater than or equal to the PIR values of
the child policers. The macro-flow burst-size must be greater than or equal to that of
the micro-flow with the largest burst-size.
Consider a sample configuration that has two child policers aggregated by a parent PIR
in bandwidth-guarantee mode. PIRs for the children policers and the parent policer are
configured. When two flows, flow 1 and flow 2, transmit traffic at a rate that exceeds the
configured PIR values, then the share of the parent PIR is adjusted to permit traffic for
the child policers based on their priorities defined for the flows, while the bandwidth is
restricted to maintain the minimum or committed rates of traffic flows.
An arriving packet complies with the bandwidth-guarantee mode if tokens are present
in the peak burst size (PBS) of both the child policer and the parent policer. If sufficient
tokens are not present in the PBS of both the policers, the packet does not conform to
the peak mode of the hierarchical policer working. In such a case, the child policer rate
is the maximum allowed rate or PIR for the member flows. The following table describes
the different scenarios of color-coding for micro-flow and macro-flow policers and the
resultant color or priority that is assigned:
Hybrid Mode
This mode, which is a combination of the bandwidth-guarantee and bandwidth-protection
modes, enables the capabilities of bandwidth restriction and the per-flow bandwidth
moderation to be accomplished simultanouesly. Bandwidth-guarentee or
bandwidth-restriction mode controls the guaranteed rates for a given micro-flow.
However, it does not adminster or manage the manner in which the excess aggregate
bandwidth can be shared among the micro-flows. A certain micro-flow can potentially
use all the excess aggregate bandwidth starving the other micro-flows of any excess
bandwidth.
Hybrid mode implements the benefits of the peak and guaranteed modes to overcome
their individual limitations. In hybird mode, the micro-flow policer specifies two rates,
CIR and EIR, for the micro-flow. The CIR specifies the guaranteed portion out of the total
macro-flow bandwidth for a micro-flow, and the PIR specifies the maximum portion of
the total macro-flow bandwidth for a micro-flow. This mechanism is analogues to CIR
functioning in guarantee mode and EIR functioning in peak mode, thereby combining the
advantages of both models. In hyrbid mode, both color-aware and color-blind modes
are supported for child policers.
Child policers operate in compliance with the RFC 4115 mode of two-rate three color
markers. Normal two-rate three color markers on ACX routers operate in compliance
with the RFC2698 mode.
Consider a sample configuration in which the maximum allowed rate for a user is 140
Mbps. A total of four services or applications called expedited forwarding (EF), Gold,
Silver and Bronze are defined for the hybrid mode of the policer with PIR values of 55Mbps,
60 Mbps, 130 Mbps, and 140 Mbps respectively. The defined CIR values are 50 Mbps, 40
Mbps, 30 Mbps, and 20 Mbps for EF, Gold, Silver, and Bronze services respectively. For
example, when 140 Mbps of traffic is received for each of the four services, then the
permitted green-colored traffic is 50, 40, 30 and 20 Mbps respectively for the four services.
If only 140 Mbps of EF traffic is received, 50 Mbps of EF traffic as green and 5 Mbps of
EF traffic as yellow are permitted. In the same scenario, assume the macro-policer rate
to be 26 Mbps. Also, assume two child policers in color-aware mode, namely, child
policer-1 with a CIR of 10 Mbps and an EIR of 10 Mbps. Child policer-2 has a CIR of 15
Mbps and an EIR of 5 Mbps. When flow-1 is a 100 Mbps stream of yellow traffic, and
flow-2 is an 100 Mbps stream of green traffic, the output of this policer hierarchy is as
follows:
• Flow-1 has 0 Mbps of green traffic and has less than or equal to 5 Mbps of yellow traffic.
• Flow-2 has 10 Mbps of green traffic and has greater than or equal to 10 Mbps of yellow
traffic.
Consider a sample configuration that has two child policers aggregated by a parent PIR
in hybrid mode. PIRs for the children policers and the parent policer are configured. When
two flows, flow 1 and flow 2, transmit traffic at a rate that exceeds the configured PIR
values, then the share of the parent PIR is adjusted to permit traffic for the child policers
while the child PIR values are preserved for the two flows.
Hybrid mode of working of the aggregate or hierarchical policer supports two rates (CIR
and PIR) and three colors for micro-flows. On ACX routers, for hybrid type of the policer,
the micro-policer must be of type modified-trtcm as defined in RFC 4115. Both color-blind
and color- aware modes are supported for child policers. Macro policer must be a single
rate, single bucket, two color policer with the sum of the CIR values of the micro-flows
being less than the PIR value of the macro-flow, and the cumulative value of all the PIR
values of the micro-flows being greater than the PIR value of the macro-flow. When
micro-flow traffic is less than the CIR value of the micro-flow CIR, the policer causes
either the micro-flow CIR to be maintained or PIR to be achieved. When micro-flow traffic
is greater than the CIR value of the micro-flow, the micro-flow CIR is guaranteed.
Micro-flow excess rates are shared based on the available macro-flow bandwidth with
the limitation of the excess information rate distributed for the micro-flows being
implemented by the micro-flow PIR. The CBS of the macro-flow must be greater than
or equal to the aggregate of the micro-flow CBS. The excess burst size (EBS) of the
macro-flow must be greater than or equal to that of the micro-flow with the largest EBS.
An arriving packet complies with the hybrid mode if tokens are present in the committed
burst size (CBS) of the child policer. The packet does not comply with hybrid mode if
tokens are present in both the EBS of the child policer and the PBS of the parent policer.
When a packet does not satisfy the hybrid mode of working of a policer, the CIR of the
child policer is guaranteed for the member traffic flows and the PIR value of the child
policer is the maximum permitted rate for the member flows. The following table describes
the different scenarios of color-coding for micro-flow and macro-flow policers and the
resultant color or priority that is assigned:
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
• Assign child policers to the aggregate policer--This step is additional, from the procedure
to create a single-level policer, to configure a hierarchical policer. You must link or
associate the child policers to the parent or aggregate policer. You can perform this
linking by specifying at each child policer by using the aggregate-policing
aggregate-policer-name statement at the [edit firewall policer policer-name] hierarchy
level.
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
The hierarchical parent policer impacts the packet loss priority (PLP) of the child policer.
The PLP-based actions defined in the then statement of the are performed, based on
the PLP derived from the combined processing of the child and parent policers. The then
statement defined in the parent policer is not effective. This section contains the following
topics that describe the methods of instantiation of aggregate or hierarchical policers
and child or normal policers.
By default, a policer operates in term-specific mode so that, for a given firewall filter, the
Junos OS creates a separate policer instance for every filter term that references the
policer. This operation is the default instantiation mode if you do not configure the
filter-specific statement. For example, consider a filter F1 that has two terms, T1 and T2.
Both these terms refer to the same policer, namely P1. With a term-specific mode of the
policer, two policer instances are created on the device, one each for terms T1 and T2.
• Global—Shares the same parent policer across all the child policer instances in the
system.
• Physical interface-specific—Shares the same parent policer across all the child policer
instances of a certain physical interface. This mode is not supported on ACX routers.
• Filter-specific—Shares the same parent policer across all the child policer instances
of the same filter. This mode is not supported on ACX routers.
• Interface-specific—Shares the same parent policer across all the child policer instances
of the same logical interface. This mode is not supported on ACX routers.
You can include the aggregate global statement at the [edit firewall policer
policer-template-name] hierarchy level to define an aggregate policer to be shared or
applicable across all of the child policer instances in the router. You can include the
aggregate parent statement at the [edit firewall policer policer-template-name] hierarchy
level to define an aggregate policer as the parent policer. The following statement does
not take effect for aggregate policers: set firewall policer policer-template-name
filter-specific.
If you configure an interface-specific filter, term-specific child policer, and the aggregate
policer as the global policer, a single instance of P3 is created and associated with the
child policers, P1 and P2. Two instances each of P1 and P2 are created, one for T1 within
F1 and the other for T2 within F1. The two instances each of P1 and P2 are associated
with IFL1 and IFL2, which in turn are bound to IFD1 and IFD2.
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
To configure child or micro policers for an aggregate parent policer and associate the
parent policer with the child policers:
1. Configure one normal policer as a child policer and specify the aggregate policing
mode.
2. Configure another normal policer as a child policer and specify the aggregate policing
mode. The aggregate-sharing-mode option is a Packet Forwarding Engine statement.
3. Define the aggregate parent policer as the global policer for the system. The
aggregate-sharing-mode option is a Packet Forwarding Engine statement.
4. Verify the settings of all policer templates configured by using the show filter policer
template command.
5. View the configured policer instances that are linked to the aggregate parent policer
by using the show filter aggregate-policer command.
PARENT
------
[p1] PBS[3000]kB; PIR[38000]kbps;
Sum child CIR[25000]kbps;CBS[2000]kB;
Sum child PIR[65000]kbps;PBS[4000]kB;
Max child CIR[15000]kbps;CBS[1000]kB;
Max child PIR[35000]kbps;PBS[2000]kB;
RESULTS
-------
STATUS = OK
Hierarchical class of service (HCoS) is the ability to apply traffic schedulers and shapers
to a hierarchy of scheduler nodes. Each level of the scheduler hierarchy can be used to
shape traffic based on different criteria such as application, user, VLAN, and physical
port.
This allows you to support the requirements of different services, applications, and users
on the same physical device and physical infrastructure.
HCoS is implemented primarily using traffic classifiers at the ingress and hierarchical
schedulers and shapers at the egress.
A classifier is a filter that labels traffic at the device ingress based on configurable
parameters such as application or destination. Traffic is classified into what is called a
forwarding equivalence class (FEC). The FEC defines a class of traffic that receives
common treatment.
Schedulers, and their associated shapers, is the function that controls the traffic
bandwidth, jitter (delay variation), and packet loss priority at the egress of the device.
Hierarchical schedulers are used to apply multiple levels of scheduling and shaping with
each level applied to different classifications such as forwarding equivalence class, VLAN,
and physical interface (port) as shown in Figure 58 on page 934.
Dynamic profiles are a mechanism that allows you to dynamically apply schedulers and
shapers to individual subscribers or groups of subscribers.
To learn more about HCoS, the following topics are very helpful:
• CoS Features of the Router Hardware, PIC, MIC, and MPC Interface Families
• The number of queues and logical interfaces supported is dependent upon exactly
what hardware you are using.
• The MX Series Packet Forwarding Engine handles guaranteed bandwidth and scheduler
node weight differently than other Packet Forwarding Engines.
• The fine-grained queuing MPCs and MICs have a certain granularity with respect to
the shaping and delay buffer values. The values used are not necessarily exactly the
values configured.
To learn more about platform support for HCoS, use the Juniper Networks Feature Explorer
(http://pathfinder.juniper.net/feature-explorer/). In the Feature Explorer, search on
hierarchical schedulers.
• HCoS is most frequently used to enforce service level agreements at the subscriber
edged using dynamic traffic control profiles.
• There are other features in Junos OS that have similar sounding names.
NOTE: The hierarchical scheduler and shaper feature supported on the SRX
Series devices is not the HCoS feature described here.
Before planning HCoS for you network, you should learn about HCoS, define you needs,
plan how you want to implement HCoS, and test the operation in a simulated environment.
Day One: Deploying Basic QoS Juniper This book is a good resource for learning the basics of CoS on Juniper
Networks Books Networks devices.
Juniper MX-Series O'Reilly Media Learn about the advanced features of HCoS. This book provides an in-depth
description of how HCoS works and how it can be deployed. It also provides
a lab tested topology and configuration example.
Day One: Dynamic Subscriber Management Learn how to use HCoS in conjunction with dynamic traffic control profiles
Juniper Networks Books for subscriber management. This book also includes troubleshooting.
QoS Enabled Networks John Wiley & Sons This book is an additional source for studying QoS.
ACX5000 Series routers support hierarchical class of service at the physical interface
level. You can configure up to 8 queues per physical interface (port). Scheduling properties
can be applied at both physical as well as logical interface levels. Service providers will
be able to support hierarchical class of service at multiple levels to meet the service level
agreements and bandwidth allocations for subscribers.
[edit]
interfaces ge-0/0/1 {
hierarchical-scheduler;
}
NOTE: If you change the physical interface queuing mode from default to
hierarchical scheduler mode or vice-versa, the traffic flowing out of the
physical interface during the mode change results in a transient loss of traffic
data.
• Scheduler-map
• Shaping rate
• Guaranteed rate
Traffic control profiles can be attached at physical interface and logical interface level.
Scheduling and queuing characteristics can be defined for the scheduler node using the
shaping-rate and guaranteed-rate. The following is a sample traffic control profile
configuration:
Schedulers
A scheduler defines scheduling and queuing characteristics of a queue and holds the
information about the queues, the last level of the hierarchy. The following is a sample
scheduler configuration:
Drop Profiles
Drop profiles allow you to specify queue specific behavior to drop packets based on
WRED profile under congestion. The following is a sample drop profile configuration:
Scheduler Maps
A scheduler map is referenced by traffic control profiles to define queues. The scheduler
map establishes the number of queues over a scheduler node, associating a
forwarding-class with a scheduler. The following is a sample scheduler map configuration:
}
}
Subscriber Services
ACX5000 line of routers support hierarchical class of service functionality for subscriber
services such as Layer 3 VPN, Layer 2 VPN, Ethernet pseudowire (VPWS), and VPLS for
logical interface instance on the AC (Access Port).
The following sections explain the hierarchical class of service configuration for subscriber
services:
• Configuring hierarchical class of service for Layer 3 VPN Service on page 939
• Configuring hierarchical class of service for Layer 2 VPN (Ethernet Pseudowires)
Service on page 940
• Configuring hierarchical class of service for VPLS Service on page 941
• Verifying the hierarchical class of service configurations on page 942
ACX5000 line of routers can be configured to provide Layer 3 VPN services to subscribers
by connecting the UNI port to a CE device. The physical port can be configured to provide
Layer 3 VPN services to multiple subscribers. You can schedule traffic for different Layer
3 VPN instances based on the SLA parameters agreed with the subscriber.
The following is a sample UNI and NNI logical interface configuration on the PE router
providing the Layer 3 VPN service:
[edit interfaces]
xe-0/0/1 {
description “NNI IFL”;
unit 0 {
family inet {
address 100.1.1.1/24;
}
family mpls;
}
}
ge-0/0/1 {
description “UNI IFL”;
hierarchical-scheduler;
flexible-vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 20.20.0.1/24;
}
}
unit 1 {
vlan-id 101;
family inet {
address 20.20.1.1/24;
}
}
unit 2 {
vlan-id 2;
family inet {
address 20.20.2.1/24;
}
}
unit 3 {
vlan-id 3;
family inet {
address 20.20.3.1/24;
}
}
unit 4 {
vlan-id 4;
family inet {
address 20.20.4.1/24;
}
}
...
}
ACX5000 line of routers can be configured to provide Layer 2 VPN services to subscribers
based on Ethernet pseudowires where the UNI port is connected to a CE device. The
physical port can be configured to provide Layer 2 VPN services to multiple subscribers.
You can schedule traffic for different pseudowires based on the SLA parameters agreed
with the subscriber. Hierarchical class of service can be enabled per UNI logical interface
represented as the attachment point of the Ethernet pseudowire to achieve the
functionality.
The following is a sample to configure the UNI logical interface on the PE router providing
the Layer 2 VPN service based on Ethernet pseudowire:
[edit interfaces]
ge-0/0/1 {
hierarchical-scheduler;
vlan-tagging;
unit 0 {
encapsulation vlan-ccc;
vlan-id 0;
}
unit 1 {
encapsulation vlan-ccc;
vlan-id 1;
}
unit 2 {
encapsulation vlan-ccc;
vlan-id 2;
}
unit 3 {
encapsulation vlan-ccc;
vlan-id 3;
}
unit 4 {
encapsulation vlan-ccc;
vlan-id 4;
}
}
You can enable scheduling on the interfaces to achieve hierarchical class of service for
traffic flowing from NNI towards UNI direction.
ACX5000 line of routers can be configured to provide Layer 2 VPN services to subscribers
based on VPLS where the UNI port can be connected to a CE device. Subscriber network
is attached to UNI logical interface at the PE router and have a VPLS instance. The same
physical port can service multiple VPLS instances for various subscribers. The service
provider can schedule traffic for different VPLS instances based on the SLA parameters
agreed with the subscriber. You can enable hierarchical class of service per UNI logical
interface representing the VPLS instance for the subscriber to achieve the functionality.
The following is a sample to configure the UNI logical interface on the PE router providing
the VPLS service:
[edit interfaces]
ge-0/0/1 {
hierarchical-scheduler;
vlan-tagging;
encapsulation vlan-vpls;
unit 0 {
encapsulation vlan-vpls;
vlan-id 0;
}
unit 1 {
encapsulation vlan-vpls;
vlan-id 1;
}
unit 2 {
encapsulation vlan-vpls;
vlan-id 2;
}
unit 3 {
encapsulation vlan-vpls;
vlan-id 3;
}
unit 4 {
encapsulation vlan-vpls;
vlan-id 4;
}
Scheduling can be enabled on the interfaces to achieve hierarchical class of service for
the traffic flowing from NNI towards UNI direction.
You can use the following CLI commands to verify the configuration:
Queued:
Packets : 77485 6099 pps
Bytes : 41362188 26054080 bps
Transmitted:
Packets : 12417 975 pps
Bytes : 6357504 3996992 bps
Tail-dropped packets : Not Available
RL-dropped packets : 0 0 pps
RL-dropped bytes : 0 0 bps
Total-dropped packets: 65068 5124 pps
Total-dropped bytes : 35004684 22057088 bps
Queue Buffer Usage:
Reserved buffer : 8 pkts 1664 bytes
Shared buffer : 1507 pkts 313456 bytes
Queue: 3, Forwarding classes: 8q3
Queued:
Packets : 77547 6114 pps
Bytes : 41609314 26271632 bps
Transmitted:
Packets : 3261 243 pps
Bytes : 1646862 999248 bps
Tail-dropped packets : Not Available
RL-dropped packets : 0 0 pps
RL-dropped bytes : 0 0 bps
Total-dropped packets: 74286 5871 pps
Total-dropped bytes : 39962452 25272384 bps
Queue Buffer Usage:
Reserved buffer : 8 pkts 1664 bytes
Shared buffer : 1381 pkts 287248 bytes
Queue: 4, Forwarding classes: 8q4
Queued:
Packets : 77502 6105 pps
Bytes : 41450894 26131200 bps
Transmitted:
Packets : 9349 732 pps
Bytes : 4786688 3002344 bps
Tail-dropped packets : Not Available
RL-dropped packets : 0 0 pps
RL-dropped bytes : 0 0 bps
Total-dropped packets: 68153 5373 pps
Total-dropped bytes : 36664206 23128856 bps
Queue Buffer Usage:
Reserved buffer : 8 pkts 1664 bytes
Shared buffer : 1366 pkts 284128 bytes
Queue: 5, Forwarding classes: 8q5
Queued:
Packets : 77480 6094 pps
Bytes : 41358904 26032304 bps
Transmitted:
Packets : 12444 975 pps
Bytes : 6371328 3996992 bps
Tail-dropped packets : Not Available
RL-dropped packets : 0 0 pps
RL-dropped bytes : 0 0 bps
Total-dropped packets: 65036 5119 pps
Total-dropped bytes : 34987576 22035312 bps
Queue Buffer Usage:
Reserved buffer : 8 pkts 1664 bytes
Shared buffer : 1552 pkts 322816 bytes
Queue: 6, Forwarding classes: 8q6
Queued:
• show class-of-service packet-buffer usage—Shows the total buffer usage of the system.
The following is a sample output of the show class-of-service packet-buffer usage CLI
command:
You can use the syslog to view the log messages and error reports.
Related
Documentation
• Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic on page 950
• Default Behavior Aggregate Classification Overview in ACX Series on page 953
• Default IP Precedence Classifier on page 954
• Default MPLS EXP Classifier on page 955
• Default IEEE 802.1p Classifier on page 956
• Default IEEE 802.1ad Classifier on page 957
• Default DSCP and DSCP IPv6 Classifier on page 958
• Applying DSCP and DSCP IPv6 Classifiers on page 959
The idea behind class of service (CoS) is that packets are not treated identically by the
routers or switches on the network. In order to selectively apply service classes to specific
packets, the packets of interest must be classified in some fashion.
The simplest way to classify a packet is to use behavior aggregate (BA) classification,
also called the CoS value in this document. The DSCP, DSCP IPv6, or IP precedence bits
of the IP header convey the behavior aggregate class information. The information might
also be found in the MPLS EXP bits, IEEE 802.1ad, or IEEE 802.1p CoS bits.
NOTE: Support was added for filtering on Differentiated Services Code Point
(DSCP) and forwarding class for Routing Engine sourced packets, including
IS-IS packets encapsulated in generic routing encapsulation (GRE).
Subsequently, when upgrading from a previous version of Junos OS where
you have both a class of service (CoS) and firewall filter, and both include
DSCP or forwarding class filter actions, the criteria in the firewall filter
automatically takes precedence over the CoS settings. The same is true when
creating new configurations; that is, where the same settings exist, the firewall
filter takes precedence over the CoS, regardless of which was created first.
BA classification is useful if the traffic comes from a trusted source and the CoS value
in the packet header is trusted. If the traffic is untrusted, multifield classifiers (see
“Overview of Assigning Service Levels to Packets Based on Multiple Packet Header Fields”
on page 891) are used to classify packets based on multiple packet fields. It is common
to use multifield classifiers to classify traffic at the ingress of a network, rewrite the packet
headers (see Rewriting Packet Headers to Ensure Forwarding Behavior), then use the more
efficient BA classification for transversing the network.
The BA classifier maps a CoS value in the packet header to a forwarding class and loss
priority. The forwarding class determines the output queue. The loss priority is used by
schedulers in conjunction with the random early discard (RED) algorithm to control
packet discard during periods of congestion.
The types of BA classifiers are based on which part of the incoming packet the classifier
examines:
• IEEE 802.1ad—Packet classification for IEEE 802.1ad formats (including DEI bit)
Unlike multifield classifiers (which are discussed in “Overview of Assigning Service Levels
to Packets Based on Multiple Packet Header Fields” on page 891), BA classifiers are based
on fixed-length fields, which makes them computationally more efficient than multifield
classifiers. For this reason, core devices are normally configured to perform BA
classification, because of the higher traffic volumes they handle.
In most cases, you need to rewrite a given marker (IP precedence, DSCP, IEEE 802.1p,
IEEE 802.1ad, or MPLS EXP settings) at the ingress node to accommodate BA
classification by core and egress devices. For more information about rewrite markers,
see Rewriting Packet Headers to Ensure Forwarding Behavior.
NOTE: If you apply an IEEE 802.1 classifier to a logical interface, this classifier
takes precedence and is not compatible with any other classifier type.
Classifiers for IP (DSCP or IP precedence) and MPLS (EXP) can coexist on a
logical interface if the hardware requirements are met.
For Juniper Networks M Series Multiservice Edge Routers, four classes can forward traffic
independently. For M320 Multiservice Edge Routers, T Series Core Routers, MX Series
3D Universal Edge Routers, and PTX Series Packet Transport Routers, eight classes can
forward traffic independently. If you carry more classes of traffic than the device can
forward independently, you must configure the additional classes to be aggregated into
one of the available classes. You use the BA classifier to configure class aggregation.
NOTE: For a specified interface, you can configure both a multifield classifier
and a BA classifier without conflicts. Because the classifiers are applied in
sequential order if they are both either protocol specific or protocol
independent, the BA classifier followed by the multifield classifier, any BA
classification result is overridden by a multifield classifier if they conflict.
NOTE: The default Junos OS CoS policy, 95 percent of the bandwidth for
queue 0 and 5 percent for queue 3 on routing devices (see Default Schedulers
Overview), is in effect regardless of any custom BA classifier or forwarding
class definitions, until you configure a custom scheduler (see Configuring
Schedulers).
If you enable the MPLS protocol family on a logical interface, a default MPLS EXP classifier
is automatically applied to that logical interface. This default EXP classifier (see Default
MPLS EXP Classifier) maps the eight possible EXP code point values into a combination
of the four default forwarding classes and loss priority values to be directly compatible
with the default EXP rewrite rule (see Rewriting MPLS and IPv4 Packet Headers).
Other default classifiers (such as those for IEEE 802.1p bits and DSCP) require that you
explicitly associate a default classification table with a logical interface. When you
explicitly associate a default classifier with a logical interface, you are in effect overriding
the implicit default classifier with an explicit default classifier.
NOTE: Only the IEEE 802.1p classifier is supported in Layer 2-only interfaces.
You must explicitly apply this classifier to the interface as shown in Default
IEEE 802.1p Classifier.
You can apply IEEE 802.1p classifiers to interfaces that are part of VPLS routing instances.
13.3R7 Support was added for filtering on Differentiated Services Code Point (DSCP)
and forwarding class for Routing Engine sourced packets, including IS-IS
packets encapsulated in generic routing encapsulation (GRE).
Other default classifiers (such as those for IEEE 802.1p bits and DSCP) require that you
explicitly associate a default classification table with a physical interface. When you
explicitly associate a default classifier with a logical interface, you are in effect overriding
the implicit default classifier with an explicit default classifier.
Related • Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic on page 950
Documentation
• Overview of BA Classifier Types
Table 55 on page 955 shows the forwarding class and PLP that are assigned to the IP
precedence bits when you apply the default IP precedence classifier.
Table 56 on page 955 shows the forwarding class and PLP that are assigned to the MPLS
EXP bits when you apply the explicit default MPLS EXP classifier. To do this, include the
default statement [edit class-of-service system-defaults classifier exp default].
Related • Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic on page 950
Documentation
• Default Behavior Aggregate Classification Overview in ACX Series on page 953
Table 57 on page 956 shows the forwarding class and PLP that are assigned to the
IEEE 802.1p CoS bits when you apply the explicit default IEEE 802.1p classifier. To do
this, include the default statement at the [edit class-of-service interfaces interface-name
classifiers ieee-802.1] hierarchy level:
Related • Configuring the IEEE 802.1p Field for CoS Host Outbound Traffic in ACX Series on
Documentation page 889
• Configuring a Global Default IEEE 802.1p Value for All Host Outbound Traffic in ACX
Series on page 889
• Applying Egress Interface Rewrite Rules to the IEEE 802.1p Field for All Host Outbound
Traffic on the Interface in ACX Series on page 890
Table 58 on page 957 shows the code point, forwarding class alias, and PLP that are
assigned to the IEEE 802.1ad bits when you apply the explicit default IEEE 802.1ad
classifier. The table is very similar to the IEEE 802.1p default table, but the loss priority is
determined by the drop eligibility indicator (DEI) bit. To apply the default table, include
the default statement at the [edit class-of-service interfaces interface-name classifiers
ieee-802.1] hierarchy level:
0000 be low
0100 ef low
Related • CoS on ACX Series Universal Access Routers Features Overview on page 864
Documentation
• Understanding CoS CLI Configuration Statements on ACX Series Universal Access
Routers on page 865
Table 59 on page 958 shows the forwarding class and packet loss priority (PLP) that are
assigned to each well-known DSCP when you apply the explicit default DSCP or DSCP
IPv6 classifier. To do this, include the default statement at the [edit class-of-service
interfaces interface-name classifiers (dscp | dscp-ipv6)] hierarchy level:
ef expedited-forwarding low
be best-effort low
You can apply classifiers on a physical interface by including the classifiers statement
at the [edit class-of-service interfaces interface-name] hierarchy level and specifying the
dscpand dscp-ipv6 classifier types:
For ACX Series routers, you cannot apply separate DSCP and DSCP IPv6 classifiers for
IPv4 and IPv6 packets on a physical interface. Instead, classifier assignment works as
follows:
• If you assign a DSCP classifier only, IPv4 and IPv6 packets are classified using the DSCP
classifier.
• If you assign a DSCP IPv6 classifier only, IPv4 and IPv6 packets are classified using the
DSCP IPv6 classifier.
• If you assign an IP precedence classifier only, IPv4 and IPv6 packets are classified using
the IP precedence classifier. In this case, the lower three bits of the DSCP field are
ignored because IPv4 precedence mapping requires the upper three bits only.
• You can assign either DSCP, DSCP IPv6, or IPv4 precedence classifier types on a physical
interface.
• You can configure either DSCP, DSCP IPv6, or IPv4 precedence rewrite rules on a
physical interface. The rewrite rule applies to both IPv4 and IPv6 packets.
• If you assign either the DSCP or the IP precedence classifier in conjunction with the
DSCP IPv6 classifier, the commit fails.
On ACX Series routers, the following statements are supported at the [edit services rpm]
hierarchy level:
probe owner {
test test-name {
data-fill data;
data-size size;
destination-interface interface-name;
destination-port port;
dscp-code-point dscp-bits;
hardware-timestamp;
history-size size;
moving-average-size number;
one-way-hardware-timestamp;
probe-count count;
probe-interval seconds;
probe-type type;
routing-instance instance-name;
source-address address;
target (url url | address address);
test-interval interval;
thresholds thresholds;
traps traps;
}
}
NOTE: The ACX Series routers do not support the configuration of RPM
probes to a routing instance along with the configuration of the
hardware-timestamp statement.
The Two-Way Active Measurement Protocol (TWAMP) defines a standard for measuring
IP performance between two devices in a network. You can configure TWAMP on ACX
Series routers. ACX Series routers support only the reflector side of TWAMP.
For more information about TWAMP, see RFC 5357, A Two-Way Active Measurement
Protocol (TWAMP).
To configure TWAMP properties, include the twamp statement at the [edit services rpm]
hierarchy level:
maximum-sessions count;
maximum-sessions-per-connection count;
port udp-port-number;
server-inactivity-timeout minutes;
}
}
You can specify a number of TWAMP server properties, some of which are optional, by
including the server statement at the [edit services rpm twamp] hierarchy level:
• To specify the list of allowed control client hosts that can connect to this server, include
the client-list statement at the [edit services rpm twamp server] hierarchy level. Each
value you include must be a Classless Interdomain Routing (CIDR) address (IP address
plus mask) that represents a network of allowed hosts. You can include multiple client
lists, each of which can contain a maximum of 64 entries. You must configure at least
one client address to enable TWAMP.
• ACX Series routers do not support authentication and encryption modes. The value
for authentication-mode statement at the [edit services rpm twamp server] hierarchy
level must be set to none.
• To specify the maximum number of concurrent connections the server can have to
client hosts, include the maximum-connections statement at the [edit services rpm
twamp server] hierarchy level. The allowed range of values is 1 through 2048 and the
default value is 64. You can also limit the number of connections the server can make
to a particular client host by including the maximum-connections-per-client statement.
ACX Series routers supports a maximum of 15 concurrent connections.
• To specify the maximum number of sessions the server can have running at one time,
include the maximum-sessions statement at the [edit services rpm twamp server]
hierarchy level. The allowed range of values is 1 through 2048 and the default value is
64. You can also limit the number of sessions the server can have on a single connection
by including the maximum-sessions-per-connection statement. ACX Series routers
supports a maximum of 15 sessions.
• To specify the TWAMP server listening port, include the port statement at the [edit
services rpm twamp server] hierarchy level. The range is 1 through 65,535. If a port range
is not specified, then the default port 862 is used.
• TWAMP control connection traffic always arrives on ACX routers with the listening
port set as 862. Because this port number for traffic probes can be modified, probes
that arrive with a different port number are not recognized and processed by ACX
routers correctly. As a result, TWAMP traffic and host-bound packets are dropped in
such a scenario.
A traffic storm is generated when messages are broadcast on a network and each
message prompts a receiving node to respond by broadcasting its own messages on the
network. This, in turn, prompts further responses, creating a snowball effect. The LAN is
suddenly flooded with packets, creating unnecessary traffic that leads to poor network
performance or even a complete loss of network service. Storm control enables the router
to monitor traffic levels and to drop broadcast, unknown unicast, and multicast (BUM)
packets if they exceed the configured limit.
Storm control functions slightly differently on ACX Series routers compared to other
Juniper Networks routers. On ACX Series routers, storm control is only applicable at the
IFD level. No event will be logged when a traffic storm hits an ACX Series router. Also
interfaces will not be bound to any default profile. The default action is to drop the packets
exceeding the configured bandwidth.
Storm control configuration is done in two steps. The first step is to create a storm control
profile. Use the following configuration to create your storm control profile on an ACX
Series router:
storm-control-profiles {
foo {
all {
bandwidth [percentage | level] <x>;
[no-unknown-unicast | no-broadcast | no-multicast | no-registered-multicast |
no-unregistered-multicast]
}
}
}
The second step in configuring storm control is to bind the profile to an IFD. The following
configuration shows how to bind your storm control profile:
[edit interfaces]
ge-0/0/0 {
ether-options {
ethernet-switch-profile {
storm-control foo;
}
}
Related • Controlling Network Access Using Traffic Policing Overview on page 908
Documentation
• ACX Series Universal Access Router Overview on page 3
• ACX1000 and ACX1100 Routers Hardware and CLI Terminology Mapping on page 30
• ACX2000 and ACX2100 Routers Hardware and CLI Terminology Mapping on page 33
NOTE: For details on SNMP MIB support on EX4600 switches, QFX Series
switches, and QFabric systems, see SNMP MIBs Support.
IEEE 802.1ab section 12.1, Link Layer EX Series implementation of LLDP MIB EX Series and MX Series
Discovery Protocol (LLDP) MIB supports both IPv4 and IPv6
configuration.
IEEE, 802.3ad, Aggregation of Multiple Supported tables and objects: EX Series, M Series, MX Series, PTX
Link Segments Series, SRX Series, T Series, and vSRX
• dot3adAggPortTable,
dot3adAggPortListTable,
dot3adAggTable, and
dot3adAggPortStatsTable
• dot3adAggPortDebugTable (only
dot3adAggPortDebugRxState,
dot3adAggPortDebugMuxState,
dot3adAggPortDebugActorSyncTransitionCount,
dot3adAggPortDebugPartnerSyncTransitionCount,
dot3adAggPortDebugActorChangeCount,
and
dot3adAggPortDebugPartnerChangeCount)
• dot3adTablesLastChanged
IEEE, 802.1ag, Connectivity Fault Supported tables and objects: EX Series, MX Series, and QFX Series
Management
• dot1agCfmMdTableNextIndex
• dot1agCfmMdTable (except
dot1agCfmMdMhfldPermission)
• dot1agCfmMaNetTable
• dot1agCfmMaMepListTable
• dot1agCfmDefaultMdDefLevel
• dot1agCfmDefaultMdDefMhfCreation
• dot1agCfmMepTable (except
dot1agCfmMepLbrBadMsdu,
dot1agCfmMepTransmitLbmVlanPriority,
dot1agCfmMepTransmitLbmVlanDropEnable,
dot1agCfmMepTransmitLtmFlags,
dot1agCfmMepPbbTeCanReportPbbTePresence,
dot1agCfmMepPbbTeTrafficMismatchDefect,
dot1agCfmMepPbbTransmitLbmLtmReverseVid,
dot1agCfmMepPbbTeMismatchAlarm,
dot1agCfmMepPbbTeLocalMismatchDefect,
and
dot1agCfmMepPbbTeMismatchSinceReset)
• dot1agCfmLtrTable (except
dot1agCfmLtrChassisIdSubtype,
dot1agCfmLtrChassisId,
dot1agCfmLtrManAddressDomain,
dot1agCfmLtrManAddress,
dot1agCfmLtrIngressPortIdSubtype,
dot1agCfmLtrIngressPortId,
dot1agCfmLtrEgressPortIdSubtype,
dot1agCfmLtrEgressPortId, and
dot1agCfmLtrOrganizationSpecificTlv)
• dot1agCfmMepDbTable (except
dot1agCfmMebDbChassisIdSubtype,
dot1agCfmMebDbChassisId,
dot1agCfmMebDbManAddressDomain,
and dot1agCfmMebDbManAddress)
RFC 1195, Use of OSI IS-IS for Routing in Supported tables and objects: All platforms
TCP/IP and Dual Environments
• isisSystem
• isisMANAreaAddr
• isisAreaAddr
• isisSysProtSupp
• isisSummAddr
• isisCirc
• isisCircLevel
• isisPacketCount
• isisISAdj
• isisISAdjAreaAddr
• isisAdjIPAddr
• isisISAdjProtSupp
• isisRa
• isisIPRA
RFC 1212, Concise MIB Definitions No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
Series
RFC 1213, Management Information Base Junos OS supports the following areas: ACX Series, EX Series, M Series, MX
for Network Management of Series, PTX Series, SRX Series, and T
TCP/IP-Based Internets: MIB-II • MIB II and its SNMP version 2 Series
derivatives, including:
• Statistics counters
• IP, except for ipRouteTable, which
has been replaced by
ipCidrRouteTable (RFC 2096, IP
Forwarding Table MIB)
• SNMP management
• Interface management
RFC 1215, A Convention for Defining Traps Junos OS supports only MIB II SNMP ACX Series, EX Series, M Series, MX
for use with the SNMP version 1 traps and version 2 notifications. Series, PTX Series, SRX Series, and T
Series
RFC 1406, Definitions of Managed Objects Junos OS supports T1 MIB. ACX Series, M Series, SRX Series, and T
for the DS1 and E1 Interface Types Series
RFC 1407, Definitions of Managed Objects Junos OS supports T3 MIB. M Series and T Series
for the DS3/E3 Interface Type
RFC 1471, Definitions of Managed Objects Supported tables and objects: M Series, MX Series, and PTX Series
for the Link Control Protocol of the
Point-to-Point Protocol • pppLcp 1 object
• pppLinkStatustable table
• pppLinkConfigTable table
RFC 1657, Definitions of Managed Objects No exceptions ACX Series, EX Series, M Series, MX
for the Fourth Version of the Border Series, and T Series
Gateway Protocol (BGP-4) using SMIv2
RFC 1695, Definitions of Managed Objects No exceptions ACX Series, M Series, PTX Series, and T
for ATM Management Version 8.0 Using Series
SMIv2
RFC 1850, OSPF Version 2 Management Unsupported tables, objects, and traps: ACX Series, EX Series, M Series, MX
Information Base Series, PTX Series, SRX Series, and T
• ospfOriginateNewLsas object Series
• ospfRxNewLsas object
• The host table
• ospfOriginateLSA trap
ospfLsdbOverflow trap
ospfLsdbApproachingOverflow trap
RFC 2024, Definitions of Managed Objects Unsupported tables, objects, and traps M Series, MX Series, and T Series
for Data Link Switching Using SMIv2 with read-only access:
RFC 2096, IP Forwarding Table MIB The ipCidrRouteTable has been extended ACX Series, EX Series, M Series, MX
to include the tunnel name when the next Series, PTX Series, SRX Series, and T
NOTE: RFC 2096 has been replaced by hop is through an RSVP-signaled LSP. Series
RFC 4292. However, Junos OS currently
supports both RFC 2096 and RFC 4292.
RFC 2115, Management Information Base Unsupported table and objects: M Series, MX Series, SRX Series, and T
for Frame Relay DTEs Using SMIv2 Series
• frCircuitTable
• frErrTable
RFC 2233, The Interfaces Group MIB Using No exceptions ACX Series, EX Series, M Series, MX
SMIv2 Series, PTX Series, SRX Series, and T
Series
NOTE: RFC 2233 has been replaced by
RFC 2863, IF MIB. However, Junos OS
supports both RFC 2233 and RFC 2863.
RFC 2287, Definitions of System-Level Supported tables and objects: ACX Series, EX Series, M Series, MX
Managed Objects for Applications Series, PTX Series, SRX Series, and T
• sysApplInstallPkgTable Series
• sysApplInstallElmtTable
• sysApplElmtRunTable
• sysApplMapTable
RFC 2465, Management Information Base Junos OS does not support IPv6 interface ACX Series, M Series, MX Series, PTX
for IP Version 6: Textual Conventions and statistics. Series, SRX Series, and T Series
General Group (except for IPv6 interface
statistics)
RFC 2495, Definitions of Managed Unsupported tables, objects, and traps: ACX Series, M Series, SRX Series, and T
Objects for the DS1, E1, DS2, and E2 Series
Interface Types • dsx1FarEndConfigTable
• dsx1FarEndCurrentTable
• dsx1FarEndIntervalTable
• dsx1FarEndTotalTable
• dsx1FracTable
RFC 2515, Definitions of Managed Objects Unsupported table and objects: ACX Series, M Series, and T Series
for ATM Management
• atmVpCrossConnectTable
• atmVcCrossConnectTable
• aal5VccTable
RFC 2570, Introduction to Version 3 of the No exceptions ACX Series, EX Series, M Series, MX
Internet-standard Network Management Series, PTX Series, SRX Series, and T
Framework Series
RFC 2571, An Architecture for Describing No exceptions ACX Series, EX Series, M Series, MX
SNMP Management Frameworks Series, PTX Series, SRX Series, and T
(read-only access) Series
RFC 2572, Message Processing and No exceptions ACX Series, EX Series, M Series, MX
Dispatching for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series
(read-only access)
RFC 2576, Coexistence between Version No exceptions ACX Series, EX Series, M Series, MX
1, Version 2, and Version 3 of the Series, PTX Series, SRX Series, and T
Internet-standard Network Management Series
Framework
RFC 2579, Textual Conventions for SMIv2 No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
Series
RFC 2580, Conformance Statements for No exceptions ACX Series, EX Series, M Series, MX
SMIv2 Series, PTX Series, SRX Series, and T
Series
RFC 2662, Definitions of Managed Objects No exceptions M Series, MX Series, SRX Series, and T
for ADSL Lines Series
RFC 2665, Definitions of Managed For M Series, T Series, and MX Series, the ACX Series, EX Series, M Series, MX
Objects for the Ethernet-like Interface SNMP counters do not count the Series, PTX Series, SRX Series, and T
Types Ethernet header and frame check Series
sequence (FCS). Therefore, the Ethernet
NOTE: The list of managed objects header bytes and the FCS bytes are not
specified in RFC 2665 has been updated included in the following four tables:
by RFC 3635 by including information
useful for the management of 10-Gigabit • ifInOctets
per second Ethernet interfaces. • ifOutOctets
• ifHCInOctets
• ifHCOutOctets
RFC 2787, Definitions of Managed Objects Unsupported table and objects: ACX Series, EX Series, M Series, MX
for the Virtual Router Redundancy Series, PTX Series, SRX Series, and T
Protocol • vrrpStatsPacketLengthErrors Series
RFC 2790, Host Resources MIB Supported tables and objects: ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
• hrStorageTable Series
• hrSystem group
• hrSWInstalled group
• hrProcessorTable
RFC 2819, Remote Network Monitoring Supported tables and objects: ACX Series, EX Series, M Series, MX
Management Information Base Series, PTX Series, SRX Series, and T
• etherStatsTable (for Ethernet Series
interfaces only), alarmTable,
eventTable, and logTable are
supported on all devices running Junos
OS.
• historyControlTable and
etherHistoryTable (except
etherHistoryUtilization object) are
supported only on EX Series switches.
RFC 2863, The Interfaces Group MIB No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
NOTE: RFC 2863 replaces RFC 2233. Series
However, Junos OS supports both RFC
2233 and RFC 2863.
RFC 2864, The Inverted Stack Table No exceptions M Series, MX Series, PTX Series, SRX
Extension to the Interfaces Group MIB Series, and T Series
RFC 2922, The Physical Topology Supported objects: EX Series and SRX Series
(PTOPO) MIB
• ptopoConnDiscAlgorithm
• ptopoConnAgentNetAddrType
• ptopoConnAgentNetAddr
• ptopoConnMultiMacSASeen
• ptopoConnMultiNetSASeen
• ptopoConnIsStatic
• ptopoConnLastVerifyTime
• ptopoConnRowStatus
RFC 2925, Definitions of Managed Objects Supported tables and objects: ACX Series, EX Series, M Series, MX
for Remote Ping, Traceroute, and Lookup Series, PTX Series, SRX Series, and T
Operations • pingCtlTable Series
• pingResultsTable
• pingProbeHistoryTable
• pingMaxConcurrentRequests
• traceRouteCtlTable
• traceRouteResultsTable
• traceRouteProbeHistoryTable
• traceRouteHopsTable
RFC 2932, IPv4 Multicast Routing MIB No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
Series
RFC 2934, Protocol Independent Support for the pimNeighborLoss trap ACX Series, EX Series, M Series, MX
Multicast MIB for IPv4 was added in Release 11.4. Series, PTX Series, SRX Series, and T
Series
NOTE: In Junos OS, RFC 2934 is
implemented based on a draft version,
pimmib.mib, of the now standard RFC.
RFC 2981, Event MIB No exceptions ACX Series, M Series, MX Series, PTX
Series, and T Series
RFC 3014, Notification Log MIB No exceptions ACX Series, M Series, MX Series, PTX
Series, and T Series
RFC 3019, IP Version 6 Management No exceptions M Series, MX Series, PTX Series, SRX
Information Base for The Multicast Series, and T Series
Listener Discovery Protocol
RFC 3410, Introduction and Applicability No exceptions ACX Series, EX Series, M Series, MX
Statements for Internet-Standard Series, PTX Series, SRX Series, and T
Management Framework Series
RFC 3411, An Architecture for Describing No exceptions ACX Series, EX Series, M Series, MX
Simple Network Management Protocol Series, PTX Series, SRX Series, and T
(SNMP) Management Frameworks Series
RFC 3412, Message Processing and No exceptions ACX Series, EX Series, M Series, MX
Dispatching for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series
RFC 3413, Simple Network Management Unsupported tables and objects: ACX Series, EX Series, M Series, MX
Protocol (SNMP) Applications Series, PTX Series, SRX Series, and T
• Proxy MIB Series
RFC 3414, User-based Security Model No exceptions ACX Series, EX Series, M Series, MX
(USM) for version 3 of the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMPv3) Series
RFC 3415, View-based Access Control No exceptions ACX Series, EX Series, M Series, MX
Model (VACM) for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series
RFC 3416, Version 2 of the Protocol No exceptions ACX Series, EX Series, M Series, MX
Operations for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series
RFC 3417, Transport Mappings for the No exceptions ACX Series, EX Series, M Series, MX
Simple Network Management Protocol Series, PTX Series, SRX Series, and T
(SNMP) Series
RFC 3418, Management Information Base No exceptions ACX Series, EX Series, M Series, MX
(MIB) for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series
RFC 3584, Coexistence between Version No exceptions ACX Series, EX Series, M Series, MX
1, Version 2, and Version 3 of the Series, PTX Series, SRX Series, and T
Internet-standard Network Management Series
Framework
RFC 3591 Managed Objects for the Supported tables and objects: M Series, MX Series, PTX Series, and T
Optical Interface Type Series
• optIfOTMnTable (except
optIfOTMnOpticalReach,
optIfOTMnInterfaceType, and
optIfOTMnOrder)
• optIfOChConfigTable (except
optIfOChDirectionality and
optIfOChCurrentStatus)
• optIfOTUkConfigTable (except
optIfOTUkTraceIdentifierAccepted,
optIfOTUkTIMDetMode,
optIfOTUkTIMActEnabled,
optIfOTUkTraceIdentifierTransmitted,
optIfOTUkDEGThr, optIfOTUkDEGM,
optIfOTUkSinkAdaptActive, and
optIfOTUkSourceAdaptActive)
• optIfODUkConfigTable (except
optIfODUkPositionSeqCurrentSize and
optIfODUkTtpPresent)
RFC 3592, Definitions of Managed Objects No exceptions M Series, MX Series, and T Series
for the Synchronous Optical
Network/Synchronous Digital Hierarchy
(SONET/SDH) Interface Type
RFC 3635, Definitions of Managed Objects Unsupported tables and objects: MX Series
for the Ethernet-like Interface Types
• dot3StatsRateControlAbility
• dot3StatsRateControlStatus in
dot3StatsEntry table
• dot3HCStatsSymbolErrors
• dotHCStatsInternalMacTransmitErrors
RFC 3637, Definitions of Managed Objects Unsupported tables and objects: M Series, MX Series, PTX Series, and T
for the Ethernet WAN Interface Sublayer Series
• etherWisDeviceTable,
• etherWisSectionCurrentTable
• etherWisFarEndPathCurrentTable
RFC 3811, Definitions of Textual No exceptions ACX Series, M Series, MX Series, PTX
Conventions (TCs) for Multiprotocol Label Series, SRX Series, and T Series
Switching (MPLS) Management
RFC 3812, Multiprotocol Label Switching MPLS tunnels as interfaces are not ACX Series, M Series, MX Series, PTX
(MPLS) Traffic Engineering (TE) supported. Series, and T Series
Management Information Base (MIB)
(read-only access) mplsTunnelCHopTable is supported on
ingress routers only.
• mplsTunnelResourceMeanRate in
TunnelResource table
• mplsTunnelResourceMaxBurstSize in
TunnelResource table
• mplsTunnelResourceMeanBurstSize in
TunnelResource table
• mplsTunnelResourceExBurstSize in
TunnelResource table
• mplsTunnelResourceWeight in
TunnelResource table
• mplsTunnelPerfTable
• mplsTunnelCRLDPResTable
RFC 3813, Multiprotocol Label Switching Unsupported tables and objects ACX Series, M Series, MX Series, PTX
(MPLS) Label Switching Router (LSR) (read-only access): Series, SRX Series, and T Series
Management Information Base (MIB)
• mplsInterfacePerfTable
• mplsInSegmentPerfTable
• mplsOutSegmentPerfTable
• mplsInSegmentMapTable
• mplsXCUp
• mplsXCDown
RFC 3826, The Advanced Encryption No exceptions ACX Series, EX Series, M Series, MX
Standard (AES) Cipher Algorithm in the Series, PTX Series, SRX Series, and T
SNMP User-based Security Model Series
RFC 3877, Alarm Management • Junos OS does not support the MX Series
Information Base alarmActiveStatsTable.
• Traps that do not conform to the
alarm model are not supported.
However, these traps can be redefined
to conform to the alarm model.
RFC 3896, Definitions of Managed Unsupported tables and objects: M Series and T Series
Objects for the DS3/E3 Interface Type
• dsx3FarEndConfigTable
• dsx3FarEndCurrentTable
• dsx3FarEndIntervalTable
• dsx3FarEndTotalTable
• dsx3FracTable
RFC 4087, IP Tunnel MIB Describes MIB objects in the following M Series, MX Series, and T Series
tables for managing tunnels of any type
over IPv4 and IPv6 networks:
• tunnelIfTable—Provides information
about the tunnels known to a router.
• tunnelInetConfigTable—Assists
dynamic creation of tunnels and
provides mapping from end-point
addresses to the current interface
index value.
RFC 4133, Entity MIB Unsupported tables and objects: Only MX240, MX480, and MX960
routers, and EX2200 and EX3300
• entityLogicalGroup table switches
• entPhysicalMfgDate and
entPhysicalUris objects in
entityPhysical2Group table
• entLPMappingTable and
entPhysicalContainsTable in
entityMappingGroup table
• entityNotoficationsGroup table
RFC 4188, Definitions of Managed Objects • Supports 802.1D STP(1998) MX Series, EX Series, and M Series and
for Bridges • Supported subtrees and objects: T Series
RFC 4268, Entity State MIB No exceptions Only MX240, MX480, and MX960
routers, and EX2200 and EX3300
switches
RFC 4273, Definitions of Managed Objects Supported tables and objects: ACX Series, EX Series, M Series, MX
for BGP-4 Series, SRX Series, and T Series
• jnxBgpM2PrefixInPrefixesAccepted
• jnxBgpM2PrefixInPrefixesRejected
RFC 4292, IP Forwarding MIB Supported tables and objects: ACX Series, EX Series, M Series, MX
Series, PTX Series, and T Series
• inetCidrRouteTable
• inetCidrRouteNumber
• inetCidrRouteDiscards
RFC 4293, Management Information Base Supports only the mandatory groups. MX Series and EX Series
for the Internet Protocol (IP)
RFC 4318, Definitions of Managed Objects Supports 802.1w and 802.1t extensions EX Series, M Series, MX Series, and T
for Bridges with Rapid Spanning Tree for RSTP. Series
Protocol
RFC 4382, MPLS/BGP Layer 3 Virtual Supported tables and objects: EX Series, M Series, MX Series, PTX
Private Network (VPN) MIB Series, and T Series
• mplsL3VpnActiveVrfs
• mplsL3VpnConfiguredVrfs
• mplsL3VpnConnectedInterfaces
• mplsL3VpnVrfConfMidRteThresh
• mplsL3VpnVrfConfHighRteThresh
• mplsL3VpnIfConfRowStatus
• mplsL3VpnIllLblRcvThrsh
• mplsL3VpnNotificationEnable
• mplsL3VpnVrfConfMaxPossRts
• mplsL3VpnVrfConfRteMxThrshTime
• mplsL3VpnVrfOperStatus
• mplsL3VpnVrfPerfCurrNumRoutes
• mplsL3VpnVrfPerfTable
• mplsL3VpnVrfRteTable
• mplsVpnVrfRTTable
• mplsL3VpnVrfTable
• mplsL3VpnIfConfTable
RFC 4802, Generalized Multiprotocol Unsupported tables and objects: M Series, MX Series, and T Series
Label Switching (GMPLS) Traffic
Engineering (TE) Management • gmplsTunnelReversePerfTable
Information Base (MIB) (read-only • gmplsTeScalars
access)
• gmplsTunnelTable
• gmplsTunnelARHopTable
• gmplsTunnelCHopTable
• gmplsTunnelErrorTable
RFC 4803, Generalized Multiprotocol Unsupported tables and objects: M Series, MX Series, and T Series
Label Switching (GMPLS) Label Switching
Router (LSR) Management Information • gmplsLabelTable
Base (MIB) (read-only access) • gmplsOutsegmentTable
RFC 5643, Management Information Base Unsupported tables and objects: M Series, MX Series, PTX Series, SRX
for OSPFv3 (read-only access) Series, and T Series
• ospfv3HostTable
• ospfv3CfgNbrTable
• ospfv3ExitOverflowInterval
• ospfv3ReferenceBandwidth
• ospfv3RestartSupport
• ospfv3RestartInterval
• ospfv3RestartStrictLsaChecking
• ospfv3RestartStatus
• ospfv3RestartAge
• ospfv3RestartExitReason
• ospfv3NotificationEnable
• ospfv3StubRouterSupport
• ospfv3StubRouterAdvertisement
• ospfv3DiscontinuityTime
• ospfv3RestartTime
• ospfv3AreaNssaTranslatorRole
• ospfv3AreaNssaTranslatorState
• ospfv3AreaNssaTranslatorStabInterval
• ospfv3AreaNssaTranslatorEvents
• ospfv3AreaTEEnabled
• ospfv3IfMetricValue
• ospfv3IfDemandNbrProbe
ESO Consortium MIB, which can be No exceptions ACX Series, EX Series, M Series, MX
found at http://www.snmp.com/eso/ Series, PTX Series, SRX Series, and T
Series
NOTE: The ESO Consortium MIB has
been replaced by RFC 3826.
Internet draft As defined under the Juniper Networks M Series, MX Series, and T Series
draft-ietf-atommib-sonetaps-mib-10.txt, enterprise branch [jnxExperiment] only
Definitions of Managed Objects for
SONET Linear APS Architectures
Internet draft draft-ieft-bfd-mib-02.txt, (Represented by mib-jnx-bfd-exp.txt and ACX Series, EX Series, M Series, MX
Bidirectional Forwarding Detection implemented under the Juniper Networks Series, SRX Series, and T Series
Management Information Base enterprise branch [jnxExperiment]. Read
only. Includes bfdSessUp and
bfdSessDown traps. Does not support
bfdSessPerfTable and
bfdSessMapTable.)
Internet draft Unsupported tables and objects: ACX Series, EX Series, M Series, MX
draft-ietf-isis-wg-mib-07.txt, Series, PTX Series, SRX Series, and T
Management Information Base for IS-IS • isisISAdjTable Series
• isisISAdjAreaAddrTable
NOTE: Replaced with RFC 4444, IS-IS
• isisISAdjIPAddrTable
MIB in Junos OS Release 11.3 and later.
• isisISAdjProtSuppTable)
Internet draft (Implemented under the Juniper M Series, MX Series, and T Series
draft-ietf-l3vpn-mvpn-mib-03.txt, Networks enterprise branch
MPLS/BGP Layer 3 VPN Multicast [jnxExperiment]. OID for
Management Information Base jnxMvpnExperiment is .1.3.6.1.4.1.2636.5.12.
Read only. Includes jnxMvpnNotifications
traps.)
Internet draft Unsupported tables and objects: M Series, MX Series, PTX Series, and T
draft-ietf-mpls-mldp-mib-02.txt, Series
Definitions of Managed Objects for the • mplsMldpInterfaceStatsTable
LDP Point-to-Multipoint and
Also, the following fields of the
Multipoint-to-Multipoint Label Switched
mplsMldpFecUpstreamSessTable are
Paths
not implemented because these
statistics are not currently supported in
LDP or PFE:
• mplsMldpFecUpstreamSessPackets
• mplsMldpFecUpstreamSessBytes
• mplsMldpFecUpstreamSessDiscontinuityTime
Internet draft Support for ospfv3NbrTable only. M Series, MX Series, PTX Series, SRX
draft-ietf-ospf-ospfv3-mib-11.txt, Series, and T Series
Management Information Base for
OSPFv3
Internet draft Supported tables and objects: M Series, MX Series, PTX Series, and T
draft-ietf-ppvpn-mpls-vpn-mib-04.txt, Series
MPLS/BGP Virtual Private Network • mplsVpnScalars
Management Information Base Using • mplsVpnVrfTable
SMIv2
• mplsVpnPerTable
• mplsVpnVrfRouteTargetTable
For information about standard SNMP MIB objects, see the SNMP MIB Explorer.
NOTE: Starting with Junos OS Release 16.1, this topic has been deprecated;
refer instead to Enterprise-Specific SNMP MIBs Supported by Junos OS.
Table 61 on page 985 lists the enterprise-specific MIBs that are supported on various
devices running Junos OS.
NOTE: In this table, a value of 1 in any of the platform columns (ACX, M, MX,
T, EX, PTX, and SRX) denotes that the corresponding MIB is supported on
that particular platform. A value of 0 denotes that the MIB is not supported
on the platform.
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-user-aaa.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-auth.txt
Alarm MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-chassis-alarm.txt
Analyzer MIB 0 0 0 1 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-analyzer.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-utm-av.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-atm-cos.txt
ATM MIB 1 1 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-atm.txt
BGP4 V2 MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-bgpmib2.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-bfd.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-chassis-fwdd.txt
Chassis MIBs 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-chassis.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-chas-defines.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-jsrpd.txt
Class-of-Service MIB 1 1 1 1 1 1 0 0 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-cos.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-cfgmgmt.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-dcu.txt
DHCP MIB 0 1 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-jdhcp.txt
DHCPv6 MIB 0 1 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-jdhcpv6.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-dom.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-dns.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-dfc.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/jnx-mac.txt
Event MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-event.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ex-mac-notification.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ex-smi.txt
Experimental MIB 1 1 1 1 1 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-exp.txt
Firewall MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-firewall.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-coll.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-hostresources.txt
Interface MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-if-extensions.txt
IP Forward MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ipforward.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ipsec-flow-mon.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ipsec-monitor-asp.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-ipsec-vpn.txt
IPv4 MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ipv4.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ipv6.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
L2ALD MIB 0 0 1 1 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-l2ald.txt
L2CP MIB 0 0 0 1 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-l2cp-features.txt
L2TP MIB 0 1 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-l2tp.txt
LDP MIB 1 1 1 0 0 1 0 0 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ldp.txt
License MIB 0 1 1 0 0 0 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-license.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-lsys-securityprofile.txt
MIMSTP MIB 0 0 1 1 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-mimstp.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-mpls-ldp.txt
MPLS MIB 1 1 1 1 1 1 0 0 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-mpls.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
MVPN MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-mvpn.txt and
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-l2l3vpn-mcast.txt.
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-nat.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/ mibs/mib-jnx-sp-nat.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-otn.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-pfe.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-packet-mirror.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-pae-extension.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-pmon.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
Ping MIB 1 1 1 1 1 0 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ping.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-policy.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-power-supply-unit.txt
PPP MIB 0 1 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-ppp.txt
PPPoE MIB 0 1 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-pppoe.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-pwatm.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/ reference/mibs/mib-jnx-pwtdm.txt
PTP MIB 0 0 0 1 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-timing-notifications.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-rpm.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
Reverse-Path-Forwarding MIB 1 1 1 1 1 1 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-rpf.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-rmon.txt
RSVP MIB 1 1 1 1 0 1 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-rsvp.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-if-ext.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-screening.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-sp.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-idp.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-sonetaps.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-sonet.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-scu.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-spu-monitoring.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-smi.txt
Subscriber MIB 1 0 1 0 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-subscriber.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-syslog.txt
Traceroute MIB 0 1 1 1 1 0 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-traceroute.txt
Utility MIB 0 1 1 1 1 0 1 1 1
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-util.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-virtualchassis.txt
VLAN MIB 0 0 0 1 0 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vlan.txt
SRX
SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800
VPLS MIBs 0 1 1 1 0 0 0 0 0
• http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpls-generic.txt
• http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpls-ldp.txt
• http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpls-bgp.txt
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-cert.txt
VPN MIB 1 1 1 1 1 0 0 0 0
http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpn.txt
IP and MAC address validation enables the ACX Series router to validate that received
packets contain a trusted IP source and an Ethernet MAC source address.
Configuring IP and MAC address validation can provide additional validation when
subscribers access billable services. MAC address validation provides additional security
by enabling the router to drop packets that do not match, such as packets with spoofed
addresses.
When subscribers log in, they are automatically assigned IP addresses by DHCP. With IP
and MAC address validation enabled, the router compares the IP source and MAC source
addresses against trusted addresses, and forwards or drops the packets according to
the match and the validation mode.
IP and MAC address validation on ACX Series routers support Fast Ethernet, Gigabit
Ethernet, and 10-Gigabit Ethernet interfaces (with or without VLAN tagging).
Trusted Addresses
A trusted address tuple comprises a 32-bit IP address and a 48-bit MAC address. Prefixes
and ranges are not supported.
The IP source address and the MAC source address used for validation must be from a
trusted source.
All static ARP addresses configured through the Junos OS CLI are trusted addresses;
dynamic ARP addresses are not considered trusted addresses.
Addresses dynamically created through an extended DHCP local server are also trusted
addresses. When a DHCP server and client negotiate an IP address, the resulting IP
address and MAC address tuple is trusted. Each DHCP subscriber can generate more
than one address tuple.
Each MAC address can have more than one IP address, which can result in more than
one valid tuple. Each IP address must map to one MAC address.
Configuring strict mode is a more conservative strategy because it requires both received
source addresses to match trusted addresses.
Related • Configuring IP and MAC Address Validation for Static Interfaces on page 997
Documentation
• mac-validate on page 1593
This topic describes how to configure IP and MAC address validation for static interfaces
on ACX Series routers.
Subscriber interfaces can be statically created and associated with a dynamic profile
(for example, VLAN interfaces).
To configure IP and MAC address validation on static interfaces, include the mac-validate
statement at the [edit interfaces interface-name unit logical-unit-number family inet]
hierarchy level.
[edit interfaces]
user@host# edit interface-name unit logical-unit-number family inet
2. Configure the type of IP and MAC address validation for the interface.
For example, to configure loose validation on interface fe-0/0/0.0, configure the following:
To check packets dropped by IP and MAC address validation, use the run show interfaces
interface-name statistics show command.
NAT is described in RFC 1631 to solve IP (version 4) address depletion problems. NAT
has been found to be a useful tool for firewalls, traffic redirect, load sharing, network
migrations, and so on.
Source NAT is the translation of the source IP address of a packet leaving the router.
Source NAT is used to allow hosts with private IP addresses to access a public network.
Source NAT allows connections to be initiated only for outgoing network connections—for
example, from a private network to the Internet. Source NAT is commonly used to:
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
Network Address Port Translation (NAPT) is a method by which many network addresses
and their TCP/UDP ports are translated into a single network address and its TCP/UDP
ports. This translation can be configured in both IPv4 and IPv6 networks.
In ACX Series routers, you can have up to 4096 network address translations at a time.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
The NAT services on ACX Series routers allows Junos OS interface addresses to be shared
with a NAPT pool. This feature of sharing the same address/port between the NAPT pool
and Junos OS is termed as address overloading.
To achieve address overloading, the available IPv4 address or port range of 1 to 65,536
addresses is partitioned between Junos OS and NAT as shown below:
The number of ports reserved for NAPT pool with address overload feature is 4096.
The address-overload statement enables sharing of IPv4 address between Junos OS and
the NAT pool. Along with the address-overload statement, you must also specify the
interface statement so that the first available IPv4 address or port of the interface is
picked up for the NAT pool.
You can configure the address overload feature the following ways:
pool p3 {
address-overload;
interface ge-0/0/1.0;
port {
range low 49160 high 53255;
}
}
In this case, the primary address on the interface is picked for the NAT pool.
pool p4 {
address-overload;
address 45.0.0.1/32;
port {
range low 49160 high 53255;
}
}
The interface statement enables sharing of IPv4 interface address with the NAT pool
along with the port range specified in the pool.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
You should consider the following constraints while configuring Network Address
Translation (NAT) on ACX Series routers:
• When a port is defined in a NAT pool, you can configure only one address or one address
range in the pool.
• When you specify an address range or an address prefix in a NAT pool, the maximum
number of addresses supported is 65,535. ACX Series routers supports up to 4096
network address translations at a time.
• In a NAT rule term, the from clause can contain a maximum of 4 matching addresses.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
To configure a Network Address Translation (NAT) rule, include the rule rule-name
statement at the [edit services nat] hierarchy level:
Each rule must include a match-direction statement that specifies the direction in which
the match is applied.
NOTE: ACX Series routers support only input as the match direction.
In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term
consists of the following:
• from statement—Specifies the match conditions and applications that are included
and excluded.
The following sections explain how to configure the components of NAT rules:
The match direction is used with respect to the traffic flow through the NAT engine. When
a packet is sent to the NAT engine, direction information is carried along with it. The
packet direction is determined on the basis of the following criteria:
• With a next-hop service set, packet direction is determined by the interface used to
route the packet to the NAT engine. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
NAT engine, the packet direction is output. For more information about inside and
outside interfaces, see “Configuring Service Sets to Be Applied to Services Interfaces”
on page 1031.
• On the NAT engine, a flow lookup is performed. If no flow is found, rule processing is
performed. All rules in the service set are considered. During rule processing, the packet
direction is compared against rule directions. Only rules with direction information that
matches the packet direction are considered.
source-address prefix;
source-address-range (Services NAT) low minimum-value high maximum-value <except>;
}
To configure traditional NAT, you can use the destination address, a range of destination
addresses, the source address, or a range of source addresses as a match condition, in
the same way as you would configure a firewall filter; for more information, see the
Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
Alternatively, you can specify a list of source or destination prefixes by including the
prefix-list statement at the [edit policy-options] hierarchy level and then including either
the destination-prefix-list or the source-prefix-list statement in the NAT rule.
The no-translation statement enables you to specify addresses that you want excluded
from NAT.
The syslog statement enables you to record an alert in the system logging facility.
NOTE: When configuring NAT, if any traffic is destined for the following
addresses and does not match a NAT flow or NAT rule, the traffic is dropped:
• Addresses specified in the source NAT pool when you are using source
translation
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
Configuring Address Pools for Network Address Port Translation (NAPT) Overview
With Network Address Port Translation (NAPT), you can have up to 4096 network
address or port translations.
The port statement specifies port assignment for the translated addresses. To configure
a specific range of port numbers, include the port range low minimum-value high
maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
Junos OS for ACX Series routers allocates ports sequentially—that is, ACX Series routers
allocate the first available address or port from the NAT pool.
The NAT pool called napt in the following configuration example uses the sequential
implementation:
pool napt {
address-range low 100.0.0.1 high 100.0.0.3;
port {
range low 49160 high 53255;
}
}
address or port are from a different source, you are free to assign a different external
address.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
The inline services interface is a virtual interface that resides on the Packet Forwarding
Engine. The si- interface makes it possible to provide NAT and IPsec services without
using a special services PIC.
To configure inline services interface, you define the service interface as type si-
(service-inline) interface. You must also reserve adequate bandwidth for the inline services
interface. This enables you to configure both interface or next-hop service sets used for
NAT and IPsec services.
NOTE: In ACX Series routers, you can configure only one inline services
interface as an anchor interface for NAT and IPsec sessions: si-0/0/0.
1. Access an FPC-managed slot and the PIC where the interface is to be enabled.
[edit chassis]
user@host# edit fpc slot-number pic number
2. Enable the interface and specify the amount of bandwidth reserved on each Packet
Forwarding Engine for tunnel traffic that uses inline services.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
ALGs Available by Default for Junos OS Address Aware NAT on ACX500 Router
The following Application Level Gateways (ALGs) listed in Table 63 on page 1010 are
supported for NAT processing on ACX500 routers.
To view the implementation details (port, protocol, and so on) for these Junos OS default
applications, locate the Junos OS Default ALG Name in the table and then look up the
listed name in the groups. For example, for details about TFTP, look up junos-tftp as
shown.
NOTE: The ALG for NAT is supported only on the ACX500 indoor routers.
TIP: The Junos OS provides the junos-alg, which enables other ALGs to
function by handling ALG registrations, causing slow path packets to flow
through registered ALGs, and transferring ALG events to the ALG plug-ins.
The junos-alg ALG is automatically available on the ACX500 router and does
not require further configuration.
NOTE: The remote login (rlogin) application layer gateways (ALGs) are not
supported with network address port translation (NAPT) on ACX500 router.
Basic TCP ALG yes NOTE: Specific Junos OS ALGs are not supported.
However, a feature called TCP tracker, available by
default, performs segment ordering and retransmit
and connection tracking, validations for TCP
connections.
Basic UDP ALG yes NOTE: TCP tracker performs limited integrity and
validation checks for UDP.
Basic TCP
This ALG performs basic sanity checking on TCP packets. If it finds errors, it generates
the following anomaly events and system log messages:
1. When the router receives a SYN packet, the ALG creates TCP forward and reverse
flows and groups them in a conversation. It tracks the TCP three-way handshake.
4. ICMP errors are allowed only when a flow matches the selector information specified
in the ICMP data.
Basic UDP
This ALG performs basic sanity checking on UDP headers. If it finds errors, it generates
the following anomaly events and system log messages:
1. When it receives the first packet, the ALG creates bidirectional flows to accept forward
and reverse UDP session traffic.
2. If the session is idle for more than the maximum allowed idle time (the default is
30 seconds), the flows are deleted.
3. ICMP errors are allowed only when a flow matches the selector information specified
in the ICMP data.
DNS
The Domain Name System (DNS) ALG handles data associated with locating and
translating domain names into IP addresses. The ALG typically runs on port 53. The ALG
monitors DNS query and reply packets and supports only UDP traffic. The ALG does not
support payload translations. The DNS ALG closes the session only when a reply is
received or an idle timeout is reached.
[edit]
services {
service-set set-dns {
nat-rules nat-dns;
interface-service {
service-interface ms-0/2/0;
}
}
[edit]
services {
nat {
pool p-napt {
address 1.1.1.1/32;
}
}
}
[edit]
services {
nat {
rule nat-dns {
match-direction input;
term term1 {
from {
source-address {
50.50.50.2/32;
}
applications junos-dns-udp;;
}
then {
translated {
source-pool p-napt;
translation-type {
basic-nat44;
}
}
}
}
}
}
[edit]
interfaces {
ge-0/1/0 {
media-type copper;
unit 0 {
family inet {
service {
input {
service-set set-dns;
}
output {
service-set set-dns;
}
}
address 50.50.50.1/24;
}
}
}
ge-0/1/1 {
media-type copper;
unit 0 {
family inet {
address 60.60.60.1/24;
}
}
}
ms-0/2/0 {
unit 0 {
family inet;
}
}
}
FTP
FTP is the File Transfer Protocol, specified in RFC 959. In addition to the main control
connection, data connections are also made for any data transfer between the client
and the server; and the host, port, and direction are negotiated through the control
channel.
For non-passive-mode FTP, Junos OS stateful firewall service scans the client-to-server
application data for the PORT command, which provides the IP address and port number
to which the server connects. For passive-mode FTP, Junos OS stateful firewall service
scans the client-to-server application data for the PASV command and then scans the
server-to-client responses for the 227 response, which contains the IP address and port
number to which the client connects.
There is an additional complication: FTP represents these addresses and port numbers
in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number
might be changed, and thereafter the NAT service needs to maintain this delta in SEQ
and ACK numbers by performing sequence NAT on all subsequent packets.
Support for stateful firewall and NAT services requires that you configure the FTP ALG
on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:
• Automatically allocates data ports and firewall permissions for dynamic data
connection
• Rewrites the control packets with the appropriate NAT address and port information
On ACX500, for passive FTP to work properly without FTP application layer gateway
(ALG) enabled (by not specifying the application junos-ftp statement at the [edit services
nat rule rule-name term term-name from] hierarchy level), you must enable the address
pooling paired (APP) functionality enabled (by including the address-pooling statement
at the [edit services nat rule rule-name term term-name then translated] hierarchy level).
Such a configuration causes the data and control FTP sessions to receive the same NAT
address.
[edit]
services {
service-set set-ftp {
nat-rules nat-ftp;
interface-service {
service-interface ms-0/2/0;
}
}
[edit]
services {
nat {
pool p-napt {
address 30.30.30.0/24;
port {
range low 9000 high 9010;
}
}
}
[edit]
services {
nat {
rule nat-ftp {
match-direction input;
term term1 {
from {
source-address {
10.10.10.0/24;
}
applications junos-ftp;
}
then {
translated {
source-pool p-napt;
translation-type {
napt-44;
}
}
}
}
}
}
[edit]
interfaces {
ge-0/1/0 {
media-type copper;
unit 0 {
family inet {
service {
input {
service-set set-ftp;
}
output {
service-set set-ftp;
}
}
address 10.10.10.1/24;
}
}
}
ge-0/1/1 {
media-type copper;
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
ms-0/2/0 {
unit 0 {
family inet;
}
}
ICMP
The Internet Control Message Protocol (ICMP) is defined in RFC 792. The Junos OS allows
ICMP messages to be filtered by specific type or specific type code value. ICMP error
packets that lack a specifically configured type and code are matched against any existing
flow in the opposite direction to check for the legitimacy of the error packet. ICMP error
packets that pass the filter matching are subject to NAT translation.
The ICMP ALG always tracks ping traffic statefully using the ICMP sequence number.
Each echo reply is forwarded only if there is an echo request with the corresponding
sequence number. For any ping flow, only 20 echo requests can be forwarded without
receiving an echo reply. When you configure dynamic NAT, the PING packet identifier is
translated to allow additional hosts in the NAT pool to use the same identifier.
Support for NAT services requires that you configure the ICMP ALG if the protocol is
needed. You can configure the ICMP type and code for additional filtering.
TFTP
The Trivial File Transfer Protocol (TFTP) is specified in RFC 1350. The initial TFTP requests
are sent to UDP destination port 69. Additional flows can be created to get or put individual
files. Support of NAT services requires that you configure the TFTP ALG for UDP
destination port 69.
[edit]
services {
service-set set-tftp {
nat-rules nat-tftp;
interface-service {
service-interface ms-0/2/0;
}
}
[edit]
services {
nat {
pool p-napt {
address 1.1.1.1/32;
}
}
}
[edit]
services {
nat {
rule nat-tftp {
match-direction input;
term term1 {
from {
source-address {
50.50.50.2/32;
}
applications junos-tftp;
}
then {
translated {
source-pool p-napt;
translation-type {
dynamic-nat44;
}
}
}
}
}
}
[edit]
interfaces {
ge-0/1/0 {
media-type copper;
unit 0 {
family inet {
service {
input {
service-set set-tftp;
}
output {
service-set set-tftp;
}
}
address 50.50.50.1/24;
}
}
}
ge-0/1/1 {
media-type copper;
unit 0 {
family inet {
address 60.60.60.1/24;
}
}
}
ms-0/2/0 {
unit 0 {
family inet;
}
}
• Login—Better known as rlogin; uses well-known TCP port 513. For details, see RFC 1282.
No special firewall processing is required.
NAT remote-shell services require that any dynamic source port assigned be within the
port range 512 to 1023. If you configure a NAT pool, this port range is reserved exclusively
for remote shell applications.
[edit]
services {
service-set set-rsh {
nat-rules nat-rsh;
interface-service {
service-interface ms-0/2/0;
}
}
[edit]
services {
nat {
pool p-napt {
address 1.1.1.1/32;
}
}
}
[edit]
services {
nat {
rule nat-rsh {
match-direction input;
term term1 {
from {
source-address {
50.50.50.2/32;
}
applications junos-rsh;
}
then {
translated {
source-pool p-napt;
translation-type {
dynamic-nat44;
}
}
}
}
}
}
[edit]
interfaces {
ge-0/1/0 {
media-type copper;
unit 0 {
family inet {
service {
input {
service-set set-rsh;
}
output {
service-set set-rsh;
}
}
address 50.50.50.1/24;
}
}
}
ge-0/1/1 {
media-type copper;
unit 0 {
family inet {
address 60.60.60.1/24;
}
}
}
ms-0/2/0 {
unit 0 {
family inet;
}
}
}
Routers use firewalls to track and control the flow of traffic. Adaptive Services and
MultiServices PICs employ a type of firewall called a stateful firewall. Contrasted with a
stateless firewall that inspects packets in isolation, a stateful firewall provides an extra
layer of security by using state information derived from past communications and other
applications to make dynamic control decisions for new communication attempts.
Stateful firewalls group relevant flows into conversations. A flow is identified by the
following five properties:
• Source address
• Source port
• Destination address
• Destination port
• Protocol
You configure stateful firewalls using a powerful rule-driven conversation handling path.
A rule consists of direction, source address, source port, destination address, destination
port, IP protocol value, and application protocol or service. In addition to the specific
values you configure, you can assign the value any to rule objects, addresses, or ports,
which allows them to match any input value. Finally, you can optionally negate the rule
objects, which negates the result of the type-specific match.
Firewall rules are directional. For each new conversation, the router software checks the
initiation flow matching the direction specified by the rule.
Firewall rules are ordered. The software checks the rules in the order in which you include
them in the configuration. The first time the firewall discovers a match, the router
implements the action specified by that rule. Rules still unchecked are ignored.
For more information, see “Configuring Stateful Firewall Rules” on page 1023.
The firewall rules are configured in relation to an interface. By default, the stateful firewall
allows all sessions initiated from the hosts behind the interface to pass through the
router.
• IP anomalies:
• IP address anomalies:
• IP fragmentation anomalies:
• IP fragment overlap.
• IP fragment missed.
• TCP anomalies:
• TCP port 0.
• UDP anomalies:
If you employ stateful anomaly detection in conjunction with stateless detection, IDS
can provide early warning for a wide range of attacks, including these:
14.2 Starting in Junos OS Release 14.2, MS-MPC and MS-MIC interface cards
support IPv6 traffic for Junos Network Secure Stateful Firewall.
To configure a stateful firewall rule, include the rule rule-name statement at the [edit
services stateful-firewall] hierarchy level:
Each stateful firewall rule consists of a set of terms, similar to a filter configured at the
[edit firewall] hierarchy level. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included
and excluded. The from statement is optional in stateful firewall rules.
ACX500 Series routers do not support the following while configuring stateful firewall
rules:
• Chaining of services within Multiservices Modular Interfaces Card (MS-MIC) and with
inline-services (-si).
• Class of service.
• The following show services stateful-firewall CLI commands are not supported:
The following sections explain how to configure the components of stateful firewall
rules:
The match direction is used with respect to the traffic flow through the AS or Multiservices
PIC. When a packet is sent to the PIC, direction information is carried along with it.
With a next-hop service set, packet direction is determined by the interface used to route
the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
PIC, the packet direction is output. For more information on inside and outside interfaces,
see Configuring Service Sets to be Applied to Services Interfaces.
On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed.
Rules in this service set are considered in sequence until a match is found. During rule
processing, the packet direction is compared against rule directions. Only rules with
direction information that matches the packet direction are considered. Most packets
result in the creation of bidirectional flows.
The source address and destination address can be either IPv4 or IPv6.
You can use either the source address or the destination address as a match condition,
in the same way that you would configure a firewall filter; for more information, see the
Routing Policies, Firewall Filters, and Traffic Policers Feature Guide. You can use the wildcard
values any-unicast, which denotes matching all unicast addresses, any-ipv4, which
denotes matching all IPv4 addresses, or any-ipv6, which denotes matching all IPv6
addresses.
Alternatively, you can specify a list of source or destination prefixes by configuring the
prefix-list statement at the [edit policy-options] hierarchy level and then including either
If you omit the from term, the stateful firewall accepts all traffic and the default protocol
handlers take effect:
• User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet
Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse
flow.
You can also include application protocol definitions you have configured at the [edit
applications] hierarchy level; for more information, see Configuring Application Properties.
• To apply one or more specific application protocol definitions, include the applications
statement at the [edit services stateful-firewall rule rule-name term term-name from]
hierarchy level.
• To apply one or more sets of application protocol definitions you have defined, include
the application-sets statement at the [edit services stateful-firewall rule rule-name term
term-name from] hierarchy level.
• accept skip-ids—The packet is accepted and sent on to its destination, but IDS rule
processing configured on an MS-MPC is skipped.
• reject—The packet is not accepted and a rejection message is returned; UDP sends an
ICMP unreachable code and TCP sends RST. Rejected packets can be logged or
sampled.
NOTE: The ACX500 indoor routers do not support the action accept skip-ids.
You can optionally configure the firewall to record information in the system logging
facility by including the syslog statement at the [edit services stateful-firewall rule
rule-name term term-name then] hierarchy level. This statement overrides any syslog
setting included in the service set or interface default configuration.
You can optionally configure the firewall to inspect IP header information by including
the allow-ip-options statement at the [edit services stateful-firewall rule rule-name term
term-name then] hierarchy level. When you configure this statement, all packets that
match the criteria specified in the from statement are subjected to additional matching
criteria. A packet is accepted only when all of its IP option types are configured as values
in the allow-ip-options statement. If you do not configure allow-ip-options, only packets
without IP header options are accepted.
The additional IP header option inspection applies only to the accept and reject stateful
firewall actions. This configuration has no effect on the discard action. When the IP header
inspection fails, reject frames are not sent; in this case, the reject action has the same
effect as discard.
When a packet is dropped because it fails the IP option inspection, this exception event
generates both IDS event and system log messages. The event type depends on the first
IP option field rejected.
Table 64 on page 1027 lists the possible values for the allow-ip-options statement. You
can include a range or set of numeric values, or one or more of the predefined IP option
settings. You can enter either the option name or its numeric equivalent. For more
information, refer to http://www.iana.org/assignments/ip-parameters.
ip-security 130 –
ip-stream 136 –
loose-source-route 131 –
route-record 7 –
router-alert 148 –
strict-source-route 137 –
timestamp 68 –
Junos OS for ACX Series routers enables you to create service sets that define a collection
of services to be performed by an inline services interface. You can configure the service
set either as an interface-style service set or as a next-hop-style service set.
An interface-style service set is used as an action modifier across an entire interface. You
can use an interface-style service set when you want to apply services to packets passing
through an interface.
To configure service sets for NAT services, include the service-set statement at the [edit
services] hierarchy level:
[edit services]
service-set service-set-name {
interface-service {
service-interface interface-name;
}
nat-rule-sets rule-set-name;
nat-rules rule-names;
stateful-firewall-rule-setsrule-set-name;
stateful-firewall-rules rule-names;
next-hop-service {
inside-service-interface interface-name.unit-number;
outside-service-interface interface-name.unit-number;
}
}
To configure service sets for IPsec VPN services, include the service-set statement at the
[edit services] hierarchy level:
[edit services]
service-set service-set-name {
interface-service {
service-interface interface-name;
}
next-hop-service {
inside-service-interface interface-name.unit-number;
outside-service-interface interface-name.unit-number;
}
ipsec-vpn-options {
local-gateway (address | interface);
no-anti-replay;
}
ipsec-vpn-rules rule-name;
}
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
When configuring a service set for Network Address Translation (NAT) processing, make
sure you have defined:
NOTE: Prior to Junos OS Release 11.4R3, you could use a source NAT pool
only in a single service set. In Junos OS Release 11.4R3 and subsequent
releases, you can reuse a source or destination NAT pool in multiple service
sets, provided that the service interfaces associated with the service sets are
in different virtual routing and forwarding (VRF) instances.
[edit services]
user@host# edit service-set service-set-name
Or
[edit]
user@host# set interfaces si-0/0/0
[edit services service-set s1]
user@host# set interface-service service-interface si-0/0/0
For more information on interface service and next-hop service, see “Configuring
Service Sets to Be Applied to Services Interfaces” on page 1031.
3. Configure a reference to the NAT rules or rule set to be used with the service set.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
Only the interface name is needed, because Junos OS manages logical unit numbers
automatically. The services interface must be an inline-services interface for which you
have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level.
When you have defined and grouped the service rules by configuring the service-set
definition, you can apply services to one or more interfaces installed on the router. When
you apply the service set to an interface, it automatically ensures that packets are directed
to the Network Address Translation (NAT) engine.
To associate a defined service set with an interface, include the service-set statement
with the input and output statement at the [edit interfaces interface-name unit
logical-unit-number family inet service] hierarchy level:
You configure the same service set on the input and output sides of the interface. You
can optionally include filters associated with each service set to refine the target and
additionally process the traffic. If you include the service-set statement without a
service-filter definition, Junos OS assumes that the match condition is true and selects
the service set for processing automatically.
NOTE: If you configure service sets with filters, you must configure the service
sets on the input and output sides of the interface.
To configure the service domain, include the service-domain statement at the [edit
interfaces interface-name unit logical-unit-number] hierarchy level:
The service-domain setting must match the configuration for the next-hop’s inside and
outside services interfaces. To configure the inside and outside services interfaces, include
the next-hop-service statement at the [edit services service-set service-set-name] hierarchy
level. The interfaces you specify must be logical interfaces on the same NAT engine. You
cannot configure unit 0 for this purpose, and the logical interface you choose must not
be used by another service set.
next-hop-service {
inside-service-interface interface-name.unit-number;
outside-service-interface interface-name.unit-number;
}
Traffic on which the service is applied is forced to the inside interface using a static route.
For example:
routing-options {
static {
route 10.1.2.3 next-hop si-0/0/0.1;
}
}
After the service is applied, traffic exits through the outside interface. A lookup is then
performed in the Packet Forwarding Engine to send the packet out of the NAT engine.
The reverse traffic enters the outside interface, is serviced, and sent to the inside interface.
The inside interface forwards the traffic out of the NAT engine.
1. To associate the two parts with logical interfaces, you configure two logical interfaces
with the service-domain statement, one with the inside value and one with the outside
value, to mark them as either an inside or outside service interface.
2. The router forwards the traffic to be serviced to the inside interface, using the next-hop
lookup table.
3. After the service is applied, the traffic exits from the outside interface. A route lookup
is then performed on the packets to be sent out of the router.
4. When the reverse traffic returns on the outside interface, the applied service is undone;
for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced
packets then emerge on the inside interface, the router performs a route lookup, and
the traffic exits the router.
A service rule’s match direction—whether input, output, or input and output—is applied
with respect to the traffic flow through the NAT engine, not through a specific inside or
outside interface.
When a packet is sent to an NAT engine, packet direction information is carried along
with it. This is true for both interface-style and next-hop-style service sets.
The match direction can also depend on the network topology. For example, you might
route all the external traffic through one interface that is used to protect the other
interfaces on the router, and configure various services on this interface specifically.
Alternatively, you might use one interface for priority traffic and configure special services
on it, but not care about protecting traffic on the other interfaces.
Packet direction that is determined by the NAT engine is used to route packets to the
NAT engine. If you use the inside-interface statement to route traffic, then the packet
direction is input. If you use the outside-interface statement to direct packets to the NAT
engine, then the packet direction is output.
The interface to which you apply the service sets affects the match direction. For example,
apply the following configuration:
[edit]
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
The essential difference between the two configurations is the change in the match
direction and the static routes’ next hop, pointing to either the NAT engine’s inside or
outside interface.
When you apply a service set to the traffic at an inline services interface, you can optionally
use service filters to refine the target of the set of services and also to process traffic.
Service filters enable you to manipulate traffic by performing packet filtering to a defined
set of services on an inline services interface before the traffic is delivered to its destination.
In ACX Series routers, you can apply a service filter to traffic before packets are accepted
for input service processing.
NOTE: In ACX Series routers, the service-set filters are implemented using
ternary content addressable memory (TCAM) space. The allocated TCAM
space is shared by the bridge family filter. The same space is shared by the
NNI-Address-Overload-Reverse filter (for each service set that is configured
with address overloading, the internal filters are configured for the given
overloaded IP address and the port range to redirect the matched reverse-nat
(public to private) traffic to the service). From a scaling perspective, the
allocated 124 hardware TCAM entries are shared by these features and the
allocation of TCAM entries works on a first-come-first-serve basis mode.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
The following configuration shows the hierarchy levels at which you can apply the service
filters to inline services interfaces:
[edit]
interfaces {
interface-name {
unit unit-number {
family (inet | inet6) {
service {
input {
service-set service-set-name service-filter service-filter-name;
}
output {
[ service-set service-set-name <service-filter filter-name> ];
}
}
}
}
}
}
To apply an interface service set to the input of an inline services interface, you include
the service-set service-set-name at the following hierarchy levels:
For the service-set-name, specify a service set configured at the [edit services service-set]
hierarchy level.
The service set retains the input interface information even after services are applied, so
that functions such as filter-class forwarding that depend on input interface information
continue to work.
The following requirements apply to filtering inbound or outbound traffic before accepting
packets for service processing:
• You configure the same service set on the input and output sides of the interface.
• The service filter is applied only if a service set is configured and selected.
In ACX Series, service filters support only a subset of the stateless firewall filter match
conditions for IPv4 traffic. Table 65 on page 1038 describes the service filter match
conditions.
destination-port Match the UDP or TCP destination port field. family inet
number
You cannot specify both the port and destination-port match conditions
in the same term.
If you configure this match condition for IPv4 traffic, we recommend that
you also configure the protocol udp or protocol tcp match statement in
the same term to specify which protocol is being used on the port.
ip-options values Match the 8-bit IP option field, if present, to the specified value or list of family inet
values.
source-port number Match the UDP or TCP source port field. family inet
If you configure this match condition for IPv4 traffic, we recommend that
you also configure the protocol udp or protocol tcp match statement in
the same term to specify which protocol is being used on the port.
tcp-flags value Match one or more of the low-order 6 bits in the 8-bit TCP flags field in family inet
the TCP header.
If you configure this match condition for IPv4 traffic, we recommend that
you also configure the protocol tcp match statement in the same term to
specify that the TCP protocol is being used on the port.
ACX Series support different sets of terminating and nonterminating actions that you
can configure in a service filter term.
Table 66 on page 1039 describes the terminating actions you can configure in a service
filter term.
Table 67 on page 1039 describes the nonterminating actions you can configure in a service
filter term.
log Log the packet header information in a buffer within the Packet Forwarding Engine. inet
You can access this information by issuing the show firewall log command at the
command-line interface (CLI).
To configure queuing and scheduling on an inline services interface, you need to include
scheduler-map statement at the [edit class-of-services interfaces si-/0/0/0] hierarchy
level.
[edit class-of-service]
scheduler-maps <scheduler-map-name>;
interfaces si-0/0/0; {
scheduler-map <scheduler-map-name>;
}
The queue-number 7 of the inline services interface has strict-high priority because the
timing packets received by ACX Series routers gets assigned to this queue. You can
explicitly override this strict-high priority by assigning an explicit scheduler for
queue-number 7 in the scheduler-map statement attached to inline services interface as
shown below:
[edit class-of-service]
forwarding-classes {
class <class-name> queue-number 7;
}
interfaces {
si-0/0/0{
scheduler-map scheduler-map-name;
}
}
scheduler-maps {
<map-name> {
forwarding-class <class-name> scheduler <scheduler-name>;
}
}
schedulers {
<scheduler-name> {
priority low ;
}
}
• Inline services packets classified with packet loss priority as medium-high in the ingress
path are treated as high on the egress path.
• When both timing and NAT services are enabled on the router, you should not classify
NAT traffic into a forwarding class mapped with queue-number 7, because if you do
so, the performance of timing services can degrade.
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
• RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version
6 (IPv6) Specification
NOTE: ACX Series routers do not support RFC 2460, RFC 4291, and RFC 4443
standards.
firewall {
family family-name {
filter filter-name {
accounting-profile name;
instance-shared;
interface-specific;
physical-interface-filter;
term term-name {
filter filter-name;
}
term term-name {
from {
match-conditions;
ip-version ip-version {
match-conditions;
protocol (tcp | udp) {
match conditions;
}
}
}
then {
actions;
}
}
}
}
}
You can include the firewall configuration at one of the following hierarchy levels:
• [edit]
NOTE: For stateless firewall filtering, you must allow the output tunnel traffic
through the firewall filter applied to input traffic on the interface that is the
next-hop interface toward the tunnel destination. The firewall filter affects
only the packets exiting the router (or switch) by way of the tunnel.
• family bridge—To filter Layer 2 bridging traffic for MX Series 3D Universal Edge Routers
only.
The family family-name statement is required only to specify a protocol family other than
IPv4. To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall]
hierarchy level without including the family inet statement, because the [edit firewall]
and [edit firewall family inet] hierarchy levels are equivalent.
NOTE: For bridge family filter, the ip-protocol match criteria is supported
only for IPv4 and not for IPv6. This is applicable for line cards that support
the Junos Trio chipset such as the MX 3D MPC line cards.
At the [edit firewall family family-name filter filter-name] hierarchy level, the following
statements are optional:
• accounting-profile
• instance-shared (MX Series routers with Modular Port Concentrators (MPCS) only)
• interface-specific
• physical-interface-filter
• You must specify a unique name for each term within a firewall filter. The term name
can contain letters, numbers, and hyphens (-) and can be up to 64 characters long.
To include spaces in the name, enclose the entire name in quotation marks (“ ”).
• The order in which you specify terms within a firewall filter configuration is important.
Firewall filter terms are evaluated in the order in which they are configured. By default,
new terms are always added to the end of the existing filter. You can use the insert
configuration mode command to reorder the terms of a firewall filter.
At the [edit firewall family family-name filter filter-name term term-name] hierarchy level,
the filter filter-name statement is not valid in the same term as from or then statements.
When included at this hierarchy level, the filter filter-name statement is used to nest
firewall filters.
With the exception of MPLS-tagged IPv4 or IPv6 traffic, you specify the term’s match
conditions under the from statement. For MPLS-tagged IPv4 traffic, you specify the term’s
IPv4 address-specific match conditions under the ip-version ipv4 statement and the
term’s IPv4 port-specific match conditions under the protocol (tcp | udp) statement.
For MPLS-tagged IPv6 traffic, you specify the term’s IPv6 address-specific match
conditions under the ip-version ipv6 statement and the term’s IPv6 port-specific match
conditions under the protocol (tcp | udp) statement.
Table 68 on page 1047 describes the types of traffic for which you can configure firewall
filters.
For the complete list of match conditions, see Firewall Filter Match Conditions for
Protocol-Independent Traffic.
For the complete list of match conditions, see Firewall Filter Match Conditions for IPv4 Traffic.
For the complete list of match conditions, see Firewall Filter Match Conditions for IPv6 Traffic.
For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS Traffic.
IPv4 addresses [edit firewall family mpls filter filter-name term term-name ip-version ipv4 ]
in MPLS flows
For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged
IPv4 or IPv6 Traffic.
IPv4 ports in MPLS flows [edit firewall family mpls filter filter-name term term-name ip-version ipv4 protocol (tcp | udp)]
For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged
IPv4 or IPv6 Traffic.
IPv6 addresses [edit firewall family mpls filter filter-name term term-name ip-version ipv6 ]
in MPLS flows
For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged
IPv4 or IPv6 Traffic.
IPv6 ports in MPLS flows [edit firewall family mpls filter filter-name term term-name ip-version ipv6 protocol (tcp | udp)]
For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged
IPv4 or IPv6 Traffic.
For the complete list of match conditions, see “Firewall Filter Match Conditions for VPLS Traffic”
on page 1070.
Layer 2 CCC [edit firewall family ccc filter filter-name term term-name]
For the complete list of match conditions, see Firewall Filter Match Conditions for Layer 2 CCC Traffic.
Layer 2 Bridging [edit firewall family bridge filter filter-name term term-name]
(MX Series routers and [edit firewall family ethernet-switching filter filter-name term term-name] (for EX Series switches
EX Series switches only) only)
For the complete list of match conditions, see Firewall Filter Match Conditions for Layer 2 Bridging
Traffic.
Table 69 on page 1048 summarizes the types of actions you can specify in a firewall filter
term.
Terminating Halts all evaluation of a firewall filter for a specific packet. See Firewall Filter Terminating Actions.
The router (or switch) performs the specified action, and
no additional terms are used to examine the packet.
Nonterminating Performs other functions on a packet (such as All nonterminating actions include an implicit
incrementing a counter, logging information about the accept action. This accept action is carried out
packet header, sampling the packet data, or sending if no other terminating action is configured in
information to a remote host using the system log the same term.
functionality), but any additional terms are used to
examine the packet. See Firewall Filter Nonterminating Actions.
Flow control For standard firewall filters only, the next term action You cannot configure the next term action with
directs the router (or switch) to perform configured actions a terminating action in the same filter term.
on the packet and then, rather than terminate the filter, However, you can configure the next term action
use the next term in the filter to evaluate the packet. If the with another nonterminating action in the same
next term action is included, the matching packet is filter term.
evaluated against the next term in the firewall filter.
Otherwise, the matching packet is not evaluated against A maximum of 1024 next term actions are
subsequent terms in the firewall filter. supported per standard firewall filter
configuration. If you configure a standard
For example, when you configure a term with the firewall filter that exceeds this limit, your
nonterminating action count, the term’s action changes candidate configuration results in a commit
from an implicit discard to an implicit accept. The next term error.
action forces the continued evaluation of the firewall filter.
Loopback interface The router’s loopback interface, lo0, is the interface to the Routing Engine and carries no data
packets. When you apply a firewall filter to the loopback interface, the filter evaluates the local
packets received or transmitted by the Routing Engine.
NOTE:
• ACX5048 and ACX5096 routers do not support the evaluation of packets transmitted by the
Routing engine for loopback interface filter.
Physical interface or When you apply a filter to a physical interface on the router or to a logical interface (or member
logical interface of an aggregated Ethernet bundle defined on the interface), the filter evaluates all data packet
that pass through that interface.
Multiple interfaces You can use the same firewall filter one or more times.
On M Series routers, except the M120 and M320 routers, if you apply a firewall filter to multiple
interfaces, the filter acts on the sum of traffic entering or exiting those interfaces.
On T Series, M120, M320, and MX Series routers, interfaces are distributed among multiple
packet-forwarding components. On these routers, you can configure firewall filters and service
filters that, when applied to multiple interfaces, act on the individual traffic streams entering or
exiting each interface, regardless of the sum of traffic on the multiple interfaces.
Single interface with For interfaces hosted on the following hardware only, you can attach a protocol-independent
protocol-independent (family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter
and protocol-specific simultaneously. The protocol-independent firewall executes first.
firewall filters attached
• ACX Series Universal Access Routers
• Flexible PIC Concentrators (FPCs) in M7i and M10i Multiservice Edge Routers
• Modular Interface Cards (MICs) and Modular Port Concentrators (MPCs) in MX Series 3D
Universal Edge Routers
• T Series Core Routers
NOTE:
Interfaces hosted on the following hardware do not support protocol-independent firewall filters:
interfaces {
interface-name {
unit logical-unit-number {
filter {
group group-number;
input filter-name;
input-list [ filter-names ];
output filter-name;
output-list [ filter-names ];
}
}
}
}
interfaces {
interface-name {
unit logical-unit-number {
family family-name {
...
filter {
group group-number;
input filter-name;
input-list [ filter-names ];
output filter-name;
output-list [ filter-names ];
}
}
}
}
}
Input filters—Although you can use the same filter multiple times, you can apply only
one input filter or one input filter list to an interface.
• To specify a single firewall filter to be used to evaluate packets received on the interface,
include the input filter-name statement in the filter stanza.
Output filters—Although you can use the same filter multiple times, you can apply only
one output filter or one output filter list to an interface.
The input-list filter-names and output-list filter-names statements for firewall filters for
the ccc and mpls protocol families are supported on all interfaces with the exception of
the following:
Only on MX Series routers and EX Series switches, you cannot apply a Layer 2 CCC
stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc]
hierarchy level) as an output filter. On MX Series routers and EX Series switches, firewall
filters configured for the family ccc statement can be applied only as input filters.
• filter (Configuring)
Standard Firewall Filter Match Conditions and Actions on ACX Series Routers Overview
On ACX Series Universal Access Routers, you can configure firewall filters to filter packets
and to perform an action on packets that match the filter. The match conditions specified
to filter the packets are specific to the type of traffic being filtered.
NOTE: On ACX Series routers, the filter for the exiting traffic (egress filter)
can be applied only for interface-specific instances of the firewall filter.
Table 71 on page 1053 describes the types of traffic for which you can configure standard
stateless firewall filters.
Table 71: Standard Firewall Filter Match Conditions by Protocol Family for ACX Series Routers
Traffic Type Hierarchy Level at Which Match Conditions Are Specified
Layer 2 CCC [edit firewall family ccc filter filter-name term term-name]
Under the then statement for a standard stateless firewall filter term, you can specify
the actions to be taken on a packet that matches the term.
Table 72 on page 1053 summarizes the types of actions you can specify in a standard
stateless firewall filter term.
Table 72: Standard Firewall Filter Action Categories for ACX Series Routers
Type of Action Description Comment
Terminating Halts all evaluation of a firewall filter for a specific See “Standard Firewall Filter
packet. The router performs the specified action, Terminating Actions on ACX Series
and no additional terms are used to examine the Routers” on page 1063.
packet.
Table 72: Standard Firewall Filter Action Categories for ACX Series Routers (continued)
Type of Action Description Comment
Nonterminating Performs other functions on a packet (such as See “Standard Firewall Filter
incriminating a counter, logging information about Nonterminating Actions on ACX
the packet header, sampling the packet data, or Series Routers” on page 1064.
sending information to a remote host using the
system log functionality), but any additional terms
are used to examine the packet.
Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series Routers
On ACX Series routers, you can configure a standard stateless firewall filter with match
conditions for IP version 4 (IPv4) traffic (family inet). Table 73 on page 1054 describes the
match conditions you can configure at the [edit firewall family inet filter filter-name term
term-name from] hierarchy level.
Table 73: Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series Routers
Match Condition Description
NOTE: On ACX Series routers, you can specify only one destination address. A list of IPv4
destination addresses is not supported.
If you configure this match condition, we recommend that you also configure the protocol udp
or protocol tcp match statement in the same term to specify which protocol is being used on
the port.
NOTE: On ACX Series routers, you can specify only one destination port number. A list of port
numbers is not supported.
In place of the numeric value, you can specify one of the following text synonyms (the port
numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514),
cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79),
ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88),
klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646),
login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138),
netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110),
pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25),
snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),
tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or
xdmcp (177).
Table 73: Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series
Routers (continued)
Match Condition Description
dscp number Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the
type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the
DSCP. For more information, see “Understanding How Behavior Aggregate Classifiers Prioritize
Trusted Traffic” on page 950.
You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form,
include 0x as a prefix. To specify the value in binary form, include b as a prefix.
In place of the numeric value, you can specify one of the following text synonyms (the field
values are also listed):
• RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).
• RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in
each class, for a total of 12 code points:
• af11 (10), af12 (12), af13 (14)
• af21 (18), af22 (20), af23 (22)
• af31 (26), af32 (28), af33 (30)
• af41 (34), af42 (36), af43 (38)
fragment-flags number (Ingress only) Match the three-bit IP fragmentation flags field in the IP header.
In place of the numeric field value, you can specify one of the following keywords (the field
values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).
If you configure this match condition, we recommend that you also configure the protocol icmp
match condition in the same term.
If you configure this match condition, you must also configure the icmp-type message-type
match condition in the same term. An ICMP message code provides more specific information
than an ICMP message type, but the meaning of an ICMP message code is dependent on the
associated ICMP message type.
In place of the numeric value, you can specify one of the following text synonyms (the field
values are also listed). The keywords are grouped by the ICMP type with which they are
associated:
Table 73: Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series
Routers (continued)
Match Condition Description
If you configure this match condition, we recommend that you also configure the protocol icmp
match condition in the same term.
In place of the numeric value, you can specify one of the following text synonyms (the field
values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15),
mask-request (17), mask-reply (18), parameter-problem (12), redirect (5),
router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11),
timestamp (13), timestamp-reply (14), or unreachable (3).
ip-options values Match the 8-bit IP option field, if present, to the specified value.
ACX Series routers support only the ip-options_any match condition, which ensures that the
packets are sent to the Packet Forwarding Engine for processing.
NOTE: On ACX Series routers, you can specify only one IP option value. Configuring multiple
values is not supported.
protocol number Match the IP protocol type field. In place of the numeric value, you can specify one of the
following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50),
fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4),
ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).
source-address address Match the IPv4 address of the source node sending the packet.
If you configure this match condition for IPv4 traffic, we recommend that you also configure
the protocol udp or protocol tcp match statement in the same term to specify which protocol
is being used on the port.
In place of the numeric value, you can specify one of the text synonyms listed with the
destination-port number match condition.
Table 73: Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series
Routers (continued)
Match Condition Description
tcp-flags value Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.
To specify individual bit fields, you can specify the following text synonyms or hexadecimal
values:
• fin (0x01)
• syn (0x02)
• rst (0x04)
• push (0x08)
• ack (0x10)
• urgent (0x20)
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in
all packets sent after the initial packet.
You can string together multiple flags using the bit-field logical operators.
For combined bit-field match conditions, see the tcp-initial match conditions.
If you configure this match condition, we recommend that you also configure the protocol tcp
match statement in the same term to specify that the TCP protocol is being used on the port.
tcp-initial Match the initial packet of a TCP connection. This is an alias for tcp-flags "(!ack & syn)".
This condition does not implicitly check that the protocol is TCP. If you configure this match
condition, we recommend that you also configure the protocol tcp match condition in the same
term.
ttl number Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For number,
you can specify one or more values from 2 through 255.
• Standard Firewall Filter Terminating Actions on ACX Series Routers on page 1063
• Standard Firewall Filter Nonterminating Actions on ACX Series Routers on page 1064
Standard Firewall Filter Match Conditions for IPv6 Traffic on ACX Series Routers
You can configure a firewall filter with match conditions for Internet Protocol version 6
(IPv6) traffic (family inet6). Table 74 on page 1058 describes the match conditions you can
configure at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy
level.
You cannot specify both the port and destination-port match conditions in the same term.
If you configure this match condition, we recommend that you also configure the next-header
udp or next-header tcp match condition in the same term to specify which protocol is being used
on the port.
In place of the numeric value, you can specify one of the following text synonyms (the port
numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514),
cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79),
ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88),
klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646),
login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138),
netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110),
pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25),
snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),
tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).
extension-headers Match an extension header type that is contained in the packet by identifying a Next Header
header-type value.
In the first fragment of a packet, the filter searches for a match in any of the extension header
types. When a packet with a fragment header is found (a subsequent fragment), the filter only
searches for a match of the next extension header type because the location of other extension
headers is unpredictable.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed): ah (51), destination (60), esp (50), fragment (44), hop-by-hop (0), mobility (135),
or routing (43).
To match any value for the extension header option, use the text synonym any.
NOTE: Only the first extension header of the IPv6 packet can be matched. L4 header beyond
one IPv6 extension header will be matched.
hop-limit hop-limit Match the hop limit to the specified hop limit or set of hop limits. For hop-limit, specify a single
value or a range of values from 0 through 255.
Table 74: Firewall Filter Match Conditions for IPv6 Traffic (continued)
If you configure this match condition, we recommend that you also configure the next-header
icmp or next-header icmp6 match condition in the same term.
If you configure this match condition, you must also configure the icmp-type message-type match
condition in the same term. An ICMP message code provides more specific information than an
ICMP message type, but the meaning of an ICMP message code is dependent on the associated
ICMP message type.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed). The keywords are grouped by the ICMP type with which they are associated:
If you configure this match condition, we recommend that you also configure the next-header
icmp or next-header icmp6 match condition in the same term.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148),
destination-unreachable (1), echo-reply (129), echo-request (128),
home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144),
inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141),
membership-query (130), membership-report (131), membership-termination (132),
mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146),
neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140),
node-information-request (139), packet-too-big (2), parameter-problem (4),
private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200
(200), private-experimentation-201 (201), redirect (137), router-advertisement (134),
router-renumbering (138), router-solicit (133), or time-exceeded (3).
For private-experimentation-201 (201), you can also specify a range of values within square
brackets.
Table 74: Firewall Filter Match Conditions for IPv6 Traffic (continued)
next-header header-type Match the first 8-bit Next Header field in the packet. Support for the next-header firewall match
condition is available in Junos OS Release 13.3R6 and later.
For IPv6, we recommend that you use the payload-protocol term rather than the next-header
term when configuring a firewall filter with match conditions. Although either can be used,
payload-protocol provides the more reliable match condition because it uses the actual payload
protocol to find a match, whereas next-header simply takes whatever appears in the first header
following the IPv6 header, which may or may not be the actual protocol. In addition, if next-header
is used with IPv6, the accelerated filter block lookup process is bypassed and the standard filter
used instead.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0),
icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59),
ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).
NOTE: next-header icmp6 and next-header icmpv6 match conditions perform the same function.
next-header icmp6 is the preferred option. next-header icmpv6 is hidden in the Junos OS CLI.
source-address address Match the IPv6 address of the source node sending the packet.
You cannot specify the port and source-port match conditions in the same term.
If you configure this match condition, we recommend that you also configure the next-header
udp or next-header tcp match condition in the same term to specify which protocol is being used
on the port.
In place of the numeric value, you can specify one of the text synonyms listed with the
destination-port number match condition.
tcp-flags flags Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.
To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
• fin (0x01)
• syn (0x02)
• rst (0x04)
• push (0x08)
• ack (0x10)
• urgent (0x20)
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all
packets sent after the initial packet.
You can string together multiple flags using the bit-field logical operators.
For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.
If you configure this match condition, we recommend that you also configure the next-header tcp
match condition in the same term to specify that the TCP protocol is being used on the port.
Table 74: Firewall Filter Match Conditions for IPv6 Traffic (continued)
tcp-initial Match the initial packet of a TCP connection. This is a text synonym for tcp-flags "(!ack & syn)".
This condition does not implicitly check that the protocol is TCP. If you configure this match
condition, we recommend that you also configure the next-header tcp match condition in the
same term.
traffic-class number Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet.
This field was previously used as the type-of-service (ToS) field in IPv4.
You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form,
include 0x as a prefix. To specify the value in binary form, include b as a prefix.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed):
• RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).
• RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each
class, for a total of 12 code points:
• af11 (10), af12 (12), af13 (14)
• af21 (18), af22 (20), af23 (22)
• af31 (26), af32 (28), af33 (30)
• af41 (34), af42 (36), af43 (38)
Standard Firewall Filter Match Conditions for MPLS Traffic on ACX Series Routers
On ACX Series routers, you can configure a standard stateless firewall filter with match
conditions for MPLS traffic (family mpls).
Table 75 on page 1063 describes the match conditions you can configure at the [edit firewall
family mpls filter filter-name term term-name from] hierarchy level.
Table 75: Standard Firewall Filter Match Conditions for MPLS Traffic on ACX Series Routers
• Standard Firewall Filter Terminating Actions on ACX Series Routers on page 1063
• Standard Firewall Filter Nonterminating Actions on ACX Series Routers on page 1064
Standard stateless firewall filters support different sets of terminating actions for each
protocol family.
NOTE: ACX Series routers do not support the next term action.
Table 76 on page 1063 describes the terminating actions you can specify in a standard
firewall filter term.
Table 76: Terminating Actions for Standard Firewall Filters on ACX Series Routers
Terminating
Action Description Protocols
discard Discard a packet silently, without sending an Internet Control Message Protocol • family any
(ICMP) message. Discarded packets are available for logging and sampling. • family inet
• family mpls
• family ccc
Table 76: Terminating Actions for Standard Firewall Filters on ACX Series Routers (continued)
Terminating
Action Description Protocols
reject message-type Reject the packet and return an ICMPv4 or ICMPv6 message: family inet
NOTE:
• Rejected packets can be sampled or logged if you configure the sample or syslog
action.
• This action is supported on ingress only.
The message-type option can have one of the following values: address-unreachable,
administratively-prohibited, bad-host-tos, bad-network-tos, beyond-scope,
fragmentation-needed, host-prohibited, host-unknown, host-unreachable,
network-prohibited, network-unknown, network-unreachable, no-route,
port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable,
source-host-isolated, source-route-failed, or tcp-reset.
routing-instance Direct the packet to the specified routing instance. • family inet
routing-instance-name
• Standard Firewall Filter Nonterminating Actions on ACX Series Routers on page 1064
Standard stateless firewall filters support different sets of nonterminating actions for
each protocol family.
NOTE: ACX Series routers do not support the next term action.
ACX Series routers support log and syslog actions in ingress and egress
directions for family inet and family bridge.
Table 77 on page 1065 describes the nonterminating actions you can configure for a standard
firewall filter term.
Table 77: Nonterminating Actions for Standard Firewall Filters on ACX Series Routers
Nonterminating Action Description Protocol Families
Table 77: Nonterminating Actions for Standard Firewall Filters on ACX Series
Routers (continued)
Nonterminating Action Description Protocol Families
loss-priority (high | medium-high | low) Set the packet loss priority • family any
(PLP) level. • family inet
Table 77: Nonterminating Actions for Standard Firewall Filters on ACX Series
Routers (continued)
Nonterminating Action Description Protocol Families
• Standard Firewall Filter Terminating Actions on ACX Series Routers on page 1063
Standard Firewall Filter Match Conditions for CCC Firewall Family Filters on ACX Series
Routers
Standard Firewall Filter Match Conditions for CCC Family Firewall Filters on ACX Series Routers
On ACX Series routers, you can configure a standard firewall filter with match conditions
for circuit cross-connection (CCC) traffic (family ccc).
Table 78 on page 1068 describes the match conditions you can configure at the [edit firewall
family ccc filter filter-name term term-name] hierarchy level.
Table 78: CCC Family Firewall Filter Match Conditions for ACX Series Routers
Field Description
Standard Firewall Filter Match Conditions for Bridge Family Firewall Filters on ACX
Series Routers
Standard Firewall Filter Match Conditions for Bridge Family Firewall Filters on ACX Series
Routers
Bridge family firewall filters can be configured at the IFL-family level on ACX series routers.
Bridge family filters are used to match the L2 bridge flows based on the supported
Layer2/Layer3 fields and take firewall action. The maximum number of terms supported
for bridge firewall filters on ACX Series routers is 124.
Table 79 on page 1069 shows the match conditions supported for bridge family filters.
Table 79: Bridge Family Firewall Filter Match Conditions for ACX Series Routers
Match Condition Description
Table 80: Bridge Family Firewall Filter Action Fields for ACX Series Routers
Action Field Description
log Log the packet header information in a buffer within the Packet
Forwarding Engine. You can access this information by issuing
the show firewall log command at the command-line interface
(CLI).
NOTE: Bridge family firewall filters can be applied as an output filter on Layer
2 interfaces. When the Layer 2 interface is on a bridge-domain configured
with the vlan-id statement, ACX series routers can match the outer-vlan of
the packet using the user vlan-id match specified in the bridge family firewall
filter.
In the from statement in the VPLS filter term, you specify conditions that the packet must
match for the action in the then statement to be taken. All conditions in the from
statement must match for the action to be taken. The order in which you specify match
conditions is not important, because a packet must match all the conditions in a term
for a match to occur.
If you specify no match conditions in a term, that term matches all packets.
An individual condition in a from statement can contain a list of values. For example, you
can specify numeric ranges. You can also specify multiple source addresses or destination
addresses. When a condition defines a list of values, a match occurs if one of the values
in the list matches the packet.
Individual conditions in a from statement can be negated. When you negate a condition,
you are defining an explicit mismatch. For example, the negated match condition for
forwarding-class is forwarding-class-except. If a packet matches a negated condition, it
is immediately considered not to match the from statement, and the next term in the
filter is evaluated, if there is one. If there are no more terms, the packet is discarded.
You can configure a firewall filter with match conditions for Virtual Private LAN Service
(VPLS) traffic (family vpls). Table 81 on page 1071 describes the match-conditions you can
configure at the [edit firewall family vpls filter filter-name term term-name from] hierarchy
level.
NOTE: Not all match conditions for VPLS traffic are supported on all routing
platforms or switching platforms. A number of match conditions for VPLS
traffic are supported only on MX Series 3D Universal Edge Routers.
In the VPLS documentation, the word router in terms such as PE router is used
to refer to any device that provides routing functions.
destination-mac-address Match the destination media access control (MAC) address of a VPLS packet.
address
destination-port number (MX Series routers and EX Series switches only) Match the UDP or TCP destination port field.
You cannot specify both the port and destination-port match conditions in the same term.
In place of the numeric value, you can specify one of the following text synonyms (the port
numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514),
cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79),
ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88),
klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646),
login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138),
netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110),
pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25),
snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),
tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).
destination-port-except (MX Series routers and EX Series switches only) Do not match on the TCP or UDP destination
number port field. You cannot specify both the port and destination-port match conditions in the same
term.
destination-prefix-list name (ACX Series routers, MX Series routers, and EX Series switches only) Match destination prefixes
in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list
prefix-list-name] hierarchy level.
NOTE: VPLS prefix lists support only IPv4 addresses. IPv6 addresses included in a VPLS prefix
list will be discarded.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
destination-prefix-list name (MX Series routers and EX Series switches only) Do not match destination prefixes in the specified
except list. For more information, see the destination-prefix-list match condition.
dscp number (MX Series routers and EX Series switches only) Match the Differentiated Services code point
(DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most
significant 6 bits of this byte form the DSCP. For more information, see the “Understanding How
Behavior Aggregate Classifiers Prioritize Trusted Traffic” on page 950.
You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form,
include 0x as a prefix. To specify the value in binary form, include b as a prefix.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed):
• RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).
• RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each
class, for a total of 12 code points:
dscp-except number (MX Series routers and EX Series switches only) Do not match on the DSCP. For details, see the
dscp match condition.
ether-type values Match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values.
You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). A value from
0 through 1500 (0x05DC) specifies the length of an Ethernet Version 1 frame. A value from 1536
(0x0600) through 65535 specifies the EtherType (nature of the MAC client protocol) of an
Ethernet Version 2 frame.
In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal
values are also listed): aarp (0x80F3), appletalk (0x809B), arp (0x0806), ipv4 (0x0800),
ipv6 (0x86DD), mpls-multicast (0x8848), mpls-unicast (0x8847), oam (0x8902), ppp (0x880B),
pppoe-discovery (0x8863), pppoe-session (0x8864), or sna (0x80D5).
ether-type-except values Do not match the 2-octet Length/EtherType field to the specified value or list of values.
For details about specifying the values, see the ether-type match condition.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
forwarding-class class Match the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or
network-control.
forwarding-class-except Do not match the forwarding class. For details, see the forwarding-class match condition.
class
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
interface interface-name Interface on which the packet was received. You can configure a match condition that matches
packets based on the interface on which they were received.
NOTE: If you configure this match condition with an interface that does not exist, the term
does not match any packet.
interface-group Match the logical interface on which the packet was received to the specified interface group or
group-number set of interface groups. For group-number, specify a single value or a range of values from 0 through
255.
To assign a logical interface to an interface group group-number, specify the group-number at the
[interfaces interface-name unit number family family filter group] hierarchy level.
For more information, see Filtering Packets Received on a Set of Interface Groups Overview.
interface-group-except Do not match the logical interface on which the packet was received to the specified interface
group-name group or set of interface groups. For details, see the interface-group match condition.
interface-set Match the interface on which the packet was received to the specified interface set.
interface-set-name
To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level.
For more information, see Filtering Packets Received on an Interface Set Overview.
ip-address address (MX Series routers and EX Series switches only) 32-bit address that supports the standard syntax
for IPv4 addresses.
Note that when using this term, the match condition ether-type IPv4 must be defined on the
same term.
ip-destination-address (MX Series routers and EX Series switches only) 32-bit address that is the final destination node
address address for the packet.
Note that when using this term, the match condition ether-type IPv4 must be defined on the
same term.
ip-precedence (MX Series routers and EX Series switches only) IP precedence field. In place of the numeric field
ip-precedence-field value, you can specify one of the following text synonyms (the field values are also listed):
critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0),
net-control (0xe0), priority (0x20), or routine (0x00).
ip-precedence-except (MX Series routers and EX Series switches only) Do not match on the IP precedence field.
ip-precedence-field
ip-protocol number (MX Series routers and EX Series switches only) IP protocol field.
ip-protocol-except number (MX Series routers and EX Series switches only) Do not match on the IP protocol field.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
ip-source-address address (MX Series routers and EX Series switches only) IP address of the source node sending the packet.
Note that when using this term, the match condition ether-type IPv4 must also be defined on
the same term.
ipv6-source-prefix-list (MX Series only) Match the IPv6 source address in a named-list.
named-list
ipv6-address address (MX Series and EX9200 only) 128-bit address that supports the standard syntax for IPv6
addresses. Starting in Junos OS 14.2, firewall family bridge IPv6 match criteria is supported on
MX Series and EX9200 switches.
ipv6-destination-address ((MX Series and EX9200 only) 128-bit address that is the final destination node address for this
address packet. Note that when using this term, the match condition ether-type IPv6 must be defined on
the same term.
ipv6-destination-prefix-list (MX Series only) Match the IPv6 destination addresses in a named-list.
named-list
ipv6-next-header protocol (MX Series only) Match IPv6 next header protocol type.
ipv6-next-header-except (MX Series only) Do not match the IPv6 next header protocol type.
protocol
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
ipv6-payload-protocol-except (MX Series only) Do not match the IPv6 payload protocol.
protocol
ipv6-prefix-list named-list (MX Series only) Match the IPv6 address in a named-list.
ipv6-source-address address (MX Series only) 128-bit address that is the originating source node address for this packet.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
ipv6-traffic-class number (MX Series only) Differentiated Services code point (DSCP). The DiffServ protocol uses the
type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the
DSCP. For more information, see “Understanding How Behavior Aggregate Classifiers Prioritize
Trusted Traffic” on page 950.
You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form,
include 0x as a prefix. To specify the value in binary form, include b as a prefix.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed):
• RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).
• RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each
class, for a total of 12 code points:
learn-vlan-1p-priority number (MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p learned
VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN
tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple
values from 0 through 7.
NOTE: This match condition supports the presence of a control word for MX Series routers and
the M320 router.
learn-vlan-1p-priority-except (MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p
number learned VLAN priority bits. For details, see the learn-vlan-1p-priority match condition.
NOTE: This match condition supports the presence of a control word for MX Series routers and
the M320 router.
learn-vlan-dei (MX Series routers and EX Series switches only) Match the user VLAN ID drop eligability indicator
(DEI) bit.
learn-vlan-dei-except (MX Series routers and EX Series switches only) Do not match the user VLAN ID DEI bit.
learn-vlan-id number (MX Series routers and EX Series switches only) VLAN identifier used for MAC learning.
learn-vlan-id-except number (MX Series routers and EX Series switches only) Do not match on the VLAN identifier used for
MAC learning.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
loss-priority level Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low,
medium-high, or high.
Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E);
and MX Series routers.
For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators
(FPCs) and EX Series switches, you must include the tri-color statement at the [edit
class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified.
If the tri-color statement is not enabled, you can only configure the high and low levels. This
applies to all protocol families.
For information about the tri-color statement and about using behavior aggregate (BA) classifiers
to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign
Classes to Output Queues.
loss-priority-except level Do not match on the packet loss priority level. Specify a single level or multiple levels: low,
medium-low, medium-high, or high.
For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming
packets, see “Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic” on
page 950.
port number (MX Series routers and EX Series switches only) TCP or UDP source or destination port. You
cannot specify both the port match condition and either the destination-port or source-port match
condition in the same term.
port-except number (MX Series routers and EX Series switches only) Do not match on the TCP or UDP source or
destination port. You cannot specify both the port match condition and either the destination-port
or source-port match condition in the same term.
prefix-list name (MX Series routers and EX Series switches only) Match the destination or source prefixes in the
specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list
prefix-list-name] hierarchy level.
NOTE: VPLS prefix lists support only IPV4 addresses. IPV6 addresses included in a VPLS prefix
list will be discarded.
prefix-list name except (MX Series routers and EX Series switches only) Do not match the destination or source prefixes
in the specified list. For more information, see the destination-prefix-list match condition.
source-port number (MX Series routers and EX Series switches only) TCP or UDP source port field. You cannot specify
the port and source-port match conditions in the same term.
source-port-except number (MX Series routers and EX Series switches only) Do not match on the TCP or UDP source port
field. You cannot specify the port and source-port match conditions in the same term.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
source-prefix-list name (ACX Series routers, MX Series routers, and EX Series switches only) Match the source prefixes
in the specified prefix list. Specify a prefix list name defined at the [edit policy-options prefix-list
prefix-list-name] hierarchy level.
NOTE: VPLS prefix lists support only IPV4 addresses. IPV6 addresses included in a VPLS prefix
list will be discarded.
source-prefix-list name (MX Series routers and EX Series switches only) Do not match the source prefixes in the specified
except prefix list. For more information, see the source-prefix-list match condition.
tcp-flags flags Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.
To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
• fin (0x01)
• syn (0x02)
• rst (0x04)
• push (0x08)
• ack (0x10)
• urgent (0x20)
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all
packets sent after the initial packet.
You can string together multiple flags using the bit-field logical operators.
If you configure this match condition for IPv6 traffic, we recommend that you also configure the
next-header tcp match condition in the same term to specify that the TCP protocol is being used
on the port.
traffic-type type-name (MX Series routers and EX Series switches only) Traffic type. Specify broadcast, multicast,
unknown-unicast, or known-unicast.
traffic-type-except (MX Series routers and EX Series switches only) Do not match on the traffic type. Specify
type-name broadcast, multicast, unknown-unicast, or known-unicast.
user-vlan-1p-priority number (MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p user
priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags).
Specify a single value or multiple values from 0 through 7.
NOTE: This match condition supports the presence of a control word for MX Series routers and
the M320 router.
user-vlan-1p-priority-except (MX Series routers, M320 rouer, and EX Series switches only) Do not match on the IEEE 802.1p
number user priority bits. For details, see the user-vlan-1p-priority match condition.
NOTE: This match condition supports the presence of a control word for MX Series routers and
the M320 router.
user-vlan-id number (MX Series routers and EX Series switches only) Match the first VLAN identifier that is part of the
payload.
Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)
user-vlan-id-except number (MX Series routers and EX Series switches only) Do not match on the first VLAN identifier that
is part of the payload.
vlan-ether-type-except value Do not match on the VLAN Ethernet type field of a VPLS packet.
14.2 Starting in Junos OS 14.2, flexible offset filters are supported in firewall
hierarchy configurations.
14.2 Starting in Junos OS 14.2, firewall family bridge IPv6 match criteria is
supported on MX Series and EX9200 switches.
A loopback interface is a gateway for all the control traffic that enters the Routing Engine
of the router. If you want to monitor this control traffic, you must configure a firewall filter
on the loopback interface (lo0). Loopback firewall filters are applied only to packets that
are sent to the Routing Engine CPU for further processing. Therefore, you can apply a
firewall filter in the ingress and egress directions on the loopback interface. Loopack
interfaces on ACX Routers support both inet and inet6 family filters.
NOTE: On ACX, the filter for loopback interface can be applied only for
interface-specific instances of the firewall filter.
For standard firewall filter match conditions, see “Standard Firewall Filter Match
Conditions for IPv4 Traffic on ACX Series Routers” on page 1054.
The firewall filter on loopback interfaces handles only the following exception packets
in ingress direction:
• Broadcast packets
• IP option packets
The following is a sample configuration for attaching a firewall to the loopback interface:
[edit interfaces]
lo0 {
unit 0 {
family <inet | inet6> {
filter {
input f1;
}
}
}
}
family <inet | inet6>{
filter f1 {
interface-specific; >> Mandatory Field.
term t1 {
from {
protocol ospf;
}
then {
count c1;
discard;
}
}
term t2 {
then {
count c2;
accept;
}
}
}
}
Related
Documentation
You can use stateless firewall filters in routing instances to control how packets travel
in a network for IPv4 and IPv6 traffic. This is called filter-based forwarding.
You can define a firewall filtering term that directs matching packets to a specified routing
instance. This type of filtering can be configured to route specific types of traffic through
a firewall or other security device before the traffic continues on its path. To configure a
stateless firewall filter to direct traffic to a routing instance, configure a term with the
routing-instance routing-instance-name terminating action at the [edit firewall family <inet
| inet6>] hierarchy level to specify the routing instance to which matching packets will
be forwarded. You can apply a forwarding table filter to a routing instance of type
forwarding and also to the default routing instance inet.0. To configure the filter to direct
traffic to the master routing instance, use the routing-instance default statement at the
[edit firewall family <inet | inet6>] hierarchy level.
• You cannot configure any of the following actions in a firewall filtering term when the
filtering term contains the routing-instance routing-instance-name terminating action:
• count counter-name
• discard
• forwarding-class class-name
• log
• policer policer-name
• port-mirror
• reject message-type
• syslog
• You cannot configure the fragment-flags number match condition in the filter term.
• source-port
• destination-port
• icmp-type
• icmp-code
Although you can configure forwarding of packets from one VRF to another VRF, you
cannot configure forwarding from a VRF to the global routing instance.
The maximum number of routing instances supported is 64, which is the same as the
maximum number of virtual routers supported. Forwarding packets to the global table
(default VRF) is not supported for filter-based forwarding.
NOTE: Filter-based forwarding on the interface will not work when source
MAC address filter is configured because the source MAC address filter takes
higher precedence over filter-based forwarding.
Forwarding table filter is a mechanism by which all the packets forwarded by a certain
forwarding table are subjected to filtering and if a packet matches the filter condition,
the configured action is applied on the packet. You can use the forwarding table filter
mechanism to apply a filter on all interfaces associated with a single routing instance
with a simple configuration. You can apply a forwarding table filter to a routing instance
of type forwarding and also to the default routing instance inet.0. To configure a
forwarding table filter, include the filter filter-name statement at the [edit firewall family
<inet | inet6>] hierarchy level.
The following limitations apply to forwarding table filters configured on routing instances:
• You cannot attach the same filter to more than one routing instance.
• You cannot attach the same filter at both the [edit interfaces interface-name family
<inet | inet6> filter input filter-name] and [edit routing-instances instance-name
forwarding-options family <inet | inet6> filter input filter-name] hierarchy level.
• You cannot attach a filter that is either interface-specific or a physical interface filter.
Forwarding table filters are defined the same as other firewall filters, but you apply them
differently:
• Instead of applying forwarding table filters to interfaces, you apply them to forwarding
tables, each of which is associated with a routing instance and a virtual private network
(VPN).
• Instead of applying input and output filters by default, you can apply an input forwarding
table filter only.
All packets are subjected to the input forwarding table filter that applies to the forwarding
table. A forwarding table filter controls which packets the router accepts and then
performs a lookup for the forwarding table, thereby controlling which packets the router
forwards on the interfaces.
When the router receives a packet, it determines the best route to the ultimate destination
by looking in a forwarding table, which is associated with the VPN on which the packet
is to be sent. The router then forwards the packet toward its destination through the
appropriate interface.
NOTE: For transit packets exiting the router through the tunnel, forwarding
table filtering is not supported on the interfaces you configure as the output
interface for tunnel traffic.
A forwarding table filter allows you to filter data packets based on their components and
to perform an action on packets that match the filter; it essentially controls which bearer
packets the router accepts and forwards. To configure a forwarding table filter, include
the firewall statement at the [edit] hierarchy level:
[edit]
firewall {
family family-name {
filter filter-name {
term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
}
family-name is the family address type: IPv4 (inet), IPv6 (inet6), Layer 2 traffic (bridge),
or MPLS (mpls).
term-name is a named structure in which match conditions and actions are defined.
match-conditions are the criteria against which a bearer packet is compared; for example,
the IP address of a source device or a destination device. You can specify multiple criteria
in a match condition.
action specifies what happens if a packet matches all criteria; for example, the gateway
GPRS support node (GGSN) accepting the bearer packet, performing a lookup in the
forwarding table, and forwarding the packet to its destination; discarding the packet;
and discarding the packet and returning a rejection message.
action-modifiers are actions that are taken in addition to the GGSN accepting or discarding
a packet when all criteria match; for example, counting the packets and logging a packet.
To create a forwarding table, include the instance-type statement with the forwarding
option at the [edit routing-instances instance-name] hierarchy level:
[edit]
routing-instances instance-name {
instance-type forwarding;
}
To apply a forwarding table filter to a VPN routing and forwarding (VRF) table, include
the filter and input statements at the [edit routing-instance instance-name
forwarding-options family family-name] hierarchy level:
To apply a forwarding table filter to a forwarding table, include the filter and input
statements at the [edit forwarding-options family family-name] hierarchy level:
To apply a forwarding table filter to the default forwarding table inet.0, which is not
associated with a specific routing instance, include the filter and input statements at the
[edit forwarding-options family inet] hierarchy level:
Configuring IPsec
The Juniper Networks Junos operating system (Junos OS) supports IPsec. This topic
includes the following sections, which provide background information about configuring
IPsec on ACX Series Universal Access Routers.
For a list of the IPsec and IKE standards supported by Junos OS, see the Junos OS Hierarchy
and RFC Reference.
IPsec
The IPsec architecture provides a security suite for the IP version 4 (IPv4) network layer.
The suite provides functionality such as authentication of origin, data integrity,
confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec,
Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for
key generation and exchange, and manages security associations.
IPsec also defines a security association and key management framework that can be
used with any transport layer protocol. The security association specifies what protection
policy to apply to traffic between two IP-layer entities. IPsec provides secure tunnels
between two peers.
Security Associations
To use IPsec security services, you create security associations between hosts. A security
association is a simplex connection that allows two hosts to communicate with each
other securely by means of IPsec. There are two types of security associations:
• Manual security associations require no negotiation; all values, including the keys, are
static and specified in the configuration. Manual security associations statically define
the security parameter index (SPI) values, algorithms, and keys to be used, and require
matching configurations on both ends of the tunnel. Each peer must have the same
configured options for communication to take place.
IKE
IKE is a key management protocol that creates dynamic security associations; it negotiates
security associations for IPsec. An IKE configuration defines the algorithms and keys used
to establish a secure connection with a peer security gateway.
• Provides mutual peer authentication by means of shared secrets (not passwords) and
public keys.
The inline services interface is a virtual interface that resides on the Packet Forwarding
Engine. The si- interface makes it possible to provide NAT and IPsec services without
using a special services PIC.
To configure inline services interface, you define the service interface as type si-
(service-inline) interface. You must also reserve adequate bandwidth for the inline services
interface. This enables you to configure both interface or next-hop service sets used for
NAT and IPsec services.
NOTE: In ACX Series routers, you can configure only one inline services
interface as an anchor interface for NAT and IPsec sessions: si-0/0/0.
1. Access an FPC-managed slot and the PIC where the interface is to be enabled.
[edit chassis]
user@host# edit fpc slot-number pic number
2. Enable the interface and specify the amount of bandwidth reserved on each Packet
Forwarding Engine for tunnel traffic that uses inline services.
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
Junos OS for ACX Series routers enables you to create service sets that define a collection
of services to be performed by an inline services interface. You can configure the service
set either as an interface-style service set or as a next-hop-style service set.
An interface-style service set is used as an action modifier across an entire interface. You
can use an interface-style service set when you want to apply services to packets passing
through an interface.
To configure service sets for NAT services, include the service-set statement at the [edit
services] hierarchy level:
[edit services]
service-set service-set-name {
interface-service {
service-interface interface-name;
}
nat-rule-sets rule-set-name;
nat-rules rule-names;
stateful-firewall-rule-setsrule-set-name;
stateful-firewall-rules rule-names;
next-hop-service {
inside-service-interface interface-name.unit-number;
outside-service-interface interface-name.unit-number;
}
}
To configure service sets for IPsec VPN services, include the service-set statement at the
[edit services] hierarchy level:
[edit services]
service-set service-set-name {
interface-service {
service-interface interface-name;
}
next-hop-service {
inside-service-interface interface-name.unit-number;
outside-service-interface interface-name.unit-number;
}
ipsec-vpn-options {
local-gateway (address | interface);
no-anti-replay;
}
ipsec-vpn-rules rule-name;
}
• CoS for NAT Services on ACX Series Universal Access Routers on page 887
• Configuring Address Pools for Network Address Port Translation (NAPT) Overview on
page 1007
Only the interface name is needed, because Junos OS manages logical unit numbers
automatically. The services interface must be an inline-services interface for which you
have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level.
When you have defined and grouped the service rules by configuring the service-set
definition, you can apply services to one or more interfaces installed on the router. When
you apply the service set to an interface, it automatically ensures that packets are directed
to the Network Address Translation (NAT) engine.
To associate a defined service set with an interface, include the service-set statement
with the input and output statement at the [edit interfaces interface-name unit
logical-unit-number family inet service] hierarchy level:
You configure the same service set on the input and output sides of the interface. You
can optionally include filters associated with each service set to refine the target and
additionally process the traffic. If you include the service-set statement without a
service-filter definition, Junos OS assumes that the match condition is true and selects
the service set for processing automatically.
NOTE: If you configure service sets with filters, you must configure the service
sets on the input and output sides of the interface.
To configure the service domain, include the service-domain statement at the [edit
interfaces interface-name unit logical-unit-number] hierarchy level:
The service-domain setting must match the configuration for the next-hop’s inside and
outside services interfaces. To configure the inside and outside services interfaces, include
the next-hop-service statement at the [edit services service-set service-set-name] hierarchy
level. The interfaces you specify must be logical interfaces on the same NAT engine. You
cannot configure unit 0 for this purpose, and the logical interface you choose must not
be used by another service set.
next-hop-service {
inside-service-interface interface-name.unit-number;
outside-service-interface interface-name.unit-number;
}
Traffic on which the service is applied is forced to the inside interface using a static route.
For example:
routing-options {
static {
route 10.1.2.3 next-hop si-0/0/0.1;
}
}
After the service is applied, traffic exits through the outside interface. A lookup is then
performed in the Packet Forwarding Engine to send the packet out of the NAT engine.
The reverse traffic enters the outside interface, is serviced, and sent to the inside interface.
The inside interface forwards the traffic out of the NAT engine.
1. To associate the two parts with logical interfaces, you configure two logical interfaces
with the service-domain statement, one with the inside value and one with the outside
value, to mark them as either an inside or outside service interface.
2. The router forwards the traffic to be serviced to the inside interface, using the next-hop
lookup table.
3. After the service is applied, the traffic exits from the outside interface. A route lookup
is then performed on the packets to be sent out of the router.
4. When the reverse traffic returns on the outside interface, the applied service is undone;
for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced
packets then emerge on the inside interface, the router performs a route lookup, and
the traffic exits the router.
A service rule’s match direction—whether input, output, or input and output—is applied
with respect to the traffic flow through the NAT engine, not through a specific inside or
outside interface.
When a packet is sent to an NAT engine, packet direction information is carried along
with it. This is true for both interface-style and next-hop-style service sets.
The match direction can also depend on the network topology. For example, you might
route all the external traffic through one interface that is used to protect the other
interfaces on the router, and configure various services on this interface specifically.
Alternatively, you might use one interface for priority traffic and configure special services
on it, but not care about protecting traffic on the other interfaces.
Packet direction that is determined by the NAT engine is used to route packets to the
NAT engine. If you use the inside-interface statement to route traffic, then the packet
direction is input. If you use the outside-interface statement to direct packets to the NAT
engine, then the packet direction is output.
The interface to which you apply the service sets affects the match direction. For example,
apply the following configuration:
[edit]
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
The essential difference between the two configurations is the change in the match
direction and the static routes’ next hop, pointing to either the NAT engine’s inside or
outside interface.
IPsec service sets require additional specifications that you configure at the [edit services
service-set service-set-name ipsec-vpn-options] hierarchy level:
• Configuring the Local Gateway Address for IPsec Service Sets on page 1095
• Configuring IKE Access Profiles for IPsec Service Sets on page 1096
• Configuring or Disabling Antireplay Service on page 1097
If the Internet Key Exchange (IKE) gateway IP address is in inet.0 (the default situation),
you configure the following statement:
You can configure all the link-type tunnels that share the same local gateway address
in a single next-hop-style service set. The value you specify for the inside-service-interface
statement at the [edit services service-set service-set-name] hierarchy level need not
match the ipsec-inside-interface value, which you configure at the [edit services ipsec-vpn
rule rule-name term term-name from] hierarchy level. For more information about IPsec
configuration, see Configuring IPsec Rules.
You can configure Internet Key Exchange (IKE) gateway IP addresses that are present
in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through
the VRF instance.
For next-hop service sets, the key management process (kmd) places the IKE packets
in the routing instance that contains the outside-service-interface value you specify, as
in this example:
routing-instances vrf-nxthop {
instance-type vrf;
interface si-0/0/0.2;
...
}
services service-set service-set-1 {
next-hop-service {
inside-service-interface si-0/0/0.1;
outside-service-interface si-0/0/0.2;
}
...
}
For interface service sets, the service-interface statement determines the VRF, as in this
example:
routing-instances vrf-intf {
instance-type vrf;
interface si-0/0/0.3;
interface ge-1/2/0.1; # interface on which service set is applied
...
}
services service-set service-set-2 {
interface-service {
service-interface si-0/0/0.3;
}
...
}
The ike-access-profile statement must reference the same name as the profile statement
you configured for IKE access at the [edit access] hierarchy level. You can reference only
one access profile in each service set. This profile is used to negotiate IKE and IPsec
security associations with dynamic peers only.
NOTE: If you configure an IKE access profile in a service set, no other service
set can share the same local-gateway address.
Also, you must configure a separate service set for each VRF. All interfaces
referenced by the ipsec-inside-interface statement within a service set must
belong to the same VRF.
anti-replay-window-size bits;
This statement is useful for dynamic endpoint tunnels for which you cannot configure
the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term
term-name then] hierarchy level.
For static IPsec tunnels, this statement sets the antireplay window size for all the static
tunnels within this service set. If a particular tunnel needs a specific value for antireplay
window size, set the anti-replay-window-size statement at the [edit services ipsec-vpn
rule rule-name term term-name then] hierarchy level. If antireplay check has to be disabled
for a particular tunnel in this service set, set the no-anti-replay statement at the [edit
services ipsec-vpn rule rule-name term term-name then] hierarchy level.
You can also include the no-anti-replay statement at the [edit services service-set
service-set-name ipsec-vpn-options] hierarchy level to disable IPsec antireplay service.
It occasionally causes interoperability issues for security associations.
no-anti-replay;
This statement is useful for dynamic endpoint tunnels for which you cannot configure
the no-anti-reply statement at the [edit services ipsec-vpn rule rule-name term term-name
then] hierarchy level.
For static IPsec tunnels, this statement disables the antireplay check for all the tunnels
within this service set. If antireplay check has to be enabled for a particular tunnel, then
set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name
term term-name then] hierarchy level.
To configure an IPsec proposal, include the proposal statement and specify an IPsec
proposal name at the [edit services ipsec-vpn ipsec] hierarchy level:
ACX Series routers support Advanced Encryption Standard (AES) 128-bit encryption
algorithm.
To configure the hard lifetime value, include the lifetime-seconds statement and specify
the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name]
hierarchy level:
The default lifetime is 28,000 seconds. The range is from 180 through 86,400 seconds.
To configure the protocol for a dynamic SA, include the protocol statement and specify
esp at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
Dynamic security associations (SAs) require IKE configuration. With dynamic SAs, you
configure IKE first, and then the SA. IKE creates the dynamic SAs and negotiates them
for IPsec. The IKE configuration defines the algorithms and keys used to establish the
secure IKE connection with the peer security gateway.
You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to
protect the IKE connection between the IKE host and its peer.
To configure an IKE proposal, include the proposal statement and specify a name at the
[edit services ipsec-vpn ike] hierarchy level:
• des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits
long.
• 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits
long.
For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the
second 8 bytes should be the same as the third 8 bytes.
To configure the lifetime for an IKE SA, include the lifetime-seconds statement at the
[edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
By default, the IKE SA lifetime is 3600 seconds. The range is from 180 through
86,400 seconds.
NOTE: For IKE proposals, there is only one SA lifetime value, specified by the
Junos OS. IPsec proposals use a different mechanism; for more information,
see Configuring the Lifetime for an IPsec SA.
A match is made when both policies from the two peers have a proposal that contains
the same configured attributes. If the lifetimes are not identical, the shorter lifetime
between the two policies (from the host and peer) is used.
You can create multiple, prioritized IPsec proposals at each peer to ensure that at least
one proposal matches a remote peer’s proposal.
First, you configure one or more IPsec proposals; then you associate these proposals
with an IPsec policy. You can prioritize a list of proposals used by IPsec in the policy
statement by listing the proposals you want to use, from first to last.
To configure an IPsec policy, include the policy statement, and specify the policy name
and one or more proposals to associate with the policy, at the [edit services ipsec-vpn
ipsec] hierarchy level:
This section includes the following topics related to configuring an IPsec policy:
• group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when
performing the new Diffie-Hellman exchange.
• group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when
performing the new Diffie-Hellman exchange.
• group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when
performing the new Diffie-Hellman exchange.
• group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group
when performing the new Diffie-Hellman exchange.
The higher numbered groups provide more security than the lowered numbered groups,,
but require more processing time.
To configure the proposals in an IPsec policy, include the proposals statement and specify
one or more proposal names at the [edit services ipsec-vpn ipsec policy policy-name]
hierarchy level:
A match is made when both policies from the two peers have a proposal that contains
the same configured attributes. If the lifetimes are not identical, the shorter lifetime
between the two policies (from the host and peer) is used. The configured preshared
key must also match its peer.
You can create multiple, prioritized proposals at each peer to ensure that at least one
proposal matches a remote peer’s proposal.
First, you configure one or more IKE proposals; then you associate these proposals with
an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement
by listing the proposals you want to use, from first to last.
To configure an IKE policy, include the policy statement and specify a policy name at the
[edit services ipsec-vpn ike] hierarchy level:
To configure the proposals in an IKE policy, include the proposals statement and specify
one or more proposal names at the [edit services ipsec-vpn ike policy policy-name]
hierarchy level:
proposals [ proposal-names ];
an IKE Proposal. You must manually configure a preshared key, which must match that
of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal
key.
To configure the preshared key in an IKE policy, include the pre-shared-keys statement
and a key at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
To configure an IPsec rule, include the rule statement and specify a rule name at the [edit
services ipsec-vpn] hierarchy level:
}
}
Each IPsec rule consists of a set of terms, similar to a firewall filter. A term consists of
the following:
• from statement—Specifies the match conditions and applications that are included
and excluded.
The following sections explain how to configure the components of IPsec rules:
The match direction is used with respect to the traffic flow through the inline service
interface. When a packet is sent to the PIC, direction information is carried along with it.
With a next-hop service set, packet direction is determined by the interface used to route
the packet to the inline service interface. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
PIC, the packet direction is output. For more information on inside and outside interfaces,
see “Configuring Service Sets to Be Applied to Services Interfaces” on page 1031.
On the inline services interface, a flow lookup is performed. If no flow is found, rule
processing is performed. All rules in the service set are considered. During rule processing,
the packet direction is compared against rule directions. Only rules with direction
information that match the packet direction are considered.
You can use either the source address or the destination address as a match condition,
in the same way that you would configure a firewall filter; for more information, see the
Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
IPsec services on ACX Series support IPv4 address formats. If you do not specifically
configure either the source address or destination address, the default value 0.0.0.0/0
(IPv4 ANY) is used.
• You configure a dynamic SA by including the dynamic statement at the [edit services
ipsec-vpn rule rule-name term term-name then] hierarchy level and referencing policies
you have configured at the [edit services ipsec-vpn ipsec] and [edit services ipsec-vpn
ike] hierarchy levels; for more information, see Configuring Dynamic Security Associations.
• You configure a manual SA by including the manual statement at the [edit services
ipsec-vpn rule rule-name term term-name then] hierarchy level; for more information,
see Configuring Manual Security Associations.
The rule-set statement defines a collection of IPsec rules that determine what actions
the router software performs on packets in the data stream. You define each rule by
specifying a rule name and configuring terms. Then, you specify the order of the rules by
including the rule-set statement at the [edit services ipsec-vpn] hierarchy level with a
rule statement for each rule:
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
Trace operations track IPsec events and record them in a log file in the /var/log directory.
By default, this file is named /var/log/kmd.
To trace IPsec operations, include the traceoptions statement at the [edit services
ipsec-vpn] hierarchy level:
• all—Trace everything.
The level statement sets the key management process (kmd) tracing level. The following
values are supported:
• Understanding Ethernet OAM Link Fault Management for ACX Series Routers on page 1112
• Configuring Ethernet Local Management Interface on ACX Series on page 1113
• Ethernet Frame Delay Measurements Overview on page 1117
• Ethernet Frame Loss Measurement Overview on page 1121
• Proactive Mode for SLA Measurement on page 1123
• On-Demand Mode for SLA Measurement on page 1125
• Configuring MEP Interfaces to Support Delay Measurement on page 1125
• Ethernet OAM Connectivity Fault Management on page 1126
• IEEE 802.1ag OAM Connectivity Fault Management in ACX Series Overview on page 1128
• Configuring Maintenance Association Intermediate Points in ACX Series on page 1129
• Example: Configuring IEEE 802.3ah OAM Support for an Interface on page 1133
• Enabling Dying Gasp Functionality on page 1135
• Ethernet Alarm Indication Signal Overview on page 1136
• Configuring Alarm Indication Signal on ACX Series Routers on page 1138
• Ethernet Synthetic Loss Measurement Overview on page 1140
• Transmission of ETH-SLM Messages on page 1141
• Format of ETH-SLM Messages on page 1144
• Guidelines for Configuring ETH-SLM on page 1146
• Scenarios for Configuration of ETH-SLM on page 1147
• Managing ETH-SLM Statistics and ETH-SLM Frame Counts on page 1148
• Starting a Proactive ETH-SLM Session on page 1153
• Starting an On-Demand ETH-SLM Session on page 1156
• Dynamic Ternary Content Addressable Memory Overview on page 1157
• Service Scaling on ACX5048 and ACX5096 Routers on page 1167
• Understanding Layer 2 Next Generation Mode on ACX5048 and ACX5096
Routers on page 1167
Understanding Ethernet OAM Link Fault Management for ACX Series Routers
The Juniper Networks Junos operating system (Junos OS) for Juniper Networks ACX
Series routers allows the Ethernet interfaces on these routers to support the IEEE 802.3ah
standard for the Operation, Administration, and Maintenance (OAM) of Ethernet in access
networks. The standard defines OAM link fault management (LFM). You can configure
IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly
or through Ethernet repeaters. The IEEE 802.3ah standard meets the requirement for
OAM capabilities even as Ethernet moves from being solely an enterprise technology to
a WAN and access technology, and the standard remains backward compatible with
the existing Ethernet technology.
Ethernet OAM provides tools that network management software and network managers
can use to determine how a network of Ethernet links is functioning. Ethernet OAM should:
• Rely only on the media access control (MAC) address or virtual LAN identifier for
troubleshooting.
• Work independently of the actual Ethernet transport and function over physical Ethernet
ports or a virtual service such as a pseudowire.
The following OAM LFM features are supported on ACX Series routers:
The discovery process is triggered automatically when OAM is enabled on the interface.
The discovery process permits Ethernet interfaces to discover and monitor the peer
on the link if it also supports the IEEE 802.3ah standard. You can specify the discovery
mode used for IEEE 802.3ah OAM support. In active mode, the interface discovers and
monitors the peer on the link if the peer also supports IEEE 802.3ah OAM functionality.
In passive mode, the peer initiates the discovery process. After the discovery process
has been initiated, both sides participate in the process. The router performs link
monitoring by sending periodic OAM protocol data units (PDUs) to advertise OAM
mode, configuration, and capabilities.
You can specify the number of OAM PDUs that an interface can skip before the link
between peers is considered down.
Remote fault detection uses flags and events. Flags are used to convey the following:
ACX Series routers can generate and receive dying-gasp packets. When LFM is
configured on an interface, a dying-gasp PDU is generated for the interface on the
following failure conditions:
• Power failure
You can specify the interval at which OAM PDUs are sent for fault detection.
NOTE: ACX Series routers support the receipt of dying-gasp packets, but
cannot generate them.
Remote loopback mode ensures link quality between the router and a remote peer
during installation or troubleshooting. In this mode, when the interface receives a frame
that is not an OAM PDU or a PAUSE frame, it sends it back on the same interface on
which it was received. The link appears to be in the active state. You can use the returned
loopback acknowledgement to test delay, jitter, and throughput.
If a remote data terminal equipment (DTE) supports remote loopback mode, Junos
OS can place the remote DTE into loopback mode. When you place a remote DTE into
loopback mode, the interface receives the remote loopback request and puts the
interface into remote loopback mode. When the interface is in remote loopback mode,
all frames except OAM PDUs and PAUSE frames are looped back. No changes are
made to the frames. OAM PDUs continue to be sent and processed.
to support Metro Ethernet services. The E-LMI protocol also provides user-to-network
interface (UNI) and Ethernet virtual connection (EVC) status information to the CE device.
The UNI and EVC information enables automatic configuration of CE operation based
on the Metro Ethernet configuration.
The E-LMI protocol operates between the CE device and the provider edge (PE) device.
It runs only on the PE-CE link and notifies the CE device of connectivity status and
configuration parameters of Ethernet services available on the CE port. The scope of the
E-LMI protocol is shown in Figure 60 on page 1114.
UNI UNI
CE Metro Ethernet Network CE
g017277
E-LMI E-LMI
The E-LMI implementation on ACX Series routers includes only the PE side of the E-LMI
protocol.
• Notification to the CE device of the addition or deletion of an EVC (active, not active)
• UNI attributes:
• CE-VLAN ID and EVC map type (all-to-one bundling, service multiplexing with
bundling, or no bundling)
• EVC attributes:
• EVC reference ID
The E-LMI protocol on ACX Series routers supports Layer 2 circuit and Layer 2 VPN EVC
types and enables link-loss forwarding for pseudowire (Layer 2 circuit and Layer 2 VPN)
services as follows:
• Interworking between the connectivity fault management (CFM) protocol and the
E-LMI protocol for Layer 2 circuit and Layer 2 VPN.
• In the case of pseudowire redundancy, CFM can be used to monitor active and backup
pseudowire sessions. The EVC status is declared as down to CE devices only when
both the active and backup pseudowire sessions go down.
• Interworking between remote defect indication (RDI) and E-LMI for Layer 2 circuit and
Layer 2 VPN.
• If a maintenance association end point (MEP) receives an RDI bit set in a continuity
check message (CCM) frame, and if RDI fault detection is enabled in the EVC
configuration at [edit protocols oam ethernet evcs evc-id evc-protocol cfm
management-domain name management-association name faults rdi], then the
pseudowire is declared as down to CE routers through E-LMI.
• If an end-to-end CFM session does not exist between UNIs, the pseudowire (Layer 2
circuit or Layer 2 VPN) up and down state triggers an asynchronous EVC state change
message to CE routers through E-LMI.
NOTE: ACX Series routers do not support E-LMI for Layer 2 services (bridging).
For information about configuring the OAM protocol (CFM), see IEEE 802.1ag OAM
Connectivity Fault Management Overview.
To assign an OAM protocol to an EVC, you must specify a name for the EVC by using the
evcs evc-id statement at the [edit protocols oam ethernet] hierarchy level. You can set
the evc-protocol statement to cfm, l2circuit, or l2vpn to monitor the EVC status and its
options at the [edit protocols oam ethernet evcs] hierarchy level. You can configure the
number of remote UNIs in the EVC by using the remote-uni-count number statement. The
remote-uni-count value defaults to 1.
You can configure an EVC by including the evcs statement at the [edit protocols oam
ethernet] hierarchy level:
To configure E-LMI, include the lmi statement at the [edit protocols oam ethernet]
hierarchy level:
You can set the status counter to count consecutive errors by using the status-counter
count statement at the [edit protocols oam ethernet lmi] hierarchy level. The status
counter is used to determine whether E-LMI is operational or not. The default value is 4.
You can set the polling-verification-timer value statement at the [edit protocols oam
ethernet lmi] hierarchy level. The default value is 15 seconds.
You can enable an interface and set its options for use with E-LMI by using the interface
name statement at the [edit protocols oam ethernet lmi] hierarchy level. Only ge, xe, and
ae interfaces are supported. You can use the interface uni-id option to specify a name
for the UNI. If uni-id is not configured, it defaults to the name variable in the interface
name statement.
You can specify the CE-VLAN ID and EVC map type by using the evc-map-type type
interface option. The options are all-to-one-bundling, bundling, and service-multiplexing.
Service multiplexing is with no bundling. The default type is all-to-one-bundling.
To specify the EVC that an interface uses, use the evc evc-id statement at the [edit
protocols oam ethernet lmi interface name] hierarchy level. You can specify an interface
as the default EVC interface by using the default-evc statement at the [edit protocols
oam ethernet lmi interface name evc evc-id] hierarchy level. All VLAN IDs that are not
mapped to any other EVCs are mapped to this EVC. Only one EVC can be configured as
the default.
You can map a list of VLANs to an EVC by using the vlan-list vlan-id-list statement at the
[edit protocols oam ethernet lmi interface name evc evc-id] hierarchy level.
Related • IEEE 802.1ag OAM Connectivity Fault Management in ACX Series Overview on page 1128
Documentation
• Creating a Maintenance Domain
• Configuring a CFM Action Profile to Specify CFM Actions for CFM Events
Junos OS supports key OAM standards that provide for automated end-to-end
management and monitoring of Ethernet service by service providers:
• ITU-T Recommendation Y.1731, which uses different terminology than IEEE 802.1ag and
defines Ethernet service OAM features for fault monitoring, diagnostics, and
performance monitoring.
These capabilities allow operators to offer binding service-level agreements (SLAs) and
generate new revenues from rate- and performance-guaranteed service packages that
are tailored to the specific needs of their customers.
NOTE: ACX Series routers do not support one-way Ethernet frame delay
measurement.
DMM Transmission
When you start a two-way frame delay measurement, the router sends delay
measurement message (DMM) frames— frames that carry the PDU for a two-way
ETH-DM request—from the initiator MEP to the responder MEP at the rate and for the
number of frames you specify. The router marks each DMM frame as drop-ineligible and
inserts a timestamp of the transmission time into the frame.
DMR Transmission
When an MEP receives a DMM frame, the responder MEP responds with a delay
measurement reply (DMR) frame, which carries ETH-DM reply information and a copy
of the timestamp contained in the DMM frame.
DMR Reception
When an MEP receives a valid DMR, the router that contains the MEP measures the
two-way delay for that frame based on the following sequence of timestamps:
1. TI
TxDMM
2. TR
RxDMM
3. TR
TxDMR
4. TI
RxDMR
[TI – TI ] – [TR – TR ]
RxDMR TxDMM TxDMR RxDMM
The calculation show that frame delay is the difference between the time at which the
initiator MEP sends a DMM frame and the time at which the initiator MEP receives the
associated DMR frame from the responder MEP, minus the time elapsed at the responder
MEP.
The delay variation is the difference between the current and previous delay values.
The router that contains the initiator MEP stores each set of two-way delay statistics in
the ETH-DM database. The ETH-DM database collects up to 100 sets of statistics for
any given CFM session (pair of peer MEPs). You can access these statistics at any time
by displaying the ETH-DM database contents.
Each router counts the number of two-way ETH-DM frames sent and received:
• For an initiator MEP, the router counts the number DMM frames transmitted, the number
of valid DMR frames received, and the number of invalid DMR frames received.
• For a responder MEP, the router counts the number of DMR frames sent.
Each router stores ETH-DM frame counts in the CFM database. The CFM database stores
CFM session statistics and, for interfaces that support ETH-DM, any ETH-DM frame
counts. You can access the frame counts at any time by displaying CFM database
information for Ethernet interfaces assigned to MEPs or for MEPs in CFM sessions.
NOTE: For a given two-way Ethernet frame delay measurement, frame delay
and frame delay variation values are available only at the router that contains
the initiator MEP.
• Ethernet frame delay measurements can be triggered only when the distributed periodic
packet management daemon (ppm) is enabled. To enable distributed ppm, include
the delegate-server-processing CLI statement at the [edit protocols oam ethernet
connectivity-fault-management performance-monitoring] hierarchy. For more
information about this limitation, see Guidelines for Configuring Routers to Support an
ETH-DM Session and Ensuring That Distributed ppm Is Not Disabled.
• You can monitor only one session at a time to the same remote MEP or MAC address.
For more information about starting an ETH-DM session, see Starting an ETH-DM
Session.
• ETH-DM statistics are collected at only one of the two peer routers in the ETH-DM
session. For a one-way ETH-DM session, you can display frame ETH-DM statistics at
the receiver MEP only, using ETH-DM-specific show commands. For a two-way ETH-DM
session, you can display frame delay statistics at the initiator MEP only, using the same
ETH-DM-specific show commands. For more information, see Managing ETH-DM
Statistics and ETH-DM Frame Counts.
• ETH-DM frame counts are collected at both MEPs and are stored in the respective
CFM databases.
• Accuracy of frame delay statistics is compromised when the system is changing (such
as from reconfiguration). We recommend performing Ethernet frame delay
measurements on a stable system.
Related • Understanding Ethernet OAM Link Fault Management for ACX Series Routers on page 1112
Documentation
• Guidelines for Configuring Routers to Support an ETH-DM Session
The key objectives of the OAM functionality are to measure quality-of-service attributes
such as frame delay, frame delay variation (also known as “frame jitter”), and frame loss.
Such measurements enable you to identify network problems before customers are
impacted by network defects. For more information about Ethernet frame delay
measurement, see Ethernet Frame Delay Measurements Overview.
NOTE: MX Series Virtual Chassis does not support Ethernet frame loss
measurement (ETH-LM).
• CFM PDUs received on the logical interface of the down MEP are classified
by the classifier as yellow or medium-high PLP
• A packet is identified as yellow when the input classifier marks the PLP as
medium-high.
16.1 Starting Junos OS Release 16.1, the Ethernet loss measurement (ETH-LM) results are
inaccurate when connectivity fault management (CFM) and performance monitoring
(PM) PDUs received locally at a maintenance endpoint (MEP) as classified as
belonging to the yellow class or a packet loss priority (PLP) of medium-high.
16.1 Starting with Junos OS Release 16.1, performance monitoring for connectivity fault
management (by including the performance-monitoring statement and its
substatements at the [edit protocols oam ethernet
connectivity-fault-management] hierarchy level) is not supported when the
network-to-network (NNI) or egress interface is an aggregated Ethernet interface
with member links on DPCs.
For every DPC or MPC, only 30 iterator instances for a cycle time value of 10 milliseconds
(ms) are supported. In Junos OS, 255 iterator profile configurations and 2000 remote
MEP associations are supported.
Iterators with cycle time value less than 100 ms are supported only for infinite iterators,
whereas the iterators with cycle time value greater than 100 ms are supported for both
finite and infinite iterators. Infinite iterators are iterators that run infinitely until the iterator
is disabled or deactivated manually.
NOTE: ACX5048 and ACX5096 routers supports iterator cycle time of only
1 second and above.
For two-way delay measurement and loss measurement, an iterator sends a request
message for the connection in the list (if any) and then sends a request message for the
connection that was polled in the former iteration cycle. The back-to-back request
messages for the SLA measurement frames and their responses help in computing delay
variation and loss measurement.
The Y.1731 frame transmission for a service attached to an iterator continues endlessly
unless intervened and stopped by an operator or until the iteration-count condition is
met. To stop the iterator from sending out any more proactive SLA measurement frames,
the operator must perform one of the following tasks:
• Enable the deactivate sla-iterator-profile statement at the [edit protocols oam ethernet
connectivity-fault-management maintenance-domain md-name maintenance association
ma-name mep mep-id remote-mep mep-id] hierarchy level. For more information, see
Verifying the Configuration of an Iterator Profile.
• Provision a disable statement under the corresponding iterator profile at the [edit
protocols oam ethernet connectivity-fault-management performance-monitoring
sla-iterator-profiles profile-name] hierarchy level. For more information, see Configuring
an Iterator Profile.
In one-way delay variation computation using the two-way delay measurement method,
the delay variation computation is based on the timestamps that are present in the DMR
frame (and not the 1DM frame). Therefore, there is no need for client-side and server-side
clocks to be in sync. Assuming that the difference in their clocks remains constant, the
one-way delay variation results are expected to be fairly accurate. This method also
eliminates the need to send separate 1DM frames just for the one-way delay variation
measurement purpose.
In proactive mode for loss measurement, the router sends packets in standard format
along with loss measurement TLV and iterator TLV.
In on-demand mode, the measurements are triggered by the user through the CLI.
When the user triggers the delay measurement through the CLI, the delay measurement
request that is generated is as per the frame formats specified by the ITU-T Y.1731
standard. For two-way delay measurement, the server-side processing can be delegated
to the Packet Forwarding Engine to prevent overloading on the Routing Engine. For more
information, see Configuring Routers to Support an ETH-DM Session. When the server-side
processing is delegated to the Packet Forwarding Engine, the delay measurement message
(DMM) frame receive counters and delay measurement reply (DMR) frame transmit
counters are not displayed by the show command.
When the user triggers the loss measurement through the CLI, the router sends the
packets in standard format along with the loss measurement TLV. By default, the
session-id-tlv argument is included in the packet to allow concurrent loss measurement
sessions from same local MEP. You can also disable the session ID TLV by using the
no-session-id-tlv argument.
Before you can start an Ethernet frame delay measurement (ETH-DM) session across
an Ethernet service, you must configure two ACX Series routers to support ETH-DM.
[edit interfaces]
interface {
ethernet-interface-name {
vlan-tagging;
unit logical-unit-number {
vlan-id vlan-id; # Both interfaces on this VLAN
}
}
}
2. On each router, attach peer MEPs to the two interfaces. The following configuration
is typical:
[edit protocols]
oam {
ethernet {
connectivity-fault-management {
maintenance-domain md-name { # On both routers
level number;
maintenance-association ma-name { # On both routers
continuity-check {
interval 100ms;
hold-interval 1;
}
mep mep-id { # Attach to VLAN interface
auto-discovery;
direction (up | down);
interface interface-name;
priority number;
}
}
}
}
}
}
The most complete connectivity fault management (CFM) is defined in IEEE 802.1ag.
This topic emphasizes the use of CFM in a Metro Ethernet environment.
• Fault monitoring using the continuity check protocol. This is a neighbor discovery and
health check protocol that discovers and maintains adjacencies at the VLAN or link
level.
• Path discovery and fault verification using the linktrace protocol. Similar to IP traceroute,
this protocol maps the path taken to a destination MAC address through one or more
bridged networks between the source and destination.
• Fault isolation using the loopback protocol. Similar to IP ping, this protocol works with
the continuity check protocol during troubleshooting.
CFM partitions the service network into various administrative domains. For example,
operators, providers, and customers might be part of different administrative domains.
Each administrative domain is mapped into one maintenance domain providing enough
information to perform its own management, thus avoiding security breaches and making
end-to-end monitoring possible. Each maintenance domain is associated with a
maintenance domain level from 0 through 7. Level allocation is based on the network
hierarchy, where outermost domains are assigned a higher level than the innermost
domains.
Customer end points have the highest maintenance domain level. In a CFM maintenance
domain, each service instance is called a maintenance association. A maintenance
association can be thought as a full mesh of maintenance endpoints (MEPs) having
similar characteristics. MEPs are active CFM entities generating and responding to CFM
protocol messages.
There is also a maintenance intermediate point (MIP), which is a CFM entity similar to
the MEP, but more passive (MIPs only respond to CFM messages).
MEPs can be up MEPs or down MEPs. A link can connect a MEP at level 5 to a MEP at
level 7. The interface at level 5 is an up MEP (because the other end of the link is at MEP
level 7), and the interface at level 7 is a down MEP (because the other end of the link is
at MEP level 5).
• By the service provider to check the connectivity among its provider edge (PE) routers
• By the customer to check the connectivity among its customer edge (CE) routers
NOTE: The configured customer CFM level must be greater than service
provider CFM level.
In many Metro Ethernet networks, CFM is used to monitor connectivity over a VPLS and
bridge network.
Ethernet interfaces on ACX Series routers support the IEEE 802.1ag standard for Operation,
Administration, and Management (OAM). The IEEE 802.1ag specification provides for
Ethernet connectivity fault management (CFM). The goal of CFM is to monitor an Ethernet
network that may comprise one or more service instances. Junos OS supports IEEE
802.1ag connectivity fault management.
Network entities such as operators, providers, and customers may be part of different
administrative domains. Each administrative domain is mapped into one maintenance
domain. Maintenance domains are configured with different level values to keep them
separate. Each domain provides enough information for the entities to perform their own
management, perform end-to-end monitoring, and still avoid security breaches.
IEEE 802.1ag OAM is supported on untagged, single VLAN tagged, and stacked VLAN
tagged interfaces.
Related • Understanding Ethernet OAM Link Fault Management for ACX Series Routers on page 1112
Documentation
• Configuring Ethernet Local Management Interface on ACX Series on page 1113
The following MIP configurations are supported in ACX5048 and ACX5096 routers:
• MIP with bridge domain when maintenance association end point is configured
NOTE: The Layer 2 CLI configurations and show commands for ACX5048
and ACX5096 routers differ compared to other ACX Series routers. For more
information, see “Understanding Layer 2 Next Generation Mode on ACX5048
and ACX5096 Routers” on page 1167.
[edit protocols]
oam {
ethernet {
connectivity-fault-management {
maintenance-domain default-6 {
vlan bd1;
mip-half-function default;
}
}
}
}
[edit protocols]
oam {
ethernet {
connectivity-fault-management {
maintenance-domain default-6 {
interface xe-0/0/42.0;
mip-half-function default;
}
}
}
}
Configuring the Maintenance Association Intermediate Points with Bridge Domain when
Maintenance Association End Point is Configured
In ACX5048 and ACX5096 routers, you can configure the MIP with bridge domain when
a maintenance association end point (MEP) is configured. The following is a sample to
configure the MIP with bridge domain when MEP is configured:
[edit protocols]
oam {
ethernet {
connectivity-fault-management {
maintenance-domain md2 {
level 5;
mip-half-function default;
maintenance-association ma2 {
continuity-check {
interval 1s;
}
mep 222 {
interface xe-0/0/42.0;
direction up;
}
}
}
}
}
}
Configuring the Maintenance Intermediate Points with Circuit Cross-Connect when Maintenance
Association End Point is Configured
In ACX5048 and ACX5096 routers, you can configure the MIP with circuit cross-connect
(CCC) when a maintenance association end point (MEP) is configured. The following is
a sample to configure the MIP with CCC when MEP is configured:
[edit protocols]
oam {
ethernet {
connectivity-fault-management {
maintenance-domain md2 {
level 5;
mip-half-function default;
maintenance-association ma2 {
continuity-check {
interval 1s;
}
mep 222 {
interface xe-0/0/42.0;
direction up;
}
}
}
}
}
}
Related • bridge-domain
Documentation
• connectivity-fault-management
• instance
• mip-half-function
• Configuring a CFM Action Profile to Specify CFM Actions for CFM Events
Junos OS for ACX Series routers allows the Ethernet interfaces on these routers to support
the IEEE 802.3ah standard for the Operation, Administration, and Maintenance (OAM)
of Ethernet in access networks. The standard defines OAM link fault management (LFM).
You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are
connected either directly or through Ethernet repeaters.
This example describes how to enable and configure OAM on a Gigabit Ethernet interface.
Requirements
This example uses the following hardware and software components:
CLI Quick To quickly configure IEEE 802.3ah Ethernet OAM, copy the following commands and
Configuration paste them into the CLI:
edit
edit protocols oam ethernet link-fault-management
set interface xe-0/0/0 link-discovery active pdu-interval 800 pdu-threshold 4
remote-loopback negotiation-options allow-remote-loopback
set interface xe-0/0/0 event-thresholds frame-error 30 frame-period 50
frame-period-summary 40 symbol-period 20
2. Specify that the interface initiates the discovery process by setting the link discovery
mode to active:
5. Configure the remote interface into loopback mode so that all frames except OAM
PDUs are looped back without any changes:
7. Set the threshold count for sending frame error events to 30:
8. Set the threshold count for sending frame period error events to 50:
9. Configure the threshold count for sending frame period summary error events to
40:
10. Set the threshold count for sending symbol period events to 20:
[edit]
user@router# show
[edit]
protocols {
oam {
ethernet {
link-fault-management {
interface xe-0/0/0 {
link-discovery active;
pdu-interval 800;
pdu-threshold 4;
remote-loopback;
negotiation-options {
allow-remote-loopback;
}
event-thresholds {
frame-error 30;
frame-period 50;
frame-period-summary 40;
symbol-period 20;
}
}
}
}
}
}
Related • link-fault-management
Documentation
• IEEE 802.3ah OAM Link-Fault Management Overview
Dying gasp means an unrecoverable condition such as a power failure. In this condition,
the local peer informs the remote peer about the failure state. When the remote peer
receives a dying-gasp PDU, it takes an action corresponding to the action profile configured
with the link-adjacency-loss event. Dying gasp helps to avoid file system corruption.
ACX Series routers can generate and receive dying-gasp packets. When LFM is configured
on an interface, a dying-gasp PDU is generated for the interface on the following failure
conditions:
• Power failure
ACX Series routers support the following CLI statements to enable dying-gasp
functionality:
The dgasp-int and dgasp-usb CLI statements are added under the [edit system] hierarchy
to enable dying-gasp functionality.
To enable dying-gasp functionality, you need to configure the dgasp-int and dgasp-usb
CLI statements as shown below:
root@host% cli
root@host> configure
Entering configuration mode
[edit]
root@host# set system dgasp-int
[edit]
root@host# set system dgasp-usb
[edit]
root@host# commit
commit complete
[edit]
root@host# show system
dgasp-int;
dgasp-usb;
Related • Understanding Ethernet OAM Link Fault Management for ACX Series Routers on page 1112
Documentation
ACX Series routers support ITU-T Y.1731 Ethernet Alarm Indication Signal function
(ETH-AIS) to provide fault management for service providers. ETH-AIS enables you to
suppress alarms when a fault condition is detected. Using ETH-AIS, an administrator
can differentiate between faults at customer level or faults at provider level.
When a fault condition is detected, a maintenance end point (MEP) generates ETH-AIS
packets to the configured client levels for a specified duration until the fault condition is
cleared. Any MEP configured to generate ETH-AIS packets signals to a level higher than
its own. A MEP receiving ETH-AIS recognizes that the fault is at a lower level and then
suppresses alarms at current level.
ACX Series routers support ETH-AIS PDU generation for server MEPs based on the
following defect conditions:
Alarm indication signaling is done through the transmission and propagation of ETH-AIS
PDUs. ETH-AIS should be enabled on MEPs. A MEP which is configured to issue packets
with ETH-AIS information is generally of server layer and continues to transmit periodic
packets with ETH-AIS information until the defect condition is cleared. CFM MEPs, upon
receiving ETH-AIS PDUs, suppresses loss of continuity alarms associated with its peer
MEPs. A MEP resumes loss of continuity alarm generation upon detecting loss of continuity
defect conditions in the absence of an ETH-AIS condition.
For point-to-point Ethernet connectivity, a MEP has only a single peer MEP. Therefore, a
MEP suppress alarms on its peer MEP when it receives the ETH-AIS information.
For multi-point Ethernet connectivity, a MEP which receives ETH-AIS information cannot
determine the exact MEP encountered a fault condition and therefore it will not be able
to isolate the exact peer MEP for alarm suppression. ITU-T Y.1731 recommends suppressing
alarms for all peer MEPs irrespective of the connectivity status.
AIS transmission—A MEP upon detecting a defect condition transmits ETH-AIS PDUs in
a direction opposite to its peer MEPs. The transmission of ETH-AIS PDUs is based on a
configured ETH-AIS transmission period. An ETH-AIS transmission period of 1 second is
recommended. The first ETH-AIS PDU must be transmitted immediately following the
detection of a defect condition.
AIS reception—A MEP upon receiving ETH-AIS PDUs examines it to ensure that its
maintenance domain (MD) level corresponds to the same MD level. Upon receiving an
ETH-AIS PDU, the MEP detects a defect condition. Following the detection of a defect
condition, if there are no ETH-AIS PDUs received within an interval of 3.5 times the
ETH-AIS transmission period indicated in the ETH-AIS PDUs received earlier, the MEP
clears the defect condition. After the fault condition is cleared, MEPs continue to report
alarms.
NOTE: ACX Series routers do not support ITU-T Y.1731 ETH-AIS for layer 2
services (bridging).
• Triggering of ETH-AIS messages over services (Layer 2 circuit and Layer 2 VPN) by the
link-loss server MEP is done on a best-effort manner. This is because the transmission
of ETH-AIS messages is independent of the service status and there is no guarantee
for delivering the ETH-AIS messages before service goes down.
Related • Configuring Alarm Indication Signal on ACX Series Routers on page 1138
Documentation
ACX Series routers support ITU-T Y.1731 Ethernet Alarm Indication Signal function
(ETH-AIS) to provide fault management for service providers. ETH-AIS enables you to
suppress alarms when a fault condition is detected.
• Client Maintenance Entity Group level—Maintenance Entity Group (MEG) level at which
the immediate client layer Maintenance Domain Intermediate Points (MIPs) and
Maintenance Association End Points (MEPs) exist.
To configure an action profile with ETH-AIS action, include the following statements at
the [edit protocols oam ethernet connectivity-fault-management] hierarchy level:
To attach an action profile to a CFM MEP, include the following statements at the [edit
protocols oam ethernet connectivity-fault-management] hierarchy level:
maintenance-domain maintenenace-domain-name {
level level-number;
maintenance-association maintenance-domain-name {
continuity-check {
interval 1s;
loss-threshold 3;
}
mep mep-id {
interface interface-name;
direction up | down;
priority priority-value;
action-profile action-profile-name;
}
}
}
NOTE: You cannot configure a maintenance domain level that is lower than
or equal to the level that it is associated with.
• Server MEP definition—Defines the association of server MEP identifier to the server
layer.
• For Layer 2 circuit and Layer 2 VPN, the logical interface connected to a customer
network (UNI) would be the identifier for the server layer that needs to be monitored
by the server MEP.
• For physical link loss detection, the physical interface under Ethernet protocol would
be the identifier for the server layer that needs to be monitored by the server MEP.
• Association action profile and server MEP—Defines the binding of server MEP and
action profile.
• Create an action profile with ETH-AIS action for server MEP defects.
• Attach the action profile to a server MEP
To create an action profile, include the following statements at the [edit protocols oam
ethernet connectivity-fault-management] hierarchy level:
}
action {
log-and-generate-ais {
level 1…n;
interval 1 second | 1 minute;
priority dot1p [range 0-7];
}
}
}
To attach an action profile to a server MEP, include the following statement at the [edit
protocols oam ethernet connectivity-fault-management] hierarchy level:
A near-end frame loss specifies frame loss associated with ingress data frames and a
far-end frame loss specifies frame loss associated with egress data frames. Both near-end
and far-end frame loss measurements contribute to near-end severely errored seconds
and far-end severely errored seconds that are used in combination to determine
unavailable time. ETH-SLM is performed using synthetic loss message (SLM) and
synthetic loss reply (SLR) frames. ETH-SLM facilitates each MEP to perform near-end
and far-end synthetic frame loss measurements by using synthetic frames because a
bidirectional service is defined as unavailable if either of the two directions is determined
to be unavailable.
There are the two types of frame loss measurement, defined by the ITU-T Y.1731 standards,
ETH-LM and ETH-SLM. Junos OS supports only single-ended ETH-SLM. In single-ended
ETH-SLM, each MEP sends frames with the ETH-SLM request information to its peer
MEP and receives frames with ETH-SLM reply information from its peer MEP to perform
synthetic loss measurements. Single-ended ETH-SLM is used for proactive or on-demand
OAM to perform synthetic loss measurements applicable to point-to-point Ethernet
connection. This method allows a MEP to initiate and report far-end and near-end loss
measurements associated with a pair of MEPs that are part of the same maintenance
entity group (MEG).
NOTE: MX Series Virtual Chassis does not support Ethernet synthetic loss
measurement (ETH-SLM).
NOTE: ACX5048 and ACX5096 routers support ETH-SLM for Layer 2 services.
The ETH-SLM functionality can process multiple synthetic loss message (SLM) requests
simultaneously between a pair of MEPs. The session can be a proactive or an on-demand
SLM session. Each SLM request is identified uniquely by a test ID.
A MEP can send SLM requests or respond to SLM requests. A response to an SLM request
is called a synthetic loss reply (SLR). After a MEP determines an SLM request by using
the test ID, the MEP calculates the far-end and near-end frame loss on the basis of the
information in the SLM message or the SLM protocol data unit (PDU).
A MEP maintains the following local counters for each test ID and for each peer MEP
being monitored in a maintenance entity for which loss measurements are to be
performed:
• TxFCl—Number of synthetic frames transmitted toward the peer MEP for a test ID. A
source MEP increments this number for successive transmission of synthetic frames
with ETH-SLM request information while a destination or receiving MEP increments
this value for successive transmission of synthetic frames with the SLR information.
• RxFCl—Number of synthetic frames received from the peer MEP for a test ID. A source
MEP increments this number for successive reception of synthetic frames with SLR
information while a destination or receiving MEP increments it for successive reception
of synthetic frames with ETH-SLM request information.
The following sections describe the phases of processing of SLM PDUs to determine
synthetic frame loss:
• The source MAC address is copied to the destination MAC address and the source
address contains the MEP’s MAC address.
• The value of the OpCode field is changed from SLM to SLR (54).
• TxFCb is saved with the value of the local counter RxFCl at the time of SLR frame
transmission.
• An SLR frame is generated every time an SLM frame is received; therefore, RxFCl in
the responder is equal to the number of SLM frames received and also equal to the
number of SLR frames sent. At the responder or receiving MEP, RxFCl equals TxFCl.
Reception of SLRs
After an SLM frame (with a given TxFCf value) is transmitted, a MEP expects to receive
a corresponding SLR frame (carrying the same TxTCf value) within the timeout value
from its peer MEP. SLR frames that are received after the timeout value (5 seconds) are
discarded. With the information contained in SLR frames, a MEP determines the frame
loss for the specified measurement period. The measurement period is a time interval
during which the number of SLM frames transmitted is statistically adequate to make a
measurement at a given accuracy. A MEP uses the following values to determine near-end
and far-end frame loss during the measurement period:
• Last received SLR frame's TxFCf and TxFCb values and the local counter RxFCl value
at the end of the measurement period. These values are represented as TxFCf[tc],
TxFCb[tc], and RxFCl[tc], where tc is the end time of the measurement period.
• SLR frame's TxFCf and TxFCb values of the first received SLR frame after the test
starts and local counter RxFCl at the beginning of the measurement period. These
values are represented as TxFCf[tp], TxFCb[tp], and RxFCl[tp], where tp is the start
time of the measurement period.
For each SLR packet that is received, the local RxFCl counter is incremented at the sending
or source MEP.
• Source MEP ID—Source MEP ID is a 2-octet field where the last 13 least significant bits
are used to identify the MEP transmitting the SLM frame. MEP ID is unique within the
MEG.
• Test ID—Test ID is a 4-octet field set by the transmitting MEP and is used to identify a
test when multiple tests run simultaneously between MEPs (including both concurrent
on-demand and proactive tests).
• TxFCf—TxFCf is a 4-octet field that carries the number of SLM frames transmitted by
the MEP toward its peer MEP.
• Version—0.
• TLV Offset—16.
• Source MEP ID—A 2-octet field used to identify the MEP transmitting the SLM frame.
In this 2-octet field, the last 13 least significant bits are used to identify the MEP
transmitting the SLM frame. MEP ID is unique within the MEG.
• Test ID—A 4-octet field set by the transmitting MEP and used to identify a test when
multiple tests run simultaneously between MEPs (including both concurrent on-demand
and proactive tests).
• TxFCf—A 4-octet field that carries the number of SLM frames transmitted by the MEP
toward its peer MEP.
• Optional TLV—A data TLV may be included in any SLM transmitted. For the purpose
of ETH-SLM, the value part of data TLV is unspecified.
• MEG Level—A 3-bit field the value of which is copied from the last received SLM PDU.
• Version—A 5-bit field the value of which is copied from the last received SLM PDU.
• Source MEP ID—A 2-octet field copied from the SLM PDU.
• Responder MEP ID—A 2-octet field used to identify the MEP transmitting the SLR
frame.
• TxFCb—A 4 octet field. This value represents the number of SLR frames transmitted
for this test ID.
• Type—Identifies the TLV type; value for this TLV type is Data (3).
• Length—Identifies the size, in octets, of the Value field containing the data pattern.
The maximum value of the Length field is 1440.
• Data pattern—An n-octet (n denotes length) arbitrary bit pattern. The receiver ignores
it.
Keep the following points in mind when you configure the ETH-SLM functionality:
• The monitoring application for Ethernet OAM is initiated in the master Routing Engine.
When a stateful switchover process occurs, the monitoring application is disabled. For
on-demand ETH-SLM, graceful Routing Engine switchover (GRES) support is not
applicable. For proactive ETH-SLM, the service-level agreement (SLA) iterators are
restored during a stateful switchover process. If the adjacencies do not time out, the
ETH-SLM statistics are preserved and proactive ETH-SLM supports GRES.
• ETH-SLM is initiated only when the MEP session is up. Unified in-service software
upgrade (ISSU) support for ETH-SLM depends on the unified ISSU support for CFM.
For CFM, unified ISSU is supported using the loss threshold TLV to avoid CFM
connectivity loss during the upgrade. The receiving or the destination MEP increases
the threshold time during the termination of sessions. If you start a unified ISSU
operation when on-demand ETH-SLM is in progress, the SLM request and reply
messages are lost at the local Packet Forwarding Engine.
• The maximum number of SLA iterator profiles that can be configured in the system is
255.
• ETH-SLM is not supported for virtual private LAN service (VPLS) (point-to-multipoint
measurements are not supported). The ETH-SLM frames are not generated with
multicast class 1 destination address. Similarly, ETH-SLM does not respond to ETH-SLM
requests with multicast DA. ETH-SLM for VPLS for point-to-point Ethernet connection
is supported using directed unicast destination MAC addresses, although
point-to-multipoint topologies are not supported.
• The number of ETH-SLM sessions for proactive ETH-SLM that can be supported is
limited to the total number of iterators that can be supported in the system. This
limitation includes the iterator support for other measurement types such as loss,
statistical frame loss, and two-way delay. A new iterator type, SLM, is added to support
ETH-SLM. The total number of SLA iterators that you can configure in the system is
equal to the total number of iterations supported in the system.
• For on-demand SLM, the minimum period between two SLM requests is 100
milliseconds.
• For proactive SLM, the minimum period between two SLM requests is 10 milliseconds
for distributed mode and 100 milliseconds for non-distributed mode.
• ETH-SLM frames are always marked as drop-ineligible in compliance with the ITU-T
Y.1731 standard.
ETH-SLM measures near-end and far-end frame loss between two MEPs that are part
of the same MEG level. You can configure ETH-SLM to measure synthetic loss for both
upward-facing or upstream MEP and downward-facing or downstream MEP. This section
describes the following scenarios for the operation of ETH-SLM:
Consider another scenario in which a MEP is configured in the downstream direction and
service protection for a VPWS over MPLS is enabled by specifying a working path or
protect path on the MEP. Service protection provides end-to-end connection protection
of the working path in the event of a failure. To configure service protection, you must
create two separate transport paths—a working path and a protect path. You can specify
the working path and protect path by creating two maintenance associations. To associate
the maintenance association with a path, you must configure the MEP interface in the
maintenance association and specify the path as working or protect.
Action • To display the on-demand ETH-SLM statistics collected for MEPs belonging to
maintenance association ma1 within maintenance domain md1:
• To display the on-demand ETH-SLM statistics collected for ETH-SLM sessions for the
local MEP 201 belonging to maintenance association ma2 within maintenance
domain md2:
• To display the on-demand ETH-SLM statistics collected for ETH-SLM sessions from
local MEPs belonging to maintenance association ma3 within maintenance domain md3
to the remote MEP 302:
Meaning The output displays on-demand ETH-SLM statistics for MEPs in the specified maintenance
association within the specified maintenance domain. For details about the output of
this command and the descriptions of the output fields, see show oam ethernet
connectivity-fault-management synthetic-loss-statistics.
Action • To display the on-demand ETH-SLM statistics and ETH-SLM frame counts for MEPs
in maintenance association ma1 within maintenance domain md1:
• To display the on-demand ETH-SLM statistics and ETH-SLM frame counts for the
local MEP 201 in maintenance association ma2 within maintenance domain md2:
• To display the on-demand ETH-SLM statistics and ETH-SLM frame counts for the
local MEP in maintenance association ma3 within maintenance domain md3 that
participates in an ETH-SLM session with the remote MEP 302:
Meaning The output displays on-demand ETH-SLM statistics and ETH-SLM frame counts for
MEPs in the specified maintenance association within the specified maintenance domain.
For details about the output of this command and the descriptions of the output fields,
see show oam ethernet connectivity-fault-management mep-statistics.
Purpose Display on-demand ETH-SLM frame counts for CFM maintenance association end points
(MEPs).
NOTE: At the router attached to the initiator MEP for a one-way session, or
at the router attached to the receiver MEP for a two-way session, you can
only display the ETH-SLM frame counts and not the MEP database details.
Action • To display CFM database information (including ETH-SLM frame counts) for all MEPs
in MA ma1 within maintenance domain md1:
• To display CFM database information (including ETH-SLM frame counts) only for the
local MEP 201 in MA ma1 within maintenance domain md1:
• To display CFM database information (including ETH-SLM frame counts) only for the
remote MEP 302 in MA ma3 within maintenance domain md3:
Meaning The output displays ETH-SLM frame counts for MEPs within a particular maintenance
domain, or for a specific local or remote MEP. For details about the output of this
command and the descriptions of the output fields, see show oam ethernet
connectivity-fault-management mep-database.
Purpose Display on-demand ETH-SLM frame counts for CFM maintenance association end points
(MEPs).
NOTE: At the router attached to the initiator MEP, you can only display the
ETH-SLM frame counts and not the MEP database details.
Action • To display CFM database information (including ETH-SLM frame counts) for all MEPs
attached to CFM-enabled Ethernet interfaces on the router:
• To display CFM database information (including ETH-SLM frame counts) only for the
MEPs attached to CFM-enabled router interface ge-5/2/9.0:
• To display CFM database information (including ETH-SLM frame counts) only for
MEPs enclosed within CFM maintenance domains at level 6:
Meaning The output displays ETH-SLM frame counts for MEPs for the specified interface. For
details about the output of this command and the descriptions of the output fields, see
show oam ethernet connectivity-fault-management interfaces.
Purpose Clear the on-demand ETH-SLM statistics and ETH-SLM frame counts.
By default, statistics and frame counts are deleted for all MEPs attached to CFM-enabled
interfaces on the router. However, you can filter the scope of the command by specifying
an interface name.
Action • To clear the on-demand ETH-SLM statistics and ETH-SLM frame counts for all MEPs
attached to CFM-enabled interfaces on the router:
• To clear the on-demand ETH-SLM statistics and ETH-SLM frame counts only for MEPs
attached to the logical interface ge-0/5.9.0:
Purpose Clear the existing iterator statistics and proactive ETH-SLM counters.
Multiple iterators can be associated with remote MEP. However, by default, only one
result pertaining to one iterator profile can be cleared.
Action • To clear the iterator statistics for remote MEP 1 and iterator profile i1 with MEPs
belonging to the maintenance association ma1 within the maintenance domain
default-1:
• To clear the iterator statistics for remote MEP 1 and iterator profile i2 with MEPs
belonging to the maintenance association ma1 within the maintenance domain default-1:
To start a proactive Ethernet synthetic loss measurement (ETH-SLM) session, you must
configure the Ethernet interfaces on maintenance association end points (MEPs) on
which packets transmitted with synthetic frame loss need to be analyzed. You must then
create an iterator profile to transmit service-level agreement (SLA) measurement packets
for ETH-SLM and associate the local and remote MEPs with the profile.
[edit interfaces]
interface {
ethernet-interface-name {
vlan-tagging;
unit logical-unit-number {
vlan-id vlan-id; # Both interfaces on this VLAN
}
}
}
2. On each router, attach peer MEPs to the two interfaces. The following configuration
is typical:
[edit protocols]
oam {
ethernet {
connectivity-fault-management {
maintenance-domain md-name { # On both routers
level number;
maintenance-association ma-name { # On both routers
continuity-check {
interval 100ms;
hold-interval 1;
}
mep mep-id { # Attach to VLAN interface
auto-discovery;
direction (up | down);
interface interface-name;
priority number;
}
}
}
}
}
}
NOTE: ACX5048 and ACX5096 routers supports iterator cycle time of only
1 second and above.
[edit]
user@host# edit protocols oam ethernet connectivity-fault-management
performance-monitoring
4. (Optional) Configure the cycle time, which is the amount of time (in milliseconds)
between back-to-back transmission of SLA frames for one connection, with a value
from 10 through 3,600,000. The default value is 1000 ms.
5. (Optional) Configure the iteration period, which indicates the maximum number of
cycles per iteration (the number of connections registered to an iterator cannot exceed
this value), with a value from 1 through 2000. The default value is 2000.
7. Configure the disable statement to stop the iterator (that is, disable the iterator profile).
4. (Optional) Set the size of the data TLV portion of the Y.1731 data frame with a value
from 1 through 1400 bytes. The default value is 1.
5. (Optional) Set the iteration count, which indicates the number of iterations for which
this connection should partake in the iterator for acquiring SLA measurements, with
a value from 1 through 65,535. The default value is 0 (that is, infinite iterations).
6. (Optional) Set the priority, which is the vlan-pcp value that is sent in the Y.1731 data
frames, with a value from 0 through 7. The default value is 0.
For example:
space limits. The allocation of TCAM resources for various filter applications are statically
distributed. This static allocation leads to inefficient utilization of TCAM resources when
all the filter applications might not use this TCAM resource simultaneously.
The dynamic allocation of TCAM space in ACX routers efficiently allocates the available
TCAM resources for various filter applications. In the dynamic TCAM model, various filter
applications (such as inet-firewall, bridge-firewall, cfm-filters, etc.) can optimally utilize
the available TCAM resources as and when required. Dynamic TCAM resource allocation
is usage driven and is dynamically allocated for filter applications on a need basis. When
a filter application no longer uses the TCAM space, the resource is freed and available
for use by other applications. This dynamic TCAM model caters to higher scale of TCAM
resource utilization based on application’s demand.
• Implicit filter—Routing Engine (RE) demons using filters to achieve its functionality.
For example, connectivity fault management, IP MAC validation, etc.
• Dynamic filters—Applications using filters to achieve the functionality at the PFE level.
For example, logical interface level fixed classifier, RFC 2544, etc. RE demons will not
know about these filters.
• System-init filters—Filters that require entries at the system level or fixed set of entries
at router's boot sequence. For example, Layer 2 and Layer 3 control protocol trap,
default ARP policer, etc.
NOTE: The System-init filter which has the applications for Layer 2 and
Layer 3 control protocols trap is essential for the overall system
functionality. The applications in this control group consume a fixed and
minimal TCAM space from the overall TCAM space. The system-init filter
will not use the dynamic TCAM infrastructure and will be created when the
router is initialized during the boot sequence.
Table 82 on page 1159 describes the list of tcam-apps that use TCAM resources.
cfm-vpls-ifl-filter Connectivity fault management implicit vpls logical interface filters Ingress
ing-out-iff Ingress application on behalf of egress family filter for log and syslog Ingress
mac-drop-cnt Statistics for drops by MAC validate and source MAC filters Ingress
napt-reverse-fil Reverse filters for network address port translation (NAPT) service Ingress
Table 83 on page 1161 summarizes the command-line interface (CLI) commands you can
use to monitor and troubleshoot dynamic TCAM resource usage.
Table 83: Show and Clear Commands to Monitor and Troubleshoot Dynamic TCAM
Task Command
Display the shared and the related applications for a particular application show pfe tcam app
Display the TCAM resource usage for an application and stages (egress, ingress, and show pfe tcam usage
pre-ingress)
Display the TCAM resource usage errors for applications and stages (egress, ingress, show pfe tcam errors
and pre-ingress)
Clears the TCAM resource usage error statistics for applications and stages (egress, clear pfe tcam-errors
ingress, and pre-ingress)
• Each bridge domain has one UNI and one NNI interface
• Multifield classifier with four terms to assign forwarding class and loss-priority.
Let us consider a scenario where there are 100 services configured on the router. With
this scale, all the applications are configured successfully and the status shows OK state.
To view the TCAM resource usage for all stages (egress, ingress, and pre-ingress), use
the show pfe tcam usage all-tcam-stages detail command.
For example, add 20 more services on the router, thereby increasing the total number
of services to 120. After adding more services, you can check the status of the
configuration by verifying either the syslog message using the command show log
messages, or by running the show pfe tcam errors command.
The following is a sample syslog message output showing the TCAM resource shortage
for Ethernet-switching family filters for newer configurations by running the show log
messages CLI command.
If you use the show pfe tcam errors all-tcam-stages detail CLI command to verify the
status of the configuration, the output will be as shown below:
---------------------------
Free [hw-grps: 3 out of 3]
No dynamic tcam usage
The output indicates that the fw-l2-in application is running out of TCAM resources
and moves into a FAILED state. Although there are two TCAM slices available at the
ingress stage, the fw-l2-in application is not able to use the available TCAM space
due to its mode (DOUBLE), resulting in resource shortage failure.
3. Fixing the applications that have failed due to the shortage of TCAM resouces.
The fw-l2-in application failed because of adding more number of services on the
routers, which resulted in shortage of TCAM resources. Although other applications
seems to work fine, it is recommended to deactivate or remove the newly added
services so that the fw-l2-in application moves to an OK state. After removing or
deactivating the newly added services, you need to run the show pfe tcam usage and
show pfe tcam error commands to verify that there are no more applications in failed
state.
To view the TCAM resource usage for all stages (egress, ingress, and pre-ingress), use
the show pfe tcam usage all-tcam-stages detail command.
-----------------------------------------------------------------
fw-l2-in 500 500 0 2 OK
fw-semantics 0 X X 1 OK
To view TCAM resource usage errors for all stages (egress, ingress, and pre-ingress),
use the show pfe tcam errors all-tcam-stages command.
You can see that all the applications using the TCAM resources are in OK state and
indicates that the hardware has been successfully configured.
NOTE: As shown in the example, you will need to run the show pfe tcam errors
and show pfe tcam usage commands at each step to ensure that your
configurations are valid and that the applications using TCAM resource are
in OK state.
In ACX5048 and ACX5096 routers, a typical service (such as ELINE, ELAN and IP VPN)
that is deployed might require applications (such as policers, firewall filters, connectivity
fault management IEEE 802.1ag, RFC2544) that uses the dynamic TCAM infrastructure.
NOTE: Service applications that uses TCAM resources is limited by the TCAM
resource availability. Therefore, the scale of the service depends upon the
consumption of the TCAM resource by such applications.
A sample use case for monitoring and troubleshooting service scale in ACX5048 and
ACX5096 routers can be found at the “Dynamic Ternary Content Addressable Memory
Overview” on page 1157 section.
Related
Documentation
The Layer 2 Next Generation mode, also called Enhanced Layer 2 Software (ELS), is
supported on ACX5048 and ACX5096 routers for configuring Layer 2 features. The Layer
2 CLI configurations and show commands for ACX5048 and ACX5096 routers differ
from those for other ACX Series routers (ACX1000, ACX1100, ACX2000, ACX2100,
ACX2200, and ACX4000) and MX Series routers.
For more information about Enhanced Layer 2 Software, see Getting Started with Enhanced
Layer 2 Software.
Table 84 on page 1167 shows the differences in CLI hierarchy for configuring Layer 2 features
in Layer 2 next generation mode.
Table 84: Differences in CLI Hierarchy for Layer 2 Features in Layer 2 Next Generation Mode
ACX1000, ACX1100, ACX2000, ACX2100,
Feature ACX2200, ACX4000, and MX Series Routers ACX5048 and ACX5096 Routers
Family bridge [edit interfaces interface-name unit unit-number [edit interfaces interface-name unit
family bridge] unit-number family ethernet-switching]
Table 84: Differences in CLI Hierarchy for Layer 2 Features in Layer 2 Next Generation
Mode (continued)
ACX1000, ACX1100, ACX2000, ACX2100,
Feature ACX2200, ACX4000, and MX Series Routers ACX5048 and ACX5096 Routers
Ethernet options [edit interfaces interface-name gigether-options] [edit interfaces interface-name ether-options]
Integrated routing and [edit bridge-domains bridge-domain-name] [edit vlans vlan-name] l3-interface irb.unit;
bridging (IRB) routing-interface irb.unit;
Internet Group Management [edit bridge-domains bridge-domain-name [edit protocols igmp-snooping vlan
Protocol (IGMP) snooping protocols igmp-snooping] vlan-name]
Family bridge firewall filter [edit firewall family bridge] [edit firewall family ethernet-switching]
Table 85 on page 1168 shows the differences in show commands for Layer 2 features in
Layer 2 next generation mode.
Table 85: Differences in show Commands for Layer 2 Features in Layer 2 Next Generation Mode
ACX1000, ACX1100, ACX2000, ACX2100,
Feature ACX2200, ACX4000, and MX Series Routers ACX5048 and ACX5096 Routers
Switch port listing with VLAN show l2-learning interface show ethernet-switching interfaces
assignments
Kernel state of flush database show route forwarding-table family bridge show route forwarding-table family
ethernet-switching
• Using the Unified Forwarding Table to Optimize Address Storage on page 1169
• Configuring the Unified Forwarding Table to Optimize Address Storage Using
Profiles on page 1170
• MAC addresses
Table 86 on page 1169 illustrates the predefined profiles in the unified forwarding table
and the respective table sizes.
l2-profile-one 288 KB 16 KB 16 KB
l2-profile-two 224 KB 80 KB 16 KB
l3-profile 96 KB 208 KB 16 KB
lpm-profile 32 KB 16 KB 128 KB
IPv4 unicast, IPv6 unicast, IPv4 multicast, and IPv6 multicast route addresses share the
Layer 3 host entry table. If the host table stores the maximum number of entries for any
given type, the entire table is full and is unable to accommodate any entries of any other
type. The IPv4 multicast and IPv6 unicast addresses occupy double the space as that
occupied by IPv4 unicast entries, and IPv6 multicast addresses occupy four times the
space of the IPv4 unicast addresses. Table 87 on page 1170 shows the Layer 3 host table
size for each profile.
l2-profile-one 16 KB 8 KB 8 KB 4 KB
l2-profile-two 80 KB 40 KB 40 KB 20 KB
lpm-profile 16 KB 8 KB 8 KB 4 KB
The Layer 3 LPM table is shared between IPv4 route prefixes and IPv6 route prefixes.
Table 88 on page 1170 illustrates the size of the table for different profiles of the IPv4 and
IPv4 addresses in the Layer 3 LPM table. When unicast reverse-path forwarding (unicast
RPF) is enabled, the table size reduces to half.
Profile IPv4 Unicast IPv6 Unicast (Prefix <= /64) IPv6 Unicast (Prefix > /64)
l2-profile-one 16 KB 8 KB 4 KB
l2-profile-two 16 KB 8 KB 4 KB
l2-profile-three (default) 16 KB 8 KB 4 KB
l3-profile 16 KB 8 KB 4 KB
lpm-profile 128 KB 40 KB 8 KB
By default, there is no space allocated for IPv6 prefix address longer than /64 in the LPM
table. Therefore, prefix address longer than /64 are not allowed in the table by default.
The entire table is available for IPv4 addresses and for IPv6 addresses that have prefixes
shorter than /64. You can provide space in the table for addresses with prefixes longer
than /64 by using CLI configuration. The number of entries reserved for these prefixes is
configured in multiples of 16.
Configuring the Unified Forwarding Table to Optimize Address Storage Using Profiles
You can use five predefined profiles (l2-profile-one, l2-profile-two, l2-profile-three,
l3-profile, lpm-profile) to allocate the table memory space. The sizes of the Layer 2 MAC
address table, Layer 3 host entry table, and Layer 3 LPM table are decided based on the
selected profile. You can configure and select the profiles that best suits your network
environment needs.
To configure the profile that you want, enter and commit the following statement:
[edit]
user@host# set chassis forwarding-options profile-name profile-name
NOTE: When you configure and commit a profile, the Packet Forwarding
Engine (PFE) process restarts and all the data interfaces on the router go
down and come back up.
The settings for l2-profile-three are configured by default. That is, if you do not configure
the forwarding–options chassis profile-name statement, the l2-profile-three profile settings
are configured.
Junos OS supports the generation of SNMP traps and alarms for performance monitoring
(PM) functionalities using MIB objects to manage Service Operations, Administration,
and Maintenance (OAM) capabilities that are in conformance with the service OAM
requirements and framework specified by Metro Ethernet Forum (MEF) 17, service OAM
performance monitoring requirements defined by SOAM-PM, and the service OAM
management objects specified in Technical Specification MEF 7.1. Junos OS supports an
enterprise-specific MIB, SOAM PM MIB, that defines the management objects for Ethernet
services operations, administration, and maintenance for performance monitoring. SNMP
support is available for the MIB objects defined in Technical Specification MEF 36.
The jnxSoamLmCfgTable includes configuration objects and operations for the frame
loss measurement function defined in [Y.1731] and [MEF SOAM-PM]. Each row in the
table represents a Loss Measurement session for the defined MEP. This table uses four
indices. The first three indices are the indices of the Maintenance Domain, MaNet, and
MEP tables. The fourth index is the specific LM session on the selected MEP. A Loss
Measurement session is created on an existing MEP by first accessing the
jnxSoamPmMepOperNextIndex object and using this value as the jnxSoamLmCfgIndex
in the row creation.
Some writable objects in this table are only applicable in certain cases (as described
under each object), and attempts to write values for them in other cases will be ignored.
The writable objects in this table need to be persistent upon reboot or restart of a device..
jnxSoamLmCfgVersion JnxSoamLmCfgEntry Indicates the version of the PDUs used to perform Loss
3 Measurement.
jnxSoamLmCfgMeasurementEnable JnxSoamLmCfgEntry
5
jnxSoamLmHistoryStatsBackwardAvgFlr counters.
• bSoamPdusSent (10)—Enables or disables the
jnxSoamLmCurrentStatsSoamPdusSent and
jnxSoamLmHistoryStatsSoamPdusSent counters.
• bSoamPdusReceivedbReceivedMeasurements
(11)—Enables or disables the
jnxSoamLmCurrentStatsSoamPdusReceived and
jnxSoamLmHistoryStatsSoamPdusReceived counters.
• bMeasuredStatsForwardMeasuredFlr(26)—Enables or
disables the jnxSoamLmMeasuredStatsForwardFlr
counter.
• bMeasuredStatsBackwardMeasuredFlr(27)— Enables
or disables the jnxSoamLmMeasuredStatsBackwardFlr
counter.
This object is only valid for the entity transmitting the Loss
Measurement frames, type 'lmSlm', and is ignored by the
entity receiving frames. It is not applicable for the 'lmCcm'
or 'lmLmm' types.
jnxSoamLmCfgDataPattern JnxSoamLmCfgEntry Specifies the LM data pattern included in a Data TLV when
9 the size of the LM frame is determined by the
jnxSoamLmFrameSize object and
jnxoamLmTestTlvIncluded is 'false'.
If the frame size object does not define the LM frame size
or jnxSoamLmTestTlvIncluded is 'true' the value of this
object is ignored.
jnxSoamLmCfgTestTlvIncluded JnxSoamLmCfgEntry Indicates whether a Test TLV or Data TLV is included when
10 the size of the LM frame is determined by the
jnxSoamLmFrameSize object.
If the frame size object does not define the LM frame size
the value of this object is ignored.
If the frame size object does not define the LM frame size
or jnxSoamLmTestTlvIncluded is 'false' the value of this
object is ignored.
This object is only valid for the entity transmitting the Loss
Measurement frames, types 'lmLmm' and 'lmSlm'. It is
not applicable for the 'lmCcm' type.
jnxSoamLmCfgDestIsMepId JnxSoamLmCfgEntry Specifies whether the MEP ID or the MAC address of the
14 destination MEP is used for SOAM LM frame transmission.
This object is only valid for the entity transmitting the Loss
Measurement frames, types 'lmLmm' and 'lmSlm'. It is
not applicable for the 'lmCcm' type.
jnxSoamLmCfgStartTimeType JnxSoamLmCfgEntry Specifies the type of start time of the SOAM LM session.
15 The start time can be disabled (none), immediate, relative,
or fixed.
jnxSoamLmCfgFixedStartDateAndTime JnxSoamLmCfgEntry Specifies the fixed start date/time for the SOAM Loss
16 Measurement session. This object is used only used if
jnxSoamLmStartTimeType is 'fixed' and is ignored
otherwise.
The default value is year 0000, month 01, day 01, time
00:00:00.00.
jnxSoamLmCfgRelativeStartTime JnxSoamLmCfgEntry Specifies the relative start time, from the current system
17 time, for the SOAM LM session. This object is used only if
jnxSoamLmStartTimeType is 'relative' and is ignored
otherwise.
jnxSoamLmCfgAlignMeasurementIntervals JnxSoamLmCfgEntry Specifies whether the Measurement Intervals for the Loss
19 Measurement session are aligned with a zero offset to real
time.
jnxSoamLmCfgAlignMeasurementOffset JnxSoamLmCfgEntry Specifies the offset in minutes from the time of day value
20 if jnxSoamLmCfgAlignMeasurementIntervals is 'true' and
the repetition time is a factor of 60 minutes. If not, the
value of this object is ignored.
jnxSoamLmCfgRowStatus JnxSoamLmCfgEntry Specifies the status of the row. The writable columns in
24 a row cannot be changed if the row is active, except for
jnxSoamLmCfgHistoryClear and jnxSoamLmCfgEnabled
objects. All columns must have a valid value before a row
can be activated.
The jnxSoamLmMeasuredStatsTable contains the last measured results for a SOAM Loss
Measurement session. Each row in the table represents a Loss Measurement session for
the defined MEP. This table uses four indices. The first three indices are the indices of
the Maintenance Domain, MaNet, and MEP tables. The fourth index is the specific LM
session on the selected MEP. Instances of this managed object are created automatically
by the SNMP Agent when the Loss Measurement session is running. Each object in this
table applies only if the corresponding bit is set in jnxSoamLmCfgMeasurementEnable.
The objects in this table do not need to be persistent upon reboot or restart of a device.
jnxSoamLmMeasuredStatsForwardFlr jnxSoamLmMeasuredStatsEntry Contains the last frame loss ratio in the forward
1 direction calculated by this MEP. The FLR value
is a ratio that is expressed as a percent with a
value of 0 (ratio 0.00) through 100000 (ratio
1.00). Units are in milli-percent, where 1 indicates
0.001 percent.
jnxSoamLmMeasuredStatsBackwardFlr jnxSoamLmMeasuredStatsEntry Contains the last frame loss ratio in the backward
2 direction calculated by this MEP. The FLR value
is a ratio that is expressed as a percent with a
value of 0 (ratio 0.00) through 100000 (ratio
1.00). Units are in milli-percent, where 1 indicates
0.001 percent.
The jnxSoamDmCfgTable includes configuration objects and operations for the Delay
Measurement function. Each row in the table represents a Delay Measurement session
for the defined MEP. This table uses four indices. The first three indices are the indices
of the Maintenance Domain, MaNet, and MEP tables. The fourth index is the specific DM
session on the selected MEP. A Delay Measurement session is created on an existing
MEP by first accessing the jnxSoamDmOperNextIndex object and using this value as the
jnxSoamDmCfgIndex in the row creation. Some writable objects in this table are only
applicable in certain cases(as described under each object), and attempts to write values
for them in other cases will be ignored. The writable objects in this table need to be
persistent upon reboot or restart of a device.
jnxSoamPmMepOperNextIndex needs to be
inspected to find an available index for
row-creation.
jnxSoamDmCfgMeasurementEnable jnxSoamDmCfgEntry 5
bSoamPdusSent(0)—Enables or disables
the jnxSoamDmCurrentStatsSoamPdusSent
and
jnxSoamDmHistoryStatsSoamPdusSent
counters.
bSoamPdusReceived(1)—Enables or
disables the
jnxSoamDmCurrentStatsSoamPdusReceived
and
jnxSoamDmHistoryStatsSoamPdusReceived
counters.
bFrameDelayTwoWayBins(2)—Enables or
disables the
jnxSoamDmCurrentStatsBinsEntry counter
and the jnxSoamDmHistoryStatsBinsEntry
counter when the
jnxSoamDmCfgMeasBinType is
'twoWayFrameDelay'.
bFrameDelayTwoWayMin(3)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayTwoWayMin
and
jnxSoamDmHistoryStatsFrameDelayTwoWayMin
counters.
bFrameDelayTwoWayMax(4)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayTwoWayMax
and
jnxSoamDmHistoryStatsFrameDelayTwoWayMax
counters.
bFrameDelayTwoWayAvg(5)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayTwoWayAvg
and
jnxSoamDmHistoryStatsFrameDelayTwoWayAvg
counters.
bFrameDelayForwardBins(6)—Enables or
disables the
jnxSoamDmCurrentStatsBinsEntry counter
and the jnxSoamDmHistoryStatsBinsEntry
counter when the
jnxSoamDmCfgMeasBinType is
'forwardFrameDelay'.
bFrameDelayForwardMin(7)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayForwardMin
and
jnxSoamDmHistoryStatsFrameDelayForwardMin
counters.
bFrameDelayForwardMax(8)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayForwardMax
and
jnxSoamDmHistoryStatsFrameDelayForwardMax
counters.
bFrameDelayForwardAvg(9)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayForwardAvg
and
jnxSoamDmHistoryStatsFrameDelayForwardAvg
counters.
bFrameDelayBackwardBins(10)—Enables
or disables the
jnxSoamDmCurrentStatsBinsEntry counter
and the jnxSoamDmHistoryStatsBinsEntry
counter when the
jnxSoamDmCfgMeasBinType is
'backwardFrameDelay'.
bFrameDelayBackwardMin(11)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayBackwardMin
and
jnxSoamDmHistoryStatsFrameDelayBackwardMin
counters.
bFrameDelayBackwardMax(12)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayBackwardMax
and
jnxSoamDmHistoryStatsFrameDelayBackwardMax
counters.
bFrameDelayBackwardAvg(13)—Enables or
disables the
jnxSoamDmCurrentStatsFrameDelayBackwardAvg
and
jnxSoamDmHistoryStatsFrameDelayBackwardAvg
counters.
bIfdvForwardBins(14)—Enables or disables
the jnxSoamDmCurrentStatsBinsEntry
counter and the
jnxSoamDmHistoryStatsBinsEntry counter
when the jnxSoamDmCfgMeasBinType is
'forwardIfdv'.
bIfdvForwardMin(15)—Enables or disables
the jnxSoamDmCurrentStatsIfdvForwardMin
and jnxSoamDmHistoryStatsIfdvForwardMin
counters.
bIfdvForwardMax(16)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvForwardMax
and
jnxSoamDmHistoryStatsIfdvForwardMax
counters.
bIfdvForwardAvg(17)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvForwardAvg
and
jnxSoamDmHistoryStatsIfdvForwardAvg
counters.
bIfdvBackwardBins(18)—Enables or disables
the jnxSoamDmCurrentStatsBinsEntry
counter and the
jnxSoamDmHistoryStatsBinsEntry counter
when the jnxSoamDmCfgMeasBinType is
'backwardIfdv'.
bIfdvBackwardMin(19)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvBackwardMin
and
jnxSoamDmHistoryStatsIfdvBackwardMin
counters.
bIfdvBackwardMax(20)—Enables or
disables the
jnxSoamDmCurrentStatsIfdvBackwardMax
and
jnxSoamDmHistoryStatsIfdvBackwardMax
counters.
bIfdvBackwardAvg(21)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvBackwardAvg
and
jnxSoamDmHistoryStatsIfdvBackwardAvg
counters.
bIfdvTwoWayBins(22)—Enables or disables
the jnxSoamDmCurrentStatsBinsEntry
counter and the
jnxSoamDmHistoryStatsBinsEntry counter
when the jnxSoamDmCfgMeasBinType is
'twoWayIfdv'.
bIfdvTwoWayMin(23)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvTwoWayMin
and
jnxSoamDmHistoryStatsIfdvTwoWayMin
counters.
bIfdvTwoWayMax(24)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvTwoWayMax
and
jnxSoamDmHistoryStatsIfdvTwoWayMax
counters.
bIfdvTwoWayAvg(25)—Enables or disables
the
jnxSoamDmCurrentStatsIfdvTwoWayAvg
and
jnxSoamDmHistoryStatsIfdvTwoWayAvg
counters.
bFrameDelayRangeForwardBins(26)—Enables
or disables the
jnxSoamDmCurrentStatsBinsEntry counter
and the jnxSoamDmHistoryStatsBinsEntry
counter when the
jnxSoamDmCfgMeasBinType is
'forwardFrameDelayRange'.
bFrameDelayRangeForwardMax(27)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayRangeForwardMax
and
jnxSoamDmHistoryStatsFrameDelayRangeForwardMax
counters.
bFrameDelayRangeForwardAvg(28)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayRangeForwardAvg
and
jnxSoamDmHistoryStatsFrameDelayRangeForwardAvg
counters.
bFrameDelayRangeBackwardBins(29)—Enables
or disables the
jnxSoamDmCurrentStatsBinsEntry counter
and the jnxSoamDmHistoryStatsBinsEntry
counter when the
jnxSoamDmCfgMeasBinType is
'backwardFrameDelayRange'.
bFrameDelayRangeBackwardMax(30)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayRangeBackwardMax
and
jnxSoamDmHistoryStatsFrameDelayRangeBackwardMax
counters.
bFrameDelayRangeBackwardAvg(31)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayRangeBackwardAvg
and
jnxSoamDmHistoryStatsFrameDelayRangeBackwardAvg
counters.
bFrameDelayRangeTwoWayBins(32)—Enables
or disables the
jnxSoamDmCurrentStatsBinsEntry counter
and the jnxSoamDmHistoryStatsBinsEntry
counter when the
jnxSoamDmCfgMeasBinType is
'twoWayFrameDelayRange'.
bFrameDelayRangeTwoWayMax(33)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayRangeTwoWayMax
and
jnxSoamDmHistoryStatsFrameDelayRangeTwoWayMax
counters.
bFrameDelayRangeTwoWayAvg(34)—Enables
or disables the
jnxSoamDmCurrentStatsFrameDelayRangeTwoWayAvg
and
jnxSoamDmHistoryStatsFrameDelayRangeTwoWayAvg
counters.
bMeasuredStatsFrameDelayTwoWay(35)—Enables
or disables the
jnxSoamDmMeasuredStatsFrameDelayTwoWay
counter.
bMeasuredStatsFrameDelayForward(36)—Enables
or disables the
jnxSoamDmMeasuredStatsFrameDelayForward
counter.
bMeasuredStatsFrameDelayBackward(37)—Enables
or disables the
jnxSoamDmMeasuredStatsFrameDelayBackward
counter.
bMeasuredStatsIfdvTwoWay(38)—Enables
or disables the
jnxSoamDmMeasuredStatsIfdvTwoWay
counter.
bMeasuredStatsIfdvForward(39)—Enables
or disables the
jnxSoamDmMeasuredStatsIfdvForward
counter.
bMeasuredStatsIfdvBackward(40)—Enables
or disables the
jnxSoamDmMeasuredStatsIfdvBackward
counter.
jnxSoamLmThresholdCfgEnable jnxSoamLmThresholdCfgEntry 2
bJnxSoamLmMeasuredFlrForwardThreshold(0)—Enables
or disables measured frame loss forward
ratio threshold notification. The
notification is sent immediately when the
jnxSoamLmMeasuredStatsForwardFlr
value is greater than or equal to the
threshold value.
bJnxSoamLmMaxFlrForwardThreshold(1)—Enables
or disables maximum frame loss forward
ratio threshold notification. The
notification is sent immediately when the
jnxSoamLmCurrentStatsForwardMaxFlr
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamLmAvgFlrForwardThreshold(2)—Enables
or disables average frame loss forward
ratio threshold notification. The
notification is sent when at the end of a
Measurement Interval if the
jnxSoamLmCurrentStatsForwardAvgFlr
value is greater than or equal to the
threshold value.
bJnxSoamLmMeasuredFlrBackwardThreshold(3)—Enables
or disables measured frame loss
backward ratio threshold notification.
The notification is sent immediately when
the
jnxSoamLmMeasuredStatsBackwardFlr
value is greater than or equal to the
threshold value.
bJnxSoamLmMaxFlrBackwardThreshold(4)—Enables
or disables maximum frame loss
backward ratio threshold notification.
The notification is sent immediately when
the
jnxSoamLmCurrentStatsBackwardMaxFlr
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamLmAvgFlrBackwardThreshold(5)—Enables
or disables average frame loss backward
set to '1' and the selected threshold measurement is to have a threshold value configured.
Non-configured threshold measurements are disabled by default. The writable objects
in this table need to be persistent upon reboot or restart of a device.
jnxSoamDmThresholdCfgEnable jnxSoamDmThresholdCfgEntry 2
bJnxSoamDmMeasuredFrameDelayTwoWayThreshold(0)—Enables
or disables measured frame two-way
delay threshold notification. The
notification is sent immediately when the
jnxSoamDmMeasuredStatsFrameDelayTwoWay
value is greater than or equal to threshold
value.
bJnxSoamDmMaxFrameDelayTwoWayThreshold(1)—Enables
or disables maximum frame two-way
delay threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsFrameDelayTwoWayMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgFrameDelayTwoWayThreshold(2)—Enables
or disables average frame two-way delay
threshold notification. The notification is
sent when at the end of a Measurement
Interval if the
jnxSoamDmCurrentStatsFrameDelayTwoWayAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMeasuredIfdvTwoWayThreshold(3)—Enables
or disables measured frame IFDV
two-way threshold notification. The
notification is sent immediately when the
jnxSoamDmMeasuredStatsIfdvTwoWay
value is greater than or equal to threshold
value.
bJnxSoamDmMaxIfdvTwoWayThreshold(4)—Enables
or disables maximum frame IFDV
two-way threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsIfdvTwoWayMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgIfdvTwoWayThreshold(5)—Enables
or disables average frame IFDV two-way
threshold notification. The notification is
sent when at the end of a Measurement
Interval if the
jnxSoamDmCurrentStatsIfdvTwoWayAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMaxFrameDelayRangeTwoWayThreshold(6)—Enables
or disables maximum Frame Delay Range
two-way threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsFrameDelayRangeTwoWayMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgFrameDelayRangeTwoWayThreshold(7)—Enables
or disables average Frame Delay Range
two-way threshold notification. The
notification is sent when at the end of a
Measurement Interval if the
jnxSoamDmCurrentStatsFrameDelayRangeTwoWayAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMeasuredFrameDelayForwardThreshold(8)—Enables
or disables measured forward frame
delay threshold notification. The
notification is sent immediately when the
jnxSoamDmMeasuredStatsFrameDelayForward
value is greater than or equal to threshold
value.
bJnxSoamDmMaxFrameDelayForwardThreshold(9)—Enables
or disables maximum forward frame
delay threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsFrameDelayForwardMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgFrameDelayForwardThreshold(10)—Enables
or disables average forward frame delay
threshold notification. The notification is
sent when at the end of a Measurement
Interval if the
jnxSoamDmCurrentStatsFrameDelayForwardAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMeasuredIfdvForwardThreshold(11)—Enables
or disables measured frame IFDV forward
threshold notification. The notification is
sent immediately when the
jnxSoamDmMeasuredStatsIfdvForward
value is greater than or equal to threshold
value.
bJnxSoamDmMaxIfdvForwardThreshold(12)—Enables
or disables maximum frame IFDV forward
threshold notification. The notification is
sent immediately when the
jnxSoamDmCurrentStatsIfdvForwardMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgIfdvForwardThreshold(13)—Enables
or disables average frame IFDV forward
threshold notification. The notification is
sent when at the end of a Measurement
Interval if the
jnxSoamDmCurrentStatsIfdvForwardAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMaxFrameDelayRangeForwardThreshold(14)—Enables
or disables maximum Frame Delay Range
forward threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsFrameDelayRangeForwardMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgFrameDelayRangeForwardThreshold(15)—Enables
or disables average Frame Delay Range
forward threshold notification. The
notification is sent when at the end of a
Measurement Interval if the
jnxSoamDmCurrentStatsFrameDelayRangeForwardAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMeasuredFrameDelayBackwardThreshold(16)—Enables
or disables measured backward frame
delay threshold notification. The
notification is sent immediately when the
jnxSoamDmMeasuredStatsFrameDelayBackward
value is greater than or equal to threshold
value.
bJnxSoamDmMaxFrameDelayBackwardThreshold(17)—Enables
or disables maximum backward frame
delay threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsFrameDelayBackwardMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgFrameDelayBackwardThreshold(18)—Enables
or disables average backward frame
delay threshold notification. The
notification is sent when at the end of a
Measurement Interval if the
jnxSoamDmCurrentStatsFrameDelayBackwardAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMeasuredIfdvBackwardThreshold(19)—Enables
or disables measured frame IFDV
backward threshold notification. The
notification is sent immediately when the
jnxSoamDmMeasuredStatsIfdvBackward
value is greater than or equal to threshold
value.
bJnxSoamDmMaxIfdvBackwardThreshold(20)—Enables
or disables maximum frame IFDV
backward threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsIfdvBackwardMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgIfdvBackwardThreshold(21)—Enables
or disables average frame IFDV backward
threshold notification. The notification is
sent when at the end of a Measurement
Interval if the
jnxSoamDmCurrentStatsIfdvBackwardAvg
value is greater than or equal to the
threshold value.
bJnxSoamDmMaxFrameDea
l yRangeBackwardThreshod
l (22)—Enabe
ls
or disables maximum Frame Delay Range
backward threshold notification. The
notification is sent immediately when the
jnxSoamDmCurrentStatsFrameDelayRangeBackwardMax
value is greater than or equal to threshold
value in a Measurement Interval.
bJnxSoamDmAvgFrameDelayRangeBackwardThreshod
l (23)—Enabe
ls
or disables average Frame Delay Range
backward threshold notification. The
notification is sent when at the end of a
Measurement Interval if the
jnxSoamDmCurrentStatsFrameDelayRangeBackwardAvg
value is greater than or equal to the
threshold value.
jnxSoamPmThresholdCrossingAlarm jnxSoamPmNotifications 3
"An jnxSoamPmThresholdCrossingAlarm
notification is sent if the following
conditions are met for a particular type.
For an aboveAlarm, the following five
conditions must be satisfied:
Introduction to VPLS
VPLS, in its implementation and configuration, has much in common with a Layer 2 VPN.
In VPLS, a packet originating within a service provider customer’s network is sent first to
a customer edge (CE) device (for example, a router or Ethernet switch). It is then sent
to a provider edge (PE) router within the service provider’s network. The packet traverses
the service provider’s network over a MPLS label-switched path (LSP). It arrives at the
egress PE router, which then forwards the traffic to the CE device at the destination
customer site.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
The difference is that for VPLS, packets can traverse the service provider’s network in
point-to-multipoint fashion, meaning that a packet originating from a CE device can be
broadcast to all the PE routers participating in a VPLS routing instance. In contrast, a
Layer 2 VPN forwards packets in point-to-point fashion only.
The paths carrying VPLS traffic between each PE router participating in a routing instance
are called pseudowires. The pseudowires are signaled using either BGP or LDP.
Virtual private LAN service (VPLS) allows you to provide a point-to-multipoint LAN
between a set of sites in a virtual private network (VPN).
To configure VPLS functionality, you must enable VPLS support on the provider edge
(PE) router. You must also configure PE routers to distribute routing information to the
other PE routers in the VPLS and configure the circuits between the PE routers and the
customer edge (CE) routers.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
Each VPLS is configured under a routing instance of type vpls. A vpls routing instance
can transparently carry Ethernet traffic across the service provider’s network. As with
other routing instances, all logical interfaces belonging to a VPLS routing instance are
listed under that instance.
Many configuration procedures for VPLS are identical to the procedures for Layer 2 VPNs
and Layer 3 VPNs.
Virtual private LAN service (VPLS) multihoming enables you to connect a customer site
to two or more PE routers to provide redundant connectivity. A redundant PE router can
provide network service to the customer site as soon as a failure is detected. VPLS
multihoming helps to maintain VPLS service and traffic forwarding to and from the
multihomed site in the event of the following types of network failures:
• PE router failure
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
Figure 63 on page 1237 illustrates how a CE device could be multihomed to two PE routers.
Device CE1 is multihomed to Routers PE1 and PE2. Device CE2 has two potential paths
to reach Device CE1, but only one path is active at any one time. If Router PE1 were the
designated VPLS edge (VE) device (also called a designated forwarder), BGP would
signal a pseudowire from Router PE3 to Router PE1. If a failure occurred over this path,
Router PE2 would be made the designated VE device, and BGP would re-signal the
pseudowire from Router PE3 to Router PE2.
Multihomed PE routers advertise network layer reachability information (NLRI) for the
multihomed site to the other PE routers in the VPLS network. The NLRI includes the site
ID for the multihomed PE routers. For all of the PE routers multihomed to the same CE
device, you need to configure the same site ID. The remote VPLS PE routers use the site
ID to determine where to forward traffic addressed to the customer site. To avoid route
collisions, the site ID shared by the multihomed PE routers must be different than the
site IDs configured on the remote PE routers in the VPLS network.
Although you configure the same site ID for each of the PE routers multihomed to the
same CE device, you can configure unique values for other parameters, such as the route
distinguisher. These values help to determine which multihomed PE router is selected
as the designated VE device to be used to reach the customer site.
Remote PE routers in the VPLS network need to determine which of the multihomed PE
routers should forward traffic to reach the CE device. To make this determination, remote
PE routers use the VPLS path-selection process to select one of the multihomed PE
routers based on its NLRI advertisement. Because remote PE routers pick only one of the
NLRI advertisements, it establishes a pseudowire to only one of the multihomed PE
routers, the PE router that originated the winning advertisement. This prevents multiple
paths from being created between sites in the network, preventing the formation of
Layer 2 loops. If the selected PE router fails, all PE routers in the network automatically
switch to the backup PE router and establish new pseudowires to it.
The PE routers run the BGP path selection procedure on locally originated and received
Layer 2 route advertisements to establish that the routes are suitable for advertisement
to other peers, such as BGP route reflectors. If a PE router in a VPLS network is also a
route reflector, the path selection process for the multihomed site has no effect on the
path selection process performed by this PE router for the purpose of reflecting Layer 2
routes. Layer 2 prefixes that have different route distinguishers are considered to have
different NLRIs for route reflection. The VPLS path selection process enables the route
reflector to reflect all routes that have different route distinguishers to the route reflector
clients, even though only one of these routes is used to create the VPLS pseudowire to
the multihomed site.
Junos OS supports VPLS multihoming for both FEC 128 and FEC 129. Support for FEC
129 is added in Junos OS Release 12.3.
vpls {
active-interface {
any;
primary interface-name;
}
connectivity-type (ce | irb | permanent);
control-word;
encapsulation-type encapsulation-type;
interface-mac-limit limit;
import-labeled-routes [ routing-instance-name ];
label-block-size size;
mac-table-aging-time time;
mac-table-size size;
neighbor neighbor-id;
no-control-word;
no-tunnel-services;
site site-name {
active-interface {
any;
primary interface-name;
}
interface interface-name {
interface-mac-limit limit;
}
mesh-group mesh-group-name;
multi-homing;
site-identifier identifier;
site-preference preference-value {
backup;
primary;
}
}
site-range number;
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>;
flag flag <flag-modifier> <disable>;
}
tunnel-services {
devices device-names;
primary primary-device-name;
}
vpls-id vpls-id;
}
NOTE: You cannot configure a routing protocol (OSPF, RIP, IS-IS or BGP)
inside a VPLS routing instance (instance-type vpls). The Junos CLI disallows
this configuration.
NOTE: Starting in Junos OS Release 16.1, you can use the import-labeled-routes
statement to specify one or more nondefault routing instances where you
want MPLS pseudowire labeled routes to be leaked from the mpls.0 path
routing table in the master routing instance.
The configuration for the VPLS routing instance statements is explained in the following
sections:
NOTE: You cannot configure both BGP signaling and LDP signaling for the
same VPLS routing instance. If you attempt to configure the statements that
enable BGP signaling for the VPLS routing instance (the site, site-identifier,
and site-range statements) and the statements that enable LDP signaling
for the same instance (the neighbor and vpls-id statements), the commit
operation fails.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
Configure BGP signaling for the VPLS routing instance by completing the steps in the
following sections:
• Configuring the VPLS Site Name and Site Identifier on page 1241
• Configuring Automatic Site Identifiers for VPLS on page 1242
• Configuring the Site Range on page 1243
• Configuring the VPLS Site Interfaces on page 1245
• Configuring the VPLS Site Preference on page 1245
When you configure BGP signaling for the VPLS routing instance, on each PE router you
must configure each VPLS site that has a connection to the PE router. All the Layer 2
circuits provisioned for a VPLS site are listed as the set of logical interfaces (using the
interface statement) within the site statement.
You must configure a site name and site identifier for each VPLS site.
To configure the site name and the site identifier, include the site and the site-identifier
statements:
site site-name {
interface interface-name {
interface-mac-limit limit;
}
site-identifier identifier;
}
The numerical identifier can be any number from 1 through 65,534 that uniquely identifies
the local VPLS site.
When you enable automatic site identifiers, the Junos OS automatically assigns site
identifiers to VPLS sites. To configure automatic site identifiers for a VPLS routing instance,
include the automatic-site-id statement:
automatic-site-id {
collision-detect-time seconds;
new-site-wait-time seconds;
reclaim-wait-time minimum seconds maximum seconds;
startup-wait-time seconds;
}
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
When you enable BGP signaling for each VPLS routing instance, you can optionally
configure the site range. The site range specifies an upper limit on the maximum site
identifier that can be accepted to allow a pseudowire to be brought up. You must specify
a value from 1 through 65,534. The default value is 65,534. We recommend using the
default. Pseudowires cannot be established to sites with site identifiers greater than the
configured site range. If you issue the show vpls connections command, such sites are
displayed as OR (out of range).
site-range number;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
There are networks that require that the site range be configured using a value smaller
than the local site identifier, for example, a hub-and-spoke VPLS with multihomed sites.
For this type of network, you need to allow pseudowires to be established between the
spoke routers and the hub router. However, you also need to prevent pseudowires from
being established between spoke routers directly. Due to the multihoming requirement
of spoke sites, Layer 2 VPN NRLIs need to be accepted from other spoke routers (at least
from spokes with the same site identifier as the locally configured sites) to determine
the status of local spoke routers (active or not active) based on the local preference
included in the NRLIs received from the other spoke routers.
This type of VPLS network can be implemented by, for example, numbering hub sites
with identifiers 1 through 8 and spoke sites with identifiers 9 and larger. You can then
configure a site range of 8 on each of the spoke sites. Although the spoke sites accept
NRLIs and install them in the Layer 2 VPN routing tables (allowing the multihomed sites
to determine the status of the local site), the spoke sites cannot establish pseudowires
directly to the other spoke sites due to the configured site range.
The following configurations illustrate this concept. The configurations are for the VPLS
routing instances on three routers, two spoke routers and one hub router:
Router 1—spoke:
routing-instance hub-and-spoke {
no-local-switching;
protocols {
vpls {
site-range 8;
no-tunnel-services;
site spoke-9 {
site-identifier 9 {
multi-homing;
site-preference primary;
}
}
site spoke-10 {
site-identifier 10 {
multi-homing;
site-preference backup;
}
}
}
}
}
Router 2—spoke:
routing-instance hub-and-spoke {
no-local-switching;
protocols {
vpls {
site-range 8;
no-tunnel-services;
site spoke-9 {
site-identifier 9 {
multi-homing;
site-preference backup;
}
}
site spoke-10 {
site-identifier 10 {
multi-homing;
site-preference primary;
}
}
}
}
}
Hub—router 3:
routing-instance hub-and-spoke {
no-local-switching;
protocols {
vpls {
no-tunnel-services;
site hub {
site-identifier 1;
}
}
}
}
You must configure an interface for each of the pseudowires you specify for the VPLS
site.
To configure an interface for the VPLS site, include the interface statement:
interface interface-name {
interface-mac-limit limit;
}
You can also configure a limit on the number of MAC addresses that can be learned from
the specified interface. For more information, see “Limiting the Number of MAC Addresses
Learned from an Interface” on page 1252.
You can specify the local preference value advertised for a particular VPLS site. The site
preference value is specified using the site-preference statement configured at the [edit
routing-instances routing-instance-name protocols vpls site site-name] hierarchy level. By
configuring the site-preference statement, a value configured for the local-preference
statement at the [edit protocols bgp] hierarchy level is ignored by the VPLS routing
instance. However, you can change the site preference value for VPLS routes exported
to other routers by configuring an export policy. When a PE router receives multiple
advertisements with the same VPLS edge (VE) device identifier, the advertisement with
the highest local preference value is preferred.
site-preference preference-value {
backup;
primary;
}
You can also specify either the backup option or the primary option for the site-preference
statement. The backup option specifies the preference value as 1, the lowest possible
value, ensuring that the VPLS site is the least likely to be selected. The primary option
specifies the preference value as 65,535, the highest possible value, ensuring that the
VPLS site is the most likely to be selected.
For a list of hierarchy levels at which you can include the site-preference statement, see
the statement summary section for this statement.
The Junos OS software does not support all of RFC 4762. When enabling LDP signaling
for a VPLS routing instance, network engineers should be aware that only the following
values are supported:
• FEC—128 or 129
• Control bit—0
LDP signaled VPLS supports the Virtual Circuit Connectivity Verification (VCCV) Type
Length Value (TLV) for pseudowire label mapping, label database display, and LDP
trace. When you enable LDP signaling for a pseudowire, LDP advertises the VCCV
capabilities to the neighboring routers. VCCV provides a control channel for a pseudowire
and includes both operations and management functions (for example, connectivity
verification). This control channel is established between the pseudowire's ingress and
egress devices. Once established, connectivity verification messages can be sent over
the VCCV control channel.
The Junos OS software supports the following VCCV capabilities for LDP signaled VPLS
(defined in RFC 5085 Section 8.1):
• LSP ping
If the peer device also advertises VCCV parameters during pseudowire setup, the Junos
OS software selects the set of common advertised parameters to use as the method for
performing VCCV OAM on the pseudowire.
The locally advertised and peer advertised VCCV parameters can be viewed using the
show ldp database command as show here:
Be aware of the following behavior with regard to TLVs when configuring LDP-signaled
VPLS in a network with equipment from other vendors:
• When a Juniper Network’s device receives a TLV with an empty address, LDP accepts
the TLV.
• When a MAC address is withdrawn, LDP specifies a zero address (0.0.0.0) for the
AddressList.
To enable LDP signaling for the set of PE routers participating in the same VPLS routing
instance, you need to use the vpls-id statement configured at the [edit routing-instances
routing-instance-name protocols vpls] hierarchy level to configure the same VPLS identifier
on each of the PE routers. The VPLS identifier must be globally unique. When each VPLS
routing instance (domain) has a unique VPLS identifier, it is possible to configure multiple
VPLS routing instances between a given pair of PE routers.
LDP signaling requires that you configure a full-mesh LDP session between the PE routers
in the same VPLS routing instance. Neighboring PE routers are statically configured.
Tunnels are created between the neighboring PE routers to aggregate traffic from one
PE router to another. Pseudowires are then signaled to demultiplex traffic between VPLS
routing instances. These PE routers exchange the pseudowire label, the MPLS label that
acts as the VPLS pseudowire demultiplexer field, by using LDP forwarding equivalence
classes (FECs). Tunnels based on both MPLS and generic routing encapsulation (GRE)
are supported.
NOTE: You cannot configure both BGP signaling and LDP signaling for the
same VPLS routing instance. If you attempt to configure the statements that
enable BGP signaling for the VPLS routing instance (the site, site-identifier,
and site-range statements), and the statements that enable LDP signaling
for the same instance, neighbor and vpls-id, the commit operation fails.
To enable LDP signaling for the VPLS routing instance, complete the steps in the following
sections:
• Configuring LDP Signaling for the VPLS Routing Instance on page 1247
• Configuring LDP Signaling on the Router on page 1248
vpls-id vpls-id;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
To configure the VPLS routing instance to use LDP signaling, you also must include the
neighbor statement to specify each of the neighboring PE routers that are a part of this
VPLS domain:
neighbor neighbor-id;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
interface interface-name;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
You can enable LDP on all the interfaces on the router using the all option for the interfaces
statement. For more information about how to configure LDP, see the MPLS Applications
Feature Guide.
connectivity-type ce;
You can alternatively specify that the VPLS connection remain up so long as an Integrated
Routing and Bridging (IRB) interface is configured for the VPLS routing instance by
specifying the irb option for the connectivity-type statement:
connectivity-type irb;
To ensure that the VPLS connection remain up until explicitly taken down, specify the
permanent option for the connectivity-type statement:
connectivity-type permanent;
This option is reserved for use in configuring Layer 2 Wholesale subscriber networks. See
the Broadband Subscriber Management Solutions Guide for details about configuring a
Layer 2 Wholesale network.
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
ACX Series routers do not support irb interface in VPLS instance, therefore
connectivity-type irb for VPLS is not supported.
• ethernet—Ethernet
If you do not specify an encapsulation type for the VPLS routing instance or the VPLS
neighbor, ethernet is used.
To specify an encapsulation type for the VPLS routing instance, include the
encapsulation-type statement:
You can also specify an encapsulation type for a specific VPLS neighbor by including the
encapsulation-type statement at the following hierarchy levels:
Configuring the MPLS Routing Table to Leak Routes a Nondefault Routing Instance
Starting in Junos OS Release 16.1, you can specify one or more nondefault routing instances
where you want MPLS routes to be leaked from the mpls.0 path routing table in the
master routing instance. This capability is useful in an L2VPN/VPLS configuration when
the remote PE router is learned from the IGP in a nondefault routing instance, because
L2VPN/VPLS installs ingress-labeled routes only in the master mpls.0 table.
By default, routes in the mpls.0 routing table in the master routing instance are not leaked
to the corresponding routing tables in nondefault routing instances. When L2VPN/VPLS
traffic is received on the core-facing interface in a nondefault routing instance, the router
performs a lookup in the table that corresponds to that interface,
routing-instance-name.mpls.0. Because the routes are not leaked by default, then no
routes are found in the routing-instance-name.mpls.0 routing table and all the incoming
traffic is dropped.
import-labeled-routes [ routing-instance-name ];
To modify the timeout interval for the VPLS table, include the mac-table-aging-time
statement:
mac-table-aging-time seconds;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
NOTE: T4000 routers with Type 5 FPCs support up to 262,143 MAC addresses
per VPLS routing instance. To enable the improved VPLS MAC address
learning limit (that is, 262,143 MAC addresses), you must Include the
enhanced-mode statement at the [edit chassis network-services] hierarchy
level, reboot the router, and then modify the size of the VPLS MAC address
table.
If the MAC table limit is reached, new MAC addresses can no longer be added to the
table. Eventually the oldest MAC addresses are removed from the MAC address table
automatically. This frees space in the table, allowing new entries to be added. However,
as long as the table is full, new MAC addresses are dropped.
To change the VPLS MAC table size for each VPLS or VPN routing instance, include the
mac-table-size statement:
mac-table-size size;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
When you include the mac-table-size statement, the affected interfaces include all
interfaces within the VPLS routing instance, including the local interfaces, the LSI
interfaces, and the VT interfaces.
Because this limit applies to each VPLS routing instance, the MAC addresses of a single
interface can consume all the available space in the table, preventing the routing instance
from acquiring addresses from other interfaces.
You can limit the number of MAC addresses learned from each interface configured for
a VPLS routing instance. To do so, include the interface-mac-limit statement:
interface-mac-limit limit;
NOTE: ACX Series routers do not support interface-mac-limit limit for VPLS.
The interface-mac-limit statement affects the local interfaces only (the interfaces facing
CE devices).
You can also limit the number of MAC addresses learned by a specific interface configured
for a VPLS routing instance. This gives you the ability to limit particular interfaces that
you expect might generate a lot of MAC addresses.
To limit the number of MAC addresses learned by a specific interface, include the
interface-mac-limit statement at the following hierarchy levels:
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
The MAC limit configured for an individual interface at this hierarchy level overrides any
value configured at the [edit routing-instances routing-instance-name protocols vpls]
hierarchy level. Also, the MAC limit configured using the mac-table-size statement can
override the limit configured using the interface-mac-limit statement.
You can clear dynamically learned MAC addresses from the MAC address database by
including the mac-flush statement:
mac-flush [ explicit-mac-flush-message-options ];
To clear dynamically learned MAC addresses globally across all devices participating in
the routing instance, you can include the statement at the following hierarchy levels:
To clear the MAC addresses on the routers in a specific mesh group, you can include the
statement at the following hierarchy levels:
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
For certain cases where MAC flush processing is not initiated by default, you can also
specify explicit-mac-flush-message-options to additionally configure the router to send
explicit MAC flush messages under specific conditions. For a list of the explicit MAC flush
message options you can include with this statement, see the summary section for this
statement.
16.1 Starting in Junos OS Release 16.1, you can specify one or more nondefault routing
instances where you want MPLS routes to be leaked from the mpls.0 path
routing table in the master routing instance.
12.3R4 Starting in Junos OS Release 12.3R4, if you do not configure the parameter to
limit the number of MAC addresses to be learned by a VPLS instance, the default
value is not effective.
Related • Configuring Improved VPLS MAC Address Learning on T4000 Routers with Type 5 FPCs
Documentation
• enhanced-mode
On each PE router and for each VPLS routing instance, specify which interfaces are
intended for the VPLS traffic traveling between PE and CE routers. To specify the interface
for VPLS traffic, include the interface statement in the routing instance configuration:
interface interface-name;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
You must also define each interface by including the following statements:
vlan-tagging;
encapsulation encapsulation-type;
unit logical-unit-number {
family vpls;
vlan-id vlan-id-number;
}
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
The following sections provide enough information to enable you to configure interfaces
for VPLS routing. For detailed information about configuring interfaces and the statements
at the [edit interfaces] hierarchy level, see the Junos OS Network Interfaces Library for
Routing Devices.
physical.logical
For example, in ge-1/2/1.2, ge-1/2/1 is the physical portion of the interface name and 2 is
the logical portion. If you do not specify the logical portion of the interface name, 0 is set
by default.
If you enable a routing protocol on all instances by specifying interfaces all when
configuring the master instance of the protocol at the [edit protocols] hierarchy level,
and you configure a specific interface for VPLS routing at the [edit routing-instances
routing-instance-name] hierarchy level, the latter interface statement takes precedence
and the interface is used exclusively for VPLS.
If you explicitly configure the same interface name at both the [edit protocols] and [edit
routing-instances routing-instance-name] hierarchy levels and then attempt to commit
the configuration, the commit operation fails.
To configure the encapsulation type on the physical interface, include the encapsulation
statement:
You can include the encapsulation statement for physical interfaces at the following
hierarchy levels:
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
You can configure the following physical interface encapsulations for VPLS routing
instances:
On M Series routers (except the M320 router), the 4-port Fast Ethernet TX PIC and
the 1-port, 2-port, and 4-port, 4-slot Gigabit Ethernet PICs can use the Ethernet VPLS
encapsulation type.
NOTE: The built-in Gigabit Ethernet PIC on an M7i router does not support
extended VLAN VPLS encapsulation.
Interfaces with VLAN VPLS encapsulation accept packets carrying standard TPID
values only. On M Series routers (except the M320 router), the 4-port Fast Ethernet
TX PIC and the 1-port, 2-port, and 4-port, 4-slot Gigabit Ethernet PICs can use the
Ethernet VPLS encapsulation type.
To configure the encapsulation type for logical interfaces, include the encapsulation
statement:
You can include the encapsulation statement for logical interfaces at the following
hierarchy levels:
You can configure the following logical interface encapsulations for VPLS routing
instances:
Interfaces with VLAN VPLS encapsulation accept packets carrying standard TPID
values only. On M Series routers (except the M320 router), the 4-port Fast Ethernet
TX PIC and the 1-port, 2-port, and 4-port, 4-slot Gigabit Ethernet PICs can use the
Ethernet VPLS encapsulation type.
When you configure the physical interface encapsulation as vlan-vpls, you also need to
configure the same interface encapsulation for the logical interface. You need to configure
the vlan-vpls encapsulation on the logical interface because the vlan-vpls encapsulation
allows you to configure a mixed mode, where some of the logical interfaces use regular
Ethernet encapsulation (the default for logical interfaces) and some use vlan-vpls.
NOTE: Starting with Junos OS release 13.3, a commit error occurs when you
configure vlan-vpls encapsulation on a physical interface and configure family
inet on one of the logical units. Previously, it was possible to commit this
invalid configuration.
Gigabit Ethernet interfaces can be partitioned. You can assign up to 4095 different logical
interfaces, one for each VLAN, but you are limited to a maximum of 1024 VLANs on any
single Gigabit Ethernet or 10-Gigabit Ethernet port.
vlan-id number;
You can also configure a logical interface to forward packets and learn MAC addresses
within each VPLS routing instance configured with a VLAN ID that matches a VLAN ID
specified in a list using the vlan-id-list statement. VLAN IDs can be entered individually
using a space to separate each ID, entered as an inclusive list separating the starting
VLAN ID and ending VLAN ID with a hyphen, or a combination of both.
For example, to configure the VLAN IDs 20 and 45 and the range of VLAN IDs between
30 and 40, issue the following command from the CLI:
To configure a list of VLAN IDs for a logical interface, include the vlan-id-list statement:
vlan-id-list list-of-vlan-ids;
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
For more information about how to configure VLANs, see the Junos OS Network Interfaces
Library for Routing Devices. For detailed information about how VLAN identifiers in a VPLS
routing instance are processed and translated, see the MX Series Layer 2 Configuration
Guide.
Sample Scenario of Hierarchical Virtual Private LAN Service on Logical Tunnel Interface
This section describes how to configure the hierarchical virtual private LAN service
(H-VPLS) on ACX5048 and ACX5096 routers. Junos OS for ACX5048 and ACX5096
routers supports configuring H-VPLS using the logical tunnel interface encapsulation.
For example, you have three provider edge devices (PE1, PE2 and PE3). PE2 device
connects both PE1 and PE3 devices. The pseudowire connecting PE1 and PE2 devices
are encapsulated with circuit cross-connect (CCC). In this case, PE1 device acts as a
spoke and PE2 as a hub. The pseudowire connecting PE2 and PE3 devices are
encapsulated with VPLS. You need to encapsulate CCC and VPLS pseudowires using
the logical tunnel interface on the PE2 device.
The following steps describe how to encapsulate CCC and VPLS pseudowires using the
logical tunnel interface on the PE2 device:
1. Create a logical tunnel interface on the PE2 device by using the set chassis fpc fpc-slot
pic pic-slot tunnel-services port port-number CLI command. The port-number can be
any port on the chassis which is not used for regular traffic forwarding. For example,
[edit]
user@host# set chassis fpc 0 pic 0 tunnel-services port 65
2. Encapsulate the CCC and VPLS pseudowires using the logical tunnel interface
(lt-0/0/65) created on the PE2 device. Use the Ethernet CCC (ethernet-ccc) and
Ethernet VPLS (ethernet-vpls) encapsulation types at the [edit interfaces
interface-name unit logical-unit-number] hierarchy level as shown in the example:
Device PE2
[edit]
user@host# set interfaces lt-0/0/65 unit 0 encapsulation ethernet-ccc;
user@host# set interfaces lt-0/0/65 unit 0 encapsulation peer-unit 1;
user@host# set interfaces lt-0/0/65 unit 1 encapsulation ethernet-vpls;
user@host# set interfaces lt-0/0/65 unit 1 encapsulation peer-unit 0;
3. Verify the configuration by entering the show command at the logical tunnel interface
level. The output should display as follows:
[edit interfaces lt-0/0/65]
user@host# show
unit 0 {
encapsulation ethernet-ccc;
peer-unit 1;
}
unit 1 {
encapsulation ethernet-vpls;
peer-unit 0;
}
For more information about how aggregated Ethernet interfaces function in the context
of VPLS, see VPLS and Aggregated Ethernet Interfaces.
To configure aggregated Ethernet interfaces for VPLS, configure the interface for the
VPLS routing instance as follows:
interfaces aex {
vlan-tagging;
encapsulation encapsulation-type;
unit logical-unit-number {
vlan-id number;
}
}
You can configure the following physical link-layer encapsulation types for the VPLS
aggregated Ethernet interface:
• ethernet-vpls
• extended-vlan-vpls
• flexible-ethernet-services
• vlan-vpls
NOTE: ACX Series routers do not support the extended-vlan-vpls and vlan-vpls
encapsulation types.
For the interface configuration statement, in aex, the x represents the interface instance
number to complete the link association; x can be from 0 through 127, for a total of
128 aggregated interfaces.
For more information about how to configure aggregated Ethernet interfaces, see the
Ethernet Interfaces Feature Guide for Routing Devices.
The aggregated Ethernet interface must also be configured for the VPLS routing instance
as shown in the following example:
[edit]
routing-instances {
green {
instance-type vpls;
interface ae0.0;
route-distinguisher 10.255.234.34:1;
vrf-target target:11111:1;
protocols {
vpls {
site-range 10;
site green3 {
site-identifier 3;
}
}
}
}
}
Interface ae0.0 represents the aggregated Ethernet interface in the routing instance
configuration. The VPLS routing instance configuration is otherwise standard.
Configuring VLAN Identifiers for VLANs and VPLS Routing Instances in ACX Series
You can configure VLAN identifiers for a VLAN or a VPLS routing instance in the following
ways:
• By using the input-vlan-map and the output-vlan-map statements at the [edit interfaces
interface-name unit logic-unit-number] or [edit logical-systems logical-system-name
interfaces interface-name unit logic-unit-number] hierarchy level to configure VLAN
mapping.
The vlan-id and vlan-tags statements are used to specify the normalizing VLAN identifier
under the VLAN or VPLS routing instance. The normalizing VLAN identifier can translate
or normalize the VLAN tags of packets received into a learn VLAN identifier.
NOTE: You cannot configure VLAN mapping using the input-vlan-map and
output-vlan-map statements if you configure a normalizing VLAN identifier
for a VLAN or VPLS routing instance using the vlan-id or vlan-tags statements.
To configure a VLAN identifier for a VLAN, include either the vlan-id or the vlan-tags
statement at the [edit interfaces interface-name unit logic-unit-number] or [edit
logical-systems logical-system-name interfaces interface-name unit logic-unit-number]
hierarchy level, and then include that logical interface in the VLAN configuration.
For a VPLS routing instance, include either the vlan-id or vlan-tags statement at the [edit
interfaces interface-name unit logic-unit-number] or [edit logical-systems
logical-system-name interfaces interface-name unit logic-unit-number] hierarchy level, and
then include that logical interface in the VPLS routing instance configuration.
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
NOTE: For a single VLAN or VPLS routing instance, you can include either
the vlan-id or the vlan-tags statement, but not both. If you do not configure
a vlan-id or vlan-tags for the VLAN or the VPLS routing instance, the Layer 2
packets received are forwarded to the outbound Layer 2 interface without
having the VLAN tag modified unless an output-vlan-map is configured on
the Layer 2 interface. This results in a frame being forwarded to a Layer 2
interface with a VLAN tag that is different from what is configured for the
Layer 2 interface. Note that a frame received from the Layer 2 interface is still
required to match the VLAN tag(s) specified in the interface configuration.
The invalid configuration may cause a Layer 2 loop to occur. In ACX5048 and
ACX5096 routers, if the interface VLAN is configured as vlan-id-list, it is
mandatory to normalize the VPLS routing instance. vlan-id all is not supported
in ACX5048 and ACX5096 routers.
The VLAN tags associated with the inbound logical interface are compared with the
normalizing VLAN identifier. If the tags are different, they are rewritten as described in
Table 48 on page 758. The source MAC address of a received packet is learned based on
the normalizing VLAN identifier.
If the VLAN tags associated with the outbound logical interface and the normalizing
VLAN identifier are different, the normalizing VLAN identifier is rewritten to match the
VLAN tags of the outbound logical interface, as described in Table 49 on page 758.
The following steps outline the process for bridging a packet received over a Layer 2
logical interface when you specify a normalizing VLAN identifier using either the vlan-id
number or vlan-tags statement for a VLAN or a VPLS routing instance:
1. When a packet is received on a physical port, it is accepted only if the VLAN identifier
of the packet matches the VLAN identifier of one of the logical interfaces configured
on that port.
2. The VLAN tags of the received packet are then compared with the normalizing VLAN
identifier. If the VLAN tags of the packet are different from the normalizing VLAN
identifier, the VLAN tags are rewritten as described in Table 48 on page 758.
3. If the source MAC address of the received packet is not present in the source MAC
table, it is learned based on the normalizing VLAN identifier.
4. The packet is then forwarded toward one or more outbound Layer 2 logical interfaces
based on the destination MAC address. A packet with a known unicast destination
MAC address is forwarded only to one outbound logical interface. For each outbound
Layer 2 logical interface, the normalizing VLAN identifier configured for the VLAN or
VPLS routing instance is compared with the VLAN tags configured on that logical
interface. If the VLAN tags associated with an outbound logical interface do not match
the normalizing VLAN identifier configured for the VLAN or VPLS routing instance, the
VLAN tags are rewritten as described in Table 49 on page 758.
The tables below show how VLAN tags are applied for traffic sent to and from the VLAN,
depending on how the vlan-id and vlan-tags statements are configured for the VLAN and
on how identifiers are configured for the logical interfaces in a VLAN or VPLS routing
instance. Depending on your configuration, the following rewrite operations are performed
on VLAN tags:
• pop—Remove a VLAN tag from the top of the VLAN tag stack.
• pop-pop—Remove both the outer and inner VLAN tags of the frame.
• pop-swap—Remove the outer VLAN tag of the frame and replace the inner VLAN tag
of the frame.
• swap-push—Replace the VLAN tag of the frame and add a new VLAN tag to the top
of the VLAN stack.
• swap-swap—Replace both the outer and inner VLAN tags of the frame.
Table 103 on page 1264 shows the supported input and output VLAN map configurations.
Table 48 on page 758 shows specific examples of how the VLAN tags for packets sent to
the VLAN are processed and translated, depending on your configuration. “–” means
that the statement is not supported for the specified logical interface VLAN identifier.
“No operation” means that the VLAN tags of the received packet are not translated for
the specified input logical interface.
Table 104: Statement Usage and Input Rewrite Operations for VLAN Identifiers for a VLAN
VLAN Configurations for a VLAN
vlan-tags outer 2000 pop 2000, pop 300 pop 2000, swap 300 swap 2000 to 100
inner 300 to 200
vlan-tags outer 100 pop 100, pop 400 pop 100, swap 400 swap 400 to 300
inner 400 to 200
Table 49 on page 758 shows specific examples of how the VLAN tags for packets sent
from the VLAN are processed and translated, depending on your configuration. “–” means
that the statement is not supported for the specified logical interface VLAN identifier.
“No operation” means that the VLAN tags of the outbound packet are not translated for
the specified output logical interface.
Table 105: Statement Usage and Output Rewrite Operations for VLAN Identifiers for a VLAN
VLAN Configurations for a VLAN
1000 push 1000 swap 200 to 1000 pop 100, swap 300
to 1000
vlan-tags outer 2000 push 2000, push 300 swap 200 to 300, swap 100 to 2000
inner 300 push 2000
vlan-tags outer 100 inner 400 push 100, push 400 swap 200 to 400, swap 300 to 400
push 100
You can configure a VPLS domain using static pseudowires. A VPLS domain consists of
a set of PE routers that act as a single virtual Ethernet bridge for the customer sites
connected to these routers. By configuring static pseudowires for the VPLS domain, you
do not need to configure the LDP or BGP protocols that would normally be used for
signaling. However, if you configure static pseudowires, any changes to the VPLS network
topology have to be managed manually.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
Static pseudowires require that you configure a set of in and out labels for each
pseudowire configured for the VPLS domain. You still need to configure a VPLS identifier
and neighbor identifiers for a static VPLS domain. You can configure both static and
dynamic neighbors within the same VPLS routing instance.
To configure a static pseudowire for a VPLS neighbor, include the static statement:
You must configure an incoming and outgoing label for the static pseudowire using the
incoming-label and outgoing-label statements. These statements identify the static
pseudowire’s incoming traffic and destination.
To configure a static pseudowire for a VPLS neighbor, include the static statement at
the [edit routing-instances routing-instance-name protocols vpls neighbor address] hierarchy
level.
You can also configure the static statement for a backup neighbor (if you configure the
neighbor as static the backup must also be static) by including it at the [edit
routing-instances routing-instance-name protocols vpls neighbor address backup-neighbor
address] hierarchy level and for a mesh group by including it at the [edit routing-instances
routing-instance-name protocols vpls mesh-group mesh-group-name neighbor address]
hierarchy level.
For a list of hierarchy levels at which you can include the static statement, see the
statement summary section for this statement.
To enable static VPLS on a router, you need to either configure a virtual tunnel interface
(requires the router to have a tunnel services PIC) or you can configure a label switching
interface (LSI). To configure an LSI, include the no-tunnel-services statement at the [edit
protocols vpls static-vpls] hierarchy level. For more information, see “Configuring VPLS
Without a Tunnel Services PIC” on page 1267.
If you issue a show vpls connections command, static neighbors are displayed with "SN"
next to their addresses in the command output.
VPLS normally uses a dynamic virtual tunnel logical interface on a Tunnel Services PIC
to model traffic from a remote site (a site on a remote PE router that is in a VPLS domain).
All traffic coming from a remote site is treated as coming in over the virtual port
representing this remote site, for the purposes of Ethernet flooding, forwarding, and
learning. An MPLS lookup based on the inner VPN label is done on a PE router. The label
is stripped and the Layer 2 Ethernet frame contained within is forwarded to a Tunnel
Services PIC. The PIC loops back the packet and then a lookup based on Ethernet MAC
addresses is completed. This approach requires that the router have a Tunnel Services
PIC and that the PE router complete two protocol lookups.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
You can configure VPLS without a Tunnel Services PIC by configuring the
no-tunnel-services statement. This statement creates a label-switched interface (LSI)
to provide VPLS functionality. An LSI MPLS label is used as the inner label for VPLS. This
label maps to a VPLS routing instance. On the PE router, the LSI label is stripped and
then mapped to a logical LSI interface. The Layer 2 Ethernet frame is then forwarded
using the LSI interface to the correct VPLS routing instance.
By default, VPLS requires a Tunnel Services PIC. To configure VPLS on a router without
a Tunnel Services PIC and create an LSI, include the no-tunnel-services statement:
no-tunnel-services;
For a list of the hierarchy levels at which you can include this statement, see the summary
section for this statement.
To configure a VPLS routing instance on a router without a tunnel services PIC, include
the no-tunnel-services statement at the [edit routing-instances routing-instance-name
protocols vpls] hierarchy level. To configure static VPLS on a router without a tunnel
services PIC, include the no-tunnel-services statement at the [edit protocols vpls
static-vpls] hierarchy level.
When you configure VPLS without a Tunnel Services PIC by including the
no-tunnel-services statement, the following limitations apply:
VPLS multihoming allows you to connect a customer site to multiple PE routers to provide
redundant connectivity while preventing the formation of Layer 2 loops in the service
provider’s network. A VPLS site multihomed to two or more PE routers provides redundant
connectivity in the event of a PE router-to-CE device link failure or the failure of a PE
router. For more information about VPLS multihoming, see “VPLS Multihoming Overview”
on page 1237.
NOTE: If you want to enable multihoming for a VPLS routing instance, you
cannot also enable LDP signaling. You can only enable BGP signaling.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
The following sections describe how to configure VPLS multihoming. Some information
is also provided on single-homed site configuration versus multihomed site configuration.
• Assign the same site ID on all PE routers connected to the same CE devices.
When two PE routers use the same site ID, VPLS assumes multihoming behavior by
default. The site preference value is used to signal the primary and backup PE router.
In such cases, when multihoming is explicitly configured using the multi-homing
statement , it is only used for tracking the BGP peer status, such as to prevent isolation
of the PE router from the core or split brain. There are scenarios, however that require
preventing of BGP peer tracking, such as in a two-PE-router topology. In such cases,
multihoming should not be explicitly configured as it can break node redundancy.
When identical site IDs are used without configuring multihoming, a collision log
message is generated at each signaling: RPD_L2VPN_SITE_COLLISION: Same site ID 2
configured on remote PE (RD 8.8.8.1:1013:) and local PE in VPN 1013 (non-multihomed
site 2). This is expected behavior.
• Reference all interfaces assigned to the multihomed VPLS site on each PE router. Only
one of these interfaces is used to send and receive traffic for this site at a time.
• Either designate a primary interface or allow the router to select the interface to be
used as the primary interface.
If the router selects the interface, the interface used to connect the PE router to the
site depends on the order in which interfaces are listed in the PE router’s configuration.
The first operational interface in the set of configured interfaces is chosen to be the
designated interface. If this interface fails, the next interface in the list is selected to
send and receive traffic for the site.
The following configuration shows the statements you need to configure to enable VPLS
multihoming:
NOTE: If you add a direct connection between CE devices that are multihomed
to the same VPLS site on different PE routers, the traffic can loop and a loss
of connectivity might occur. We do not recommend this topology.
Most of these statements are explained in more detail in the rest of this chapter. The
following sections explain how to configure the statements that are specific to VPLS
multihoming:
You need to specify one of the interfaces for the multihomed site as the primary interface.
If there are multiple interfaces, the remaining interfaces are activated only when the
primary interface goes down. If no active interfaces are configured at the site level, all
traffic for a VPLS site travels through a single, non-multihomed PE router.
You must configure one of the following options for the active-interface statement:
• any—One configured interface is randomly designated as the active interface for the
VPLS site.
To specify a multihomed interface as the primary interface for the VPLS site, include the
active-interface statement:
active-interface {
any;
primary interface-name;
}
When a CE device is connected to the same VPLS site on more than one PE router,
including the multi-homing statement on all associated PE routers results in tracking of
BGP peers. If no BGP peer is available, VPLS deactivates all active interfaces for a site.
When two PE routers use the same site ID, VPLS assumes multihoming behavior by
default. The site preference value is used to signal the primary and backup PE router. In
such cases, when multihoming is explicitly configured using the multi-homing statement
, it is only used for tracking the BGP peer status, such as to prevent isolation of the PE
router from the core or split brain.
NOTE: When identical site IDs are used without configuring multihoming, a
collision log message is generated at each signaling:
RPD_L2VPN_SITE_COLLISION: Same site ID 2 configured on remote PE (RD
8.8.8.1:1013:) and local PE in VPN 1013 (non-multihomed site 2). This is expected
behavior.
• active-interface
• multi-homing
You can configure both firewall filters and policers for VPLS. Firewall filters allow you to
filter packets based on their components and to perform an action on packets that match
the filter. Policers allow you to limit the amount of traffic that passes into or out of an
interface.
VPLS filters and policers act on a Layer 2 frame that includes the media access control
(MAC) header (after any VLAN rewrite or other rules are applied), but does not include
the cyclical redundancy check (CRC) field.
You can apply VPLS filters and policers on the PE router to customer-facing interfaces
only.
The following sections explain how to configure filters and policers for VPLS:
}
then {
actions;
}
}
}
For more information about how to configure firewall filters, see the Routing Policies,
Firewall Filters, and Traffic Policers Feature Guide. For information on how to configure a
VPLS filter match condition, see “Firewall Filter Match Conditions for VPLS Traffic” on
page 1070.
When you configure a firewall filter for VPLS and apply it to multiple interfaces, you can
specify individual counters specific to each interface. This allows you to collect separate
statistics on the traffic transiting each interface.
For more information about the interface-specific statement and an example of how to
configure it, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
You can configure the following actions for a VPLS filter at the [edit firewall family vpls
filter filter-name term term-name then] hierarchy level: accept, count, discard,
forwarding-class, loss-priority, policer.
filter {
input input-filter-name;
output output-filter-name;
}
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
In the input statement, list the name of the VPLS filter to be evaluated when packets are
received on the interface. In the output statement, list the name of the VPLS filter to be
evaluated when packets are transmitted on the interface.
For the statement summaries for these statements, see the Junos OS Network Interfaces
Library for Routing Devices.
When specifying policing bandwidth, the VPLS policer considers all Layer 2 bytes in a
packet to determine the packet length.
To configure a VPLS policer, include the policer statement at the [edit firewall] hierarchy
level:
[edit firewall]
policer policer-name {
bandwidth-limit limit;
burst-size-limit limit;
then action;
}
For the statement summaries of these statements and more information about how to
configure policers, see the Routing Policies, Firewall Filters, and Traffic Policers Feature
Guide.
policer {
input input-policer-name;
output output-policer-name;
}
NOTE: ACX Series routers do not support the [edit logical-systems] hierarchy.
In the input statement, list the name of the VPLS policer to be evaluated when packets
are received on the interface. In the output statement, list the name of the VPLS policer
to be evaluated when packets are transmitted on the interface.
For the statement summaries for these statements, see the Junos OS Network Interfaces
Library for Routing Devices.
A single VPLS routing instance can encompass one set of PE routers that use BGP for
signaling and another set of PE routers that use LDP for signaling. Within each set, all of
the PE routers are fully meshed in both the control and data planes and have a
bidirectional pseudowire to each of the other routers in the set. However, the BGP-signaled
routers cannot be directly connected to the LDP-signaled routers. To be able to manage
the two separate sets of PE routers in a single VPLS routing instance, a border PE router
must be configured to interconnect the two sets of routers.
The VPLS RFCs and Internet drafts require that all of the PE routers participating in a
single VPLS routing instance must be fully meshed in the data plane. In the control plane,
each fully meshed set of PE routers in a VPLS routing instance is called a PE router mesh
group. The border PE router must be reachable by and have bidirectional pseudowires
to all of the PE routers that are a part of the VPLS routing instance, both the LDP-signaled
and BGP-signaled routers.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
For LDP BGP interworking to function, LDP-signaled routers can be configured with
forwarding equivalence class (FEC) 128 or FEC 129.
The following sections describe how to configure BGP LDP interworking for VPLS:
• ACX5048
• ACX5096
• M7i
• M10i
• M40e
• M120
• M320
• MX Series routers
• T Series routers
• TX Matrix routers
• EX Series switches
Configuring FEC 128 VPLS Mesh Groups for LDP BGP Interworking
To configure FEC 128 LDP BGP interworking for VPLS, include the mesh-group statement
in the VPLS routing instance configuration of the PE border router:
mesh-group mesh-group-name {
local-switching;
mac-flush [ explicit-mac-flush-message-options ];
neighbor address;
peer-as all;
vpls-id number;
}
Using the neighbor statement, configure each PE router that is a part of the mesh group.
You must separate the LDP-signaled routers and the BGP-signaled routers into their own
respective mesh groups. The LDP-signaled routers can be divided into multiple mesh
groups. The BGP-signaled routers must be configured within a single mesh group for
each routing instance.
Configuring FEC 129 VPLS Mesh Groups for LDP BGP Interworking
Configuration for a mesh group for FEC 129 is very similiar to the configuration for FEC
128.
• Each user-defined mesh group must have a unique route distinguisher. Do not use the
route distinguisher that is defined for the default mesh group at the [edit
routing-intances] hierarchy level.
• Each user-defined mesh group must have its own import and export route target.
• Each user-defined mesh group can have a unique Layer 2 VPN ID. By default, all the
mesh groups that are configured for the a VPLS routing-instance use the same Layer
2 VPN ID, the one that you configure at the [edit routing-instances] hierarchy level.
• Configure a mesh group for each Layer 2 circuit pseudowire terminating at a VPLS
routing instance. The Junos OS can support up to 16 mesh groups on MX Series routers
and up to 128 on M Series and T Series routers. However, two mesh groups are created
by default, one for the CE routers and one for the PE routers. Therefore, the maximum
number of user-defined mesh groups is 14 for MX Series routers and 126 for M Series
and T Series routers.
• Configure a single mesh group, terminate all the Layer 2 circuit pseudowires into it, and
enable local switching between the pseudowires by including the local-switching
statement at the [edit routing-instances routing-instance-name protocols vpls
mesh-group mesh-group-name] hierarchy level. By default, you cannot configure local
switching for mesh groups (except for the CE mesh group) because all of the VPLS PE
routers must be configured in a full mesh. However, local switching is useful if you are
terminating Layer 2 circuit pseudowires in a mesh group configured for an LDP signaled
VPLS routing instance.
local-switching;
Configuring Integrated Routing and Bridging Support for LDP BGP Interworking with VPLS
Beginning with Junos OS Release 9.4, you can configure an integrated routing and bridging
(IRB) interface on a router that functions as an autonomous system border router (ASBR)
in an inter-AS VPLS environment between BGP-signaled VPLS and LDP-signaled VPLS.
Previously, IRB interfaces were supported only on Provider Edge (PE) routers.
NOTE: ACX Series routers do not support configuring IRB for LDP BGP
Interworking with VPLS.
To configure a IRB support for LDP BGP Interworking with VPLS, include the
routing-interface interface-name statement.
For inter-AS VPLS to function properly, you need to configure IBGP peering between the
PE routers, including the ASBRs in each AS, just as you do for a typical VPLS configuration.
You also need to configure EBGP peering between the ASBRs in the separate ASs. The
EBGP peering is needed between the ASBRs only. The link between the ASBR routers
does not have to be Ethernet. You can also connect a CE router directly to one of the
ASBRs, meaning you do not have to have a PE router between the ASBR and the CE
router.
The configuration for the connection between the ASBRs makes inter-AS VPLS with
MAC operations unique. The other elements of the configuration are described in other
sections of this manual.
The following sections describe how to configure inter-AS VPLS with MAC operations:
This section provides a summary of all of the elements which must be configured to
enable inter-AS VPLS with MAC operations. These procedures are described in detail
later in this chapter and in other parts of theJunos OS VPNs Library for Routing Devices.
The following lists all of major elements of an inter-AS VPLS with MAC operations
configuration:
• Configure IBGP between all of the routers within each AS, including the ASBRs.
• Configure EBGP between the ASBRs in the separated ASs. The EBGP configuration
includes the configuration that interconnects the ASs.
• Configure a VPLS routing instance encompassing the ASBR routers. The ASBRs are
VPLS peers and are linked by a single pseudowire. Multihoming between ASs is not
supported. A full mesh of pseudowires is needed between the ASBR routers in all of
the interconnected ASs.
• Configure the VPLS routing instances using either BGP signaling or LDP signaling. LDP
BGP interworking is supported for inter-AS VPLS with MAC operations, so it is possible
to interconnect the BGP-signaled VPLS routing instances with the LDP-signaled VPLS
routing instances.
• Configure a single VPLS mesh group for all of the ASBRs interconnected using inter-AS
VPLS.
This section describes the configuration on the ASBRs needed to enable inter-AS VPLS
with MAC operations.
On each ASBR, you need to configure a VPLS mesh group within the VPLS routing instance
which needs to include all of the PE routers within the AS, in addition to the ASBR. You
need to configure the same mesh group for each of the ASs you want to interconnect
using inter-AS VPLS. The mesh group name should be identical on each AS. You also
must include the peer-as all statement. This statement enables the router to establish
a single pseudowire to each of the other ASBRs.
To configure the mesh group on each ASBR, include the mesh-group and peer-as all
statements:
mesh-group mesh-group-name {
peer-as all;
}
You can configure a VPLS routing instance where some of the PE routers use BGP for
signaling and some use LDP for signaling.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
The following concepts form the basis of the configuration needed to include both
BGP-signaled and LDP-signaled PE routers in a VPLS routing instance:
• Border router—A PE router that must be reachable by all of the other PE routers
participating in a VPLS routing instance, whether they are LDP-signaled or BGP-signaled.
Bidirectional pseudowires are created between the border router and all of these PE
routers. The border router is aware of the composition of each PE mesh group configured
as a part of the VPLS routing instance. It can also have direct connections to local CE
routers, allowing it to act as a typical PE router in a VPLS routing instance.
The following sections describe how the LDP-signaled and BGP-signaled PE routers
function when configured to interoperate within a VPLS routing instance:
Figure 64: BGP and LDP Signaling for a VPLS Routing Instance
Two-way pseudowires are established between the PE routers in each mesh group and
between each PE router in the VPLS routing instance and the border router. In
Figure 64 on page 1280, two-way pseudowires are established between routers PE1 and
PE2 in mesh group LDP-1, routers PE3, PE4, and PE5 in mesh group LDP-2, and routers
PE6, PE7, and PE8 in the BGP mesh group. Routers PE1 through PE8 also all have two-way
pseudowires to the Border router. Based on this topology, the LDP-signaled routers are
able to interoperate with the BGP-signaled routers. Both the LDP-signaled and
BGP-signaled PE routers can logically function within a single VPLS routing instance.
NOTE: The following features are not supported for VPLS routing instances
configured with both BGP and LDP signaling:
• Point-to-multipoint LSPs
• IGMP snooping
For example, if a multicast packet is received by the border router in Figure 64 on page 1280,
it is flooded to the two local CE routers. It is also flooded to routers PE1 and PE2 in the
LDP-1 mesh group and to routers PE3, PE4, and PE5 in the LDP-2 mesh group. However,
the packet is not flooded to routers PE6, PE7, and PE8 in the BGP mesh group.
Unicast packets originating within a mesh group are dropped if the destination is another
PE router within the same mesh group. However, if the destination MAC address of the
unicast packet is a PE router located in a different mesh group, the packet is forwarded
to that PE router.
A PE router mesh group consists of a set of routers participating in a VPLS routing instance
that share the same signaling protocol, either BGP or LDP. Each VPLS routing instance
can have just one BGP mesh group. However, you can configure multiple LDP mesh
groups for each routing instance.
The Junos OS can support up to 16 mesh groups on MX Series routers and up to 128 on
M Series and T Series routers. However, two mesh groups are created by default, one for
the CE routers and one for the PE routers. Therefore, the maximum number of user-defined
mesh groups is 14 for MX Series routers and 126 for M Series and T Series routers.
NOTE: In the VPLS documentation, the word router in terms such as PE router
is used to refer to any device that provides routing functions.
The Junos OS supports both forwarding equivalency class (FEC) 128 and FEC 129. FEC
129 uses VPLS autodiscovery to convey endpoint information. FEC 128 requires manually
configured pseudowires.
• LDP-signaled PE routers (FEC 129)—Configuration for a mesh group for FEC 129 is very
similiar to the configuration for FEC 128.
• Each user-defined mesh group must have a unique route distinguisher. Do not use
the route distinguisher that is defined for the default mesh group at the [edit
routing-intances] hierarchy level.
• Each user-defined mesh group must have its own import and export route target.
• Each user-defined mesh group can have a unique Layer 2 VPN ID. By default, all the
mesh groups that are configured for the a VPLS routing-instance use the same Layer
2 VPN ID, the one that you configure at the [edit routing-instances] hierarchy level.
Example: Configuring BGP-Based H-VPLS Using Different Mesh Groups for Each Spoke
Router
This example shows how to configure the hierarchical virtual private LAN service (H-VPLS)
using different mesh groups to provide H-VPLS functionality and provides steps for
verifying the configuration. This is one type of H-VPLS configuration possible in the Juniper
Networks implementation. For information about the alternate type of configuration see
“Example: Configuring LDP-Based H-VPLS Using a Single Mesh Group to Terminate the
Layer 2 Circuits” on page 1304.
Using mesh groups improves LDP-based VPLS control plane scalability and avoids the
requirement for a full mesh of LDP sessions. This example uses BGP-based VPLS.
Requirements
This example uses the following hardware components:
• Four MX Series 3D Universal Edge Routers for Router PE1, Router PE2, Router PE3, and
Router PE4
• Two EX Series Ethernet Switches for Device CE1 and Device CE2
• Router PE3 and Router PE4 are configured as PE-r routers, each using an LDP-based
VPLS routing instance.
• The LDP and OSPF protocols are configured on all of the MTU devices and PE-r routers.
• Optionally, the VPLS routing instances can be configured on PE-r routers with the
no-tunnel-interface statement. This allows the routers to use a label-switched interface
(LSI), which is useful if your routers do not have Tunnel Services PICs or built-in support
for tunnel services.
• BGP is configured on the PE-r routers. Optionally, you can configure route reflection.
This is useful for scaling internal BGP (IBGP). The BGP configuration includes the
signaling statement at the [edit protocols bgp group group-name family l2vpn] hierarchy
level to support Layer 2 VPN signaling using BGP.
Figure 66 on page 1284 shows the logical topology used in this example.
• The MTU devices (Router PE1 and Router PE2) have Layer 2 circuit connections to the
PE-r routers (Router PE3 and Router PE4). For redundancy, a backup neighbor is
configured for the Layer 2 circuit connections to the PE-r routers.
• The l2circuit statement in the [edit protocols] hierarchy is included on the MTU devices.
• In the VPLS routing instance on the PE-r routers, mesh groups are created to terminate
the Layer 2 circuit pseudowires that originate at the MTU devices.
• Each PE-r router’s mesh groups configuration includes VPLS ID values that match the
virtual circuit IDs used on the MTU devices.
Configuration
To configure H-VPLS with different mesh groups for each spoke PE-r router using
BGP-based VPLS, perform the following tasks:
Step-by-Step 1. On Router PE1, configure the Gigabit Ethernet interface connected to Router CE1.
Procedure Include the encapsulation statement and specify the ethernet-ccc option. Also
configure the logical interface by including the family statement and specifying the
ccc option.
[edit interfaces]
ge-2/0/5 {
encapsulation ethernet-ccc;
unit 0 {
family ccc;
}
}
2. On Router PE1, configure the Layer 2 circuit by including the neighbor statement and
specifying the IP address of Router PE3 as the neighbor. Configure the Gigabit
Ethernet logical interface by including the virtual-circuit-id statement and specifying
100 as the ID. Also configure a backup neighbor for the Layer 2 circuit by including
the backup-neighbor statement, specifying the loopback interface IP address of
Router PE4 as the backup neighbor, and including the standby statement.
[edit protocols]
l2circuit {
neighbor 192.0.2.3 {
interface ge-2/0/5.0 {
virtual-circuit-id 100;
backup-neighbor 192.0.2.4 { # Backup H-VPLS PE router
standby;
}
}
}
3. On Router PE2, configure the Gigabit Ethernet interface connected to Router CE2.
Include the encapsulation statement and specify the ethernet-ccc option. Also
configure the logical interface by including the family statement and specifying the
ccc option.
[edit interfaces]
ge-2/0/6 {
encapsulation ethernet-ccc;
unit 0 {
family ccc;
}
}
4. On Router PE2, configure the Layer 2 circuit by including the neighbor statement
and specifying the IP address of Router PE3 as the neighbor. Configure the Gigabit
Ethernet logical interface by including the virtual-circuit-id statement and specifying
200 as the ID. Configure the encapsulation by including the encapsulation-type
statement and specifying the ethernet option. Also configure a backup neighbor for
the Layer 2 circuit by including the backup-neighbor statement, specifying the
loopback interface IP address of Router PE4 as the backup neighbor, and including
the standby statement.
[edit protocols]
l2circuit {
neighbor 192.0.2.3 {
interface ge-1/0/2.0 {
virtual-circuit-id 200; # different VC-ID
encapsulation-type ethernet; # default encapsulation
backup-neighbor 192.0.2.4 {
standby;
}
}
}
}
Step-by-Step 1. On Router PE3 (the primary hub), configure the Gigabit Ethernet interface connected
Procedure to Router CE3. Include the encapsulation statement and specify the ethernet-vpls
option. Also configure the logical interface by including the family vpls statement.
[edit interfaces]
ge-2/0/0 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.0.2.3/24;
}
}
}
2. On Router PE4 (the backup hub), configure the Gigabit Ethernet interface connected
to Router CE4. Include the encapsulation statement and specify the ethernet-vpls
option. Also configure the logical interface by including the family vpls statement.
[edit interfaces]
ge-2/1/7 {
encapsulation ethernet-vpls;
unit 0 {
description to_CE4;
family vpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.0.2.4/24;
}
}
}
3. On PE-r Router PE3, configure the BGP-based VPLS routing instance by including
the instance-type statement at the [edit routing-instances H-VPLS] hierarchy level
and specifying the vpls option. Include the interface statement and specify the
Gigabit Ethernet interface connected to Router CE3. Configure a route distinguisher
to ensure that the route advertisement is unique by including the route-distinguisher
statement and specifying 192.0.2.3:33 as the value. Also configure the VPN routing
and forwarding (VRF) route target to be included in the route advertisements to
the other routers participating in the VPLS. To configure the VRF route target, include
the vrf-target statement and specify target:64510:2 as the value. Optionally, include
the no-tunnel-services statement to enable the use of LSI interfaces, which is useful
if the device does not have tunnel services. The no-tunnel-services statement is
omitted in this example. Optionally, you can include the site-range statement to
specify an upper limit on the maximum site identifier that can be accepted to allow
a pseudowire to be brought up. The site-range statement is omitted in this example.
We recommend using the default of 65,534.
Configure the VPLS protocol and the mesh groups for each MTU PE device.
To configure the VPLS protocol, include the vpls statement at the [edit
routing-instances H-VPLS protocols] hierarchy level. Include the site statement and
specify a name for the site. Include the interface statement and specify the Gigabit
Ethernet interface connected to Device CE3.
Configuring mesh groups under the VPLS instance terminates the Layer 2 circuit
into the VPLS instance. To configure each mesh group, include the mesh-group
statement and specify the mesh group name. In this example, the mesh group name
is the name of the MTU device associated with each mesh group. Include the vpls-id
statement and specify the ID that matches the virtual circuit ID configured in
“Configuring the Spoke MTU PE Routers” on page 1284. Also include the neighbor
statement and specify the IP address of the spoke PE router associated with each
mesh group. Optionally, include the local-switching statement if you are not using
a full mesh of VPLS connections. The local-switching statement is useful if you are
configuring a single mesh group and terminating multiple Layer 2 circuit pseudowires
into it. The local-switching statement is omitted in this example.
routing-instances {
H-VPLS {
instance-type vpls;
interface ge-2/1/3.0;
route-distinguisher 192.0.2.3:33;
vrf-target target:64510:2;
protocols {
vpls {
site pe3 {
site-identifier 3;
interface ge-2/1/3.0;
}
mesh-group pe1 {
vpls-id 100;
neighbor 192.0.2.1;
}
mesh-group pe2 {
vpls-id 200;
neighbor 192.0.2.2;
}
}
}
}
}
4. On PE-r Router PE4, configure a routing instance like the one on Router PE3.
routing-instances {
H-VPLS {
instance-type vpls;
interface ge-2/1/7.0;
route-distinguisher 192.0.2.4:44;
vrf-target target:64510:2;
protocols {
vpls {
site pe4 {
site-identifier 4;
interface ge-2/1/7.0;
}
mesh-group pe1 {
vpls-id 100;
neighbor 192.0.2.1;
}
mesh-group pe2 {
vpls-id 200;
neighbor 192.0.2.2;
}
}
}
}
}
Step-by-Step This section describes the operational commands that you can use to validate that the
Procedure H-VPLS is working as expected.
1. On Router PE1 and Router PE2, use the show l2circuit connections command to
verify that the Layer 2 circuit to Router PE3 is Up and the Layer 2 circuit to Router
PE4 is in standby mode.
The output also shows the assigned label, virtual circuit ID, and the ETHERNET
encapsulation type.
2. On Router PE1 and Router PE2, use the show ldp neighbor command to verify that
the targeted LDP sessions have been created between the loopback interface to
the primary and backup H-VPLS hub neighbors.
3. On Router PE3 and Router PE4, use the show vpls connections command to verify
that the VPLS connection status is Up for both the LDP-based VPLS and the
BGP-based VPLS Layer 2 circuits that are terminated.
Instance: H-VPLS
BGP-VPLS State
Local site: pe3 (3)
connection-site Type St Time last up # Up trans
4 rmt Up Oct 18 15:58:39 2012 1
Remote PE: 192.0.2.4, Negotiated control-word: No
Incoming label: 800267, Outgoing label: 800266
Local interface: vt-2/0/9.135266562, Status: Up, Encapsulation: VPLS
Description: Intf - vpls H-VPLS local site 3 remote site 4
LDP-VPLS State
Mesh-group connections: pe1
Neighbor Type St Time last up # Up trans
192.0.2.1(vpls-id 100) rmt Up Oct 18 15:55:07 2012 1
Remote PE: 192.0.2.1, Negotiated control-word: No
Incoming label: 800001, Outgoing label: 299840
Negotiated PW status TLV: No
Local interface: vt-2/0/10.135266560, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls H-VPLS neighbor 192.0.2.1 vpls-id 100
Mesh-group connections: pe2
Neighbor Type St Time last up # Up trans
192.0.2.2(vpls-id 200) rmt Up Oct 18 15:55:07 2012 1
Remote PE: 192.0.2.2, Negotiated control-word: No
Incoming label: 800002, Outgoing label: 299872
Negotiated PW status TLV: No
Local interface: vt-2/0/8.135266561, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls H-VPLS neighbor 192.0.2.2 vpls-id 200
Instance: H-VPLS
BGP-VPLS State
Local site: pe4 (4)
connection-site Type St Time last up # Up trans
3 rmt Up Oct 18 15:58:39 2012 1
Remote PE: 192.0.2.3, Negotiated control-word: No
4. On Router PE3 and Router PE4, use the show vpls flood command to verify that the
H-VPLS PE router created a flood group for each spoke PE site.
5. On Router PE3 and Router PE4, use the show vpls mac-table command to verify
that MAC addresses of the CE devices have been learned.
00:21:59:0f:35:32 D vt-2/0/8.135266560
00:21:59:0f:35:33 D ge-2/1/3.0
00:21:59:0f:35:d4 D vt-2/0/9.135266561
00:21:59:0f:35:d5 D vt-2/0/10.135266562
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
192.0.2.3:NoCtrlWord:5:100:Local/96
*[L2CKT/7] 00:12:16, metric2 1
> to 10.10.1.2 via ge-2/0/10.0
192.0.2.3:NoCtrlWord:5:100:Remote/96
*[LDP/9] 00:12:16
Discard
192.0.2.4:NoCtrlWord:5:100:Local/96
*[L2CKT/7] 00:12:10, metric2 1
> to 10.10.9.2 via ge-2/0/8.0
192.0.2.4:NoCtrlWord:5:100:Remote/96
*[LDP/9] 00:12:15
Discard
192.0.2.3:NoCtrlWord:5:200:Local/96
*[L2CKT/7] 00:13:13, metric2 1
> to 10.10.4.1 via ge-2/0/8.0
192.0.2.3:NoCtrlWord:5:200:Remote/96
*[LDP/9] 00:13:13
Discard
192.0.2.4:NoCtrlWord:5:200:Local/96
*[L2CKT/7] 00:13:13, metric2 1
> to 10.10.5.2 via ge-2/0/9.0
192.0.2.4:NoCtrlWord:5:200:Remote/96
*[LDP/9] 00:13:13
Discard
192.0.2.3:33:3:1/96
*[L2VPN/170/-101] 03:19:26, metric2 1
Indirect
192.0.2.4:44:4:1/96
*[BGP/170] 03:15:45, localpref 100, from 192.0.2.4
AS path: I, validation-state: unverified
> to 10.10.6.2 via ge-2/0/9.0
192.0.2.3:33:3:1/96
*[BGP/170] 03:21:17, localpref 100, from 192.0.2.3
AS path: I, validation-state: unverified
> to 10.10.6.1 via ge-2/0/9.0
192.0.2.4:44:4:1/96
*[L2VPN/170/-101] 03:17:47, metric2 1
Indirect
Results The configuration and verification parts of this example have been completed. The
following section is for your reference.
description to_PE4;
family inet {
address 10.10.9.1/30;
}
family mpls;
}
}
ge-2/0/9 {
unit 0 {
description to_PE2;
family inet {
address 10.10.3.1/30;
}
family mpls;
}
}
ge-2/0/10 {
unit 0 {
description to_PE3;
family inet {
address 10.10.1.1/30;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.0.2.1/24;
}
}
}
}
protocols {
mpls {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
}
ldp {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
interface lo0.0;
}
l2circuit {
neighbor 192.0.2.3 {
interface ge-2/0/5.0 {
virtual-circuit-id 100;
backup-neighbor 192.0.2.4 {
standby;
}
}
}
}
}
}
protocols {
mpls {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
}
ldp {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
interface lo0.0;
}
l2circuit {
neighbor 192.0.2.3 {
interface ge-2/0/6.0 {
virtual-circuit-id 200;
backup-neighbor 192.0.2.4 {
standby;
}
}
}
}
}
}
ge-2/0/10 {
unit 0 {
description to_PE1;
family inet {
address 10.10.1.2/30;
}
family mpls;
}
}
ge-2/1/3 {
encapsulation ethernet-vpls;
unit 0 {
description to_CE3;
family vpls;
}
}
lo0 {
unit 0{
family inet {
address 192.0.2.3/24;
}
}
}
}
protocols {
mpls {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
bgp {
group internal-peers {
type internal;
local-address 192.0.2.3;
family l2vpn {
signaling;
}
neighbor 192.0.2.4;
}
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
}
ldp {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
interface lo0.0;
}
}
routing-instances {
H-VPLS {
instance-type vpls;
interface ge-2/1/3.0;
route-distinguisher 192.0.2.3:33;
vrf-target target:64510:2;
protocols {
vpls {
site pe3 {
site-identifier 3;
interface ge-2/1/3.0;
}
mesh-group pe1 {
vpls-id 100;
neighbor 192.0.2.1;
}
mesh-group pe2 {
vpls-id 200;
neighbor 192.0.2.2;
}
}
}
}
}
routing-options {
autonomous-system 64510;
}
address 10.10.5.2/30;
}
family mpls;
}
}
ge-2/1/7 {
encapsulation ethernet-vpls;
unit 0 {
description to_CE4;
family vpls;
}
}
lo0 {
unit 0 {
family inet {
address 192.0.2.4/24;
}
}
}
}
protocols {
mpls {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
bgp {
group internal-peers {
type internal;
local-address 192.0.2.4;
family l2vpn {
signaling;
}
neighbor 192.0.2.3;
}
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
}
}
ldp {
interface ge-2/0/8.0;
interface ge-2/0/9.0;
interface ge-2/0/10.0;
interface lo0.0;
}
}
routing-instances {
H-VPLS {
instance-type vpls;
interface ge-2/1/7.0;
route-distinguisher 192.0.2.4:44;
vrf-target target:64510:2;
protocols {
vpls {
site pe4 {
site-identifier 4;
interface ge-2/1/7.0;
}
mesh-group pe1 {
vpls-id 100;
neighbor 192.0.2.1;
}
mesh-group pe2 {
vpls-id 200;
neighbor 192.0.2.2;
}
}
}
}
}
routing-options {
autonomous-system 64510;
}
}
}
}
Related • Example: Configuring LDP-Based H-VPLS Using a Single Mesh Group to Terminate
Documentation the Layer 2 Circuits on page 1304
This example shows how to configure a single mesh group to terminate the Layer 2
circuits into an LDP-based VPLS. This is one type of hierarchical virtual private LAN service
(H-VPLS) configuration possible in the Juniper Networks implementation. For information
about the alternate type of configuration see “Example: Configuring BGP-Based H-VPLS
Using Different Mesh Groups for Each Spoke Router” on page 1282.
This example provides step-by-step configuration instructions and also provides steps
for verifying and troubleshooting the configuration.
Requirements
This example uses the following hardware components:
• Four MX Series 3D Universal Edge Routers for Routers PE1, PE2, PE3, and PE4
• Two M Series Multiservice Edge Routers for Routers CE4 and PE5
• Two T Series Core Routers for Routers P1 and the route reflector
• Local switching is used to switch traffic between Layer 2 circuit pseudowires from the
different spoke PE routers.
• The spoke PE routers are configured with the same virtual circuit ID and VPLS ID pair
in a mesh group.
Configuration
To configure a single mesh group to terminate the Layer 2 circuits into an LDP-based
VPLS, perform the following tasks:
Step-by-Step Configure a single mesh group to terminate all the Layer 2 circuit pseudowires and enable
Procedure local switching between the pseudowires.
1. On Router PE1, configure the Layer 2 circuit by including the l2circuit statement at
the [edit protocols] hierarchy level. Include the neighbor statement and specify the
IPv4 address of the hub PE router. Also configure the logical interface by including
the interface statement and specify the interface connected to Router CE1.
[edit protocols]
l2circuit {
neighbor 192.0.2.5 {
interface ge-1/0/0.0 {
virtual-circuit-id 100;
backup-neighbor 192.0.2.3 {
standby;
}
}
}
}
2. On Router PE2, configure the Layer 2 circuit by including the l2circuit statement at
the [edit protocols] hierarchy level. Include the neighbor statement and specify the
IPv4 address of the hub PE router. Configure the logical interface by including the
interface statement and specifying the interface connected to Router CE2.
[edit protocols]
l2circuit {
neighbor 192.0.2.5 {
interface ge-1/0/2.0 {
virtual-circuit-id 100;
encapsulation-type ethernet;
backup-neighbor 192.0.2.3 {
standby;
}
}
}
}
3. On Router PE4, configure the Layer 2 circuit by including the l2circuit statement at
the [edit protocols] hierarchy level. Include the neighbor statement and specify the
IPv4 address of the hub PE router. Configure the logical interface by including the
interface statement and specify the interface connected to Router CE4.
[edit protocols]
l2circuit {
neighbor 192.0.2.5 {
interface ge-1/2/0.0 {
virtual-circuit-id 100;
backup-neighbor 192.0.2.3 {
standby;
}
}
}
}
Step-by-Step Configure a single mesh group to terminate all the Layer 2 circuit pseudowires and enable
Procedure local switching between the pseudowires.
1. On Router PE3, configure the Gigabit Ethernet interface connected to Router CE3
by including the encapsulation statement and specifying the ethernet-vpls option.
Also configure the logical interface by including the family statement and specifying
the vpls option.
[edit interfaces]
ge-1/0/1 {
encapsulation ethernet-vpls;
unit 0 {
family vpls;
}
}
2. On Router PE3, configure the logical loopback interface by including the family
statement and specifying the inet option. Include the address statement and specify
the IPv4 address for the interface.
[edit interfaces]
lo0 {
unit 0 {
family inet {
address 192.0.2.3/24;
}
}
}
3. On Router PE3, configure the LDP-based VPLS routing instance by including the
instance-type statement at the [edit routing-instances H-VPLS] hierarchy level and
specifying the vpls option. Include the interface statement and specify the Gigabit
Ethernet interface connected to Router CE3.
Configure the VPLS protocol by including the vpls statement at the [edit
routing-instances H-VPLS protocols] hierarchy level. Include the no-tunnel-services
statement to enable the router to use an LSI interface.
[edit routing-instances]
H-VPLS {
instance-type vpls;
interface ge-1/0/1.0;
protocols {
vpls {
no-tunnel-services;
}
}
}
4. On Router PE3, configure the mesh group by including the mesh-group statement
at the [edit routing-instances H-VPLS protocols vpls] hierarchy level and specifying
L2-Circuits as the name of the group. Include the vpls-id statement and specify 100
as the ID value. Include the local-switching statement to enable the router to switch
traffic between the pseudowires.
For each neighbor in the mesh group, include the neighbor statement and specify
the IPv4 address of the spoke PE router.
Verification
Step-by-Step 1. On Router PE5, use the show ldp neighbor command to verify that LDP sessions
Procedure have been created to each of the spoke PE routers.
2. On Router PE5, use the show vpls connections extensive command to verify that
the mesh group neighbor session is Up, that inbound and outbound labels have
been assigned, that the VPLS ID is correct, and that the virtual tunnel interface is
being used.
Related • Example: Configuring BGP-Based H-VPLS Using Different Mesh Groups for Each Spoke
Documentation Router on page 1282
This example shows how to configure the hierarchical virtual private LAN service
(H-VPLS). VLANs are configured in this example.
Requirements
No special configuration beyond device initialization is required before configuring this
example.
Overview
H-VPLS uses LDP-based VPLS to signal and establish pseudowires. LDP-based VPLS
is defined in RFC 4762, Virtual Private LAN Service (VPLS) Using Label Distribution Protocol
(LDP) Signaling. RFC 4762 also defines a hierarchical mode of operation for LDP VPLS
called H-VPLS.
VPLS and H-VPLS are different with respect to scaling. VPLS requires a full mesh of
tunnel label-switched paths (LSPs) among all of the provider edge (PE) routers that
participate in the VPLS service. For each VPLS service, n*(n-1)/2 pseudowires must be
set up between the PE routers. In contrast, H-VPLS partitions the network into several
edge domains that are interconnected using an MPLS core. Each edge device only needs
to learn of one local PE device and therefore needs less routing table support. This has
the potential to allow service providers to use relatively less costly devices (such as EX
Series switches) at the customer edge.
• PE-r—PE device that runs VPLS with other PE-r devices, but which also has pseudowires
(it can be based on QinQ access) with another device called a multi-tenant unit (MTU),
which provides the access layer.
• MTU—PE device that represents the access layer on the H-VPLS architecture and
establishes pseudowires to one or more PE-r devices through which VPLS traffic is
forwarded.
Figure 68: Basic H-VPLS With One MTU and Two PE-r Devices
(MTU)
172.16.0.5/24 ge-2/0/9
g041351
CE3
The example shows one MTU (Device PE1) connected to two PE-r devices (Device PE2
and Device PE3).
The pseudowire between Device PE1 and Device PE3 is the primary or working path. The
pseudowire between Device PE1 and Device PE2 is the backup path.
To support VLANs with H-VPLS, you must include the output-vlan-map swap statement
in the configuration of the MTU device as a workaround to prevent a VLAN ID mismatch.
Otherwise, the PE-r devices report a VLAN ID mismatch, as shown here:
Instance: customer
VPLS-id: 601
Neighbor Type St Time last up # Up trans
10.255.14.217(vpls-id 601) rmt VM
“CLI Quick Configuration” on page 1312 shows the configuration for all of the devices in
Figure 68 on page 1311. The section “Step-by-Step Procedure” on page 1314 describes the
steps on Device PE1 and Device PE2.
Configuration
CLI Quick To quickly configure this example, copy the following commands, paste them into a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
Device PE3 set interfaces ge-2/0/10 unit 0 family inet address 192.0.2.5/24
set interfaces ge-2/0/10 unit 0 family iso
set interfaces ge-2/0/10 unit 0 family mpls
set interfaces ge-2/1/3 vlan-tagging
set interfaces ge-2/1/3 encapsulation vlan-vpls
set interfaces ge-2/1/3 unit 601 encapsulation vlan-vpls
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
On the MTU device interface that connects to the customer edge, configure one of
the circuit cross-connect (CCC) encapsulation types and the CCC address family.
This enables Layer 2 circuits.
On the core-facing interfaces, enable MPLS labels. The ISO address is needed as
well on the core-facing interfaces because IS-IS is used in the core.
[edit interfaces]
On the MTU device interfaces that connect to other PE devices, configure MPLS
and LDP.
On the MTU device interfaces that connect to other PE devices, configure an interior
gateway protocol (IGP), such as OSPF or IS-IS.
The neighbor 10.255.14.225 is Device PE3’s loopback interface address. This sets
up the working path.
The neighbor 10.255.14.216 is Device PE2’s loopback interface address. This sets up
the backup path.
The virtual circuit ID must match the VPLS ID that is configured on Device PE2 and
Device PE3.
[edit routing-options]
user@PE1# set router-id 10.255.14.217
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
On the PE-r device interface that connects to the customer edge, configure one of
the VPLS encapsulation types and the VPLS address family. This enables VPLS.
On the core-facing interfaces, enable MPLS labels. The ISO address is needed as
well on the core-facing interfaces because IS-IS is used in the core.
[edit interfaces]
user@PE2# set ge-2/0/6 vlan-tagging
user@PE2# set ge-2/0/6 encapsulation vlan-vpls
user@PE2# set ge-2/0/6 unit 601 encapsulation vlan-vpls
user@PE2# set ge-2/0/6 unit 601 vlan-id 601
user@PE2# set ge-2/0/6 unit 601 family vpls
On the MTU device interfaces that connect to other PE devices, configure MPLS
and LDP.
On the MTU device interfaces that connect to other PE devices, configure an interior
gateway protocol (IGP), such as OSPF or IS-IS.
4. Configure VPLS.
The VPLS ID must match the virtual circuit ID that is configured on the MTU (Device
PE1).
[edit routing-options]
user@PE2# set router-id 10.255.14.216
Results From configuration mode, confirm your configuration by entering the show interfaces,
show protocols, show routing-instances, and show routing-options commands. If the
output does not display the intended configuration, repeat the instructions in this example
to correct the configuration.
unit 0 {
family inet {
address 192.0.2.3/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 10.255.14.217/32;
}
family iso {
address 49.0001.0102.5501.4217.00;
}
}
}
vlan-id 601;
family vpls;
}
}
ge-2/0/10 {
unit 0 {
family inet {
address 192.0.2.4/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 10.255.14.216/32;
}
family iso {
address 49.0001.0102.5501.4216.00;
}
}
}
If you are done configuring the devices, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Action From operational mode, enter the show l2circuit connections command.
Meaning As expected, the Layer 2 circuit connection to Device PE3 is operational, and the
connection to Device PE2 is in standby mode.
Purpose Verify that the VPLS connections are operational on the PE-r devices.
Action From operational mode, enter the show vpls connections command.
Instance: customer
VPLS-id: 601
Neighbor Type St Time last up # Up trans
10.255.14.217(vpls-id 601) rmt Up Oct 9 16:29:02 2012 1
Remote PE: 10.255.14.217, Negotiated control-word: No
Incoming label: 800001, Outgoing label: 299904
Negotiated PW status TLV: No
Local interface: vt-2/0/10.84934914, Status: Up, Encapsulation: VLAN
Description: Intf - vpls customer neighbor 10.255.14.217 vpls-id 601
Instance: customer
VPLS-id: 601
Neighbor Type St Time last up # Up trans
10.255.14.217(vpls-id 601) rmt Up Oct 9 16:29:02 2012 1
Remote PE: 10.255.14.217, Negotiated control-word: No
Incoming label: 800001, Outgoing label: 299920
Negotiated PW status TLV: No
Local interface: vt-2/0/10.68157698, Status: Up, Encapsulation: VLAN
Description: Intf - vpls customer neighbor 10.255.14.217 vpls-id 601
Meaning As expected, the VPLS connections are operational on both PE-r devices.
Checking Connectivity
Purpose Make sure that the pseudowire between Device PE1 and Device PE2 becomes operational.
Meaning The successful ping from Device CE1 to Device CE2 shows that the pseudowire between
Device PE1 and PE2 is operational. Now, if you ping Device CE3 from Device CE1, the ping
should fail.
• Configuring Redundant Pseudowires for Layer 2 Circuits and VPLS on page 606
Time Domain Reflectometry (TDR) is a technology used for diagnosing copper cable
states. This technique can be used to determine if cabling is at fault when you cannot
establish a link. TDR detects the defects by sending a signal through a cable, and reflecting
it from the end of the cable. Open circuits, short circuits, sharp bends and other defects
in the cable, reflects the signal back, at different amplitudes, depending on the severity
of the defect.
Several factors that result in degraded or low-quality cable plants can cause packet loss,
suboptimal connection speed, reduced network efficiency, and complete connection
failures. These types of problems can occur because of poor cable construction,
identification of pair twists, loose connectors, poor contacts between the points, and
stretched or broken pairs of cables. Broadcom transceivers enable you to analyze the
condition of the cable plant or topology and identify any problems that have occurred.
This functionality is effectively used in the following scenarios:
TDR supports the following capabilities for examination of cable faults on ACX Series
routers:
• Cable status pair (open or short)—When the router operates in Gigabit Ethernet mode,
all the four pairs (8 wires) are used. Only Pair-A and Pair-B are required to operate in
10/100BASE-T Ethernet mode. If either of these required pairs is open or short-circuited,
the transceiver reports the following faults:
• Polarity Swap—Each cable pair carries a differential signal from one end to the other
end of the cable. Each wire within the pair is assigned a polarity. The wires in a pair are
normally connected in a one-to-one form. This connection enables the transmitter at
one end to be connected to the receiver at the other end with same polarity. Sometimes,
the wiring within the pair is also swapped. This type of connection is called polarity
swap. Broadcom transceivers can detect such swapping and automatically adjust the
connection to enable the links to operate normally. However, the transceiver reports
polarity swaps that it detects in the cable plant.
On 4-port Gigabit Ethernet and 8-port Gigabit Ethernet MICs with copper SFP transceivers
(using BCM54880) and 4-port Gigabit Ethernet, 6-port Gigabit Ethernet, and 8-port
Gigabit Ethernet MICs with copper and optical SFP transceivers (using BCM54640E
PHY), only 10BASE-T pair polarity is supported. 100BASE-T and 1000BASE-T polarities
are not supported.
When the Gigabit Ethernet link cannot be established (for example, if only two pairs are
present that are fully functional), TDR in the physical layer (PHY) brings down the link
to a 100 MB link, which is called a downshift in the link. The physical layer might require
10-20 seconds for the link to come up if a downgrade in wire speed occurs because it
attempts to connect at 1000 MB five times before it falls back to 100BASE-TX.
TDR diagnostics is supported only on copper interfaces and not on fiber interfaces.
• If you connect a port undergoing a TDR test to a Gigabit Ethernet interface that is
enabled to automatically detect MDI (Media Dependent Interface) and MDIX (Media
Dependent Interface with Crossover) port connections, the TDR result might be invalid.
• If you connect a port undergoing a TDR test to a 100BASE-T copper interface, the
unused pairs are reported as faulty because the remote end does not terminate these
pairs.
• You must not modify the port configuration while the TDR test is running.
• Because of cable characteristics, you need to run the TDR test multiple times to get
accurate results.
• Do not change the port status (such as removing the cable at the near or far end)
because such a change can result in inaccurate statistics in the results.
• While measuring the cable length or distance to fault (per pair), sometimes, a few
cable length inconsistencies might be observed during a TDR test. Broadcom
transceivers have the following cable length limitations:
• For a properly-terminated good cable, the accuracy of the cable length reported is
plus or minus 10 meters.
• If a pair is open or short-circuited, the far-end termination does not affect the
computed result for that pair.
• The accuracy of the measured cable length, when open and short-circuit conditions
are detected, is plus or minus 5 meters.
• The accuracy of a good pair, when one or more pairs are open or short-circuited, is
plus or minus 10 meters.
• The TDR test does not impact the traffic if the interface operates at 10-Gigabit Ethernet
per second of bandwidth, which is the default configuration. However, if the speed of
the interface is configured to be other than 10-Gigabit Ethernet, running the TDR test
affects the traffic.
TDR diagnostics might bring the link down and initialize the physical layer (PHY) with
default configuration to perform its operation.
When the TDR validation test is completed, the PHY layer resumes operation in the
same manner as before the cable diagnostics test was performed. However, link flaps
might be momentarily observed. We recommend that you run the TDR test at a speed
of 1 gigabit per second, which is the default configuration, to obtain more accurate
results.
• On ACX1000 routers, 4 RJ45 (Cu) ports or 8-port Gigabit Ethernet MICs with small
form-factor pluggable (SFP) transceivers and RJ45 connectors.
On ACX1100 routers, 4-port or 8-port Gigabit Ethernet MICs with SFP transceivers and
RJ45 connectors.
• On ACX2000 routers, 8-port Gigabit Ethernet MICs with SFP transceivers and RJ45
connectors.
• On ACX2100 and ACX2200 routers, 4-port Gigabit Ethernet MICs with SFP transceivers
and RJ45 connectors.
• On ACX4000 routers, 4-port, 6-port, or 8-port Gigabit Ethernet MICs with SFP
transceivers and RJ45 connectors.
You must select the media type as copper for the 1-Gigabit Ethernet interfaces. To specify
the media type, include the media-type statement with the copper option at the [edit
interfaces interface-name] hierarchy level. Media type selection is applicable to ports only
in slot 2. When media-type is not set, the port accepts either type of connection. The
media type is fiber if a transceiver is installed in the SFP connection. If no transceiver is
installed, the media type is copper. The COMBO ports (combination ports) on ACX routers
support both the copper and fiber-optic media types. On such ports or interfaces, you
must configure the media type as copper to run the TDR test.
You can run the TDR test from operational mode and view the success or failure results
of the test. To start a test on a specific interface, issue the request diagnostics tdr start
interface interface-name command. To stop the TDR test currently in progress on the
specified interface, issue the request diagnostics tdr abort interface interface-name
command. To display the test results for all copper interfaces, enter the show diagnostics
tdr command. To display the test results for a particular interface, enter the show
diagnostics tdr interface interface-name command.
Related • Diagnosing a Faulty Twisted-Pair Cable on ACX Series Routers on page 1330
Documentation
Problem Description: A 10/100BASE-T Ethernet interface has connectivity problems that you
suspect might be caused by a faulty cable.
Solution Use the time domain reflectometry (TDR) test to determine whether a twisted-pair
Ethernet cable is faulty.
• Detects and reports faults for each twisted pair in an Ethernet cable. Faults detected
include open circuits, short circuits, and impedance mismatches.
• Detects and reports pair swaps, pair polarity reversals, and excessive pair skew.
The TDR test is supported on the following ACX routers and interfaces:
• On ACX1000 routers, 4 RJ45 (Cu) ports or 8-port Gigabit Ethernet MICs with small
form-factor pluggable (SFP) transceivers and RJ45 connectors.
• On ACX1100 routers, 4-port or 8-port Gigabit Ethernet MICs with SFP transceivers and
RJ45 connectors.
• On ACX2000 routers, 8-port Gigabit Ethernet MICs with SFP transceivers and RJ45
connectors.
• On ACX2100 and ACX2200 routers, 4-port Gigabit Ethernet MICs with SFP transceivers
and RJ45 connectors.
• On ACX4000 routers, 4-port, 6-port, or 8-port Gigabit Ethernet MICs with SFP
transceivers and RJ45 connectors.
TDR diagnostics are applicable for copper ports only and not for optical fiber
ports.
2. View the results of the TDR test with the show diagnostics tdr command.
3. Examine the Cable status field for the four MDI pairs to determine if the cable has a
fault. In the preceding example, the twisted pair on pins 4 and 5 is broken or cut at
approximately one meter from the ge-0/0/10 port connection.
NOTE: The Test Status field indicates the status of the TDR test, not the
cable. The value Passed means the test completed—it does not mean that
the cable has no faults.
• The TDR test can take some seconds to complete. If the test is still running when you
execute the show diagnostics tdr command, the Test status field displays Started. For
example:
• You can terminate a running TDR test before it completes by using the request
diagnostics tdr abort interface interface-name command. The test terminates with no
results, and the results from any previous test are cleared.
• You can display summary information about the last TDR test results for all interfaces
on the router that support the TDR test by not specifying an interface name with the
show diagnostics tdr command. For example:
Related • Time Domain Reflectometry on ACX Series Routers Overview on page 1327
Documentation
• request diagnostics tdr
RFC 2544 defines a series of tests that can be used to describe the performance
characteristics of network interconnecting devices. RFC2544-based benchmarking tests
methodology can be applied to a single device under test (DUT), or a network service
(set of devices working together to provide end-to-end service). When applied to a
service, the RFC2544 test results can characterize the Service-Level-Agreement (SLA)
parameters.
RFC 2544 tests are performed by transmitting test packets from a device that functions
as the generator or the initiator. These packets are sent to a device that functions as the
reflector, which receives and returns the packets back to the initiator.
ACX Series routers support RFC 2544 tests to measure the following:
• Throughput
• Latency
• Back-to-back frames
With embedded RFC 2544, an ACX Series router can be configured as an initiator and
another ACX Series router as a reflector.
Figure 69 on page 1336 shows the components, role of intiator and reflector, and the flow
of test packets in an RFC 2544-based benchmarking test.
To run RFC 2544-based tests, you need a router to generate service test traffic and a
router to reflect the service test traffic back. You need to:
1. Identify two service endpoints between which the RFC2544-based test needs to be
run.
4. Review the results after the test is complete. Test results are reported in a specific
format.
In ACX Series routers, you can run the following RFC 2544-based performance
measurement tests:
• Throughput test:
• Sends a specific number of frames at a specified rate from the initiator through the
network service or a DUT. The test starts with a user-configured theoretical maximum
rate.
• Counts the number of transmitted frames and the number of received frames.
• If the number of frames received is less than those transmitted, the test is repeated
with a 50 percent reduced frame rate.
• Throughput is the maximum rate at which the count of test frames received is
equal to the number of test frames transmitted through the network service.
• Latency test:
NOTE: To run latency test, you need to determine the throughput for DUT
or a network service at each of the specified frame sizes.
• Starts with a stream of frames at a particular frame size through the DUT at the
determined throughput rate.
• Sends an identifying tag in one frame after 60 seconds and calculate the latency
when the frame with the same tag is received by the initiator.
• Is repeated for at least 20 times with the reported latency value being the average
of the recorded values.
• Involves sending a specific number of frames at a specified rate through the DUT or
a network service to be tested and counting the frames that are transmitted.
• Runs a trial for the frame rate that corresponds to 100 percent of the configured
maximum theoretical rate.
• Is repeated for the frame rate that corresponds to 90 percent of the maximum rate
used and then for 80 percent of the maximum rate until a certain trial result shows
no lost frames.
You repeat the frame loss rate tests for different frame sizes.
• Involves sending a burst of frames with minimum interframe gaps through the DUT
or a network service and counting the number of frames forwarded.
• Is rerun with an increased length of burst frames if the count of transmitted frames
is equal to the number of frames forwarded.
• Is rerun with a reduced length of burst frames if the count of forwarded frames is
less than the number of frames transmitted.
The back-to-back value is the number of frames in the longest burst that the DUT or
a network service can handle without the loss of any frames.
You can repeat back-to-back frame tests for different frame sizes.
NOTE: In ACX Series routers, RFC 2544 tests are supported only for E-LINE,
ELAN, and EVPL services.
Related • Layer 2 and Layer 3 RFC 2544-Based Benchmarking Test Overview on page 1338
Documentation
• Configuring RFC 2544-Based Benchmarking Tests on page 1341
In ACX Series routers, RFC 2544-based benchmark tests can be run to measure the
performance characteristic of the E-LINE, E-LAN, and EVPL services.
• Between two IPv4 endpoints—In this mode, the generator sends test packets to
user-configured IP destination or UDP port (which is of the reflector).
• Interoperation of the RFC 2544 benchmarking tests with other third-party customer
premises equipment (CPE) that provides embedded or dedicated benchmarking test
capability is not supported.
and the other end or the destination device to reflect the received frames back to the
initiator.
• RFC 2544 generator and reflector are supported with testing bandwidth up to 1 Gbps.
ACX5048 and ACX5096 routers supports test bandwidth of up to 40 Gbps.
• The test session is supported in out-of-service mode for the underlying service. You
must not transmit any traffic to the UNI port, configured as a generator or a reflector,
that is being tested during the duration of the test. However, other services that are
not configured for the testing session are not impacted.
• RFC 2544 generator traffic undergoes the same traffic classifier and policer or shaper
processing as the ingress customer traffic from the UNI port.
• RFC 2544 generator produces a report with clear details of pass or fail for each critical
testing metric, based on the configured thresholds.
• The testing packets can be configured and the format of the packet depends on the
underlying service on which the test is configured. For IP-based service, the IP or port
values can be configured. For Ethernet-based service, unicast untagged or VLAN
ID-tagged dot1p formats (IEEE 802.1p or packet classification Layer 2 headers) are
supported. The Ethernet destination address and source address that you configured
are used.
• You can run RFC 2544 benchmarking inet tests on Layer 3 VPN or virtual router.
• For an inet service, each test session needs to use a unique UDP port. On the initiator
device, the source UDP port that you specify by using the source-udp-port statement
must be unique and not used by other UDP services that terminate at the initiator. On
the reflector device, the UDP port of the destination to be used in the UDP header for
the generated frames by using the destination-udp-port statement must be unique
and not used by other UDP services that terminate at the reflector.
• You must start the test on the router that operates as the reflector before you start
the test on router that functions as the initiator.
• You must configure the size of the test packet based on the configured MTU of the
packets.
• For computation of the test results for a user-to-network interface (UNI) or ingress
direction of an Ethernet pseudowire service, the customer edge (CE) device that is
configured as a reflector for inet must have the reflected destination address resolved
using ARP or a statically configured route must be present on the CE device to connect
to the initiator.
• For a CCC family and with the test performed in the egress or network-to-network
interface (NNI) direction, the tests stop on the initiator and reflector when the
pseudowire goes down.
• For an RFC 2544 test that is run in the egress or network-to-network interface (NNI)
direction of an Ethernet service for a CCC family, the ingress features are not applied.
• In ACX5048 and ACX5096 routers, for a CCC family, the pseudowire has to be opened
prior to the start of the RFC 2544 test and during the course of the test.
• The configured packet size denotes the untagged packet size. Any additional VLAN in
the payload causes the packet length to be increased correspondingly.
• For an inet service, if you configure an interface on an initiator for the RFC 2544-based
benchmarking test to be run without specifying the source IPv4 address for the test
frames, the primary IP address of the interface is used for the test frames. If the primary
IP address is not configured, the first IPv4 address of the interface is used. Similarly,
for an unnumbered interface on an initiator on which the RFC 2544 test is run, the
primary or the first IP address of the donor loopback interface is retrieved and used in
the test frames. You must explicitly configure the source IPv4 address for the test
frames by using the source-ipv4-address statement if you want a particular address
to be used.
• RFC 2544 test generates packets for performance benchmarking testing. The packets
can be destined for known or unknown unicast MAC addresses, and they can be either
tagged or untagged frames. UDP/IP packet is used as the frame payload. Refer to
“Configuring RFC 2544-Based Benchmarking Tests” on page 1341 for the frame fields
that can be configured.
• Supported outer TPIDs for tagged frames are 0x8100, 0x88a8, 0x9100, and 0x9200.
• RFC 2544 benchmark tests can be run in out-of-service and in in-service modes.
NOTE: In out-of-service mode, while the test is running, all the data traffic
sent to and from the UNI port under test on the service is interrupted.
Control protocol packets are not interrupted.
In in-service mode, while the test is running, only the data traffic
corresponding to the test session is interrupted, rest of the data traffic flow
sent to and from the UNI port under test on the service are not affected.
Control protocol packets are not interrupted.
• The source MAC address, destination MAC address, and the UNI port under test
configured uniquely identifies the RFC 2544 benchmark test session (or test stream).
• You can run only one test at a time. Multiple simultaneous tests cannot be run at a
time.
• The maximum theoretical test bandwidth supported by ACX Series routers for RFC
2544 test initiator or reflector is 1 Gpbs. On AC5048 and ACX5096 routers, the
maximum theoretical test bandwidth supported for RFC 2544 reflector is 40 Gbps.
• RFC 2544 tests can be run with different frame sizes. In ACX Series routers, the
supported frame sizes are 64, 68, 72, 128, 256, 512, 768, 1024, 1280, 1518, 1522, 1600,
1728, 2496, 3584, 4016, 9104, and 9136 bytes.
• The minimum mandated duration for RFC 2544 benchmark tests to run is 10 seconds.
• The test results can be copied to the local file system or a remote file system, optionally.
NOTE: RFC 2544 test is not supported to compute the performance attributes
of multicast or broadcast traffic streams.
To configure a RFC 2544 benchmark test on an initiator, you must first configure a
test-profile and reference the test-profile in a unique test-name. The test-name defines
the parameters for the tests to be performed.
To configure a test-name, include the test-name test-name statement at the [edit services
rpm rfc2544-benchmarking] hierarchy level.
To configure Ethernet loopback as the test mode on a logical interface, include the
Ethernet-loopback statement at the [edit services rpm rfc2544-benchmarking] hierarchy
level.
NOTE: The test-profile is not required while configuring the reflector for RFC
2544 test.
Table 106 on page 1341 lists the parameters for configuring test-profile at initiator.
The valid packet sizes are 64, 68, 72, 128, 256, 512, 768, 1024, 1280, 1518, 1522, 1600, 1728,
2496, 3584, 4016, 9104, and 9136 bytes.
bandwidth-kbps Define the maximum bandwidth limit, in kilobits per second (kbps).
Default: 10 percent
Table 107 on page 1342 lists the parameters for configuring a test-name at initiator and
reflector.
check-test-interface-mtu When the check-test-interface-mtu parameter is configured, the parameter validates the MTU
size of the test packets with the MTU size configured on the interface and the following would be
the behavior for initiator and reflector modes:
• On the initiator, if the MTU size of the test packet is larger than the MTU size configured on the
interface, then the RFC2544-based benchmarking test fails to start.
• On the reflector, if the test packets coming to the reflector does not confirm to the MTU size
configured on the interface, then these test packets do not get reflected and are dropped.
This parameter is mandatory when family inet is specified and optional when family ccc is specified.
This parameter is optional when family ccc is specified. If not specified, then the default value of
0x00:0x11:0xAE:0x92:0x2F:0x28 is used.
destination-udp-port Specify the destination UDP port number for the test frames. Default: 4041.
direction Specify the test direction (egress | ingress). This parameter is valid only when family ccc and bridge.
dscp-code-points Specify the value of the Differentiated Services (DiffServ) field. For example, 001111.
halt-on-prefix-down If specified, a prefix that moves to the down state causes the corresponding tests to be stopped.
ignore-test-interface-state When the ignore-test-interface-state parameter is configured for RFC2544 benchmarking tests,
the test continues to run even if there are any occurrences of interface up or down events. This is
applicable to both initiator and reflector test modes.
in-service If specified, only the data traffic corresponding to the test session is interrupted, rest of the data
traffic flow sent to and from the UNI port under test on the service are not affected.
ivlan-priority Configure the priority value for the IEEE 802.1p bit in the inner VLAN tag.
Range: 0 through 7.
• ethernet-loopback—Test frames are loopbacked to the measuring device after the source MAC
address and the destination MAC addresses are swapped.
• initiate-and-terminate—Test frames are initiated and terminated at the same end. If you specify
this mode, then a reflector should be configured on the peer end to bring back the test frames.
• reflect—Test frames are reflected on the chosen service.
ovlan-priority Configure the priority value for the IEEE 802.1p bit in the outer VLAN tag.
Range: 0 through 7
reflect-etype Specify the EtherType ID to be used for reflection of test frames. This parameter is valid only in
mode reflect. If not specified, then all EtherTypes are reflected.
reflector-port Port used to configure reflector functionality for RFC 2544 test. The range of ports that can be
used based on the front panel port number are:
skip-arp-iteration This parameter is valid only in family inet mode. ARP iteration is a 3-second iteration that is run
for all inet tests. The results of ARP iteration are ignored in test result calculations. The primary
use of sending test frames for 3 seconds is to ensure that all devices on the path to destination
build their ARP entries.
source-ipv4-address Specify the source IPv4 address used for the test frames. If a value is not specified for this
parameter, then:
• For family ccc, if a value is not specified, then by default 192.168.1.10 is used.
• For family inet, the source address of the interface is used to send out test frames.
This parameter is optional when family ccc is specified. If not specified, then the default value of
0x00:0x60:0x67:0x71:0xC6:0x62 is used.
source-udp-port Specify the source UDP port number for the test frames.
Default: 4040
test-finish-wait-duration Number of seconds to wait after transmitting the last frame and before concluding that the test
as complete.
The default value for test types throughput, back-to-back frames and frame loss rate is 20 seconds.
The default value for test type latency is 120 seconds.
test-interface Specify the name of the logical interface (UNI) on which the test needs to be run.
When you specify the family as inet and mode as initiate-and-terminate the test-interface is ignored,
instead the test is run on egress logical interface that is determined by the route lookup on the
specified destination-ipv4-address.
When you specify the family as inet and mode as reflect, the test-interface is used as the interface
to enable reflection service. If test-interface is not specified, a lookup is performed on the
source-ipv4-address parameter to determine the interface hosting the address.
test-profile Specify the name of the test-profile to be used for the test.
Range: 0 through 7.
The following topics describe how to configure a test-profile and a test-name, start and
stop a RFC2544-benchmark test, and copy the test result to a local or a remote file.
• Configuring a Test Profile for an RFC 2544-Based Benchmarking Test on page 1346
• Configuring a Test Name for an RFC 2544-Based Benchmarking Test on page 1348
• Starting and Stopping the RFC 2544-Based Benchmarking Test on page 1354
• Copying an RFC 2544-Based Benchmarking Test Result on page 1354
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
5. Define the theoretical maximum bandwidth for the test in kilobits per second, with a
value from 1,000 Kbps through 1,000,000 Kbps. Specify a complete decimal number.
6. Specify the size of the test packet in bytes, with a value from 64 through 9136, to be
used for each test iteration. You can specify up to 10 packet sizes, separated by a
space, that are used sequentially for the test. The valid packet sizes are 64, 68, 72,
128, 256, 512, 768, 1024, 1280, 1518, 1522, 1600, 1728, 2496, 3584, 4016, 9104, and
9136 bytes. If you specify a packet size other than the ones listed here as valid sizes,
the configuration is saved when you commit the setting and no error message is
displayed. However, when you start the test by entering the test services rpm
rfc2544-benchmarking test test-name start command, an error message is displayed
specifying that you configured an invalid packet size in the test profile associated with
the test name.
NOTE:
• The minimum frame size for untagged frames should be 64.
7. Specify the step percentage for frame-loss tests with a value from 1 through 100. This
parameter is not applicable for other test types.
• To configure a throughput test, use the throughput option with the test-type
statement.
• To configure a latency test, use the latency option with the test-type statement.
• To configure a frame-loss test, use the frame-loss option with the test-type
statement.
• To configure a back-to-back frames test, use the back-back-frames option with the
test-type statement.
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
4. Define a name for the test—for example, test1. The test name identifier can be up to
32 characters in length.
5. Configure the destination IPv4 address for the test packets. This parameter is required
only if you configure an IPv4 family inet. This option is not required if you specify circuit
cross-connect (CCC) as the family. If you do not configure the destination IPv4 address,
the default value of 192.168.1.20 is used.
6. Specify the source MAC address used in generated test frames. This parameter is
effective for a CCC family and it is not applicable for an inet family. If you specify this
parameter for an inet family, a commit error occurs when you commit the configuration.
This parameter is optional for a CCC family. If you do not configure the destination
MAC address, the default value of 0x00:0x60:0x67:0x71:0xC6:0x62 is used.
8. Specify the logical interface on which the RFC 2544-based benchmarking test is run.
This is a local user-to-network interface (UNI) on behalf of which the test frames are
generated when the test direction is egress.
10. Specify the test mode for the packets that are sent during the benchmarking test. The
initiate-and-terminate option causes the test frames to be initiated from one end and
terminated at the same end. The initiation and termination mode requires a reflector
to be configured at the peer end to return the test frames from the peer to the
originator. The reflect option causes the test frames to be reflected on the chosen
service (IPv4, Ethernet, or bridge).
• To configure the initiation and termination mode as the test mode on a router, use
the initiate-and-terminate option.
• To configure the reflection mode as the test mode on a router, use the reflect option.
11. Specify the direction (egress | ingress) of the interface on which the test must be run.
The egress option causes the test to be run in the egress direction of the interface
(traffic sent from user-to-network interface (UNI) toward network-to-network
interface (NNI)). The ingress option causes the test to be run in the ingress direction
of the interface (traffic sent on user-to-network interface (UNI)). You cannot configure
ingress for a bridge family.
12. Configure the outer VLAN ID for the test frames. This parameter is valid only for a CCC
or an Ethernet pseudowire family.
13. Configure the inner VLAN ID for the test frames. This parameter is valid only for a CCC
or an Ethernet pseudowire family.
14. Configure the priority value for the IEEE 802.1p bit in the outer VLAN tag. The priority
value is configured when the UNI interface is dual-tagged.
15. Configure the priority value for the IEEE 802.1p bit in the inner VLAN tag. This
configuration is optional.
16. Configure the CFI value for the outer VLAN tag. This configuration is optional.
17. Specify the source IPv4 address to be used in generated test frames. This parameter
is optional for both CCC and inet families. If you do not configure the
source-ipv4-address for an inet family, the source address of the interface is used to
transmit the test frames. If you do not configure the source-ipv4-address for a CCC
family, the default value of 192.168.1.10 is used.
18. Specify the destination IPv4 address to be used in generated test frames.
19. Specify the source UDP port to be used in the UDP header for the generated frames.
If you do not specify the UDP port, the default value of 4040 is used.
20. Specify the destination UDP port to be used in the UDP header for the generated
frames. If you do not specify the UDP port, the default value of 4041 is used.
21. Specify the value of the Differentiated Services (DiffServ) field within the IP header
of the test frames. The DiffServ code point (DSCP) bits value must be set to a valid
6-bit pattern. If you do not specify this value, 0 is used in the DSCP fields in the IP
header.
22. Configure the address type family for the benchmarking test. The inet option indicates
that the test is run on an IPv4 service. The ccc option indicates that the test is run on
an CCC or Ethernet pseudowire service. The direction statement that you configured
in Step 11 specifies the direction (ingress or egress) to be used for the test.
23. Specify the forwarding class to be used for test frames. The forwarding class specifies
the manner in which the test frames are processed by the Packet Forwarding Engine
of the router. If you do not configure this parameter, test frames are treated as
best-effort traffic.
24. Specify the halt-on-prefix-down option to enable a prefix that moves to the down
state to cause the corresponding tests to be stopped. The show command output for
the test displays that the test was aborted because the prefix went down. By default,
the RFC 2544-based benchmarking test ignores a prefix-down event (when the prefix
associated with the test goes down) and continues to run.
25. Specify the duration of each iteration in seconds. If you configure this value, the default
value of each iteration depends on the type of test being run. For throughput, bursty
or back-back-frames, and frame-loss types of tests, the default value is 20 seconds.
For latency tests, the default value is 120 seconds.
26. Specify the name of the test profile to be associated with a particular test name. You
must have previously configured the profile by using the test-profile profile1 statement
at the [edit services rpm rfc2544-benchmarking] hierarchy level. The test profile is
required when the test mode is configured as initiation and termination. The test-profile
profile1 parameter is disregarded when the test mode is configured as reflection. A
reflection service does not use the parameters specified in the test profile because
the reflection service uses the same parameters for the test frames as the received
test frames when it returns the frames to the initiator.
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
4. Define a name for the test—for example, test1. The test name identifier can be up to
32 characters in length.
5. Specify the test mode for the packets that are sent during the benchmarking test. The
reflect option causes the test frames to be reflected back to the intiator end..
7. Specify the direction (egress | ingress) of the interface on which the test must be run.
The egress option causes the test to be run in the egress direction of the interface
(traffic sent from user-to-network interface (UNI) toward network-to-network
interface (NNI)). The ingress option causes the test to be run in the ingress direction
of the interface (traffic sent on user-to-network interface (UNI)). You cannot configure
ingress for a bridge family.
8. Configure the destination IPv4 address for the test packets. This parameter is required
only if you configure an IPv4 family inet. This option is not required if you specify circuit
cross-connect (CCC) as the family. If you do not configure the destination IPv4 address,
the default value of 192.168.1.20 is used.
9. Specify the source MAC address used in generated test frames. This parameter is
effective for a CCC family and it is not applicable for an inet family. If you specify this
parameter for an inet family, a commit error occurs when you commit the configuration.
This parameter is optional for a CCC family. If you do not configure the destination
MAC address, the default value of 0x00:0x60:0x67:0x71:0xC6:0x62 is used.
10. Specify the destination MAC address used in generated test frames.
11. Specify the logical interface on which the RFC 2544-based benchmarking test is run.
This is a local user-to-network interface (UNI) on behalf of which the test frames are
generated when the test direction is egress.
13. Specify the forwarding class to be used for test frames. The forwarding class specifies
the manner in which the test frames are processed by the Packet Forwarding Engine
of the router. If you do not configure this parameter, test frames are treated as
best-effort traffic.
14. Configure the address type family for the benchmarking test. The inet option indicates
that the test is run on an IPv4 service. The ccc option indicates that the test is run on
an CCC or Ethernet pseudowire service. The direction statement that you configured
in Step 7 specifies the direction (ingress or egress) to be used for the test.
15. Specify the EtherType to be used for reflection of the test frames, which is a two-octet
field in an Ethernet frame that defines the protocol encapsulated in the frame payload.
This parameter is valid only if you configured the test mode to be a reflector. If you do
not configure this parameter, all EtherTypes are reflected. Use an EtherType value
that matches the EtherType value set on the customer premises equipment (CPE)
to which your router connects. The EtherType value appears in the Ethernet type field
of the packet. It specifies the protocol being transported in the Ethernet frame. This
is an optional parameter.
16. Specify the reflection mode for the benchmarking test. This configuration is optional.
• mac-swap—Swaps the source and destination MAC addresses in the test frame.
This is the default behavior.
• no-mac-swap—Does not swap the source and destination MAC addresses in the
test frame. The frame is returned to the originator without any modification to the
MAC addresses.
To stop an RFC 2544-based benchmarking test, issue the run test services rpm
rfc2544-benchmarking test test-name stop CLI command.
To start an RFC 2544 benchmarking inet tests on Layer 3 VPN or virtual router, issue the
run test services rpm rfc2544-benchmarking test test-name routing-instance
routing-instance-name start CLI command.
To stop an RFC 2544 benchmarking inet tests on Layer 3 VPN or virtual router, issue the
run test services rpm rfc2544-benchmarking test test-name routing-instance
routing-instance-name stop CLI command.
• To copy test results to a local file, use the run show services rpm rfc2544-benchmarking
test-id number detail | save rfc-2544-test-result-session-id-number CLI command.
• To copy test results to a remote file, use the run show services rpm
rfc2544-benchmarking test-id number detail | save
ftp://username:password@sftpchannel.example.com/rfc-2544-test-result-session-id-number
Ethernet loopback is a feature that you can use for verifying the connectivity and identifying
or isolating faults in a network.
Figure 70 on page 1355 shows a scenario where UNI-B interface is configured in Ethernet
loopback mode in the egress direction. The packets received on the network-to-network
interface (NNI) of the ACX Series router are forwarded to the UNI-B interface and looped
back at the UNI-B interface after the source and destination MAC addresses are swapped.
This is a use case for testing an end-to-end service.
You can use the following optional parameters to identify an egress traffic flow for
Ethernet loopback:
• VLAN
• EtherType
While performing RFC2544 benchmarking tests, configure Ethernet loopback as the test
mode on a logical interface by including the Ethernet-loopback CLI statement at the [edit
services rpm rfc2544-benchmarking] hierarchy level.
If you configure Ethernet loopback on logical interfaces without configuring any of the
optional parameters, then any unknown unicast traffic in the same bridge domain also
gets looped back and does not get forwarded to other logical interfaces while the test
is being performed.
}
}
ge-0/1/6 {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
input-vlan-map {
push;
vlan-id 1000;
}
output-vlan-map pop;
}
}
[edit routing-options]
ppm {
traceoptions {
file ppmd size 100m;
flag packet;
flag event;
flag distribute;
flag pipe;
flag all;
}
}
[edit firewall]
family bridge {
filter ft1 {
term t1 {
from {
user-vlan-id 100;
}
then count loopback;
}
}
}
[edit bridge-domains]
bd1 {
interface ge-0/1/4.0;
interface ge-0/1/6.0;
}
• Example: Configuring an RFC 2544-Based Benchmarking Test for Layer 3 IPv4 Services
on page 1359
When you trigger an RFC 2544-based benchmarking test, it passes through a series of
states. These states are displayed in the Test state field in the brief or detailed output of
the show services rpm rfc2544-benchmarking command. The following are the names of
the states through which the test progresses after it is initiated:
Example: Configuring an RFC 2544-Based Benchmarking Test for Layer 3 IPv4 Services
This example shows how to configure the benchmarking test for a Layer 3 IPv4 service.
NOTE: This example is not applicable for ACX5048 and ACX5096 routers.
Requirements
This example uses the following hardware and software components:
Overview
Consider a sample topology in which a router, Router A, functions as an initiator and
terminator of the test frames for an RFC 2544-based benchmarking test. Router A is
connected over a Layer 3 network to another router, Router B, which functions as a
reflector to reflect back the test frames it receives from Router A. IPv4 is used for
transmission of test frames over the Layer 3 network. This benchmarking test is used to
compute the IPv4 service parameters between Router A and Router B. Logical interfaces
on both the routers are configured with IPv4 addresses to measure the performance
attributes, such as throughput, latency, frame loss, and bursty frames, of network devices
for the IPv4 service.
Figure 71 on page 1360 shows the sample topology to perform an RFC 2544 test for a Layer
3 IPv4 service.
Figure 71: RFC 2544-Based Benchmarking Test for a Layer 3 IPv4 Service
Configuration
In this example, you configure the benchmarking test for a Layer 3 IPv4 service that is
between interface ge-0/0/0 on Router A and interface ge-0/0/4 on Router B to detect
and analyze the performance of the interconnecting routers. You need not configure a
test profile on Router B because it operates as a reflector.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Configuring
Benchmarking Test
Parameters on Router
A
Configuring
Benchmarking Test
Parameters on Router
B
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# edit ge-0/0/0
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
13. Specify the period—for example, 20 minutes—for which the test is to be performed
in hours, minutes, or seconds by specifying a number followed by the letter h (for
hours), m (for minutes), or s (for seconds), respectively.
14. Define the theoretical maximum bandwidth for the test in kilobits per second, with
a value from 1,000 Kbps through 1,000,000 Kbps.
15. Enter the up command to go the previous level in the configuration hierarchy.
16. Enter the up command to go the previous level in the configuration hierarchy.
17. Define a name for the test—for example, test1. The test name identifier can be up
to 32 characters in length.
18. Specify the name of the test profile—for example, throughput—to be associated
with a particular test name.
19. Specify the logical interface, ge-0/0/0.1, on which the RFC 2544-based
benchmarking test is run.
20. Specify the test mode for the packets that are sent during the benchmarking test
as initiation and termination.
21. Configure the address type family, inet, for the benchmarking test.
22. Configure the destination IPv4 address for the test packets.
23. Specify the UDP port of the destination to be used in the UDP header for the
generated frames as 4001.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
[edit]
user@host# edit interfaces
[edit interfaces]
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
10. Define a name for the test—for example, test1. The test name identifier can be up
to 32 characters in length.
11. Specify the logical interface, ge-0/0/4.1, on which the RFC 2544-based
benchmarking test is run.
12. Specify reflect as the test mode for the packets that are sent during the
benchmarking test.
13. Configure the address type family, inet, for the benchmarking test.
14. Configure the destination IPv4 address for the test packets as 200.0.0.1.
15. Specify the UDP port of the destination to be used in the UDP header for the
generated frames as 4001.
After the test is successfully completed at the initiator, you can stop the test at the
reflector by entering the test services rpm rfc2544-benchmarking test test1 start
command.
Results
[edit interfaces]
ge-0/0/0 {
unit 0 {
family inet {
address 200.0.0.1/24;
}
}
}
tests {
test-name test1 {
test-profile throughput;
interface ge-0/0/0.1;
mode initiate,terminate;
family inet;
dest-address 200.0.0.2
udp-port 4001;
}
}
}
[edit interfaces]
ge-0/0/4 {
unit 0 {
family inet {
address 200.0.0.2/24;
}
}
}
After you have configured the device, enter the commit command in configuration mode.
Verifying the Results of the Benchmarking Test for Layer 3 IPv4 Services
Examine the results of the benchmarking test that is performed on the configured service
between Router A and Router B.
Purpose Verify that the necessary and desired statistical values are displayed for the benchmarking
test that is run on the configured service between Router A and Router B.
Action In operational mode, enter the run show services rpm rfc2544-benchmarking (aborted-tests
| active-tests | completed-tests | summary) command to display information about the
results of each category or state of the RFC 2544-based benchmarking test, such as
aborted tests, active tests, and completed tests, for each real-time performance
monitoring (RPM) instance.
Meaning The output displays the details of the benchmarking test that was performed. For more
information about the run show ptp clock operational command, see show services rpm
rfc2544-benchmarking in the CLI Explorer.
This example shows how to configure the benchmarking test for a network-to-network
interface (NNI) direction of an Ethernet pseudowire service.
Requirements
This example uses the following hardware and software components:
Overview
Consider a sample topology in which a router, Router A, functions as an initiator and
terminator of the test frames for an RFC 2544-based benchmarking test. Router A
operates as a provider edge device, PE1, which is connected to a customer edge device,
CE1, on one side and over an Ethernet pseudowire to another router, Router B, which
functions as a reflector to reflect back the test frames it receives from Router A. Router
B operates as a provider edge device, PE2, which is the remote router located at the other
side of the service provider core. The UNI direction of CE1 is connected to the NNI direction
of PE1. An MPLS tunnel connects PE1 and PE2 over the Ethernet pseudowire or the
Ethernet line (E-LINE).
Figure 72 on page 1368 shows the sample topology to perform an RFC 2544 test for the
NNI direction of an Ethernet pseudowire service.
Configuration
In this example, you configure the benchmarking test for the NNI direction of an Ethernet
pseudowire service that is enabled between two routers to detect and analyze the
performance of the interconnecting routers.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Configuring
Benchmarking Test
Parameters on Router
A
Configuring
Benchmarking Test
Parameters on Router
B
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# edit ge-0/0/0
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
10. Configure an RFC 2544-based benchmarking test for the RPM instance.
14. Specify the period—for example, 20 minutes—for which the test is to be performed
in hours, minutes, or seconds by specifying a number followed by the letter h (for
hours), m (for minutes), or s (for seconds).
15. Define the theoretical maximum bandwidth for the test in kilobits per second, with
a value from 1 Kbps through 1,000,000 Kbps.
16. Enter the up command to go the previous level in the configuration hierarchy.
17. Enter the up command to go the previous level in the configuration hierarchy.
18. Define a name for the test—for example, test1. The test name identifier can be up
to 32 characters in length.
19. Specify the name of the test profile—for example, throughput—to be associated
with a particular test name.
20. Specify the logical interface, ge-0/0/0.1, on which the RFC 2544-based
benchmarking test is run.
21. Specify the test mode for the packets that are sent during the benchmarking test
as initiation and termination.
22. Configure the address type family, ccc, for the benchmarking test.
23. Specify the direction of the interface on which the test must be run, which is NNI in
this example.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# edit ge-0/0/4
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
10. Configure an RFC 2544-based benchmarking test for the RPM instance.
11. Define a name for the test—for example, test1. The test name identifier can be up
to 32 characters in length.
12. Specify the logical interface, ge-0/0/4.1, on which the RFC 2544-based
benchmarking test is run.
13. Specify reflect as the test mode for the packets that are sent during the
benchmarking test.
14. Configure the address type family, ccc, for the benchmarking test.
15. Specify the direction of the interface on which the test must be run, which is NNI in
this example.
Results
[edit interfaces]
ge-0/0/0 {
vlan-tagging;
unit 0 {
encapsulation vlan-ccc;
vlan-id 101;
}
}
profiles {
test-profile throughput {
test-type throughput
packet-size 64;
test-duration 20m;
bandwidth-kbps 500;
}
}
tests {
test-name test1 {
interface ge-0/0/0.1;
test-profile throughput;
mode initiate,terminate;
family ccc;
direction nni;
}
}
}
[edit interfaces]
ge-0/0/4 {
vlan-tagging;
unit 0 {
encapsulation vlan-ccc;
vlan-id 101;
}
}
After you have configured the device, enter the commit command in configuration mode.
Verifying the Results of the Benchmarking Test for NNI Direction of an Ethernet Pseudowire
Service
Examine the results of the benchmarking test that is performed on the configured service
between Router A and Router B.
Purpose Verify that the necessary and desired statistical values are displayed for the benchmarking
test that is run on the configured service between Router A and Router B.
Action In operational mode, enter the run show services rpm rfc2544-benchmarking (aborted-tests
| active-tests | completed-tests | summary) command to display information about the
results of each category or state of the RFC 2544-based benchmarking test, such as
aborted tests, active tests, and completed tests, for each real-time performance
monitoring (RPM) instance.
Meaning The output displays the details of the benchmarking test that was performed. For more
information about the run show services rpm rfc2544-benchmarking operational command,
see show services rpm rfc2544-benchmarking in the CLI Explorer.
This example shows how to configure the benchmarking test for the user-to-network
interface (UNI) direction of an Ethernet pseudowire service.
Requirements
This example uses the following hardware and software components:
Overview
Consider a sample topology in which a router, Router A, functions as a reflector of the
test frames for an RFC 2544-based benchmarking test. The logical customer edge
(CE)-facing interface and inet family are configured on Router A. Router A is not part of
a pseudowire and therefore, a Layer 3 family configuration is required on it. Router A,
which is a customer edge device, CE1, is connected to Router B, which functions as a
provider edge device, PE1, over an Ethernet pseudowire in the UNI direction with EtherType
or Layer 2 Ethernet payload. The logical interface, CCC family, and UNI direction are
configured on Router B. Router B or PE1 is connected over an Ethernet pseudowire in the
NNI direction to a provider edge device at the remote site, PE2. The link between CE1 and
PE1 is an Ethernet Layer 2 network and it can be configured with any EtherType value.
The link between PE1 and PE2 is an Ethernet line (E-LINE) or an Ethernet Private Line
(EPL) that has Layer 2 payload and Layer 3 transport sent over it. Router B or PE1 functions
as an initiator and terminator of the test frames that are sent to Router A and reflected
back from it.
Figure 73 on page 1376 shows the sample topology to perform an RFC 2544 test for the
UNI direction of an Ethernet pseudowire service.
Configuration
In this example, you configure the benchmarking test for the UNI direction of an Ethernet
pseudowire service that is enabled between two routers to detect and analyze the
performance of the interconnecting routers.
CLI Quick To quickly configure this example, copy the following commands, paste them in a text
Configuration file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level:
Configuring
Benchmarking Test
Parameters on Router
A
Configuring
Benchmarking Test
Parameters on Router
B
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# edit ge-0/0/0
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
10. Configure an RFC 2544-based benchmarking test for the RPM instance.
14. Specify the period for which the test is to be performed in hours, minutes, or seconds
by specifying a number followed by the letter h (for hours), m (for minutes), or s
(for seconds). In this example, you configure the period as 20 minutes.
15. Define the theoretical maximum bandwidth for the test in kilobits per second, with
a value from 1 Kbps through 1,000,000 Kbps.
16. Enter the up command to go the previous level in the configuration hierarchy.
17. Enter the up command to go the previous level in the configuration hierarchy.
18. Define a name for the test—for example, test1. The test name identifier can be up
to 32 characters in length.
19. Specify the name of the test profile—for example, throughput—to be associated
with a particular test name.
20. Specify the logical interface, ge-0/0/0.1, on which the RFC 2544-based
benchmarking test is run.
21. Specify the test mode for the packets that are sent during the benchmarking test
as initiation and termination.
22. Configure the address type family, inet, for the benchmarking test.
23. Configure the destination IPv4 address for the test packets as 200.0.0.2.
24. Specify the UDP port of the destination to be used in the UDP header for the
generated frames as 4001.
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
[edit]
user@host# edit interfaces
[edit interfaces]
user@host# edit ge-0/0/4
[edit]
user@host# edit services
[edit services]
user@host# edit rpm
10. Configure an RFC 2544-based benchmarking test for the RPM instance.
11. Define a name for the test—for example, test1. The test name identifier can be up
to 32 characters in length.
12. Specify the logical interface on which the RFC 2544-based benchmarking test is
run.
13. Specify reflect as the test mode for the packets that are sent during the
benchmarking test.
14. Configure the address type family, ccc, for the benchmarking test.
15. Specify the direction of the interface on which the test must be run, which is UNI in
this example.
Results
[edit interfaces]
ge-0/0/0 {
vlan-tagging;
unit 0 {
vlan-id 101;
family inet {
address 200.0.0.1/24;
}
}
}
tests {
test-name test1 {
interface ge-0/0/0.1;
test-profile throughput;
mode initiate,terminate;
family inet;
dest-address 200.0.0.2
udp-port 4001;
}
}
}
[edit interfaces]
ge-0/0/4 {
vlan-tagging;
unit 0 {
encapsulation vlan-ccc;
vlan-id 101;
}
}
After you have configured the device, enter the commit command in configuration mode.
Verifying the Results of the Benchmarking Test for UNI Direction of an Ethernet Pseudowire
Service
Examine the results of the benchmarking test that is performed on the configured service
between Router A and Router B.
Purpose Verify that the necessary and desired statistical values are displayed for the benchmarking
test that is run on the configured service between Router A and Router B.
Action In operational mode, enter the run show services rpm rfc2544-benchmarking (aborted-tests
| active-tests | completed-tests | summary) command to display information about the
results of each category or state of the RFC 2544-based benchmarking test, such as
aborted tests, active tests, and completed tests, for each real-time performance
monitoring (RPM) instance.
Meaning The output displays the details of the benchmarking test that was performed. For more
information about the run show services rpm rfc2544-benchmarking operational command,
see show services rpm rfc2544-benchmarking in the CLI Explorer.
Mirroring and analyzers enable you to mirror a copy of a packet to a configured destination,
in addition to the normal processing and forwarding of the packet. Mirroring enables you
to mirror a copy of a packet and an analyzer helps in mirroring a packet based on VLANs.
Mirroring and analyzers are useful for debugging network problems and to prevent attacks
on a network.
• Source—This is the source port or VLAN (based on bridge domain) from where the
packets are mirrored.
• Port mirroring—Support for both ingress and egress based port mirroring using analyzer
where input to mirror is through a list of ports configured through logical interface. You
need to include the analyzer CLI statement at the [edit forwarding-options] hierarchy
level
• VLAN mirroring—In this mode, packets entering a VLAN (based on bridge domain) are
mirrored. You need to include the analyzer CLI statement at the [edit forwarding-options]
hierarchy level, where input to a mirror is a VLAN (based on bridge domain).
• Flow mirroring—In this mode, input parameters for mirroring are specified through a
firewall filter. You need to include the port-mirror CLI statement at the [edit
forwarding-options] hierarchy level. The ACX5000 line of routers supports only family
NOTE:
• In flow-based mirroring, firewall filters can be configured on a logical
interface as well as on a physical interface.
• If the vlan-id option for a VLAN (bridge domain) is not configured, or if the
vlan-id option is configured as none, then the mirrored packet is sent as is
without any additional VLAN tags.
Related • VLAN and Flow Mirroring on ACX5000 Series Routers on page 1386
Documentation
• Configuring VLAN Mirroring on ACX5000 Series Routers
The ACX5000 line of routers supports port, VLAN, and flow mirroring modes to mirror a
copy of a packet from a source port to a destination port.
• Port mirroring—In this mode, packets entering to a configured port are mirrored. You
need to include the analyzer CLI statement at the [edit forwarding-options] hierarchy
level, where input to a mirror is through a list of ports configured through the logical
interface
• VLAN mirroring—In this mode, packets entering a VLAN (based on bridge domain) are
mirrored. You need to include the analyzer CLI statement at the [edit forwarding-options]
hierarchy level, where input to a mirror is a VLAN (based on bridge domain).
• Flow mirroring—In this mode, input parameters for mirroring are specified through a
firewall filter. You need to include the port-mirror CLI statement at the [edit
forwarding-options] hierarchy level. The ACX5000 line of routers supports only family
ethernet-switching and family inet configurations. If the input is family
ethernet-switching, then output must also be family ethernet-switching. If input is family
inet, then the output must also be family inet with output option as IP address. If you
configure flow-based mirroring without any firewall filter match conditions, then
mirroring is based on logical interface. The ACX5000 line of routers do not support
IPv6, CCC, MPLS, and VPLS family options under the [edit forwarding-options
port-mirroring] hierarchy level.
NOTE:
• The ACX5000 line of routers supports both ingress and egress mirroring
for the following mirroring modes:
• If the vlan-id option for a VLAN (bridge domain) is not configured, or if the
vlan-id option is configured as none, then the mirrored packet is sent as is
without any additional VLAN tags.
You need to consider the following limitations before configuring port, VLAN and flow
mirroring on the ACX5000 line of routers:
• Egress mirroring with firewall filter is not supported for port mirroring.
• When output of mirror is VLAN, then VLAN can have only one member and the mirrored
traffic is sent to that member.
• Only eight members per aggregated Ethernet interface are supported for mirroring.
• When both VLAN and flow mirroring matches a packet stream, then flow mirroring
takes the precedence.
• If egress mirroring for a port is configured within a bridge domain, then the mirrored
copy of the packet contains the vlan-only internal. This is applicable for Layer 3 routed
packets.
• Logical tunnel (-lt) interfaces are not supported for port mirroring.
• You can have only one logical interface as output at the [edit forwarding-options
analyzer analyzer-name output] hierarchy level. Adding another logical interface as
output will override the existing logical interface configuration. Mirroring happens at
the physical interface level, even though the configuration is done as a logical interface.
The ACX5000 line of routers supports the following mirroring modes to mirror a copy of
a packet to a configured destination:
• Port mirroring—In this mode, packets entering to a configured port are mirrored.
• VLAN mirroring—In this mode, packets entering a VLAN (based on bridge domain) are
mirrored. You need to include the analyzer CLI statement at the [edit forwarding-options]
hierarchy level, where input to a mirror is a VLAN (based on bridge domain).
• Flow mirroring—In this mode, input parameters for mirroring are specified through a
firewall filter. You need to include the port-mirror CLI statement at the [edit
forwarding-options] hierarchy level. The ACX5000 line of routers supports only family
ethernet-switching and family inet configurations. If the input is family
ethernet-switching, then output must also be family ethernet-switching. If input is family
inet, then the output must also be family inet with output option as IP address. If you
configure flow-based mirroring without any firewall filter match conditions, then
mirroring is based on logical interface. The ACX5000 line of routers do not support
IPv6, CCC, MPLS, and VPLS family options under the [edit forwarding-options
port-mirroring] hierarchy level.
This topic describes the various methods to configure port, VLAN, and flow mirroring on
the ACX5000 line of routers.
The following are the various methods to configure port mirroring on the ACX5000 line
of routers:
• Configuring the Input as Logical Interface and the Output as Logical Interface on page 1389
• Configuring the Input as a Logical Interface and the Ouput as VLAN on page 1389
• Configuring the Input as Logical Interface and the Output as Next-hop IP
Address on page 1389
• Configuring the Input as Logical Interface and Output as VLAN with the no-tag
Option on page 1390
Configuring the Input as Logical Interface and the Output as Logical Interface
You can configure port mirroring on the ACX5000 line of routers by configuring the input
as logical interface and the output as a logical interface as shown in the following
configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
interface interface -name or list of interfaces;
}
output {
interface logical-interface-name;
}
}
}
You can configure port mirroring on the ACX5000 line of routers by configuring the input
as a logical interface and the output as a VLAN (VLAN name or VLAN ID) as shown in
the following configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
interface interface -name or list of interfaces;
}
output {
vlan vlan-name;
}
}
}
Configuring the Input as Logical Interface and the Output as Next-hop IP Address
You can configure port mirroring on the ACX5000 line of routers by configuring the input
as a logical interface and the output as the next-hop IP address as shown in the following
configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
interface interface -name or list of interfaces;
}
output {
ip-address ip-address;
}
}
Configuring the Input as Logical Interface and Output as VLAN with the no-tag
Option
You can configure port mirroring on the ACX5000 line of routers by configuring the input
as a logical interface and the output as VLAN without any additional VLAN (bridge
domain) tag. Use the no-tag CLI statement as shown in the following configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
interfaceinterface -name or list of interfaces;
}
output {
vlan vlan-name; {
no-tag;
}
}
}
}
NOTE: In this method, the mirrored packet do not have any VLAN tags
associated with the packets.
The following are the various methods to configure VLAN mirroring on the ACX5000 line
of routers:
• Configuring the Input as VLAN and the Output as Logical Interface on page 1390
• Configuring the Input and the Ouput as VLAN on page 1391
• Configuring the Input as VLAN and the Output as Next-hop IP Address on page 1391
• Configuring the Input as VLAN and Output as VLAN with the no-tag Option on page 1391
You can configure VLAN mirroring on the ACX5000 line of routers by configuring the
input as VLAN (VLAN name or VLAN ID) and the output as a logical interface as shown
in the following configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
vlan vlan-name;
}
output {
interface logical-interface-name;
}
}
}
You can configure VLAN mirroring on the ACX5000 line of routers by configuring the
input as VLAN (VLAN name or VLAN ID) and the output as a VLAN (VLAN name or VLAN
ID) as shown in the following configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
vlan vlan-name;
}
output {
vlan vlan-name;
}
}
}
You can configure VLAN mirroring on the ACX5000 line of routers by configuring the
input as a VLAN (VLAN name or VLAN ID) and the output as the next-hop IP address as
shown in the following configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
vlan vlan-name;
}
output {
ip-address ip-address;
}
}
}
Configuring the Input as VLAN and Output as VLAN with the no-tag Option
You can configure VLAN mirroring on the ACX5000 line of routers by configuring the
input as a VLAN (VLAN name or VLAN ID) and the output as VLAN without any additional
VLAN (bridge domain) tag. Use the no-tag CLI statement as shown in the following
configuration:
[edit forwarding-options]
analyzer analyzer-name {
input {
ingress {
vlan vlan-name;
}
output {
vlan vlan-name; {
no-tag;
}
}
}
}
NOTE: In this method, the mirrored packet do not have any VLAN tags
associated with the packets.
The following are the various methods to configure flow mirroring on ACX5000 line of
routers:
You can configure flow mirroring on the ACX5000 line of routers by configuring the family
as ethernet-switching and specifying the output as a Layer 2 logical interface as shown
in the following configuration:
[edit forwarding-options]
port-mirroring {
family ethernet-switching {
output {
interface logical-interface-name;
}
}
}
[edit firewall]
family ethernet-switching {
filter filter-name {
term rule-name {
from {
match-conditions;
}
then port-mirror;
}
}
}
[edit interfaces]
interface-name {
unit interface-unit-number {
family ethernet-switching {
filter {
input filter-name;
}
vlan-id number;
encapsulation vlan-bridge;
}
}
}
You can configure flow mirroring on the ACX5000 line of routers by configuring the family
as ethernet-switching and specifying the output as a VLAN (VLAN name or VLAN ID) as
shown in the following configuration:
[edit forwarding-options]
port-mirroring {
family ethernet-switching {
output {
vlan vlan-name;
}
}
}
[edit firewall]
family ethernet-switching {
filter filter-name {
term rule-name {
from {
match-conditions;
}
then port-mirror;
}
}
}
[edit interfaces]
interface-name {
unit interface-unit-number {
family ethernet-switching {
filter {
input filter-name;
}
vlan-id number;
encapsulation vlan-bridge;
}
}
}
You can configure flow mirroring on the ACX5000 line of routers by configuring the output
as VLAN without any additional VLAN (bridge domain) tag. Use the no-tag CLI statement
as shown in the following configuration:
1. Configure the output as VLAN without any additional VLAN (bridge domain) tag by
using the no-tag CLI statement.
[edit forwarding-options]
port-mirroring {
family ethernet-switching {
output {
vlan vlan-name; {
no-tag;
}
}
}
}
2. Configure the firewall filter and specify the action as mirror or mirroring instance.
[edit firewall]
family ethernet-switching {
filter filter-name {
term rule-name {
from {
match-conditions;
}
then (port-mirror | port-mirror-instance instance-name);
}
}
}
[edit interfaces]
interface-name {
unit interface-unit-number {
family ethernet-switching {
filter {
input filter-name;
}
vlan-id number;
encapsulation vlan-bridge;
}
}
}
NOTE: In this method, the mirrored packet does not have any VLAN tags
associated with the packet.
Configuring the Family as inet and Specifying the Output as Next-Hop IP Address
You can configure flow mirroring on the ACX5000 line of routers by configuring the family
as inet and specifying the output as the next-hop IP address as shown in the following
configuration:
[edit forwarding-options]
port-mirroring {
family inet {
output {
ip-address ip-address;
}
}
}
[edit firewall]
family inet {
filter filter-name {
term rule-name {
from {
match-conditions;
}
then port-mirror;
}
}
}
3. Attach the firewall filter to the IP address of the packets in the inet family.
[edit interfaces]
interface-name {
unit interface-unit-number {
vlan-id number;
family inet {
ip-address ip-address;
filter {
input filter-name;
}
}
}
}
An sFlow monitoring system consists of an sFlow agent embedded in the device and a
central data collector, or sFlow analyzer. The sFlow agent performs packet sampling
and gathers interface statistics, and then combines the information into UDP datagrams
that are sent to the sFlow collectors for analysis. The sFlow agent is responsible for
monitoring the network port, sample all incoming packets including control traffic and
traffic arriving on all the ports in the system. The collector can be connected to one of
the data ports or the management interface.
The following sFlow features are supported on the ACX5000 line of routers:
• Adaptive sampling—Monitors the overall incoming traffic rate on the device and provides
feedback to the interfaces to dynamically adapt their sampling rate to traffic conditions.
The sFlow collector uses the IP address of the sFlow agent to determine the source of
the sFlow data. You can configure the IP address of the sFlow agent to ensure that the
agent ID for the sFlow agent remains constant. If you do not assign an IP address to the
agent, an IP address will be assigned to the agent using the IP address of a configured
interface.
If a particular interface is not configured, the IP address of the next interface in the priority
list is used as the IP address for the agent. Once an IP address is assigned to the agent,
the agent ID is not modified until the sFlow service is restarted. At least one interface has
to be configured for an IP address to be assigned to the agent.
• The ingress and egress sampling can be configured only on one of the units under a
physical interface and the sFlow is enabled for the physical interface (port). The sFlow
cannot be enabled if the unit under a physical interface is not configured.
• Egress sampling for Broadcast, Unknown unicast and Multicast (BUM) traffic is not
supported because the source-interface field in the SFlow datagrams cannot be
populated.
• Destination VLAN and Destination Priority fields are not populated in the case of Layer
3 forwarding.
• SFlow cannot be enabled on LAG interfaces, however, it can be enabled on LAG member
interfaces individually.
1. Configure the IP address and UDP port (optional) of at least one collector:
3. Specify how often (in seconds) the sFlow agent polls all interfaces at the global level:
4. Specify the rate at which packets are sampled at the global level. For example,
configuring a number of 1000 sets a sample rate of 1 in 1000 packets.
5. (Optional) You can also configure the polling interval and sample rate at the interface
level:
You can use the following CLI commands to verify and troubleshoot the configurations:
• show sflow interface—Display the interfaces on which sFlow is enabled and the sampling
parameters for the interface.
• show sflow collector—Display a list of configured sFlow collectors and their properties.
• clear sflow collector statistics—Clear the sample counters for all sFlow collectors.
• CT1 and CE1 Interfaces Alarms, Errors, and Defects on page 1401
• Troubleshooting PoE Interfaces on ACX2000 Universal Access Routers on page 1402
• Troubleshooting and Monitoring TCAM Resource in ACX Series Routers on page 1403
Table 108 on page 1401 lists the ct1 and ce1 media-specific alarms or defects that can
render the interface on ACX Series routers unable to pass packets.
Table 108: CT1 and CE1 Interface Alarms and Error Definitions
Alarm or Error Definitions Structure-Agnostic Interface Type Structure-Aware
AIS Alarm indication signal (blue alarm) ct1 and ce1 interfaces ct1 and ce1 interfac
ES Errored seconds ct1 and ce1 interfaces ct1 and ce1 interfac
LCV Line code violation ct1 and ce1 interfaces ct1 and ce1 interfac
LES Line errored seconds ct1 and ce1 interfaces ct1 and ce1 interfac
Table 108: CT1 and CE1 Interface Alarms and Error Definitions (continued)
Alarm or Error Definitions Structure-Agnostic Interface Type Structure-Aware
LOS Loss of signal ct1 and ce1 interfaces ct1 and ce1 interfac
SEFS Severely errored frame seconds N/A ct1 and ce1 interfac
SES Severely errored seconds ct1 and ce1 interfaces ct1 and ce1 interfac
UAS Unavailable seconds ct1 and ce1 interfaces ct1 and ce1 interfac
Problem Description: A Power over Ethernet (PoE) interface is not supplying power to the powered
device.
Solution Check for the items shown in Table 109 on page 1402.
Has PoE capability been disabled for that Use the show poe interface command to check
interface? PoE interface status.
Is the cable properly seated in the port socket? Check the hardware.
Does the powered device require more power Use the show poe interface command to check
than is available on the interface? the maximum power provided by the interface.
If the telemetries option has been enabled for Use the show poe telemetries command to
the interface, check the history of power display the history of power consumption.
consumption.
Related • Understanding PoE on ACX Series Universal Access Routers on page 142
Documentation
• Example: Configuring PoE on ACX2000 Routers on page 144
The dynamic allocation of Ternary Content Addressable Memory (TCAM) space in ACX
Series efficiently allocates the available TCAM resources for various filter applications.
In the dynamic TCAM model, various filter applications (such as inet-firewall,
bridge-firewall, cfm-filters, etc.) can optimally utilize the available TCAM resources as
and when required. Dynamic TCAM resource allocation is usage driven and is dynamically
allocated for filter applications on a need basis. When a filter application no longer uses
the TCAM space, the resource is freed and available for use by other applications. This
dynamic TCAM model caters to higher scale of TCAM resource utilization based on
application’s demand. You can use the show and clear commands to monitor and
troubleshoot dynamic TCAM resource usage in ACX Series routers.
Table 110 on page 1403 shows the task and the commands to monitor and troubleshoot
TCAM resources in ACX Series routers
Table 110: Commands to Monitor and Troubleshoot TCAM Resource in ACX Series
How to Command
View the shared and the related applications for a particular show pfe tcam app (list-shared-apps | list-related-apps)
application.
View the number of applications across all tcam stages. show pfe tcam usage all-tcam-stages
View the number of applications using the TCAM resource at a show pfe tcam usage tcam-stage (ingress | egress |
specified stage. pre-egress)
View the TCAM resource used by an application in detail. show pfe tcam usage app <application-name> detail
View the TCAM resource used by an application at a specified stage. show pfe tcam usage tcam-stage (ingress | egress |
pre-egress) app <application-name>
Know the number of TCAM resource consumed by a tcam-app show pfe tcam usage app <application-name>
View the TCAM resource usage errors for all stages. show pfe tcam errors all-tcam-stages detail
View the TCAM resource usage errors for a stage show pfe tcam errors tcam-stage (ingress | egress |
pre-egress)
View the TCAM resource usage errors for an application. show pfe tcam errors app <application-name>
View the TCAM resource usage errors for an application along with show pfe tcam errors app <application-name> shared-usage
its other shared application.
Clear the TCAM resource usage error statistics for all stages. clear pfe tcam-errors all-tcam-stages
Table 110: Commands to Monitor and Troubleshoot TCAM Resource in ACX Series (continued)
How to Command
Clear the TCAM resource usage error statistics for a specified stage clear pfe tcam-errors tcam-stage (ingress | egress |
pre-egress)
Clear the TCAM resource usage error statistics for an application. clear pfe tcam-errors app <application-name>
To know more about dynamic TCAM in ACX Series, see “Dynamic Ternary Content
Addressable Memory Overview” on page 1157.
Configuration Statements
access-profile
Description After you have created the access profile that specifies authentication and accounting
parameters, you must specify where the profile is used. Authentication and accounting
will not run unless you specify the profile. You can attach access profiles globally at the
[edit] hierarchy level, or you can apply them to DHCP clients or subscribers, VLANs, or
to a routing instance.
Options profile-name—Name of the access profile that you configured at the [edit access profile
name] hierarchy level.
• Configuring Access Components for the DHCP Layer 3 Wholesale Network Solution
active
Description Determine whether static, aggregate, or generated routes are removed from the routing
and forwarding tables when they become inactive. Static routes are only removed from
the routing table if the next hop becomes unreachable. This can occur if the local or
neighbor interface goes down. Routes that have been configured to remain continually
installed in the routing and forwarding tables are marked with reject next hops when they
are inactive.
• active—Remove a route from the routing and forwarding tables when it becomes
inactive.
• passive—Have a route remain continually installed in the routing and forwarding tables
even when it becomes inactive.
Include the active statement when configuring an individual route in the route portion of
the static statement to override a passive option specified in the defaults portion of the
statement.
Default active
address (Interfaces)
Related • Junos OS Network Interfaces Library for Routing Devices for other statements that do
Documentation not affect services interfaces.
aggregate (Routing)
Syntax aggregate {
defaults {
... aggregate-options ...
}
route destination-prefix {
policy policy-name;
... aggregate-options ...
}
}
• (brief | full);
• community [ community-ids ];
• discard;
defaults—Specify global aggregate route options. These options only set default attributes
inherited by all newly created aggregate routes. These are treated as global defaults
and apply to all the aggregate routes you configure in the aggregate statement. This
part of the aggregate statement is optional.
Release Information Statement introduced in Junos OS Release 12.3X54 for ACX Series Routers.
Description Define an aggregate policer as a single parent policer across all the child policer instances
in the system. A single instance of the policer is created system-wide.
You must then link or associate the child policers to the parent or aggregate policer by
specifying at each child policer by using the aggregate-policing aggregate-policer-name
statement at the [edit firewall policer policer-name if-exceeding] hierarchy level. This step
is additional, from the procedure to create a single-level policer, to configure a hierarchical
policer.
Options global—Indicates that the aggregate policer is a parent and applicable globally throughout
the system.
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
Syntax aggregate-policing {
policer policer-name {
aggregate-sharing-mode (peak | guarantee | hybrid);
}
}
Release Information Statement introduced in Junos OS Release 12.3X54 for ACX Series Routers.
Description Define a child or micro policer and the mode of hierarchical policing for the child policer.
You can configure a normal policer as a child policer or a two-rate three-color policer as
a child policer. You can also define the mode of policing as hybrid, peak, or guarantee.
An aggregate parent policer must be configured to attach or group all child policers
defined with the parent policer that is globally applicable throughout the system.
Options aggregate-policing—Defines the child or micro policer for an aggregate parent policer.
policer policer-name—Name that identifies the policer. The name can contain letters,
numbers, and hyphens (-), and can be up to 255 characters long. To include spaces
in the name, enclose it in quotation marks (“ ”).
NOTE: You can configure hybrid mode for two-rate three-color policers
only.
• Configuring Aggregate Parent and Child Policers on ACX Series Routers on page 931
aggregated-devices
Syntax aggregated-devices {
ima {
device-count number;
}
}
Release Information Statement introduced in Junos OS Release 12.2 for ACX Series routers.
Description Configure the number of aggregated Inverse Multiplexing ATM (IMA) group interfaces
created on channelized CT1 or CE1 interfaces. The IMA group interface name format is
at-fpc/pic/port with the port number taken from the last port on the MIC plus 1. For
example, on the ACX2000 router with a 16-port built-in T1/E1 TDM MIC, the IMA group
interface numbering starts with at-0/0/16 and increments by 1 to at-0/0/17, and so on.
On the ACX1000 router with an 8-port built-in TDM MIC, the IMA group interface
numbering starts with at-0/0/8 and increments by 1 to at-0/0/9, and so on
alarm (chassis)
Syntax alarm {
interface-type {
alarm-name (ignore |red | yellow);
}
}
relay
input {
port port-number {
mode (close | open);
trigger (ignore | red | yellow);
}
}
output{
port port-number {
input-relay input-relay;
mode (close | open);
temperature;
}
}
Release Information Statement introduced in Junos OS Release 12.3 for the ACX Series Routers.
Description Configure the chassis alarms and whether they trigger a red or yellow alarm, or whether
they are ignored. Red alarm conditions light the RED ALARM LED on either the router’s
craft interface or the switch’s LCD screen and trigger an audible alarm if one is connected
to the contact on the craft interface or LCD screen. Yellow alarm conditions light the
YELLOW ALARM LED on either the router’s craft interface or the switch’s LCD screen and
trigger an audible alarm if one is connected to the craft interface or LCD screen.
Options alarm-name—Alarm condition. For a list of conditions, see System-Wide Alarms and Alarms
for Each Interface Type.
ignore—The specified alarm condition does not set off any alarm.
interface-type—Type of interface on which you are configuring the alarm: atm, ethernet,
t1, or e1.
alarm (chassis)
Syntax alarm {
interface-type {
alarm-name (ignore |red | yellow);
}
}
Description Configure the chassis alarms and whether they trigger a red or yellow alarm, or whether
they are ignored. Red alarm conditions light the RED ALARM LED on either the router’s
craft interface or the switch’s LCD screen and trigger an audible alarm if one is connected
to the contact on the craft interface or LCD screen. Yellow alarm conditions light the
YELLOW ALARM LED on either the router’s craft interface or the switch’s LCD screen and
trigger an audible alarm if one is connected to the craft interface or LCD screen.
Options alarm-name—Alarm condition. For a list of conditions, see System-Wide Alarms and Alarms
for Each Interface Type.
ignore—The specified alarm condition does not set off any alarm.
interface-type—Type of interface on which you are configuring the alarm: atm, ethernet,
sonet, or t3.
allow-any-vci
Syntax allow-any-vci;
Description Specify the rate of announce messages that a Precision Time Protocol (PTP) slave
requests from the master during a unicast-negotiation session. The announce interval
is configured on the slave.
Related • IEEE 1588v2 Precision Timing Protocol (PTP) on ACX Series Universal Access Routers
Documentation on page 237
Release Information Statement introduced in Junos OS Release 12.3 for ACX Series Routers.
Description Configure the logarithmic mean interval for the announce messages to be sent by the
2
master. This is a log value, which means that announce messages are requested to be
sent every two seconds.
• Example: Configuring a PTP Boundary Clock With Unicast Negotiation on page 250
Description Associate BGP autonomous system (AS) path information with a static, aggregate, or
generated route.
In Junos OS Release 9.1 and later, the numeric range for the AS number is extended to
provide BGP support for 4-byte AS numbers as defined in RFC 4893, BGP Support for
Four-octet AS Number Space. RFC 4893 introduces two new optional transitive BGP
attributes, AS4_PATH and AS4_AGGREGATOR. These new attributes are used to
propagate 4-byte AS path information across BGP speakers that do not support 4-byte
AS numbers. RFC 4893 also introduces a reserved, well-known, 2-byte AS number, AS
23456. This reserved AS number is called AS_TRANS in RFC 4893. All releases of Junos
OS support 2-byte AS numbers.
In Junos OS Release 9.2 and later, you can also configure a 4-byte AS number using the
AS-dot notation format of two integer values joined by a period: <16-bit high-order value
in decimal>.<16-bit low-order value in decimal>. For example, the 4-byte AS number
of 65,546 in plain-number format is represented as 1.10 in the AS-dot notation format.
You can specify a value in the range from 0.0 through 65535.65535 in AS-dot notation
format.
Options aggregator—(Optional) Attach the BGP aggregator path attribute to the aggregate route.
You must specify the last AS number that formed the aggregate route (encoded as
two octets) for as-number, followed by the IP address of the BGP system that formed
the aggregate route for ip-address.
origin egp—(Optional) BGP origin attribute that indicates that the path information
originated in another AS.
origin igp—(Optional) BGP origin attribute that indicates that the path information
originated within the local AS.
origin incomplete—(Optional) BGP origin attribute that indicates that the path information
was learned by some other means.
as-path-compare
Syntax as-path-compare;
Description Specify to have the algorithm that is used to determine the active path compare the AS
numbers in the AS path. In a VPN scenario with multiple BGP paths, the algorithm selects
as the active path the route whose AS numbers match. By default, the algorithm evaluates
only the length and not the contents of the AS path.
Related • Configuring the Algorithm That Determines the Active Route to Evaluate AS Numbers
Documentation in AS Paths for VPN Routes on page 855
asymmetry
For MX Series:
Release Information Statement introduced in Junos OS Release 15.2 for MX Series routers.
Statement introduced in Junos OS Release 17.3 for QFX Series switches.
Description Specify the asymmetry value between the master and the slave. A compensating value
for networks in which there is path asymmetry between the 1588v2 slave and master.
Specify a positive or negative value that is added to the path delay value from the slave
to the master, making the delay symmetric and equal to the path from the master to the
slave.
Options number—The asymmetry value is in nanoseconds and can vary from minus (–)100
milliseconds to 100 milliseconds, allowing compensation for up to 1/10 of a second
of path asymmetry.
Related • IEEE 1588v2 Precision Timing Protocol (PTP) on ACX Series Universal Access Routers
Documentation on page 237
asymmetric-hold-time
Syntax asymmetric-hold-time;
Description Enable the VRRP master router to switch over to the backup router immediately, without
waiting for the priority hold time to expire, when a route goes down. However, when the
route comes back online, the backup router that is acting as the master waits for the
priority hold time to expire before switching the mastership back to the original master
VRRP router.
atm-options
Syntax atm-options {
cell-bundle-size cells;
ilmi;
linear-red-profiles profile-name {
high-plp-max-threshold percent;
low-plp-max-threshold percent;
queue-depth cells high-plp-threshold percent low-plp-threshold percent;
}
mpls {
pop-all-labels {
required-depth number;
}
}
pic-type (atm1 | atm2);
plp-to-clp;
promiscuous-mode {
vpi vpi-identifier;
}
scheduler-maps map-name {
forwarding-class class-name {
epd-threshold cells plp1 cells;
linear-red-profile profile-name;
priority (high | low);
transmit-weight (cells number | percent number);
}
vc-cos-mode (alternate | strict);
}
use-null-cw;
vpi vpi-identifier {
maximum-vcs maximum-vcs;
oam-liveness {
up-count cells;
down-count cells;
}
oam-period (disable | seconds);
shaping {
(cbr rate | rtvbr peak rate sustained rate burst length | vbr peak rate sustained rate burst
length);
queue-length number;
}
}
}
• shaping
atm-policer (Firewall)
Release Information Statement introduced in Junos OS Release 12.2 on ACX Series routers.
Description (ACX Series routers) Create a policer, which polices each cell in the ATM packet. A policer
defines the maximum amount of traffic that can flow through an interface and further
determines the actions to be taken when the traffic exceeds the defined limits.
When included at the [edit firewall] hierarchy level, the atm-policer statement creates
a policer that can be applied explicitly to multiple ATM IMA interfaces at the edit interface]
hierarchy level.
Options policer-name—ATM policer name. The name can contain letters, numbers, and hyphens
(-), and can be up to 255 characters long. To include spaces in the name, enclose it
in quotation marks (“ ”).
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Configuring Policing on an ATM IMA Pseudowire on page 912
atm-service
Release Information Statement introduced in Junos OS Release 12.2 on ACX Series routers.
Description (ACX Series routers) Configure the ATM service category on ATM IMA pseudowire
interfaces to define bandwidth shaping and policing.
• For policing at the [edit firewall atm-policer atm-policer-name] hierarchy level, configure
the ATM IMA pseudowire to control the number of cells that fall within the defined
parameters. Policing is based on the ATM service categories—cbr, rtvbr, nrtvbr, and
ubr.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Configuring Policing on an ATM IMA Pseudowire on page 912
auto-export
Syntax auto-export {
disable;
family inet {
disable;
flow {
disable;
rib-group rib-group;
}
multicast {
disable;
rib-group rib-group;
}
unicast {
disable;
rib-group rib-group;
}
}
family inet6 {
disable;
multicast {
disable;
rib-group rib-group;
}
unicast {
disable;
rib-group rib-group;
}
}
family iso {
disable;
unicast {
disable;
rib-group rib-group;
}
}
traceoptions {
file filename <files number> <size maximum-file-size> <world-readable |
no-world-readable>;
flag flag <flag-modifier> <disable>;
}
}
This statement enables you to leak routes between VPN routing and forwarding (VRF)
instances that are locally configured on a provider edge (PE) router. Auto export is always
applied on the local PE router, because it applies to only local prefix leaking by evaluating
the export policy of each VRF and determining which route targets can be leaked. The
standard VRF import and export policies affect remote PE prefix leaking.
You can use this statement as an alternative to using the VRF import and export policies.
family—Address family.
autoinstallation
Syntax autoinstallation {
configuration-servers {
url;
}
interfaces {
interface-name {
bootp;
rarp;
}
}
}
Description Download a configuration file automatically from an FTP, Hypertext Transfer Protocol
(HTTP), or Trivial FTP (TFTP) server. When you power on a router or switch configured
for autoinstallation, it requests an IP address from a Dynamic Host Configuration Protocol
(DHCP) server. Once the router or switch has an address, it sends a request to a
configuration server and downloads and installs a configuration.
Options The remaining statements are explained separately. See CLI Explorer.
• configuration-servers
• idle-timeout
Syntax autoinstallation {
delete-upon-commit;
continue-network-mode;
configuration-servers {
url;
}
interfaces {
interface-name {
bootp;
rarp;
}
}
}
Release Information Statement introduced in Junos OS Release 12.2 for ACX Series Universal Access Routers.
continue-network-mode option introduced in Junos OS Release 12.3X53 for ACX Series
Universal Access Routers.
Description (ACX Series routers). Download a configuration file automatically from an FTP, Hypertext
Transfer Protocol (HTTP), or Trivial FTP (TFTP) server. When you power on a router or
switch configured for autoinstallation, it requests an IP address from a Dynamic Host
Configuration Protocol (DHCP) server. Once the router or switch has an address, it sends
a request to a configuration server and downloads and installs a configuration.
Options The remaining statements are explained separately. See CLI Explorer.
• configuration-servers
• idle-timeout
autonomous-system
An autonomous system (AS) is a set of routing devices that are under a single technical
administration and that generally use a single interior gateway protocol (IGP) and metrics
to propagate routing information within the set of routing devices. An AS appears to other
ASs to have a single, coherent interior routing plan and presents a consistent picture of
what destinations are reachable through it. ASs are identified by a number that is assigned
by the Network Information Center (NIC) in the United States (http://www.isi.edu).
If you are using BGP on the routing device, you must configure an AS number.
The AS path attribute is modified when a route is advertised to an EBGP peer. Each time
a route is advertised to an EBGP peer, the local routing device prepends its AS number
to the existing path attribute, and a value of 1 is added to the AS number.
In Junos OS Release 9.1 and later, the numeric range is extended to provide BGP support
for 4-byte AS numbers as defined in RFC 4893, BGP Support for Four-octet AS Number
Space. RFC 4893 introduces two new optional transitive BGP attributes, AS4_PATH and
AS4_AGGREGATOR. These new attributes are used to propagate 4-byte AS path
information across BGP speakers that do not support 4-byte AS numbers. RFC 4893
also introduces a reserved, well-known, 2-byte AS number, AS 23456. This reserved AS
number is called AS_TRANS in RFC 4893. All releases of Junos OS support 2-byte AS
numbers.
In Junos OS Release 9.3 and later, you can also configure a 4-byte AS number using the
AS-dot notation format of two integer values joined by a period: <16-bit high-order value
in decimal>.<16-bit low-order value in decimal>. For example, the 4-byte AS number
of 65,546 in plain-number format is represented as 1.10 in the AS-dot notation format.
[edit]
routing-options {
autonomous-system 65546;
}
Range: 0.0 through 65535.65535 in AS-dot notation format for 4-byte numbers
[edit]
routing-options {
autonomous-system 1.10;
}
Range: 1 through 65,535 in plain-number format for 2-byte AS numbers (this is a subset
of the 4-byte range)
[edit]
routing-options {
autonomous-system 60000;
}
NOTE: When you specify the same AS number in more than one routing
instance on the local routing device, you must configure the same number
of loops for the AS number in each instance. For example, if you configure a
value of 3 for the loops statement in a VRF routing instance that uses the
same AS number as that of the master instance, you must also configure a
value of 3 loops for the AS number in the master instance.
backup-neighbor
Description Configure pseudowire redundancy for Layer 2 circuits and VPLS. A redundant pseudowire
can act as a backup connection and can be configured between a PE router and a CE
device or between PE routers, maintaining Layer 2 circuit and VPLS services after certain
types of failures. This feature can help improve the reliability of certain types of networks
where a single point of failure could interrupt service for customers.
• psn-tunnel-endpoint
• virtual-circuit-id
Release Information Statement introduced in Junos OS Release 12.3X53 for ACX Series routers.
Description Define the theoretical maximum bandwidth, in kilobits per second, for the test. The
theoretical limit of the media for the frame size configured for the test. This value is
typically set to the bandwidth of the server being tested. The range is 1,000 Kbps through
1,000,000 Kbps (1 Gbps). The value defined is the highest bandwidth value used for this
test.
Description (ACX Series, MX Series 3D Universal Edge Routers and T4000 Core Routers only) Specify
the amount of bandwidth in gigabits per second to reserve for tunnel services. For ACX
Series routers, you can configure a bandwidth of only 1 Gbps and 10 Gbps for logical
tunnel (lt-) interfaces.
NOTE: The bandwidth that you specify determines the port number of the
tunnel interfaces that are created. When you specify a bandwidth of 1g, the
port number is always 10. When you specify any other bandwidth, the port
number is always 0.
NOTE: If you specify a bandwidth that is not compatible with the type of
DPCs or MPCs and their respective Packet Forwarding Engine, tunnel services
are not activated. For example, you cannot specify 1 gigabit per second
bandwidth for a Packet Forwarding Engine on a 10-Gigabit Ethernet 4-port
DPC or 16x10GE 3D MPC.
When the tunnel bandwidth is unspecified in the Routing Engine CLI, the
maximum tunnel bandwidth for MPC3E is 60G.
bits
Syntax bits {
priority number;
quality-level (prc | prs |sec | smc | ssu-a | ssu-b | st2 | st3 | st3e | st4 | stu | tnc);
request request (force-switch | lockout);
}
Release Information Statement introduced in Junos OS Release 12.2 for ACX Series Routers.
Description Configure the external BITS device connected to the router’s T1 or E1 building-integrated
timing supply (BITS) interface, which upon configuration becomes a candidate for
selection as the clock source by the clock source selection algorithm.
Options The remaining statements are explained separately. See CLI Explorer.
Related • External Clock Synchronization Overview for ACX Series Routers on page 226
Documentation
• Configuring External Clock Synchronization for ACX Series Routers on page 228
bpdu-block-on-edge
Syntax bpdu-block-on-edge;
Related • Understanding BPDU Protection for Spanning-Tree Instance Interfaces on page 423
Documentation
• BPDU Protection on All Edge Ports of the Bridge
• rstp
• mstp
• vstp
bpdu-timeout-action
Description Provide STP loop protection for a given STP family protocol interface.
Default If the bpdu-timeout-action statement is not configured, an interface that stops receiving
BPDUs will transition to the designated port (forwarding) state, creating a potential loop.
Options log—The interface logs the fact that it has not received BPDUs during the timeout interval.
block—The interface is blocked and the fact that the interface has not received BPDUs
during the timeout interval is logged.
Related • Understanding Loop Protection for Spanning-Tree Instance Interfaces on page 426
Documentation
• Configuring Loop Protection for a Spanning-Tree Instance Interface on page 428
• rstp
• mstp
• vstp
brief
Description Configure all AS numbers from all contributing paths to be included in the aggregate or
generated route’s path.
• brief—Include only the longest common leading sequences from the contributing AS
paths. If this results in AS numbers being omitted from the aggregate route, the BGP
ATOMIC_ATTRIBUTE path attribute is included with the aggregate route.
• full—Include all AS numbers from all contributing paths in the aggregate or generated
route’s path. Include this option when configuring an individual route in the route portion
of the generate statement to override a retain option specified in the defaults portion
of the statement.
Default full
Syntax bridge-domains {
bridge-domain-name {
bridge-options {
...bridge-options-configuration...
}
domain-type bridge;
interface interface-name;
no-irb-layer-2-copy;
routing-interface routing-interface-name;
vlan-id (all | none | number);
vlan-id-list [ vlan-id-numbers ];
vlan-tags outer number inner number;
bridge-options {
interface interface-name {
static-mac mac-address;
}
interface-mac-limit limit;
mac-statistics;
mac-table-size limit;
no-mac-learning;
}
}
}
Release Information Statement introduced in Junos OS Release 12.3X52 for ACX Series routers.
Description Configure a domain that includes a set of logical ports that share the same flooding or
broadcast characteristics in order to perform Layer 2 bridging.
NOTE: You cannot use the slash (/) character as part of the bridge domain
name. If you do, the configuration will not commit.
Related
Documentation
Syntax bridge-options {
interface interface-name;
static-mac static-mac-address;
}
interface-mac-limit limit;
packet-action drop;
}
mac-table-size limit;
no-mac-learning;
}
Release Information Statement introduced in Junos OS Release 12.3X52 for ACX Series routers.
Description Configure Layer 2 learning and forwarding properties for a bridge domain.
bundle
Description Associate the multilink interface with the logical interface it is joining.
cdvt
Release Information Statement introduced in Junos OS Release 12.2 for ACX Series routers.
Description (ACX Series routers) Define the Cell Delay/Variation Tolerance (CDVT) rate for the policer
or traffic control profile on an ATM IMA interface.
Related • Understanding CoS on ATM IMA Pseudowire Interfaces Overview on page 895
Documentation
• Configuring Policing on an ATM IMA Pseudowire on page 912
cell-bundle-size
Description For ATM2 IQ interfaces using ATM Layer 2 circuit cell-relay transport mode only, configure
the maximum number of ATM cells per frame.
Related • Configuring the Layer 2 Circuit Cell-Relay Cell Maximum Overview on page 189
Documentation
cell-bundle-size
Description For ATM2 IQ interfaces using ATM Layer 2 circuit cell-relay transport mode only, configure
the maximum number of ATM cells per frame.
Related • Configuring the Layer 2 Circuit Cell-Relay Cell Maximum Overview on page 189
Documentation
cesopsn-options
Syntax cesopsn-options {
excessive-packet-loss-rate {
sample-period milliseconds;
threshold percentile;
}
idle-pattern pattern;
jitter-buffer-latency milliseconds;
jitter-buffer-packets packets;
packetization-latency microseconds;
}